Slashdot Mirror
Microsoft's Security Report Card
Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."
And so we have a report card that wouldn't get you accepted to a state university, by the largest, most economically endowed entity in the world.
I'm sorry, Microsoft, but you have to be held to higher standards, not lower. Open source is able to do better with infinitely less.
If a bunch of hobbiests were able to colonize the moon, would we hold back any criticism of NASA?
Or maybe we've just figured out a better way of doing things. In which case, maybe the soft spot for the dinosaurs is somewhat warranted.
Comon sense is a job for all of us, including Microsoft. Most vendors use common sense when they delay a product release due to security problems. Microsoft has historicaly not done that.
I think that it is great that less critical problems are being found now then with Windows 2000, and I hope the trend continues.
As an aside, I installed OS X on my grandmother's computer, and until now, forgot about her. Thanks for the reminder to write. Unfortunately, even that is not maintenence-free. Apple has had their own security problems of late.
How about an honest embrace of common sense?
Sig (appended to the end of comments you post, 120 chars)
that they've discovered their security problem is much bigger than they thought it was.
Sure they've progressed in terms of there's more known security holes fixed now than there was 1-2 years back, but there's also far more security holes that have been identified and at (seemingly) a much faster rate than 1-2 years ago.
In other words, 2 years ago, they rated a 4/10 in terms of security. Today, I'd say they probably rate 20/50. Overall, my impression is that they've essentially stayed in place in terms of removing security holes from their products.
If you think that I'm being unfair, consider how long it's taking new security holes to get fixed now versus 2 years ago - it seems to be generally longer.
Also, consider that MS has now taken the step of bundling security updates into big bunches, to ease the pain of applying them - that they've had to resort to this is a reasonable indication (IMHO) that the quantity of security holes being *fixed* has gone up significantly.
Finally, consider the rate at which security holes are being uncovered - it would have to start dropping off dramatically if MS was being successful in fixing their problems. That certainly doesn't seem to have happened.
I have to give MS two thumbs up. They now have automatic updates pushed to clients. They also have the Server tools to cache the updates locally for networks, and push them from there so you can hold updates back if they break some internal software.
.Net. In the future, code written for windows will be written in .Net by default, and buffer overflows will pretty much go away.
MS is also working on more secure technologies like
MS is working on code signing at every level of the system. This means no more boot viruses, no more trojans.
MS is still lacking on speed to update. The RPC bug was on the streets long enough for exploits to be written BEFORE they got even the smallest patch out. The big worms came after they did get the patch out, but people weren't updating.
Where does Linux stand in all of this?
Updates are usually still handled manually with apt-get update/upgrade. RedHat has live notification, but it's still done manually for the most part, which slows down the process. There are wasy of caching apt packages for internal use by making your own apt-source, but they can be difficult to implement. You can do similar things with RedHat, but there isn't a lot of work being done in this area.
Open Source developers still hug C and hate most anything running in any other safer languages because of performance. Despite it actually costing more man hours to manually go out and install new versions of SSH, bind, sendmail, etc. every 3 months, for some odd reason open source developers value cpu clock cycles on a machine that sits idle 99% of the time more than an actual person that can hardly find 5 minutes, and usually admins so many computers it turns into an all-nighter.
Open Source people see code signing as a way to enact DRM and are fighting it.
Open Source releases updates within minutes of being aware of prossible security problems, sometimes it can take an hour or a day on less critical projects, but for the most part updates are very quick.
I see progress in MS land, but Open Source people are fighting the future, and are living in status quo. There's no reason why 99% of the daemons out there couldn't be written in Python or Java (with Kaffe even). There's no real reason to fight TCP yet.
Karma Clown
You forgot a few things in your honesty, as I'm sure I'll forget a few from mine.
.net can't be used by linux programmers.
.Net isn't unique.
1: Microsoft has been convicted of antitrust violations. Hence why
2: Blaster.
3: Many linux groups are still nitpicky crazy people who instead of agreeing and copromising, they bicker. Even more are lazy, or greedy, or just plain stupid.
4: Open source people see Microsoft's code signing as a way to enact DRM, which is a polite way of saying they want total world domination. Many linux guru's like the idea of code signing, they just don't like Microsoft and they have good reasons.
5: Linux, netware, and other operating systems are still used for servers more often than Microsoft's software. MS's software is only used on desktops because everyone knows it. I'v used KDE on suse 8.1, it works well for anyone accept power users and I see no reason for ma n' pa to spend $300 on a new copy of winxp so they can check their e-mail.
6: Coding tools for linux exist that are open source and that work well. Not everyone is coding in C.
7: Linux is known for it's efficiency. On a server, efficiency > ease of use. Ms's software was designed for idiots, Linux was designed for people who know what they are doing. Linux is for the person who says "my powersupply blew out last storm, I'll replace the fuse and see if it works" whereas microsoft is for people that say "computer doesn't work = replace computer".
I see progress in for both linux and windows. I see more mind-blowing applications coming out for linux next year and I also see the first idiot proof interfaces coming into being. I don't see microsoft living upto their security bullshit, which they've had several years to implement but haven't. You can say "they're getting better" all you want, but is their security really better than it was in 2000? I see more DRM being brought into play, and it being either accepted or rejected on an individual basis. Ultamatly, in 10 years, I see microsoft becoming a linux distibutor, weither announced or unannounced.
Candy-Coated Knowledge