Gates on Winsecurity
xandroid writes "Just a couple of days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication',
:-)
I don't know about that... seeing as how I use OS X, I have yet to experience downtime or hassles due to viruses or worms. Of course there are problems with an increased number of emails from Windows machines containing worms and such, but they are simply filtered out via the spam filter. So this statement from Gates only really applies unless you are using something other than OS X, Linux, IRIX, Solaris, BSD, etc.
Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
Windows is Microsoft's cash cow and from an investor perspective, there may be push from the shareholders. I have sold off most of my Microsoft stock on principle after watching their abuse of the PC market for the last few years, but I still own some and this is not encouraging.
Visit Jonesblog and say hello.
I seem to remember this site used to focus on Linux, with only the occasional Microsoft-bashing article. Nowadays, it's completely the opposite.
Maybe perhaps michael and the editors are just trying to generate the extra pagehits and flamewars that Microsoft brings.
SIG:Slashdot: indymedia for nerds.
Excuse me, but Intel's ripped off 64-bit system has no sort of NX bit on it. That is the primary difference between AMD and Intel's 64 bit x86 implementation.
What I'm curious about is if this statement from Gates is a forward statement. Does this mean that Intel will adopt the NX bit within the next year or so? Hopefully this will be the case.
I can imagine that with this in place, a lot more of the script kiddies will be doing "Nuke" style attacks rather than full-on hacks. In this case, say if Apache were to have a buffer overrun exploit, the most that would happen is the service would be shut down. Still a pain in the ass for anyone trying to run a web server, but better than running a service that potentially grants access to your machine.
That and worms will hopefully not be so rampant anymore, provided that people stop opening exe email attachments. Don't we wish.
Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
Well, what exactly is the one "must-have" feature in Longhorn that makes it necessary today? Nothing really. A database-driven file system is not necessary. Internet Explorer 7 is not necessary (at least if you have Firefox it isn't). More DRM? Not necessary. What's necessary today are security fixes. And as long as Microsoft keeps patching WinXP, Longhorn is not needed anytime soon.
What is necessary now is SP2. And the sooner they release that, the better.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
telling me what I can and cannot run.
--------
Create a WAP server
Tell gates not to forget about lowering prices. This will help slow the move from Windows to Linux as well.
Price and security both need to be priorities for Microsoft. Both price and security are BIG TIME negative aspects of owning Windows.
Whatever Gates may say, I think most people will agree most security problems boil down to one simple thing, the stupidity of the user. When I say stupidity, I do not mean it as an insulting term as it applies in everyday life. Perhaps ignorance is a better term to use. For every RPC vulnerability in a badly written program, there are millions of users clicking on virus-laden attachments. To know better is not rocket science. Once you get a feel for them, computers are very simple systems, complicated only in the fine detail, and there is a huge resource of information out there for anyone to easily find.
So how have we come to the situation as it appears today? How is there this sudden increase in ignorant users who, while singly can only destroy their own connective experience, in their millions can ruin the Internet for all of us? I mean the virus propagators, the incompetent admins, the 1% who buy spam products.
I would suggest there are two modern phenomena which account for the huge numbers of inept computing users. One is contained by the phrase "the October that never ended". Yes, AOL (and other ISPs) have to bear the burden for some of the mess. There is nothing inherently wrong with giving the inexperienced access to the web. But not giving them the most cursory Internet security information and programs is akin to leaving your car running and throwing the keys in the midst of a nearby group of drunken adolescents.
IMO the other main player in the make-a-fast-buck-off-the-stupid industry has to be Apple computers. Controversial, but let me explain. Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants". This is a dangerous mindset to encourage. Their computers are set up to do everything for you, to treat the user with a kind of benevolent contempt. Some recent pricing of upgrades illustrates the kind of attitude Apple has to its customers. While relatively unpopular, Apple computers can safely get away with this. But like "security through obscurity" it is not a policy that can scale safely.
AOL and Apple are a twin-prong attack on our Internet experience. Perhaps it is time to introduce a licensing scheme beginning with the users of these two products. We license car drivers, because a bad car driver is a danger to others as well as himself. Increasingly it is becoming clear that inexperienced users must fall in the same category.
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
Why does a protected stack need hardware modification? IANACE, but doesn't OpenBSD do this on standard hardware? As much as I don't like substanceless MS criticism, and as much as I want the status quo's platform to be secure, I really think that actions speak louder than words, and while SP2 is a big step in the right direction, how about:
1. Ditching ActiveX, does anyone actually use this for anything other than malware anymore?
2. Disabling the (Outlook) preview pane by default
3. Higher SSL verbosity with IE
4. IE URL bar and status bar should go into an "extra careful verbose mode" when it encounters hexadecimal encoding (%).
IMO, these are all obvious things that should have been changed LONG ago, why are they still defaults?
What wasn't said
"....and if anyone makes a workaround for the NX feature to install Linux we will be able to use the DMCA to thwart them."
I read Gates's comments a few days ago and noted that at no point does he even come close to admitting that every virus, worm, or other exploit that hits Windows is able to do so because Windows' own code has made it possible. "Windows security" should be used as a perfect example for a dictionary definition of an oxymoron.
Seriously, with approximately sixty billion dollars in the bank, exactly what prevents M$ from producing a secure OS?
Slashdot posts every single letter, lecture, and little throwaway statement by Bill Gates in order to give the "M$"-bashers something to froth over.
Absolutely nothing new will be offered in the discussions for this article.
Meanwhile, Gentoo, Debian, GNU (twice!), and Gnome have all been hacked in the span of the last six months, and LinuxSecurity reports dozens of vulnerabilities for each distro every week alone.
It will always boil down to this--security as a criticism against Windows will always be something that's only valid to other Slashdotters. Most of the rest of the world doesn't see it that way, and the rational among us see it as an admin and user ignorance problem. When Slashdot posts articles with titles like "Another New Microsoft Hole" and it turns out to be a user-run executable attachment worm (yes, this was a real article), or "Microsoft Violates Human Rights In China" simply because Windows is used by the government there (never mind that China has its own custom Linux distribution, but I doubt we'll ever see "OSS Violates Human Rights In China"), I can only shake my head and just wait for the next cool technology article.
Because that's why I first started coming to Slashdot--the cool tech news. Not "let's fill our daily quota of one 'bash M$' article per day." I used to go to K5 as an alternative because of the interesting tech articles that didn't get posted here, but at some point K5 became a liberal anti-Bush administration site. This place has become an anti-RIAA, anti-M$ site. I miss when there was no agenda other than being a cool site for nerds to get news on the latest Stallman lecture, Linux kernel technology, or programmer interview.
But, here's an idea! What if the email program DIDN'T EXECUTE SCRIPTS WRITTEN IN BASIC!
Hey, Bill, here's some code that will kill worms dead:
How long will it take until Microsoft dips into the Outlook code and stops the running scripts in message attachments?
Maybe never. They'll just build rarely updated "after the fact" virus scanning in the next XP service pack! Yeah, that'll do it.
I won't need it. I use Thunderbird and Mozilla Mail.
Ever dream you could fly? Get up from the Flight Sim. I Fly
With Longhorn only coming out in 2006, hopefully Linux will make a huge push over the next couple of years to cement itself as a serious 'business desktop' platform.
People were saying this around 2002. Two years later, and KDE and GNOME are still pretty much the same, slowly taking evolutionary baby steps.
Longhorn is going to be entirely .NET and include things like Avalon, Indigo, WinFS, and so on. I guess what I'm saying is Microsoft is actually pushing to do a revolutionary release--this will be the same kind of change going from Windows 3.1 to 95 was.
Plus, I think Slashdotters ignore that people have Windows software and won't magically dump it all and switch to Linux simply because the next version of Windows is due out in 2006 instead of 2005. I see no signs whatsoever that signify Linux is going to make some sort of great stride in the next two years. In fact, things look much the same as they did two years ago, except that KDE and GNOME have, like, more buttons and stuff, and now we're supposed to be switching away from DevFS or something in our production kernels...
Personally, I think Apple is making incredible headway lately. They're Doing Everything Right(tm). If anyone's making strides today and in the next couple of years, it's Apple. OS X just gets better and better (and subsequently ripped off...).
Would you rather have a half-finished OS be released?
Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants"
Every extra hour that I am forced to spend learning how to make a computer do what it should have done in the first place adds $50 to the TCO of that machine. So if I have to spend even one hour per week figuring out how to keep my machine safe from exploits, I've added $2500 to the cost of that machine for that year.
I am not proudly ignorant, I only realize that my time is limited and that spending it patching gaping holes in a badly designed product is not top of my list of either fun or productive things to do. At best, you could call me resentfully ignorant because I resent that ignorance should be a problem.
I'm not even sure how you can blame Apple for much of the Internet's current dismal state of affairs. What percentage of viruses, trojans, spam, etc. are distributed via Apple machines?
But, as long as we are playing the blame game, I might as well burn a few karma points. Let's add some more culprits to the list:
1. All the IT vendors that touted software and internet services.
2. All the businesses and organizations that listened to IT vendor's hype and gave PCs to all their employees.
3. The original internet standards designers who gave us naive, overly-trusting standards that make it too easy for anonymous blackhats and spammers to send out untraceable virus packets and spam.
4. CPU makers (and Gordon Moore) for giving us such a rapid pace of performance growth that no platform ever matures before it is replaced by another exploit-ridden next-generation OS.
I'm sure there are others.
Two wrongs don't make a right, but three lefts do.
You mean like every other Windows version?
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Where are we going to be at in 2006? KDE 3.5 and GNOME 2.8, with the same old XFree86 technology running beneath.
You know, there's a flipside to that coin: if it ain't broke (which it mostly isn't), don't fix it. Unlike Microsoft, "we" don't have to do buzzword-laden feature releases on a regular basis.
Free software isn't perfect by any means, but it's steadily improving. Besides, nobody really knows where we'll be at in 2006 - not even Microsoft can give you any guarantees on where they'll be then.
Oh, please, don't be so condescending. I'm a programmer, been one since 1978 (how old are you?) and I've been using Macs since they came out. Even have a Lisa. I'm the IT director at a company where we have about 30 servers, most of them Macs. The ones that aren't are running a variety of *nix, and one Windows Terminal Server. I've written TONS of code for DOS, for heaven's sake, and Windows since 3.1.
Trust me, I am not "proudly ignorant". I use Macs because they're better. Period. I am not genetically defective, either. Jeez.
Here's an interesting thought. Is Linux more secure and stable BECAUSE it is more difficult to set up?
Linux makes few assumptions. You have to explicitly install and run things if you want them. There is no marketing pressure to force you to take features you do not want. Heck, you can even build your own kernel to include or exclude features. The "barrier to entry" under Linux is higher. So the majority of Linux installs were installed by somebody who actually knows something about a computer.
Conversely, Windows is easy to install. Furthermore, since it comes pre-installed on most computers, it is REAL easy to install. Windows is not so much of a choice for most users as it is the failure to make a choice. Many of the people "successfully" running Windows are "twelve o'clock flashers". (You know, those people whose VCR constantly flashes "12:00" because they have no idea how to set it.) Combine this with cheap, always-on broadband and you have a recipe for disaster.
You've heard of "security through obscurity"; well, Windows suffers from "insecurity through ubiquity".
I think you underestimate users. People will double click, unzip and spend however long it takes to run any attachment they get. Even if their e-mail program or ISP or whoever says something like "The attachment is a virus... do not open it." They will still open it.
Now, for most users, it's not the "2 clicks away is too far" rule... it's the "you need an administrator password to install anything" rule. This is why people tell you to not log in as root (and why the root account is disabled by default in OS X). Now when you double-click that attachment and instead of opening a document, it prompts you with the password dialog box, alarm bells should start ringing.
Oh and most archival programs will save rwx flags. So while it's harder to get a virus, never underestimate how stupid people can be.
So on OS X, if I download a SWF file or a HTML file with embedded JScript, or visit a page with a Java applet in it, I won't be able to execute any of the scripting code embedded in those files unless I copy them to my hard disk and set an execute flag?
Saying that forcing users to enable an Execution Flag on files before you can run them, is a 'security feature' is ignorant. There are plenty of plain file formats that can contain executable code in them, and an 'execute flag' doesn't do anything to solve that problem. All it does is inconvenience users. Word Macro Viruses were plenty effective even though you couldn't double-click a Word file and run it just like an EXE file.
using namespace slashdot;
troll::post();
I was talking about executable files (notice the word "executed" in my post). You're talking about interpreted scripting languages. If you don't want such things to be run, then either disable whatever "feature" causes them to be run, or choose to use software that simply doesn't run them.
"Plain file formats" do not contain executable code. They might contain code that can be interpreted. A perl file downloaded from the Internet for example cannot be run by typing ./perlfile.pl until the execute bit is set. Running it using perl ./perlfile.pl is different, since the initial program being run is the perl executable, and it's not up to the shell to decide how to run the script.
Java VMs (at least the real Sun versions) have a security policy which prevents applets writing data to anything other than the domain from which they came. i.e. if it came from the internet, it cannot read/write to any arbitrary part of the local filesystem unless you change the security policy manually.
I'd agree that any point-and-click GUI that lets users run interpreted code from files like that is missing something in the security department.
The execution bit being a security feature is a fact, not a sign of being ignorant.
Follow me
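The execute-bit argument in the post above, together with the earlier remark that archival programs save rwx flags, as an added shell example that is not code from the thread. It assumes a POSIX sh with mktemp and tar, and builds its own throwaway script file: direct invocation is refused without the x bit, handing the same file to an interpreter is not gated at all (the file is just data to sh, which is the Word-macro point), and a tar round trip carries the x bit across.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh, mktemp and tar.
# Shows what the execute bit does and does not gate on a Unix-like system.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample "downloaded" script: plain text, no execute bit (mode 644)
cat > "$WORK/script.sh" <<'EOF'
#!/bin/sh
echo ran
EOF
chmod 644 "$WORK/script.sh"

# Direct invocation (./script.sh): execve needs the x bit, so this is denied
direct_run() {
    if "$1" >/dev/null 2>&1; then echo executed; else echo denied; fi
}

# Interpreter invocation (sh script.sh): the interpreter is the program being
# executed and the file is only an argument, so the x bit is never consulted
interp_run() {
    if sh "$1" >/dev/null 2>&1; then echo executed; else echo denied; fi
}

# Set the x bit on a copy, pack it, extract into a fresh directory and report
# whether the extracted copy is still executable (tar stores mode bits)
archive_round_trip() {
    cp "$WORK/script.sh" "$WORK/sent.sh"
    chmod 755 "$WORK/sent.sh"
    mkdir -p "$WORK/out"
    ( cd "$WORK" && tar cf sent.tar sent.sh ) || return 1
    ( cd "$WORK/out" && tar xf ../sent.tar ) || return 1
    if [ -x "$WORK/out/sent.sh" ]; then echo preserved; else echo stripped; fi
}

# The same file becomes directly runnable once someone sets the x bit
direct_run_after_chmod() {
    cp "$WORK/script.sh" "$WORK/local.sh"
    chmod 755 "$WORK/local.sh"
    direct_run "$WORK/local.sh"
}

# Stand-alone run: print what each path does
echo "direct without x bit:  $(direct_run "$WORK/script.sh")"
echo "via interpreter:       $(interp_run "$WORK/script.sh")"
echo "after tar round trip:  $(archive_round_trip)"
echo "direct after chmod +x: $(direct_run_after_chmod)"
```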
And AMD supports it first. They support it right now. Intel is dragging their feet on it. That's the reason I WILL be buying AMD and boycotting Intel (although there are others, this would be the main one).
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Couple of random thoughts:
1. NX bit is not an end all in preventing mal code from running. It does limit some exposure.
2. DRM is not guaranteed security as MS is trying to sell to the public. It does guarantee that fixing a hacked system will be sooooo much more difficult. A successful hack could render someone's local data inaccessible. And we are sure to see version 1.0 type vulnerabilities in BIOS, OS and libraries for a while... eeek.
3. MS providing antivirus, firewall and so on will not work out as competition between vendors has fueled a ton of creativity and generated some pretty amazing products. Let's hope this feature is like the backup software included with Win3.11 and 95 rather than IE.
4. None of this really speaks to MS's most important and weakest security-wise product: MS Office.
-- $G
I can't get too worked up about the threat to Symantec et al. caused by MS closing their security loopholes.
Those loopholes should never have existed in the first place. I think the fundamental unfairness is that we had to be saddled for a couple of decades with a P.O.S. "operating environment" because both MS and its customers were too short-sighted to get it right the first time.
Also, no matter how much good faith effort is exerted to close security holes at the design and implementation levels, there will *always* be a need/market for an external security effort. Something like CERT won't go away. I can still imagine a healthy "security ecology", as organizations attempt to crack MS software and blackmail^W attempt to convince the rest of the world that the fix is needed.
John.
once it's proven to work, then the bells and whistles get added.
...
Unfortunately, once you add the bells and whistles you can no longer say with any certainty that the code still "works." Anytime someone touches working code they risk breaking it. The only way to avoid that is testing, which is as much of an inexact science as programming is.
He isn't saying he is going to deduct it on his taxes, dumbass. He is saying that he is willing to pay more for a machine that will allow him to spend more time making money and less time fixing it. If his productivity increases, he will make back the difference.
Well, I run several *nix servers; my home and office machines are both Win XP. I have *never* been infected by a virus. Never.
In the words of some of the security professionals out there(from the people at @stake and foundstone):
If you have never been hacked [sic] you are either too small a target to be worthwhile, or, you have been hit, but are not good enough to notice.
Amongst security professionals, you are rated good if, when asked how many times you have been hacked in the last 5 years, your answer is "once or twice". If it is "never" that is almost as bad as "lots".
Try to hack my 31337 firewall!
Second, there is a lot of variety in Linux installations even though they are all compatible in broad terms. Differences in what languages are available, permissions on what the user can run, where files are located, etc. And since the average Linux user isn't being spoonfed Microsoft "innovation", the average Linux user knows better than to open an unknown mail attachment and every Linux mail client will not do this by default.
Linux distros don't run unneeded services out of the box by default (been that way for years). Most exploits in Linux take advantage of minor vulnerabilities (such as the Ramen worm which used a hole in the lpd print daemon to deface insecure Apache installations). Even then, without administrator (root) power, the damage these worms/viruses can cause is very limited.
It isn't impossible to write a worm to affect Linux. Just difficult. And even when done, the vulnerability that made it possible is often patched within hours. Viruses are for all intents and purposes impossible to write for Linux without a root exploit available.
The inherent design differences of Linux vs. Windows even with Linux installations becoming more prevalent and thus more inviting to attack will still keep Linux, *BSD and Mac OS X relatively safe from large scale, billion dollar attacks that run rampant on MS based systems. And if there is an attack, the Linux community will fix it and help educate rather than beg the government to create standards and blame the whole thing on customers rather than admit to plain crappy software engineering.
So? He also said ..
"640K ought to be enough for anybody."
- Bill Gates, 1981
Technically, if it's embedded in an e-mail and runs itself via some scripting feature, and spreads itself to other computers, it's a worm.
Unix/Linux users are one step ahead of Windows as far as standard viruses go, but they're a long way off as far as worms go. I'm not aware of any mail clients in KDE or Gnome that support scripting, and if one did appear, I don't see why people would switch away from the current range of excellent apps like Evolution and KMail/Kontact.
If one of those did start supporting scripting, I'm betting that enough people at the development end care, and the default would be to have scripting turned off.
Follow me
There's a *BIG* difference between "a hacker 0wn3d my b0x" and "Some VB script 0wn3d half of the windows boxen on the internet, automatically, without any manual interaction from the hacker".