Slashdot Mirror
Gates on Winsecurity
xandroid writes "Just a couple days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta-release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
With Longhorn only coming out in 2006, hopefully Linux will make a huge push over the next couple of years to cement itself as a serious 'business desktop' platform.
Because the fact remains that many businesses will be reluctant to upgrade their existing systems to Longhorn if there isn't some huge productivity increases. Hence Linux can be promoted as the solution for business's existing systems. Dump Windows. Install Linux.
In order for this to happen there needs to be a lot more education to the pointy-haired people of this world. These are the ones that control the purse strings and most of them don't know what Linux is or what benefits it provides over Windows.
Someone/some company needs to take the initiative and educate the non-Slashdot readers about the security issues that Windows currently has and the benefits that Linux provides.
Funtage Factor: Purple
Well, what exactly is the one "must-have" feature in Longhorn that makes it necessary today? Nothing really. A database-driven file system is not necessary. Internet Explorer 7 is not necessary (at least if you have Firefox it isn't). More DRM? Not necessary. What's necessary today are security fixes. And as long as Microsoft keeps patching WinXP, Longhorn is not needed anytime soon.
If you want to be technical, nothing is NECESSARY. You can live just fine without computers (or for that matter, technology in general).
The next version of windows will be "better" than the current version. Just as Win2k3 is better than Win2k, how XP is better than Win9x, and how Win9x was better than Win3.x... No version of windows was ever necessary -- but it has always been better than what came before it.
I really want to disagree with this, but I just can't.
If Microsoft took up another strategy than pure marketing; they could offer alot better of a product, at the same return.
Microsoft basically offers three things:
1.) A decent operating system. Ill get modded down for saying this, but it's an OK system. It isn't wicked l33t for people like us, but it's a decent system for the status quo.
2.) A excellent office suite (sans Outlook). Anyone want to argue that MS office hasn't been top of its class ever since it started dueling with wordperfect?
3.) Free (beer) apps with Windows. Two of which are HORRIBLY ABYSMAL. Most of the "windows security flaws" come from these two apps; and these alone are the cause of 99% of spyware, adware, phishing, and viruses.
MS needs to drop IE and Outlook. Just get rid of them. Let people download Firefox and Thunderbird or whatever.
MS would lose absolutely nothing by dropping IE and Outlook, gain alot of extra time for their coding and R&D teams, and gain a ton of security, by not having these two awfully designed programs ship with an OS that they claim to be trying to improve the security of.
MS will continue to talk about Longhorn to ensure nobody else can grab mindshare. I swear Longhorn stories are on sites like Slashdot and .com.com.com everyday and yet there is no end of talking about a product that won't be out for years.
Security is nice and all, but Longhorn is starting to remind me of heaven - a long way off with no concensus on what it is really like. A lot of faith that things will get better someday is almost required, just as faith is required for the religious minded.
Linux/*BSD will have a better GUI than Windows, more application and driver support than Windows, and an infinitely better design and development process.
.NET Show" videos every month showcasing the new technologies. People can make apps using XAML and a few lines of .NET code. One video shows the dev writing 10-15 line app that lets him update his website blog. They're hardware-accelerating everything, stripping out Win32, and revamping all of Windows. Where are we going to be at in 2006? KDE 3.5 and GNOME 2.8, with the same old XFree86 technology running beneath (oh, gee, it might be XServer instead which will, gasp, add transparency). Same old, same old.
Doubt it. Care to point to any signs that show this magical stride Linux is going to make?
OK, two out of four isn't bad. But Microsoft must be scared of something. Why is one of the wealthiest corporations in the world and its army of developers having so much trouble getting something out the door, and why is Bill going out of his way to appear to tow the line? Kind of spooky.
They're not having any "trouble." They're creating entirely new technologies for this new operating system. MSDN has been putting out "The
Whats the result? Users don't even *crack* manuals open, they expect just to be a genius at anything they try. Then software companies realized "hey, nobodys reading these manuals" and they cut costs by stop including them altogether.
When they do include a manual they're terrible. I purchsed a Dell Axim x3i lately. It came with a 200 page manual that's WORTHLESS (and I have a CS degree). I wanted to know if I could sync the device over TCP (the answer is yes, but only if I connect to a windows machine first with the same SMB name as my linux machine grrrrr) -- the manual has no information of any kind on it. Just dry lists of "How to setup feature X", doesn't even mention the purpose or the reason for setting up X, or what it can do. Just the steps to do it with no information ...
Long story short, if I'm confused with a CS degree, who isn't? The companies that stell us this stuff encourage ignorance, theres not a place to learn!
Religion is a gateway psychosis. -- Dave Foley
"Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. "
BILL: GET RID OF THE MICROSOFT HTML CONTROL.
Getting rid of ActiveX and splitting the MS HTML control into a separate modules so programs can display local HTML without worrying about it kicking off a local exploit or downloading untrusted material from the Internet... not just defining zones, but separating the display code, the internet code, and the active desktop code into separate modules that don't interact with each other except through an application that has to explicitly request dangerous things... that would do more for security than anything else Microsoft could do between now and the end of time.
But to do that would be to back out of the claim that it was essential to merge IE and the desktop back when they violated their agreement with the DoJ back in the '90s, and Microsoft cares way more about losing face than improving security.
"Everything is obvious in hindsight. Nothing is obvious until it has been done."
I banned IE and Outlook at work almost 10 years ago when they merged IE and the desktop. THAT was obviously a bad idea from the start, it's still a bad idea, they still refuse to undo it, and THEY WILL HAVE NO SECURITY until it's undone.
Look, I'm not a frigging genius, but I could tell it was a bad enough idea to take that unpopular stand... and then I looked like a hero when Melissa and the rest of the Outlook viruses mowed everyone else down and left our part of the company untouched. What totally stuns me is that not only has it not been undone, even with almost ten years of proof that it's a bad idea there is no groundswell of opposition to that merge. Microsoft has done a sterling job of throwing up one red herring after another to divert attention from the fundamental design flaw.
On OSX/Linux/BSD/Solaris...
For the virus to be executed, it would have to be saved to disk and then have the execute bit set. For it to do this automatically, that would involve executing, which it doesn't yet have permission to do.
For a user to execute it, they'd have to save the attachment, switch to their file manager, change the permissions on the file, then run it. That's one more step that is require on Microsoft Windows, and following the data that's more than 2 clicks away is too far away rule, a lot of people won't bother if it takes that much effort.
Most operating systems have this feature built in. If Microsoft were competent enough to have it built into Windows, there would be no need to go chasing the CPU manufacturers.
Follow me
No, not everything, of course. But some of what he says is right. Much of
the bits about isolation and resiliency are dead on the money: having the
firewall on by default is a start, but if I understand correctly what he's
saying (which is hard, because the wording is brief and nontechnical; it
was obviously not written for a technically-inclined audience), Microsoft
intends to actually *fix* Outlook. Not "patch" it to stop a particular
exploit, but actually fix the root problem.
He also says some stuff that's good to hear despite not really constituting
security -- e.g., popup blocking, and not loading remote content in email.
He also talks about taking measures at the system level to mitigate the risk
of buffer overruns, but I can't tell from what he says whether what they're
doing there will be helpful or a placebo. This is where the CPU NX stuff
comes in, and I'm a little over my head there; I understand the idea, but
I don't think I grok all of the implications.
This is actually a good article. Not perfect, but good. Go read it, those
of you who haven't yet. I don't think we're going to slashdot Microsoft.
Cut that out, or I will ship you to Norilsk in a box.
Interesting how the article fails to place any blame with Microsoft - the company that provided the faulty platform for the spread of this malicious software.
Imagine if you bought a microwave oven that didn't have sufficient shielding to protect you from the "criminal" radiation within.
And this malicious software "evolves" too. Oh yes. Its not the platform itself that becomes more and more buggy. No. the malicious software "evolves".
Microsoft are also committed to major investments in customer education as well. Thats right. its your fault you got a virus. Stupid customer.
So Microsoft create this problem and now its "really funky and groovey" because it is trying to patch its own mess up. And who is going to pay for all of this, dear customer? You guessed it.
Much as I like their 3 steps to "protect your pc", they seem to miss out the obvious one:
Don't use faulty software.
Game developers? Game developers don't care about copy prevention. Publishers don't develop it either. Third parties sell it to publishers under false pretenses and nonsense that breaks down to "every time someone copies your discs, you lose money."
And, as a rule, these third parties are nowhere near the leading edge of computer science. They are always business ventures. They hunt and search for techniques to deliver what the slogan on their incorporation documents says they're going to deliver, and pay a nominal research cost to develop it into something they can sell. They are neither smart nor industrious. They can, however, speak BS and HS to CEOs and CIOs of B2B and B2B "Publishing Industry Leaders" in the expanding software publishing industry. Make Big Money.
Game developers, on the other hand, don't give a rat's ass about these people. They don't want people to mooch off their hard work without paying for it. But, most of the devs I've talked to understand that most copies are not lost purchases. They also realize how much trouble copy prevention mechanisms cause them and their fans/customers. However, the decision to impliment them is not theirs. And they can't bad mouth the decision, or the publisher will have a tantrum and drop them under the "don't slander us" clause of their contract.
However, if you frequent some of the better game company run forums... Ion Storm, and formerly Bioware, etc., you'll find that they have very explicit almost uniform rules about discussing copy prevention. They don't permit software titles to be mentioned, or links, but they will fully permit discussion of the problem and mechanisms and methods to correct the problems. When developers respond, it's sympathetic and hesitant, and usually mentions somehow that it's the publisher's fault and they can't do anything about it. Bioware's forums got strict and silent about the issue all at once, after a large continuous volume of complaints--very uncharacteristic of the company, and indicative of some sort of "shut up and shut them up" order.
I'm as mimsy as the next borogove but your mome raths are completely outgrabe.
I have yet to experience downtime or hassles due to viruses or worms.
:)
I'm not going to get into an OS war but I also have not had any downtime due to a worm or virus on my Windows XP box. This is because I do not open e-mail attachments, run a hardware firewall, and keep my system up to date with the latest patches and virus definitions.
I also have a G4 running OSX and an older PC running SuSE. My favorite is the G4 not because I am a Apple zealot but because I like the interface. I didn't like Apple before OSX. I still don't like Apple hardware but I can get over that.
My point here is that the most important aspect of security is the user. Microsoft still has an uphill battle but I believe they are moving in the right direction. Right now I think the best thing Microsoft could do would be to buy some TV time and inform the average Windows user on how to improve security (besides switching to Linux)
I still remember the day I could open up anything...yes... anything in my text editor without the slightest fear of anything going amiss. The absolute worst that could possibly happen is I get a screenfull of gibberish as the character generator tried to translate the binary file to displayable characters.
Then some yokel got busy with embedded executables ( not Gates... I am talking about the guys behind the ANSI escape codes which enabled certain codes to be defined then execute to do certain things ) and the first "ANSI bombs" were crafted. Its been downhill from there.
If nothing else, return to a clean form of HTML. Standardize it. And give it no power to do ANYTHING but display.
And Gates, stay out of those damn plug-ins. You don't wanna take the heat for the security risks, because anyone can write a plug-in to do all sorts of nefarious things under the rug. Trying to make some sort of automated install easy for some businessman is only gonna be subverted to make worms and viruses autoinstall.
Asking people to install programs they know nothing about to me is akin to asking people to sign legal forms they know nothing about. If businesses are going to be afforded the protection of the law when it comes to people not knowing how it works, they are going to have to assume all liability for what it does when said uninformed people run it.
If we can't enforce this accountability onto software developers, then we are never gonna get rid of those underhanded people who release code that has ulterior motives. Those people who release sneakycode are really making it tough on the rest of us who want honest programs.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Don't you just love how Windows' in-securities are spun as "evil forces"?
And don't you also love how Microsoft's solutions always point the responsibility finger elsewhere. They always try to paint themselves as the good guy, having to clean up after the mayhem someone else initiated. "Here's our progress on taking steps to combat the evil in the world."
One of these days, business is going to wake up to this shell game and start holding the software manufacturer to blame for the general design problems of their products. Then you'll start seeing a general shift to another platform, maybe starting in the back office, file and printer serving, firewalls, etc. The desktop will be last.
Wait a sec, perhaps that explains the new firewall corporate bought for our branch to replace our old Win2K one... Linux.
There is no need to use a SlashDot sig for SEO...
Not to make another reply right after my last one disagreeing with someone but... I dont really think barrier of entry has anything to do with it...(and yeah i'm just ranting here dont mod me up its off topic) Ease of installation...Windows being easier to install is a MYTH!!! IT'S NOT EASIER TO INSTALL WINDOWS!!! It's easier to install software on windows for the average user...(yes, i use debian, yes, apt-get is even easier, no, i dont think my mom would find it easier at this time. yes, once the synaptic gui improves more it'll blow windows away for desktop software installation by n00bs.) But I mean, SuSe, Mandrake, etc, are easier to install than windows. So joe user brings home an old copy of 2k that he got to upgrade that old 98 that they have on their 1998 compaq. Joe has a cable modem. He pops the disc in, boots, installs, no problem. Right from the get-go he starts getting messenger spam! He's confused, he calls a friend who tells him how to turn the messenger off (why was it on by default?). Fortunately joe's video card was detected so it's not in 16 color mode! But there's another problem. Joe hears about a security update he needs to stop the blaster worm. Problem is the worm had already infected his computer. In order to get the patch, he needs to go to the windows update site, but he can't get there because his computer keeps shutting down. So he figures out that he can set the date back (common sense or a nerdy friend maybe)! But windows update still wont work, because RPC is crashed and windows update needed it to install the patch (to joe, his computer is just broken, he doesn't know what's going on). What the hell does he do. Our user is VERY confused. So Joe installs a copy of linux instead because he heard it was "better" and his nerd friend gave it to him for free and its even LEGAL to get it for free..this AMAZES JOE! He puts the cd in the drive and powers his computer on...His distribution, right in the install, detects his cable modem and at the end before the install even finishes, connects him up and downloads the latest security stuff!!! Amazing! All he needed to do was type his name, what he wanted his computer's name to be, and what he wanted to do on his computer (joe wanted to do word processing, and graphics and games sounded interesting too...joe left the rest alone)...Setup tells joe to make his own account, he thinks this is neat. The install is done, he reboots. He types in his username (neat, he's loggin into his own computer, he's never seen anything actually secure before, win98 you could just press cancel!)... He sees a desktop, with icons for the web, and a word processor. What has a higher barrier of entry there? Installation is something linux is better at than windows, it's NOT EVEN CLOSE...I'd compare installing linux to installing mac os 7 on an old machine. It just works. Unless you have some weird homebuilt setup with odd hardware (and Joe user WILL NOT HAVE ANY), you don't even need to install any drivers for anything. Compare that with Windows 2000 (maybe xp is better, I saw no reason to buy xp so I use 2k for my everquest needs, no, it does not run under winex): Windows installs. Unplug the net connection and install some security updates that I downloaded in linux. Plug network cable back in. Cry at 16 color desktop. Get nvidia drivers. Wonder why sound is messed up. Get new sound drivers. Not all the agp features are working..what! Get via 4-in-1's. (once set up, win2k is the best version of windows by far imho, i like it actually..just dont say installing it is easier than linux)... To be fair, in debian (not known for being easy to install) my nvidia card was not configured for opengl. Course, to be fair to linux, the install was every bit as easy as installing the graphics drivers in windows. Download them off nvidia's site, run program...yay... (Yes, i know nerd-centered distros like debian, gentoo, etc, are harder, and yes I run debian on my machine, and have experienced installing red hat, mandrake, and suse).
replacing it with NEW Folger's Crystals! (lets see if they notice the difference)
You're being misleading! The fact is, I as a Windows user don't even need to save a virus to disk and run it in order to get infected. :P
So UNIX users are actually three steps removed from dangerous attachments, but seriously will KDE and GNOME eventually bring in traditionally Windows specific security issues inadvertantly by trying to mimic the Windows environment?
It's not the opperating system itself that is causing the problems, it's the smacked asses that use it maliciously. Don't blame the drunk driver, blame the car and the sober drivers right? Get a clue.
I disagree. The "smacked asses" are starting the problems, but the operating system is turning a very small problem into a very large one.
To use your drunk driver analogy, suppose 90% of the cars on the road, made by "Fireball Motors Corporation", suddenly exploded when even tapped by another vehicle, let alone a full collision. Even worse, after these cars become rolling fireballs, they suddenly accelerate wildly and run into as many other cars as possible, which of course turns them into rolling fireballs. Of course, this isn't much of a problem if everyone drives perfectly and never makes a mistake, but every Friday night, a few drunk drivers accidentally run into other cars, causing the freeways to turn into massive infernos. A few people escape unharmed, because they bought cars from Orange Motor Corp., Banana Motors, or built their own. These other cars just get a little dent when a Fireball car hits them. However, every Saturday after the morgues have processed all the charred bodies, the victims' families cry about the drunk driver that caused the tragedy, but no one ever considers getting rid of their Fireball car. When an Orange driver asks them why, they say they like the knobs on the stereo better, and are willing to risk their life for that. Then the Orange driver throws a rock at their car and laughs as it bursts into flames.
Sorry, but given the risk you run by sticking with Windows, I have no sympathy for you at all, and I'll laugh when a virus or worm wipes out your data. It's just a matter of time.
...Microsoft has managed to "persuade" a large number of their customers into paying for upgrades that might or might not materialize within the subscription period.
What is necessary now is SP2. And the sooner they release that, the better.
Service Pack 2 will undoubtedly create just as many problems as it purports to fix. Microsoft creates intentionally marginal products to encourage us all to upgrade every few years. This is the core strategy of Microsoft, and has been for 20 years at least.
Good point, There was a time, not all that long ago, when Unix OSes were completely full of swiss cheese buffer overflows -- and this was fixed only with incremental code audits and very minor design changes.
The Linux Advocates need to grasp that "Security" is not a permanent problem with Windows.
If you read slashdot 5 years ago, the top complaints were:
+ Stability
+ Bloat
+ Viruses
+ Security (even though *nix breakins were far more common back then)
What are people gonna do when MS solves all these problems? (oh yeah, they will complain about DRM).
You're argument is invalid as well.
A hacker will use the most COMMON (read available)way to break into a system. That common gateway right now happens to be windows.
Before you go off saying how secure your favorite OS is, keep this in mind. No other OS has undergone as much of a beating as Windows. Until linux or whatever has been used and abused by 90% of computer users, it's not really a fair comparison.
I'm not advocating M$. I'm simply stating a fact. You can bet when (and I do mean when) open source goes mainstream, it will have its fair share of issues. Maybe none quite so, how shall I say, obnoxious, but problems all the same.
A car salesman can show me a beatiful car and say that it'll solve all my problems, but I still take it out for a test drive first.
~X~
~X~
The hoard of people arguing about virii and worms in this thread is just amazing. I'm suprised people aren't bickering about the hardware level NX. No Execute? Sounds like a BAD idea. ::sigh::
The whole DRM thing is getting to be ridiculous. I shouldn't have to present my papers to the DRM gestapo every time I want to do something on my computer.
The disappointing thing is that most people who buy a Dell/Gateway/Prefab computer in the next 3-5 years won't know a single thing about NX and DRM. Only the geeks will know better.
.deviatefromtheabsolute.
I guess you missed the study that Slashdot posted which stated Linux was the most breached OS on the net.
.NET, so most everything will be sandboxed. What's going to happen when we see another article about a public Linux breach like we've had with Gentoo, Debian, Gnome, etc. and nothing happening on the Windows front because Microsoft has taken all these extra measures? I'm sure Slashdotters will find something to bitch about, but personally the technology fascinates me, and there are some damn smart people working over there at Microsoft.
I seriously doubt Windows is inherently more secure--the fact is, that operating is in use by some 90% of computer users, so it's not unreasonable to expect that things are going to get through once in a while. In that regard, Windows has the potential to become more secure than Linux simply because it's so much more field-tested.
You mention that Longhorn will ship with worm vulnerabilities, without realizing that Longhorn will be entirely