Slashdot Mirror


Microsoft's Security Report Card

Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."

80 of 354 comments

  1. Let's be honest by ObviousGuy · · Score: 5, Insightful

    Is any software really at the point where we can install it and forget about it?

    Security is a job for all of us, not just Microsoft.

    As long as hackers out there have the tuits to break into systems, security is everyone's business.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Let's be honest by littlerubberfeet · · Score: 4, Interesting

      Common sense is a job for all of us, including Microsoft. Most vendors use common sense when they delay a product release due to security problems. Microsoft has historically not done that.

      I think that it is great that fewer critical problems are being found now than with Windows 2000, and I hope the trend continues.

      As an aside, I installed OS X on my grandmother's computer, and until now, forgot about her. Thanks for the reminder to write. Unfortunately, even that is not maintenance-free. Apple has had their own security problems of late.

      How about an honest embrace of common sense?

    2. Re:Let's be honest by bryhhh · · Score: 5, Insightful

      I think that it is great that fewer critical problems are being found now than with Windows 2000, and I hope the trend continues.

      The quantity seems to have dropped, but the severity seems to keep increasing.

      Just look at the havoc caused by the recent RPC worms.

      - I'm also in disbelief that Microsoft still haven't released a patch for the %00 bug in IE that allows spammers and malicious web admins to obscure the real URL the user is being directed to. Perhaps Microsoft don't see a bug which could be used to trick people out of their hard-earned cash as a Critical problem?

    3. Re:Let's be honest by bryhhh · · Score: 5, Funny

      Microsoft don't see a bug which could be used to trick people out of their hard-earned cash as a Critical problem?

      They wouldn't see it as a bug, heck that's exactly what Microsoft have been doing to their customers for years!

    4. Re:Let's be honest by jamwt · · Score: 3, Interesting

      Is any software really at the point where we can install it and forget about it?

      Qmail is pretty damn close.

    5. Re:Let's be honest by Chemical+Serenity · · Score: 2, Informative

      The DJBDNS suite can be added to that list. Hasn't changed in years... apparently hasn't ever needed to.

      --
      "People will pay big bucks for the luxury of ignorance."
    6. Re:Let's be honest by j3110 · · Score: 5, Interesting

      I have to give MS two thumbs up. They now have automatic updates pushed to clients. They also have the Server tools to cache the updates locally for networks, and push them from there so you can hold updates back if they break some internal software.

      MS is also working on more secure technologies like .Net. In the future, code written for windows will be written in .Net by default, and buffer overflows will pretty much go away.

      MS is working on code signing at every level of the system. This means no more boot viruses, no more trojans.

      MS is still lacking on speed to update. The RPC bug was on the streets long enough for exploits to be written BEFORE they got even the smallest patch out. The big worms came after they did get the patch out, but people weren't updating.

      Where does Linux stand in all of this?

      Updates are usually still handled manually with apt-get update/upgrade. RedHat has live notification, but it's still done manually for the most part, which slows down the process. There are ways of caching apt packages for internal use by making your own apt-source, but they can be difficult to implement. You can do similar things with RedHat, but there isn't a lot of work being done in this area.

      Open Source developers still hug C and hate most anything running in any other, safer language because of performance. Despite it actually costing more man-hours to manually go out and install new versions of SSH, bind, sendmail, etc. every 3 months, for some odd reason open source developers value CPU clock cycles on a machine that sits idle 99% of the time more than an actual person who can hardly find 5 minutes, and usually admins so many computers it turns into an all-nighter.

      Open Source people see code signing as a way to enact DRM and are fighting it.

      Open Source releases updates within minutes of being aware of possible security problems; sometimes it can take an hour or a day on less critical projects, but for the most part updates are very quick.

      I see progress in MS land, but Open Source people are fighting the future, and are living in status quo. There's no reason why 99% of the daemons out there couldn't be written in Python or Java (with Kaffe even). There's no real reason to fight TCP yet.

      --
      Karma Clown
    7. Re:Let's be honest by SlashDread · · Score: 4, Insightful

      I have to give MS two thumbs down.
      Sure, the security is improving, the SUS server is a nice tool.

      But what bugs me beyond belief is the amazing lack of information it gives.

      SUS out of the box does not:

      - Client cannot be controlled: you can't use Windows Update to update your system NOW, you will have to rely on reghacks, and stopping and starting services, to make sure your system will be updated in approx 15 minutes..

      That is crap. I'm the sysadmin, I want to make sure that the system is updated NOW.

      - The SUS Server has no simple reporting of -who-, -when- and successful or not, for events like a client connecting and pulling updates.

      This is even more crap, I cannot scan the server for activity from clients, unless I go digging in cryptic log files, which are not identified in the MS docs about SUS anyway.

      Sure, there is a smart guy's script that does that, which involves installing stuff for IIS, without properly explaining how and where. Again unacceptable.

      It is because Nachio blasted our network away that we HAVE to be protected, so I use it.

      But I'm very disappointed in the lack of control and information it gives.

      THAT'S my gripe with MS: stop listening to the damn users already! And start listening to the sorrowful admins, like me.

      NOT just for security in the press, but for the daily lives of their admins. After all THEY need to understand what's happening; THAT'S the basis of REAL security.

      "/Dread"

    8. Re:Let's be honest by houghi · · Score: 3, Insightful

      Updates are usually still handled manually with apt-get update/upgrade. RedHat has live notification, but it's still done manually for the most part, which slows down the process. There are ways of caching apt packages for internal use by making your own apt-source, but they can be difficult to implement. You can do similar things with RedHat, but there isn't a lot of work being done in this area.

      SUSE has the possibility to do automated updates. Just put them in a crontab. I assume this can be done by other distros as well. You apparently applaud the fact that Microsoft has automated updates and there is nothing wrong with that. Most Linux users however would like to know what is being installed on their systems and are very afraid of some automagic system that will install stuff on their boxen. As you point out there are systems to do updates under Linux. The question remains if this should be on by default or not.

      On one side we have the fact that we do not want Microsoft to do anything on our system, because they are the evil empire. On the other side we want them to have automated updates. Choose your poison.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re:Let's be honest by Tim+C · · Score: 3, Informative

      There are essentially two ways to update a modern Windows machine (ie Win2k or newer - I've not used 98 in years, or Me at all). You can either visit the Windows Update site and choose what updates you want to install, or you can use the Automatic Updates tool.

      Automatic Updates checks for critical updates only, and works in three modes: notify me, download and notify me, or download and install. In the first two modes, you have complete control over what gets installed - even in the case that it's downloaded, it won't be installed unless you give the go-ahead. The third mode, of course, is fully automatic - available critical updates are downloaded and installed at a time specified by the user (it defaults to 3am, iirc).

      Personally, in the year or so I've been using XP, I've found no reason not to have it set to automatically install updates. Nothing has broken, and if any unpleasant features have been installed for me, I certainly haven't noticed. (And given the way sites like /. and the Register jump all over anything MS does, I assume that nothing has been)

    10. Re:Let's be honest by tres · · Score: 4, Insightful
      Updates are usually still handled manually with apt-get update/upgrade.
      Sorry, but if I really felt stupid enough, I could have cron job'd my portupgrade, apt-get, urpmi or up2date long, long before Microsoft thought it was a good idea to push updates to clients; we could have been doing this back while Microsoft was trying to convince the court that an HTML interface was the only way that they could update their OS.

      You seem to have gotten lost somewhere along the way--updates are manual for a reason. The prudent admin takes the time to know what vulnerabilities or potential problems are going to affect their system. The prudent admin knows whether updating is necessary and what potential problems it may cause. Availability of new code doesn't mean that updates are required.

      Automating updates isn't "progress." It isn't even hard.

      Open Source developers might "hug" C, but they are much less afflicted by language myopia than are Windows developers.

      What Windows IDE will do syntax highlighting for Python?
      How about PERL?
      or PHP?
      or Ruby?
      or any of the other numerous languages that are not only supported, but are afforded real, working tools natively supported by the environment?

      I think your point is something to take very seriously; but I don't see the Open Source community sitting, waiting for MS. Ultimately the idea is fallacious because it takes for granted the idea that new == better. There are many, many reasons to stick with something that works.

      Words of wisdom that have been around much longer than you or I: "If it ain't broke, don't fix it."

      --
      Notes From Under *nix: blas.phemo.us
    11. Re:Let's be honest by JPriest · · Score: 2, Interesting

      It's security 101

      Services should not default to listening state. Nobody has ever been able to write secure services yet people keep saying "I think we've got it this time"

      Leave it off; if I need it I will turn it on. If I am too stupid to turn it on then maybe it shouldn't be on, or at least not accepting connections and data from any IP address on the net. This is common sense and they are just now adding it to SP2. And before you step in and call me a Linux zealot, most Linux distros do this wrong also.

      BTW, I suspect the incomplete will be re-evaluated after the release of SP2, which I admit, is a large improvement.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    12. Re:Let's be honest by TyrranzzX · · Score: 4, Interesting

      You forgot a few things in your honesty, as I'm sure I'll forget a few from mine.

      1: Microsoft has been convicted of antitrust violations. Hence why .net can't be used by linux programmers.

      2: Blaster.

      3: Many linux groups are still nitpicky crazy people who instead of agreeing and compromising, they bicker. Even more are lazy, or greedy, or just plain stupid.

      4: Open source people see Microsoft's code signing as a way to enact DRM, which is a polite way of saying they want total world domination. Many linux gurus like the idea of code signing, they just don't like Microsoft and they have good reasons.

      5: Linux, netware, and other operating systems are still used for servers more often than Microsoft's software. MS's software is only used on desktops because everyone knows it. I've used KDE on suse 8.1, it works well for anyone except power users and I see no reason for ma n' pa to spend $300 on a new copy of winxp so they can check their e-mail.

      6: Coding tools for linux exist that are open source and that work well. Not everyone is coding in C. .Net isn't unique.

      7: Linux is known for its efficiency. On a server, efficiency > ease of use. Ms's software was designed for idiots, Linux was designed for people who know what they are doing. Linux is for the person who says "my powersupply blew out last storm, I'll replace the fuse and see if it works" whereas microsoft is for people that say "computer doesn't work = replace computer".

      I see progress for both linux and windows. I see more mind-blowing applications coming out for linux next year and I also see the first idiot proof interfaces coming into being. I don't see microsoft living up to their security bullshit, which they've had several years to implement but haven't. You can say "they're getting better" all you want, but is their security really better than it was in 2000? I see more DRM being brought into play, and it being either accepted or rejected on an individual basis. Ultimately, in 10 years, I see microsoft becoming a linux distributor, whether announced or unannounced.

    13. Re:Let's be honest by JPriest · · Score: 2, Interesting
      I miss my bash shell when I am in windows but it can be done.

      C:\>netstat -a | findstr LISTENING >file.txt
      C:\>wc -l file.txt
      file.txt: Lines: 12
      C:\>ver
      Microsoft Windows XP [Version 5.1.2600]
      C:\>

      wc binary link here

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
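The `netstat -a | findstr LISTENING | wc -l` one-liner above only counts listeners; the earlier complaint that services should not accept connections "from any IP address on the net" needs to know what each listener is bound to. The following added example (not from the thread, and not a Microsoft or Slashdot tool) parses `netstat -a -n`-style output and splits TCP listeners into all-interface, loopback-only and single-address groups; the sample output embedded in it is constructed, not captured from a real host.

```python
"""Audit which TCP services a Windows box exposes, from `netstat -a -n` output.

A listener bound to 127.0.0.1 is reachable only from the machine itself;
one bound to 0.0.0.0 or [::] accepts connections from any IP address.
Splitting the LISTENING lines by bind address shows which services a
firewall or a "leave it off until I need it" default should cover first.
"""

# Constructed sample of `netstat -a -n` output (not captured from a real
# host). Column layout follows the Windows XP netstat format.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:4021      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

ANY_ADDRESSES = {"0.0.0.0", "[::]", "*"}        # reachable from anywhere
LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}    # reachable only locally


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); rpartition keeps IPv6 like '[::]:135' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return one dict per connection line; header/blank lines are skipped.

    UDP lines carry no State column, so they get state=None.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else None
        host, port = split_endpoint(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state})
    return rows


def count_listening(text):
    """The number `findstr LISTENING | wc -l` would print for the same output."""
    return sum(1 for line in text.splitlines() if "LISTENING" in line)


def listening_exposure(text):
    """Group TCP listening ports by how widely they are reachable.

    Returns {"any": [...], "loopback": [...], "specific": [...]} with sorted,
    de-duplicated ports (an IPv4 and IPv6 socket on the same port count once).
    """
    groups = {"any": set(), "loopback": set(), "specific": set()}
    for row in parse_netstat(text):
        if row["proto"] != "TCP" or row["state"] != "LISTENING":
            continue
        if row["host"] in ANY_ADDRESSES:
            groups["any"].add(row["port"])
        elif row["host"] in LOOPBACK_ADDRESSES:
            groups["loopback"].add(row["port"])
        else:
            groups["specific"].add(row["port"])
    return {scope: sorted(ports) for scope, ports in groups.items()}


if __name__ == "__main__":
    print("LISTENING lines:", count_listening(SAMPLE_NETSTAT))
    for scope, ports in listening_exposure(SAMPLE_NETSTAT).items():
        print(f"{scope:9s} {ports}")
```

On a live box, pipe `netstat -a -n` into `parse_netstat` instead of the sample; without `-n`, netstat prints host names and the bind-address sets would need those names added.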
    14. Re:Let's be honest by Florian+Weimer · · Score: 2, Informative

      Security is a job for all of us, not just Microsoft.

      Yes, that's a nice spin -- it's your own fault when your computer has been successfully attacked, even if the vendor has known about the vulnerability for months.

      The most important part about patching is that you have to do it. If something goes wrong, the vendor can blame you. You don't pay your virus scanner tax? Your fault. You don't pay for personal firewalling software? Again your fault. You don't apply that multi-megabyte security upgrade? Of course, it's your fault.

      As long as hackers out there have the tuits to break into systems, security is everyone's business.

      But if your basic infrastructure is broken, you can't fix it on your own. There's no workaround for gaping security holes in Internet Explorer, and Microsoft hasn't been able to deliver a patch to fix these. Instead, more and more "security researchers" end up on Microsoft's payroll and suddenly claim on public mailing lists that using Internet Explorer is safe as long as you use the right security settings.

      By the way, Mozilla isn't better either (a number of unspecified security fixes in 1.6), and it looks as if the security audit has been stopped. But in contrast to Microsoft, they don't have to pay for the "this browser is safe to use" bullshit.

    15. Re:Let's be honest by Slightly+Askew · · Score: 2, Informative
      You seem to have gotten lost somewhere along the way--updates are manual for a reason

      This just goes to show how little experience most Linux desktop (not server) admins have in the real world. End users can not be trusted to update their machines. Yes, updates should be done manually to test for potential problems...in a lab environment. After they have been tested and approved in the lab, they should be rolled automatically to the end user. It is simply ludicrous to assume that one admin, or even a team of them, is going to manually install patches to 50,000 workstations every couple months.

      --
      Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
    16. Re:Let's be honest by glh · · Score: 4, Informative

      1: Microsoft has been convicted of antitrust violations. Hence why .net can't be used by linux programmers.
      What's stopping them? The go-mono project is quite active- I get at least 50 emails a day from linux programmers that are using .NET on linux. There is also .GNU and some other projects. Rotor is only for "educational purposes" but it runs on OpenBSD.

      2: Blaster.
      The most popular platform, ran by the most people in the world, etc. is bound to have security holes that get exploited. Unfortunately when 95% of the people out there don't know how to patch, these are blown way out of proportion. One company can only do so much to prevent the problems- anything else and you get complainers (see point #4).

      Many linux groups are still nitpicky crazy people who instead of agreeing and compromising, they bicker. Even more are lazy, or greedy, or just plain stupid.
      I've presented at LUGs and I would somewhat agree with this point. There are some people that are just interested in getting things to work, but many of them are hecklers, complainers, etc. It's just the subculture. I used to be "on the other side of the fence" and I know the mindset. Once I graduated college and started working with business, my perspective changed quite a bit. People are drawn to anger/hate/etc. and unfortunately leaders in the linux community help foster this so it continues to pervade.

      4: Open source people see Microsoft's code signing as a way to enact DRM, which is a polite way of saying they want total world domination. Many linux gurus like the idea of code signing, they just don't like Microsoft and they have good reasons.

      Exactly. MS starts implementing security to eliminate things that happen in #2, and now the complaints start rolling in. No matter what MS does there will always be naysayers. They will never be satisfied.

      5: Linux, netware, and other operating systems are still used for servers more often than Microsoft's software. MS's software is only used on desktops because everyone knows it. I've used KDE on suse 8.1, it works well for anyone except power users and I see no reason for ma n' pa to spend $300 on a new copy of winxp so they can check their e-mail.

      In most companies that I have worked in or with, Linux tends to be used primarily for non-critical systems. Solaris is used over any other *nix based system for critical things (eg. production oracle databases), and the hardware cost is astronomical in comparison. We are converting to Win2K servers. The license cost for a business is not what a consumer would pay, in fact it is significantly less (ex. $100 instead of $300 for XP). Most new PCs that companies order (ie, dell) come with WinXP anyway.

      6: Coding tools for linux exist that are open source and that work well. Not everyone is coding in C. .Net isn't unique

      Ok, as a .NET developer I definitely have some comments on this one. One of the biggest reasons I "switched" to MS was because of the development tools available. Not only that, but also the support, and the willingness of the developer community (tons and tons of support- just do a google search), as well as Microsoft. There are MS dev leads that help support developers FREE of charge. Sure, the cost of the tool can be pricey, but you aren't just buying the tool. Also, I have never found a tool that has all the needed capabilities/performance/integrated environment of VS.NET in an open source project (for any language). Some open source Java tools come close, but they tend to be really slow and lacking one or two key features that I need to be productive.

      7: Linux is known for its efficiency. On a server, efficiency > ease of use. Ms's software was designed for idiots,

      I don't think it was designed for "idiots" but I agree that there is definitely a level of abstraction that MS unnecessarily gives the sys admin that ca

    17. Re:Let's be honest by AbbyNormal · · Score: 3, Insightful

      Not an m$ fan, but there are a few points I'd like to make.

      Hence why .net can't be used by linux programmers Huh??? Um...what about Mono?

      Blaster Non .NET signed code, what's your point?

      Microsoft's code signing as a way to enact DRM What about signing Java applets for security?

      MS's software is only used on desktops because everyone knows it. Um, a majority of enterprise environments that I work in all use Win2k servers to a good degree of success. (Some of the logic to use Win2k is pretty lame...most could easily be replaced with Linux based systems. )

      Ms's software was designed for idiots, Why is this bad? Going back to your previous argument, are your "ma n' pa" linux gurus? Are the majority of enterprise/home users, gurus? This is the very elitist attitude that ticks me off. I see it routinely on newbie bulletin boards and chats...it really chaps my you know what. I almost completely switched over all of my systems to FreeBSD for this very reason (support base).

      I believe most of your comments were rants against the evil Empire, rather than anything of content.

      Linux needs to START catering to "idiots" if this is going to be the "Year of the Linux Desktop". Not all users and even developers are masters of their operating system (I'm going to get flamed for this, but they really don't have to). A user/developer needs to be able to adopt a Linux system and then say: "Hey you know what would be cool" and then proceeds to build a couple of apps

      I think that is when Linux will really take off. A few of my developer friends (Perl mongers) refuse to run linux because of the amount of time it takes them to do simple stuff (Plug in cameras and other peripherals and have them instantly recognized). I can see their point sometimes, when I'm trying to get a package installed, only to be told I need four other updates in order to install the first.

      The post was right though: Linux was designed for people who know what they are doing...

      That needs to change very quickly.

      There are a lot of flavors of Linux out there that I believe are on the right path (I, for one, like Mandrake...and previously Red Hat).

      --
      Sig it.
  2. Improved marks? by Anonymous Coward · · Score: 2, Funny
    Stephen O'Grady, agrees that he would give Microsoft 'improved marks,...

    Going from an F- to an F+ isn't something to get excited about.

  3. new difference by Hes+Nikke · · Score: 3, Funny

    now that i'm an MCP (sucks huh?) i'll be trying to get as many people away from the Microsoft platform to something more secure at every opportunity i can get :)

    i'm calling myself a trojan horse :)

    --
    Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
    1. Re:new difference by tankdilla · · Score: 3, Funny

      Convert other MCPs like you so that you in essence self-replicate and become updated to a virus.

      --

      -Look lively. LOOK LIVELY!!! --Mr. Shmallow

    2. Re:new difference by Hes+Nikke · · Score: 2, Funny

      wasn't that the plot in tron?

      *ducks*

      --
      Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
    3. Re:new difference by steveha · · Score: 2, Funny

      i'm an MCP

      Do you have some guy named Tron throwing a glowing frisbee at you now?

      Sorry, couldn't resist. :-)

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
  4. Let's Compare by Anonymous Coward · · Score: 2, Interesting

    I would like to see some comparisons to Red Hat version 7.2 (since O1) compared to XP (in terms of security patches, not bug fixes).

    Heck Red Hat doesn't even support it anymore! 9.0 is coming up too!

  5. No news isn't good news by eamonman · · Score: 4, Funny

    Funny, it seems to imply in the news.com article that fewer advisories are better than more... hell, I think my ol' comp running win98 went for many months last year without a single advisory notice when I clicked into the Windows update site. Pfft. So therefore win98 is safer than Server 2003... :P

    --
    0- Eamonman Proud member of DNRC
  6. Not really by Cipster · · Score: 4, Funny

    I thought an Incomplete actually counted as an F.

    I think the appropriate grade for this would be an IP (in progress).

    1. Re:Not really by servognome · · Score: 2, Funny

      It just means MS isn't eligible to play sports this semester.

      --
      D6 63 0D 70 89 81 BB 8E 7B 7C 5F 5D 54 EA AB 73
  7. Wait a minute... by AstrumPreliator · · Score: 3, Insightful

    Does anybody remember the article where old Microsoft basically said it was the end consumer's responsibility to keep things secure and not the developer's? I'll have to find the article, but it's only a couple months old or so. I think the "report card" should be re-evaluated knowing that Microsoft really doesn't care about security like they claim to.

    1. Re:Wait a minute... by JanusFury · · Score: 4, Insightful

      It is a responsibility of the end-user to keep a computer secure. If you are in control of your PC, it is your responsibility.

      If the end user was to grant full control over his computer to Microsoft, then it wouldn't be his responsibility to keep it up to date.

      'Secure' technologies like the DRM used in iTunes' M4P and WMP's WMA files are exactly that - granting some of your control over your computer to those companies in exchange for being able to get music files.

      In this case, by granting some of your control over your PC to Microsoft (allowing them to automatically update your PC with new fixes) you can gain more security.

      But do you really want to leave your security and privacy in the hands of a corporation? Or would you rather spend the time to do it yourself? You can't have it both ways. Either you keep your PC secure (either by updating Windows often and using a firewall and not visiting random sites and opening random attachments, etc., or by switching to a more secure operating system), or you let someone else do it for you.

      --
      using namespace slashdot;
      troll::post();
    2. Re:Wait a minute... by AstrumPreliator · · Score: 3, Interesting
      Okay, here is the article.
      ITB: Security starts with the developer. What do you think that developers can do to harden their apps and how is Microsoft helping with tools?
      BG: You don't need perfect code to avoid security problems. There are things we're doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things.

      So why are we grading Microsoft on security when it is apparently the consumer's responsibility? I'm not saying I disagree with taking responsibility as a consumer, but I don't think Microsoft is adequately doing their job.
  8. MS improving by Esteanil · · Score: 4, Insightful

    That MS is actually improving security is good for all of us.
    It's about time, and they still have a long way to go, but increasing security gives less room for E-mail viruses, worms and other network-hogging exploits.

    Hmm... Any chance of a class-action suit from people who do NOT use Microsoft, addressing the way their lack of security has wrecked important services for non-MS users?
    After all, those of us who don't use MS have never accepted their EULAs, but they've still wreaked havoc for our systems.
    Could at least lead to an even further increased MS focus on security, which would help everyone...

    --
    I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
  9. Can't get into Yale with this... by dominion · · Score: 4, Interesting

    And so we have a report card that wouldn't get you accepted to a state university, by the largest, most economically endowed entity in the world.

    I'm sorry, Microsoft, but you have to be held to higher standards, not lower. Open source is able to do better with infinitely less.

    If a bunch of hobbyists were able to colonize the moon, would we hold back any criticism of NASA?

    Or maybe we've just figured out a better way of doing things. In which case, maybe the soft spot for the dinosaurs is somewhat warranted.

    1. Re:Can't get into Yale with this... by Anonymous Coward · · Score: 2, Funny

      Wow. I think we found our textbook definition of a strawman argument. I'm gonna use this for future reference.

    2. Re:Can't get into Yale with this... by Penguinshit · · Score: 2, Insightful
      Almost all of whom contribute their work for free, as in unpaid.

      I don't know about your math, but last time I checked, "free" was considerably less than "~$38 Billion".

    3. Re:Can't get into Yale with this... by Malor · · Score: 5, Interesting
      I don't know what planet you're from, but on EARTH, we Linux admins have been scrambling just as desperately as Microsoft admins for the last year or so.

      I've had a hypothesis for some time that the security flaw rate in Linux would decline over time and eventually approach zero, where Microsoft's would stay essentially constant. I believed this would happen because the Linux source was open and all the security holes would gradually be found and squashed, where the Microsoft source, being closed, wouldn't be as closely examined and would remain a fertile field for new exploits forever.

      Well, in 2003, my pretty little hypothesis sure wasn't looking too good. I haven't actually compared numbers, but I felt like there were just as many bad critical bugs on Linux as there were on Microsoft. From my perception, the Linux rate rose, while the Microsoft rate dropped, which is exactly opposite what I was expecting.

      I still believe that closed source is "fake" security, and that the only way to get REAL security is for everything to be open, but in terms of actual number of published exploits, both systems appear to be about equal at the moment.

      And the standards to which Microsoft needs to be held are pretty much immaterial; only Microsoft can fix that code, where anyone can, in theory, fix bugs in OSS. Personally, I think we can use them as a yardstick, but we shouldn't be flinging mud.... very many more years like 2003, and they'll be flinging lots more of it back at us.

      In 2003, OSS security sucked. I hope 2004 is better.

  10. They've still got a ways to go. by Anonymous Coward · · Score: 4, Insightful
    If you don't use Windows Update to handle your security patching, it's quite a bit of work to patch a system.

    Just trying to figure out what needs to be updated is a pain in itself, unless you figure out that you need the MBSE. Then you need to wade through the security bulletins, which sometimes contain the patch (in varying locations of the document and with no fewer than two pages to go through to get to the patch) and sometimes tell you to go to Windows Update. Not an option when you're trying to cut a disc for a client, or are dealing with an environment that doesn't allow Windows Update for security reasons.

    Grabbing MBSE and every available patch from the website and applying said patches to a fresh Windows XP installation took about two and a half hours, and was incomplete (MBSE reported four patches that weren't applied). Windows Update isn't appropriate for a fresh install because of things like Blaster that will automatically infect the system upon connection to the Internet.

    Then, there's all the defaults they've got to have their system phone home, such as sa.windows.com for searches, IE automated updates, WMP automated updates (including DRM), ntp.windows.com, Automated Windows Update. Locking down a Windows XP system is an exercise in frustration.

    Trustworthy computing? Methinks not. Linux/BSD/OSX may have their myriad security and design flaws (except OpenBSD, which has yet to have a remote root compromise), but Windows XP holds a special place in my heart. Microsoft has admitted they've got an issue with security, which is a good thing, but now they should really address it -- they should be doing everything possible for the user to take control of his/her system, instead of heading the other way.

    1. Re:They've still got a ways to go. by Clovert Agent · · Score: 5, Insightful
      If you don't use Windows Update to handle your security patching, it's quite a bit of work to patch a system.

      Uh-huh. And you use what to update your Linux systems? Do you manually visit every relevant website and download updates, compile and reinstall everything, resolving dependencies by hand?

      Or do you use apt, up2date, emerge...? I'm not clear on how this differs from Windows Update, with the obvious exception of altered EULAs and similar nastiness. There's no excusing that.

      My point is that updating any OS without some sort of frontend to do the legwork is horrible. Bash MS, sure, but bash fairly. They've got a decent-and-improving frontend to their patching, a variety of tools to check your network for patch levels, and so on. Good enough? Depends on your environment, but it's a LOT better than nothing.

  11. Microsoft and Security by Tuxedo Jack · · Score: 4, Funny

    It's about as big an oxymoron as Microsoft Works.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  12. OK, I'm VERY sorry but... by TheMMaster · · Score: 5, Insightful

    I am not quite sure if this is off-topic, but I'm going to take a gamble here :)

    ""There is an order of magnitude--more people using Automatic Update and downloading patches," Microsoft's Kean said."

    This would be the system that gave the world the "DRM or be unpatched" situation, right? How trustworthy.... changing functionality along with a "security" patch.

    I know that bashing Microsoft is a favorite pastime here :) but I'm really bothered that this "report card" doesn't include anything from the myriad of unpatched Internet Explorer holes and the way Microsoft relicenses PATCHES... I mean, really, EULAs for PATCHES? What if I DON'T agree???

    Really, HOW is this "trustworthy"??

    I am REALLY impressed by the stupidity of these "reviewers" and how easily people forget these sorts of things... kudos to Microsoft PR... AGAIN :)

    I REALLY needed to get this off my chest :)

    --
    Fighting for peace is like fucking for virginity
    1. Re:OK, I'm VERY sorry but... by Tim C · · Score: 2, Insightful

      Microsoft finally pushes the final patch that makes it impossible for your windows system to play ANYTHING not WMA AND signed.

      And you know as well as I do that there would be an absolute uproar should that ever happen. MS are big, but they've been swayed by public outcry before - just look at the extension of support for Win98 as one example.

      Besides which, as soon as the story hit, people would simply stop applying that patch - while some would almost certainly reinstall the OS to rid themselves of it if need be. I really can't imagine such a thing lasting very long, were it to happen.

      In fact, the EULA you had to agree to in order to get the patch I mentioned before even says they have the "right" to do such a thing.

      I can't imagine that sort of thing standing up in court though. Sure, perhaps the EULA could be interpreted as allowing MS to do it, but that doesn't necessarily make it binding. EULAs aren't contracts, but here in the UK at least, you can't get away with putting just anything in a contract, and I would imagine that an EULA is the same. For example, just because I sign an employment contract with a clause in it that states that should I ever leave, I have to give them my firstborn, doesn't mean that I'd have to honour it.

      In fact, if you read most EULAs thoroughly, you'll see something to the effect that should any clause be found to be unenforceable, that won't render the entire agreement void. That would imply to me that a court has the power to throw out terms it deems unreasonable. I would very much expect that enforced manipulation or deletion of software and data would be found to be unreasonable, whether the EULA allowed for it or not.

  13. Re:Microsoft Security by bryhhh · · Score: 5, Insightful

    Microsoft Security. What's it all about?

    Well that's an easy answer. It's all about educating 'users'.

    1. Don't open emails unless you are certain it is from a trusted source.

    2. Keep your system patched

    3. Ensure you have antivirus software installed, and up-to-date.

    4. Use the firewall built into XP, or install one of the many free (for personal use) 3rd party firewalls, or even better look for an ISP that firewalls sensitive ports for you.

    This is all basic stuff, but many home users don't really give a stuff if their machine is taking part in a DDoS attack, as long as they can still get to their email, view web pages, send instant messages and download pr0n (actually - forget the last one, that's us geeks)

  14. Windows is at that point by commodoresloat · · Score: 4, Funny

    Oh - I thought you said "at that point where we can throw it away and forget about it."

  15. 80::20 rule applied to Microsoft Security by leoaugust · · Score: 5, Insightful
    "Customers are better off today than they were a year ago, and they will be even better off in the future," said Kevin Kean, a group manager at Microsoft's Security Response Center.

    What a well worded articulation - almost Greenspan-ish, in the sense that it looks like he is saying something, but you can never hold him to "whatever he is saying." And I think this quote summarises the whole article well.

    It is the 80:20 rule, or in Microsoft's case the 40:60 rule. In the first year you move 40% of the distance towards the Security Goal-Post. So, "Customers are better off today than they were a year ago." In the next year you move another 40% towards the goal. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...

    Now if the security Goal Post moves and you find yourself heading in the wrong direction, as it always does in Real life, you can frame your message as follows. You are now 60% away from the old place. So, "Customers are better off today than they were a year ago." In the next year you move another 60% away from the old place. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...

    So,

    • "Customers are better off today than they were a year ago,
    • and
    • they will be even better off in the future,"

    And how can you be wrong when you say it the way it is said. What a well worded articulation.

    --
    To see a world in a grain of sand, and then to step back and see the beach where the sand lies ...
  16. Re:Secure Means by Daengbo · · Score: 5, Funny
    There's this old military joke about the word secure, and I'll try to remember it correctly:
    • Tell the Air Force to secure a building, and they'll lock the doors and windows.
    • Tell the Army to secure the same building, and they'll post and roam guards.
    • Tell the Marines to secure it, and they'll run in shooting and kill all the AF and USA guys.
    Where does MS fall on that scale?
  17. Microsoft's Report Card by vought · · Score: 4, Funny
    SCHOOL OF CAPITOLISM

    SEMESTER 2, 2003

    PRODUCTIVITY 101 3 HRS 80% C
    ECONOMICS 307 3 HRS 100% A
    CREATIVITY 92 3 HRS 67% D
    GOV'T STUDIES 203 3 HRS 100% A
    COSC 507 ADVANCED 3 HRS 78% C
    MONO 302 3 HRS 100% A
    BORE 405 3 HRS 100% A
    THFT 305 3 HRS 100% A
    LIES 205 3 HRS 100% A
    SCUR 101 3 HRS 20% F
    MONO 400 3 HRS 100% A
    CONV 101 3 HRS 10% F
    HID 205 3 HRS 70% C
    OVERALL AVG. 78% C

    This explains why mediocre rules the market.

    1. Re:Microsoft's Report Card by lxs · · Score: 2, Funny

      SCHOOL OF CAPITOLISM

      Is that next-door to the Skool ov Speling?

  18. Improved marks!? by MasterSLATE · · Score: 2, Insightful

    I'm sorry, but after such large-scale security issues like Blaster and Klez, I don't think it's appropriate to give them any sort of improved marks. Sure, the patch might have been out.. But security is also about education.

    --

    [sig]www.masterslate.org[/sig]
  19. Give them an "F" on the report card by QuantGuy · · Score: 5, Insightful
    Three observations.
    • First, Microsoft gets no points for "taking security more seriously," because that's a DUH! instinct. Consider that large parts of the public sectors in Israel, the UK, India, China and Germany have decided to go the open source route -- in part because of security fears. Consider also that Microsoft's deferred revenues (new contracts!) were off by ~$600M last quarter; Connors specifically pointed out that this was because "salespeople were helping customers deal with security." Ballmer must be crapping himself. So what we're seeing is a survival instinct, not shrewdness, on Microsoft's part. So, no points for that.
    • Second, the scourge that is the Windows security problem has reached the level of pandemic in 80-90% of all companies. The patch-and-pray vicious cycle is overwhelming everything else. For IT staffs, it's Love in the Time of Cholera out there. As we speak, the spreadsheet monks at Gartner and IDC are probably flailing wildly as they attempt to update their TCO models.
    • Third, I resent the fact that Microsoft has commingled the need to fix a serious quality and customer satisfaction issue (shoddy code) with the implementation of market-preserving technologies (e.g., Palladium^H^H^H^H^H^H^H^H^H er, the "Next Generation Trusted Computing Base"). Business model enforcement through cryptography should not be confused with security.

    Re-writing Windows from the ground up seems to me to be the best remedy. Forcibly breaking backwards compatibility should be a design goal.

    1. Re:Give them an "F" on the report card by QuantGuy · · Score: 2

      Re-writing from scratch is eminently feasible... just ask Apple.

      As for breaking backwards compatibility, I don't see why this is so objectionable. Microsoft wants this to happen anyway, since the company is encouraging customers to write code in languages that use the .NET CLR ("managed code"). Most of today's most critical business applications will almost certainly need to be re-written for Longhorn.

      If Apple can create a virtual "Classic" OS 9 environment that runs under OS X, why can't Microsoft create an OS with a virtual Win32 environment, sort of like the way VMWare does it but with a (much) stricter security sandbox around it? All new code would run in the "new" environment (presumably CLR-based).

      As for breakage, frankly I don't see how on earth you're going to get better security without breaking something. When Gates stated that "when we have a choice between functionality and security, we must choose security," do you really think he meant it would be painless? Far better, I say, to rip the Band-Aid off quickly than r-e-a-l s-l-o-w-l-y, which is what we're doing now.

      Nullum prandium gratuitum.

  20. Is by katalyst · · Score: 2, Funny

    Microsoft BS7799 certified?

    --
    |/________
    |\A|ALYS|
    1. Re:Is by Justin205 · · Score: 4, Funny

      Microsoft BS7799 certified?

      I don't know about the 7799 part, but Microsoft is certainly BS certified.

      --
      "Your effort to remain what you are is what limits you."
  21. Confusing figures... by Polkyb · · Score: 2, Insightful

    It says here, Mr Gates, that you released 32 security advisories and 21 vulnerability fixes for Windoze 2000 Server in the first six months, yet for Windoze 2003 Server you had 14 flaw fixes and 6 critical issues...

    Would this be because W2K3 server is based on Windoze XP code and that the majority of bugs had been ironed out already in the months between the releases?

    hmmmm....

    --
    I've never shoed a horse, but I once told a donkey to piss off!
  22. Re:Microsoft Security by Afrosheen · · Score: 4, Insightful

    1. Don't open emails unless you are certain it is from a trusted source.

    That's the big problem here. When your email client, by default, displays HTML and executes macros and scripts, you're extra vulnerable. Even if it's from your pal Bob that you've known for 40 years, his computer may have been owned by a worm and just emailed all his friends seeking to propagate. You say 'hey it's from Bob, I trust him' and open it. Boom, you're owned too, and may never know it.

    Bad design is bad design, there's no two ways about it.

  23. Re:Microsoft Security by Anonymous Coward · · Score: 2, Interesting

    Outlook 2003 does none of those things by default. MS has learned.

  24. I think a fairer summary is... by darnok · · Score: 4, Interesting

    that they've discovered their security problem is much bigger than they thought it was.

    Sure they've progressed in that there are more known security holes fixed now than there were 1-2 years back, but there are also far more security holes that have been identified, and at (seemingly) a much faster rate than 1-2 years ago.

    In other words, 2 years ago, they rated a 4/10 in terms of security. Today, I'd say they probably rate 20/50. Overall, my impression is that they've essentially stayed in place in terms of removing security holes from their products.

    If you think that I'm being unfair, consider how long it's taking new security holes to get fixed now versus 2 years ago - it seems to be generally longer.

    Also, consider that MS has now taken the step of bundling security updates into big bunches, to ease the pain of applying them - that they've had to resort to this is a reasonable indication (IMHO) that the quantity of security holes being *fixed* has gone up significantly.

    Finally, consider the rate at which security holes are being uncovered - it would have to start dropping off dramatically if MS was being successful in fixing their problems. That certainly doesn't seem to have happened.

  25. agree by Tom · · Score: 3, Funny

    O'Grady, agrees that he would give Microsoft 'improved marks,'

    Have to agree there. Two years ago, it would have been a solid F (us) or 6 (de). Today it's an E (us) or 5 (de).

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:agree by Tom · · Score: 2

      Nah, I just didn't go to school in the US. Didn't know there is no E. So they get a D instead. Or whatever else you have that means "you passed. barely. And only because I had a good day".

      --
      Assorted stuff I do sometimes: Lemuria.org
  26. Re:Microsoft Security by WIAKywbfatw · · Score: 2, Insightful

    It's an oxymoron.

    Seriously though, it's good to see that Windows 98 support has been extended. I shudder to think how many compromised Windows 98 systems there are out there now, let alone imagine how many there would be in 6-12 months time once vulnerabilities that hadn't been patched before support was dropped began to be exploited in earnest.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  27. Microsoft Culture by gen2002 · · Score: 2, Insightful

    Although Microsoft is known for its security problems, the individual Microsoft programmer is a good one. Microsoft doesn't make secure products because the programmers are directed by management to prefer a nice shiny GUI instead of security.

  28. Yeah, right... by pjrc · · Score: 5, Insightful
    If Microsoft were really taking security seriously, why would they not yet fix the IE phishing (URL obfuscation) bug. This is such a simple thing to fix, and it has been public knowledge since at least December 9.

    For an indication of just how seriously Microsoft is taking security, rather than quickly fixing the bug, Microsoft is advising users to manually type URLs rather than click on hyperlinks. Well, of course, only malicious hyperlinks... but because of this bug, a scammer's link appears to be to the genuine website. Of course, they offer other gems, such as a chunk of javascript you can run to tell you the URL of the website you're actually viewing, since their software can't be bothered with giving you a correct indication. Or you can launch notepad and copy a shortcut. Yeah, everyone should have to go to the trouble of doing these steps, because they couldn't manage to get a fix out quickly (within the 1 week between the disclosure and scam artists starting to use it to trick end users into disclosing sensitive info). Microsoft also suggests viewing email as text-only... effectively reading all the html source, and changing to the high security profile (turning off all the dangerous technologies they have "innovated" over the years: ActiveX, scripting, etc...) not because they will help you avoid being tricked, but because it will limit the damage.

    All because they couldn't fix this simple problem quickly.

    Yeah, that's taking security seriously!
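    The core of the complaint above is a link whose visible text reads as the genuine site while the browser actually goes somewhere else. As an added example (not from this post, not Microsoft's advice, and not the javascript the post refers to), here is a defender-side scanner over a constructed HTML mail body that flags anchors whose displayed host differs from the host the browser will contact, and anchors whose URL carries a userinfo ("name@host") part, where the name before the "@" is not the host; the IE bug's own mechanism is not described on the page and is not assumed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail body (not from the page): one honest link, one whose
# visible text names the bank but whose URL really resolves to another host,
# one consistent link, and a mailto: that is out of scope.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://www.bank.example/login">log in</a>.</p>
<p>Or use <a href="http://www.bank.example@203.0.113.5/login">http://www.bank.example/login</a></p>
<p>See also <a href="https://www.bank.example/help">www.bank.example/help</a></p>
<p>Write to <a href="mailto:help@bank.example">help@bank.example</a></p>
"""

# Visible link text that makes a claim about where the link goes: an optional
# scheme, a dotted host name, then optionally a path, port, query or fragment.
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host the reader would take the link text to name, or None if it is not URL-like."""
    if not _URL_LIKE.match(text):
        return None
    url = text if "://" in text else "http://" + text
    return urlsplit(url).hostname  # urlsplit lowercases the host


def check_links(html):
    """Return (href, visible_text, reason) for every anchor that reads as one host but goes to another."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, relative and other links are out of scope here
        # urlsplit parses "name@host": .username is the part before '@',
        # .hostname is where the connection really goes.
        if parts.username is not None:
            findings.append((href, text, "URL carries a userinfo part before '@'"))
        shown = displayed_host(text)
        if shown and parts.hostname and shown != parts.hostname:
            findings.append((href, text, f"text shows {shown} but link goes to {parts.hostname}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_HTML):
        print(f"{reason}: <{text}> -> {href}")
```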

    1. Re:Yeah, right... by Tim C · · Score: 2, Insightful

      All because they couldn't fix this simple problem quickly.

      Interesting; I take it that you've seen the IE source code, then? I mean, you have to have, to know that it's a simple problem that can be fixed quickly, rather than something buried deep in the bowels of the code in a module that has hundreds of dependencies - or even something buried deep in the bowels of the OS/MFC, with thousands of dependencies.

      No, I don't think it's likely - but you're spouting supposition as though it were gospel. Unless, of course, you've seen the source.

      Yeah, that's taking security seriously!

      Well, rushing a patch out as fast as possible isn't taking security seriously either, if that patch introduces another exploitable bug.

    2. Re:Yeah, right... by man_ls · · Score: 2, Interesting

      How, then, do you propose they keep pirated copies of XP from downloading updates?

      They blocked the number one pirate CD key from downloading them even before SP1. And, with SP1, they blocked around 150 other "commonly used" pirate CD keys.

      That doesn't mean there aren't other corporate keys that are valid...corporate keys bypass activation so there's no validity checks. If it's a corporate key leaked from a large company, it's feasible that it could go unnoticed for a long period of time before being caught and invalidated.

      I, personally, advocate Windows Update sending a 'destroy installation' command that will cause Windows to boot to some kind of anti-piracy screen, and destroy all other files on the hard drive. And, I think that's perfectly reasonable -- you steal the software, you run the risk of the software you're not using legitimately destroying your data.

      You just run into the problem of detecting pirate copies then.

  29. Re:Microsoft Security by NemoX · · Score: 2

    umm how about switching to a more secure OS so you don't have to put up with all that BS.

    In the past 3 years I have only used Linux at home. Never had to worry about viruses, nor spam (yeah, that's right, I averaged 2-3 pieces a year), nor spyware (spam maker), nor adware (spam maker), nor web browsing issues (IE security flaws). Now I spend more time cleaning up all this crap than anything because I have to have a winblows box at home so I can do .net crap >:[

    Granted, I kept the system patched, and used the built-in firewall (switched no to yes, how hard is that? Thanks to SuSE for the easy prebuilt firewall). But at least I never had to reinstall my entire OS because a Windows update failed (which just happened to my brother yesterday, and I have seen it several other times, too!)

    So, no, it is not just about educating users, it is about making a more secure system! Windows is crap, when will the world realize this? (I'm not saying Linux is the best, just better...every OS has its problems, but Windows just has the most...by far)

  30. Seeing it in another perspective by euggie · · Score: 5, Insightful

    I am reading a lot of MS-bashing here. But let's take a look at some facts here:

    Consider a pretty standard setup--the OS, plus ftpd and httpd--here's the count of errata advisory between M$ Win2k Server and RedHat 9:

    Microsoft: 1, for the botched FrontPage Extension patch released in November.
    RedHat: 4, for the following:
    1. Dec 2nd: Updated 2.4 kernel fixes privilege escalation security vulnerability RHSA-2003:392-05
    2. Dec 16th: Updated lftp packages fix security vulnerability RHSA-2003:403-07
    3. Dec 17th: Updated httpd packages fix Apache security vulnerabilities RHSA-2003:320-09
    4. Dec 24th: Updated 2.4 kernel fixes various bugs RHBA-2003:394-08

    Not to mention I will need to think about what to do when RH9 becomes EOL in April.

    Interesting.

    I am by no means pro-MS here. If I had my way it'd be all qmail and publicfile. In fact, I don't have the balls to put my company's Exchange server directly on the 'net; I put it behind a RedHat box running perdition, and have qmail as the MX, behind an IOS IDS/FW.

    Trust needs to be earned, and MS is slowly earning mine in the security front. I don't trust MS software enough to stick them directly on the Internet yet, but they did earn my trust to let Windows Update automatically sort things out: Not a glitch in the last 18 months.

    The fact of the matter is, with a little clue as an admin, Windows can be made pretty secure. Being clueless, Linux can be made to be a big wad of swiss cheese.

    We Linux and /. crowds--me included--can be an arrogant and blinded bunch. Sure, we can sit around bashing MS and fool ourselves on how insecure Windows is, but that doesn't accomplish anything. MS is catching up /fast/; that's fact. If we remain complacent, we can fall behind sooner than you think.

    Now that you have the facts... Go ahead, mod me down.

    1. Re:Seeing it in another perspective by Oriumpor · · Score: 2, Insightful

      Well when Microsquish made the switch to Akamai recently for their software update hosting they broke many users' ability to update and gave no release on how to fix it. Yes sure, it was just an issue of changing the default URL to httpS instead of http and accepting the new certificate, but how many Joe Blows are going to know that? And no, an obscure TechNet article referenced by a letter and a number does not count as a release, especially in a service as important as software update has become for M$.

      Even if SUS works properly, what is the purpose of needing to reboot every system that is updated. Can't this be taken care of with minimal (3-6 seconds) downtime while a service resets?

      We all know that by its very nature Linux is more secure than Microsoft. The sheer number of vulnerabilities available is not necessarily a good measure of the actual security of the system. The measure is properly the number of vulnerabilities successfully taken advantage of easily and massively.

      Let me sound off for a second here on the major issues I personally have with MS:
      CODERED
      NIMDA
      MIMAIL
      BUGBEAR
      KLEZ
      NACHI
      BLASTER

      Good security practices, updating regularly and keeping up-to-date virus protection are an important part of stopping the above garbage from getting on your network. EVEN then, the effects of the above will still cause you downtime since your provider will have to scramble to deal with all the DDoS thereafter.

      The following is reason enough to be extra wary of any microsoft product security wise. Believe it or not, Nachi apparently SAVED M$ ass when it came to MS-Blaster. The number of source addresses scanning for 135 dropped by nearly 80% in these first weeks of 2004. AND there are STILL code red systems out there attaching to my Apache server occasionally. I sure don't see a massive SSH/Apache Code Red/Nimda style worm topping the bandwidth charts.

      The deuce you say, imagine that the web browser with 70% market share doesn't have a massive network-screeching-to-a-halt worm spreading with free rein?

      Who cares anymore, it's been 8 years GNU/Linux+Apache+SSH has proven itself the most secure and reliable system for Web-Serving and MySQL+PHP is fast overtaking MsSQL+ASP as the most popular method of dynamic content distribution.

      Once I start seeing massive changes to the netcraft survey, then I'll believe Microsoft has done enough to curb their Virus problems. The proof is in the puddin so to speak.

  31. incomplete after a while becomes... by MoFoQ · · Score: 2, Funny

    An incomplete after a while becomes an F at most colleges....and since it's been going on for more than two years.

  32. Re:Microsoft Security by bryhhh · · Score: 4, Insightful

    umm how about switching to a more secure OS so you don't have to put up with all that BS.

    Your choice of OS doesn't make your system secure. What makes a system secure is a user that has a clue.

    In the past 3 years I have only used Linux at home. Never had to worry about viruses, nor spam (yeah, that's right, I averaged 2-3 pieces a year), nor spyware (spam maker), nor adware (spam maker), nor web browsing issues (IE security flaws). Now I spend more time cleaning up all this crap than anything because I have to have a winblows box at home so I can do .net crap

    Like you, I've not had a virus in countless years. I don't get spam, my system has no spyware, or adware or web browsing issues (Firebird rules!), and I run a Windows box (prerequisite of being a Windows sysadmin). Had I been an uneducated user, I'm sure I would have fallen foul of most (if not all) of the issues you have listed.

    But at least I never had to reinstall my entire OS because a Windows update failed (which just happened to my brother yesterday, and I have seen it several other times, too!)

    There are approximately 3000 Windows PCs on the university network that I admin, and I don't see the Windows Update issues that you see. Occasionally a patch will fail, but if you know what you're doing it is quite simple to fix, without having to resort to a complete re-install. Reinstalls are for failed disks and compromised machines.

    So, no, it is not just about educating users, it is about making a more secure system!

    But who makes the system secure? Why, _educated_ users do. - If a user is clueless, the odds are that they will be compromised, regardless of what OS they choose.

    Windows is crap, when will the world realize this?

    I'm beginning to think you are a troll.

  33. Re:Secure Means by dazed-n-confused · · Score: 3, Funny
    Not quite:
    • Tell the Navy to secure a building, and they'll lock the doors and windows when they leave.
    • Tell the Army personnel to secure a building, and they'll post guards on the doors and patrol the perimeter.
    • Tell the Marines to secure a building, and they'll assault and capture it, killing everybody inside.
    • Tell the Air Force to secure a building, and they'll take out a twenty-year lease with an option to buy.
  34. MCP Club by Skreech · · Score: 2, Funny

    The first rule of MCP club is you do not talk about MCP club.

    Now go set up franchises all over the country.

  35. Same goes for Apple by Tune · · Score: 3, Interesting

    >Microsoft doesn't make secure products because the programmers are directed by management to prefer a nice shiny GUI instead of security.

    Apple has some good programmers
    Apple management has a GUI focus

    Still Apple doesn't make conceptual security flaws like requiring root privilege for any user to perform even the most basic tasks.

    --
    Every program has two purposes -- one for which it was written and another for which it wasn't.

  36. Re:Microsoft Security by rifter · · Score: 2, Informative

    Microsoft Security. What's it all about? Is it good, or is it whack?

    I'd have to say whack. As is this report. Crowing about the lack of reported vulnerabilities means nothing when you have paid security firms not to report vulnerabilities! Of COURSE the vulnerabilities reported have decreased. But have the real vulnerabilities decreased? Thanks to Microsoft, we will never know.

    Without subjecting themselves to the same review other operating systems undergo, they have no cause to crow about a perceived dearth of vulnerabilities, especially since many previously reported vulnerabilities persist and will not be patched (but are not included in this report since they are not newly reported).

  37. [Somewhat OT] Re:Let's be honest by cubic6 · · Score: 2

    The way I see it, the argument that programs "need not be fast" is saying that most things we do with our computers (web browsing, listening to music, writing email and word processing) aren't terribly processor intensive. The bottlenecks are usually storage speed and user response. Even the newest and greatest DDR3000 memory can't send data anywhere nearly as fast as a 500MHz PIII can execute it. Same thing with hard drives and network. It's also true that most user interaction is the slowest part of most operations. If you're typing in MS Word (or OpenOffice.org ;), your processor is sitting there going "OK, type another letter!" about 2 billion times a second.

    That said, our requirements (I assume you're with me, cause you're compiling stuff...) are a little different than the average user. I manage to hit 100% CPU utilization pretty regularly due to compiling, POV-Ray, starting Mozilla, etc.

    Just the fact that it doesn't have to be fast doesn't mean it can't be, but I figure the less time the developers spend making Windows 0.0000001 second faster at popping up the start menu the more time they spend fixing bugs and security holes.

    --
    Karma: Contrapositive
    1. Re:[Somewhat OT] Re:Let's be honest by hauer · · Score: 2, Interesting

      The bottlenecks are usually storage speed and user response.

      Indeed. You are highlighting the first principle of optimization: only do it where it makes a difference - something I completely agree with.

      It's also true that most user interaction is the slowest part of most operations. If you're typing in MS Word (or OpenOffice.org ;), your processor is sitting there going "OK, type another letter!" about 2 billion times a second.

      Agreed. But just because most of the time you do not notice it, if some of the time you do, that can make quite a difference in convenience. In a multiuser environment, where you log in daily, maybe more often, it does matter whether your programs fire up in a second or in two minutes. When your browser needs to start a helper application, ditto. After you have typed twenty pages in Word (with 99% idle CPU), with figures and tables and you want to tweak with the layout, fonts, styles, etc., the faster your document is rerendered, the more convenient/fast/versatile your design effort will be.

      And if you want to do image manipulation on your photo album at some point...

      I wholeheartedly agree with you that the needs of different types of users are quite different. But I do not think that speed requirement is only that of programmers/geeks.
  38. Glass Houses? by gregarican · · Score: 5, Insightful

    This honestly isn't intended to be a troll, but I'm sure it will probably be modded as such. Microsoft has had a slew of issues trying to patch apparently flawed reused code (since all Windows versions are built on top of each other's code, with reportedly Longhorn being the first "from scratch" Windows version). The fact that the same buffer overflows are so pervasive in their product line is inexcusable. Input validation and boundary checks are basics most folks learn in CS101 - Introduction to Programming. You wouldn't expect such flaws in each and every version of Windows software.

    All of that being said, no technology area is devoid of security flaws. Look at the recent attention given to H.323 standard vulnerabilities due to default ASN.1 parsing. That affects many vendors and product lines. Today I read an ISC diary entry detailing a couple of exploits that affect non-Windows environments. Apache, OpenSSH, QMail, Sendmail, etc. have all had their share of recently announced flaws.

    Of course Open Source Software *should* be more secure since many eyes can review the code as it is maintained and updated. But the fact that nevertheless there are significant flaws and exploits in this area further proves my point. Microsoft is the largest software company on the planet so of course they have a target on their back. There are no doubt many third party organizations dedicated to doing nothing but trying to break Windows in order to submit security reports. Of course there are anonymous black hats doing the same but for other obvious reasons.

    If the same manpower and effort were dedicated to breaking Linux and OSS applications (which currently have much less exposure and market share), I am sure that even more holes would be poked into what most folks on this board defend as being the silver bullet against corporate greed, monopolistic tyranny, and gaping security holes.
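    The "boundary checks" and the ASN.1 length-parsing problem mentioned in the comment above come down to the same habit: never trust a length that arrives in the input. The following is an added example, not code from the thread or from any of the products discussed; it is a minimal TLV (tag, length, value) reader of the kind an ASN.1/DER decoder is built from, with the length checked against the bytes that actually remain, and a copy routine that refuses rather than overruns a fixed buffer. All names (`read_tlv`, `copy_value`, `count_tlvs`) and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Read one short-form TLV element starting at *pos.
 * Returns 1 and sets *tag, *val, *val_len on success; returns 0 when the
 * header is truncated or the declared length runs past the end of buf.
 * The check is written as len > (remaining) so that pos + 2 + len can
 * never wrap around in size_t arithmetic. */
int read_tlv(const uint8_t *buf, size_t buf_len, size_t *pos,
             uint8_t *tag, const uint8_t **val, size_t *val_len)
{
    if (*pos > buf_len || buf_len - *pos < 2)   /* need tag + length bytes */
        return 0;
    *tag = buf[*pos];
    size_t len = buf[*pos + 1];                  /* short form: one length byte */
    if (len > buf_len - (*pos + 2))              /* value would overrun input */
        return 0;
    *val = buf + *pos + 2;
    *val_len = len;
    *pos += 2 + len;
    return 1;
}

/* Copy a value into a fixed-size, NUL-terminated C string buffer.
 * Returns 0 (and writes nothing) when it would not fit, instead of
 * truncating silently or writing past dst. */
int copy_value(char *dst, size_t dst_size, const uint8_t *val, size_t val_len)
{
    if (dst_size == 0 || val_len >= dst_size)
        return 0;
    memcpy(dst, val, val_len);
    dst[val_len] = '\0';
    return 1;
}

/* Walk a whole message. Returns the number of well-formed elements, or -1
 * as soon as one element's length claims bytes that are not there (the
 * malformed-input case a decoder must reject rather than read through). */
int count_tlvs(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    int n = 0;
    while (pos < buf_len) {
        uint8_t tag;
        const uint8_t *val;
        size_t vlen;
        if (!read_tlv(buf, buf_len, &pos, &tag, &val, &vlen))
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed samples: a well-formed message with two elements, and one
     * whose length byte (0x40) claims far more than the single byte present. */
    const uint8_t good[] = {0x04, 0x03, 'a', 'b', 'c', 0x02, 0x01, 0x2a};
    const uint8_t bad[]  = {0x04, 0x40, 'x'};
    char out[4];

    printf("good message: %d elements\n", count_tlvs(good, sizeof good));
    printf("bad message:  %d (rejected)\n", count_tlvs(bad, sizeof bad));
    printf("copy of 3 bytes into 4-byte buffer: %d\n",
           copy_value(out, sizeof out, good + 2, 3));
    printf("copy of 4 bytes into 4-byte buffer: %d\n",
           copy_value(out, sizeof out, (const uint8_t *)"abcd", 4));
    return 0;
}
```

    The design choice worth noting is that every check is against what remains in the input, not against the declared length alone, and the copy routine's failure is an explicit return code the caller must handle.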

  39. Yeah, wait a minute! by $ASANY · · Score: 2, Insightful
    Just when was it that "visiting random sites" or "opening random attachments" became sufficient explanations for a system going kablooie? "Well, Joe, you surfed www.turnips.net and you know it's a bad site! What were you thinking?" "Oh, my bad. Next time I'll consult the list of 'safe' sites before I go someplace unfamiliar."

    We're not going to hold a software company responsible for selling a product that risks the data on your system by leaving itself vulnerable to normal user actions? What next, advisories that you shouldn't drive north because cold weather might make the wheels fall off your car at speeds in excess of 40 mph?

    If I surf to a site, or open a random attachment in a viewer, and my system dies as a result, that software is defective by design. Any company that tells me I can't do either of these things with their products is admitting that they are knowingly selling defective software.

    Really, though, it's the users who shell out significant coin buying products that are known to be defective that need to change. If users won't hold a vendor accountable for their miserably defective garbage by not buying it, I guess the user community deserves all the pain that bad decisions cause. At least they could be rephrasing their complaints as "I bought a piece of crap and it exploded when I used it. I made a stupid decision." rather than "I surfed this site and my PC blew up. Bad site! Bad, bad site!"

  40. Re:Microsoft Security by poptones · · Score: 2, Insightful
    But that's the thing, see. I do agree that it's largely because of MS that machines are as cheap and available as they are today (although I'm not saying another MS wouldn't have come along). Without a "commodity OS" we would not have "commodity systems" and would be well back from where we are today.

    Look to the past to see the future: when radio first began it was completely unregulated because no one knew exactly how it even worked. Even after radio receivers had become affordable enough to enter "middle class" homes radio was still largely unregulated - until it came to the point you had neighboring transmitter stations engaging in kilowatt battles for the same frequency space because "that's where people were listening." The bands became increasingly crowded because ANYONE could rig up a transmitter and have at it.

    What you and I have come to expect from the PC has been shaped by our participation in the "invention" of it. But a vast majority of users - even users who witnessed that invention process - have no ethical relationship to that community. They no more expect to have to defend their personal computers from attack in their own homes than they expect to have to defend themselves from personal attack in that same space. Even when it comes to "attack" from communications mediums like TV and radio and telephones.

    THAT'S why the modern PC is still not what it needs to be. Not for grandma who just wants to check her email and surf the net. If grandma wants to play games there's nothing at all wrong with being able to download free games from a website - but there absolutely SHOULD be mechanisms in place to prevent grandma's computer from requiring a repairman's attention simply because the game didn't "like" her computer. Yes, it would take a lot of clock cycles to have this kind of protection. And yes, it would impact performance. But clock cycles are ever increasingly cheap, and there's nothing to prevent grandma from learning HOW that box works and then delving deeper.

    The solution IS technological. The internet is not "broken" but it still needs a way to be "fixed", at least as perceived by the majority of inexperienced home users. And it better come quick, because the lawyers and lobbyists are lining up their constituents.

    You should not have to know how to build a radio just to be able to listen to music. And you should not have to know how to "install a program" and "configure user identities" just to be able to surf public spaces, correspond via email and chat, play games and watch movies and listen to music without being accosted or verbally abused in your own home.

    If we don't fix it, the politicians will... or they'll bleed us to death trying.

  41. It's going to be a long, difficult march by mwood · · Score: 2, Insightful

    Many of the problems have been embedded in their corporate culture from Day 1. It's gonna take a long time to train *everybody* to think first about how some new whizzy feature might work against the security of the system as a whole, especially in a place where (apparently) whizzy features are the medium of exchange, and the more you can coin the richer you are.

  42. Re:How come we never see an OSS report card? by MattMan741 · · Score: 2, Insightful

    As much as it's a good thing to see someone who doesn't blithely follow the "if I install Linux the box will magically become secure" myth, there are a few reasons that OSS isn't getting this kind of attention.

    First off, there's the process. Someone reports the problem to MS, MS denies it, someone else reports it, MS denies it, but starts looking at it. It gets validated and the maintenance guys start looking at it. Eventually they find the bug and make the patch. The patch goes to QA. The QA people make sure nothing gets broken by the patch, and then it makes its way to MS Update. As opposed to (worst case) someone posting the problem to the mailing list of the app, (best case) someone posting the problem and a fix to the mailing list of the app. The turnaround in OSS is much faster; patches are issued all the time, usually within hours of the vulnerability being found. Compare that with the Microsoft turnaround....

    The second thing is that, as much as people here hate to admit it, Linux related stuff doesn't matter as much. When the overwhelming majority of computers on the internet can be harnessed for DDoS attacks, the scrutiny falls on the people who allow this to happen.

    Last point: do a comparison between the number of Microsoft CERT warnings compared to those of other operating systems and tell me that the scrutiny is unwarranted.

  43. To Paraphrase... by MonkeyGone2Heaven · · Score: 2, Funny

    That's not a bug, that's our business plan!

  44. Re:Linux SecWindows Sec: NOT, my linux was rooted by aaron_pet · · Score: 2, Informative

    Dude, Windows has EASY security updates.

    I use Gentoo Linux.. and had my box rooted right out in front of me.

    And more often the Linux security updates cause the computer not to boot!
    (I updated some stuff on SuSE with their updater... and blam, my boss was pissed at me, 'cause he told me NOT to update the boxes, and I was being paranoid about outsiders... but the SuSE update (kernel update) caused the computer not to boot even!)

    Anyway, my Gentoo was rooted, and I've had viruses on my Windows... er.. DOS on my 286 from a floppy... and from letting other people use my Windows with infected floppies...

    IMNSHO Linux is more difficult/mystic to keep secure... however it is getting better, and it's free... and I don't have to keep track of stupid serial numbers or pay for it.

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here