Microsoft's Security Report Card
Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."
I would like to see some comparisons to Red Hat version 7.2 (since '01) compared to XP (in terms of security patches, not bug fixes).
Heck Red Hat doesn't even support it anymore! 9.0 is coming up too!
And so we have a report card that wouldn't get you accepted to a state university, by the largest, most economically endowed entity in the world.
I'm sorry, Microsoft, but you have to be held to higher standards, not lower. Open source is able to do better with infinitely less.
If a bunch of hobbyists were able to colonize the moon, would we hold back any criticism of NASA?
Or maybe we've just figured out a better way of doing things. In which case, maybe the soft spot for the dinosaurs is somewhat warranted.
Common sense is a job for all of us, including Microsoft. Most vendors use common sense when they delay a product release due to security problems. Microsoft has historically not done that.
I think that it is great that less critical problems are being found now than with Windows 2000, and I hope the trend continues.
As an aside, I installed OS X on my grandmother's computer, and until now, forgot about her. Thanks for the reminder to write. Unfortunately, even that is not maintenance-free. Apple has had their own security problems of late.
How about an honest embrace of common sense?
And I'll show Microsoft a bigger market!
Until then, I'll stick with BSD, Solaris and Linux.
Is any software really at the point where we can install it and forget about it?
Qmail is pretty damn close.
So why are we grading Microsoft on security when it is apparently the consumer's responsibility? I'm not saying I disagree with taking responsibility as a consumer, but I don't think Microsoft is adequately doing their job.
Outlook 2003 does none of those things by default. MS has learned.
that they've discovered their security problem is much bigger than they thought it was.
Sure they've progressed in terms of there being more known security holes fixed now than there were 1-2 years back, but there are also far more security holes that have been identified, and at (seemingly) a much faster rate than 1-2 years ago.
In other words, 2 years ago, they rated a 4/10 in terms of security. Today, I'd say they probably rate 20/50. Overall, my impression is that they've essentially stayed in place in terms of removing security holes from their products.
If you think that I'm being unfair, consider how long it's taking new security holes to get fixed now versus 2 years ago - it seems to be generally longer.
Also, consider that MS has now taken the step of bundling security updates into big bunches, to ease the pain of applying them - that they've had to resort to this is a reasonable indication (IMHO) that the quantity of security holes being *fixed* has gone up significantly.
Finally, consider the rate at which security holes are being uncovered - it would have to start dropping off dramatically if MS was being successful in fixing their problems. That certainly doesn't seem to have happened.
I have to give MS two thumbs up. They now have automatic updates pushed to clients. They also have the Server tools to cache the updates locally for networks, and push them from there so you can hold updates back if they break some internal software.
MS is also working on more secure technologies like:
.Net. In the future, code written for windows will be written in .Net by default, and buffer overflows will pretty much go away.
MS is working on code signing at every level of the system. This means no more boot viruses, no more trojans.
MS is still lacking on speed to update. The RPC bug was on the streets long enough for exploits to be written BEFORE they got even the smallest patch out. The big worms came after they did get the patch out, but people weren't updating.
Where does Linux stand in all of this?
Updates are usually still handled manually with apt-get update/upgrade. RedHat has live notification, but it's still done manually for the most part, which slows down the process. There are ways of caching apt packages for internal use by making your own apt-source, but they can be difficult to implement. You can do similar things with RedHat, but there isn't a lot of work being done in this area.
Open Source developers still hug C and hate most anything running in any other safer languages because of performance. Despite it actually costing more man hours to manually go out and install new versions of SSH, bind, sendmail, etc. every 3 months, for some odd reason open source developers value cpu clock cycles on a machine that sits idle 99% of the time more than an actual person that can hardly find 5 minutes, and usually admins so many computers it turns into an all-nighter.
Open Source people see code signing as a way to enact DRM and are fighting it.
Open Source releases updates within minutes of being aware of possible security problems; sometimes it can take an hour or a day on less critical projects, but for the most part updates are very quick.
I see progress in MS land, but Open Source people are fighting the future, and are living in status quo. There's no reason why 99% of the daemons out there couldn't be written in Python or Java (with Kaffe even). There's no real reason to fight TCP yet.
Karma Clown
Security at MS is a marketing thing, not a cultural thing. They're putting a lot of effort into patching Windows (because they want the world's data centres to start running it and .NET so that their future is a bit safer), but they're putting very little effort into other products - for instance IE's most recent phishing bug, which prevents it displaying anything after a "%01" in the address bar (a gift for spammers after your credit card details everywhere), was picked up well over a month ago and yet no patch exists. And don't get me started on its awful SSL implementation. IE is a good example of a relatively small product that needs re-writing from the ground up and has done ever since it was first cobbled together several versions ago. MS hasn't done anything to it, and won't, because it loses money for them anyway. They might sort out Windows with Longhaul or whatever it's called, but my guess is that they won't. With a bit of luck it will be too late for them by then anyway and Penguins will rule the world.
It's security 101
Services should not default to listening state. Nobody has ever been able to write secure services yet people keep saying "I think we've got it this time"
Leave it off; if I need it I will turn it on. If I am too stupid to turn it on then maybe it shouldn't be on, or at least not accepting connections and data from any IP address on the net. This is common sense and they are just now adding it to SP2. And before you step in and call me a Linux zealot, most Linux distros do this wrong also.
BTW, I suspect the incomplete will be reevaluated on after the release of SP2, which I admit, is a large improvement.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
You forgot a few things in your honesty, as I'm sure I'll forget a few from mine.
.net can't be used by linux programmers.
.Net isn't unique.
1: Microsoft has been convicted of antitrust violations. Hence why
2: Blaster.
3: Many linux groups are still nitpicky crazy people who, instead of agreeing and compromising, bicker. Even more are lazy, or greedy, or just plain stupid.
4: Open source people see Microsoft's code signing as a way to enact DRM, which is a polite way of saying they want total world domination. Many linux gurus like the idea of code signing, they just don't like Microsoft and they have good reasons.
5: Linux, netware, and other operating systems are still used for servers more often than Microsoft's software. MS's software is only used on desktops because everyone knows it. I've used KDE on suse 8.1; it works well for anyone except power users and I see no reason for ma n' pa to spend $300 on a new copy of winxp so they can check their e-mail.
6: Coding tools for linux exist that are open source and that work well. Not everyone is coding in C.
7: Linux is known for its efficiency. On a server, efficiency > ease of use. MS's software was designed for idiots, Linux was designed for people who know what they are doing. Linux is for the person who says "my power supply blew out last storm, I'll replace the fuse and see if it works" whereas microsoft is for people that say "computer doesn't work = replace computer".
I see progress for both linux and windows. I see more mind-blowing applications coming out for linux next year and I also see the first idiot-proof interfaces coming into being. I don't see microsoft living up to their security bullshit, which they've had several years to implement but haven't. You can say "they're getting better" all you want, but is their security really better than it was in 2000? I see more DRM being brought into play, and it being either accepted or rejected on an individual basis. Ultimately, in 10 years, I see microsoft becoming a linux distributor, whether announced or unannounced.
Candy-Coated Knowledge
>Microsoft don't make secure products because the programmers are directed by management to prefer a nice shiny GUI instead of security.
Apple has some good programmers
Apple management has a GUI focus
Still Apple doesn't make conceptual security flaws like requiring root privilege for any user to perform even the most basic tasks.
--
Every program has two purposes -- one for which it was written and another for which it wasn't.
C:\>netstat -a | findstr LISTENING >file.txt
C:\>wc -l file.txt
file.txt: Lines: 12
C:\>ver
Microsoft Windows XP [Version 5.1.2600]
C:\>
wc binary link here
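As an added example, not code from any poster in this thread: the netstat check above only counts LISTENING sockets, while the "security 101" comment draws a further distinction between a service bound to loopback and one that accepts connections from any address on the net. The script below parses Windows-style `netstat -an` output and sorts each listener into that exposure class. The sample output embedded in it is constructed to look like what Windows XP prints; it was not captured from a real machine, and the port assignments are illustrative only.

```python
"""Classify listening sockets from Windows-style `netstat -an` output.

Added example, not code from the original thread. SAMPLE_NETSTAT below is
constructed to resemble Windows XP output and was not captured from a real host.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port exposure")

# Constructed sample: the column layout `netstat -an` uses on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:50012     ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:123          *:*
"""

# proto, local addr, local port, foreign endpoint, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def exposure(addr):
    """Map a bind address to how widely the socket can be reached."""
    addr = addr.strip("[]")  # IPv6 addresses are printed in brackets
    if addr in ("127.0.0.1", "::1"):
        return "loopback"
    if addr in ("0.0.0.0", "::", "*"):
        return "all-interfaces"
    return "one-interface"


def parse_listeners(text):
    """Return a Listener for every socket that accepts unsolicited traffic.

    TCP sockets count only in state LISTENING. UDP sockets carry no state in
    netstat output, so every bound UDP socket is treated as a listener.
    """
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, addr.strip("[]"), int(port), exposure(addr)))
    return found


def summarize(text):
    """Count listeners per exposure class; 'all-interfaces' is the bucket to shrink."""
    counts = {"loopback": 0, "one-interface": 0, "all-interfaces": 0}
    for lst in parse_listeners(text):
        counts[lst.exposure] += 1
    return counts


def exposed_ports(text):
    """Ports reachable from any address on the network, sorted ascending."""
    return sorted(lst.port for lst in parse_listeners(text)
                  if lst.exposure == "all-interfaces")


if __name__ == "__main__":
    for lst in parse_listeners(SAMPLE_NETSTAT):
        print(f"{lst.proto} {lst.addr}:{lst.port:<6} {lst.exposure}")
    print(summarize(SAMPLE_NETSTAT))
    print("exposed to the network:", exposed_ports(SAMPLE_NETSTAT))
```

The plain `findstr LISTENING` count from the post above would report four sockets for this sample and say nothing about UDP; splitting by bind address shows that only three of the six listeners are reachable from arbitrary addresses, which is the set the "leave it off until I turn it on" argument is really about.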
How, then, do you propose they keep pirated copies of XP from downloading updates?
They blocked the number one pirate CD key from downloading them even before SP1. And, with SP1, they blocked around 150 other "commonly used" pirate CD keys.
That doesn't mean there aren't other corporate keys that are valid...corporate keys bypass activation so there's no validity checks. If it's a corporate key leaked from a large company, it's feasible that it could go unnoticed for a long period of time before being caught and invalidated.
I, personally, advocate Windows Update sending a 'destroy installation' command that will cause Windows to boot to some kind of anti-piracy screen, and destroy all other files on the hard drive. And, I think that's perfectly reasonable -- you steal the software, you run the risk of the software you're not using legitimately destroying your data.
You just run into the problem of detecting pirate copies then.
Indeed. You are highlighting the first principle of optimization: only do it where it makes a difference - something I completely agree with.
Agreed. But just because most of the time you do not notice it, if some of the time you do, that can make quite a difference in convenience. In a multiuser environment, where you log in daily, maybe more often, it does matter whether your programs fire up in a second or in two minutes. When your browser needs to start a helper application, ditto. After you have typed twenty pages in Word (with 99% idle CPU), with figures and tables and you want to tweak with the layout, fonts, styles, etc., the faster your document is rerendered, the more convenient/fast/versatile your design effort will be.
And if you want to do image manipulation on your photo album at some point...
I wholeheartedly agree with you that the needs of different types of users are quite different. But I do not think that speed requirement is only that of programmers/geeks.
Come on, this was a bad year, though everybody seems to pretend that nothing happened.
In the span of six months, GNU was hacked twice, and GNOME, Gentoo, and Debian were all breached. And according to Linux's dirty little secret, LinuxSecurity.com, dozens of new holes in OSS software are discovered every week.
Where is the Slashdot article on that?
"Sufferin' succotash."