Slashdot Mirror


Gates on Winsecurity

xandroid writes "Just a couple days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta-release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"

11 of 543 comments

  1. Re:By the time SP2 comes out... by bonch · · Score: 5, Interesting

    Linux/*BSD will have a better GUI than Windows, more application and driver support than Windows, and an infinitely better design and development process.

    Doubt it. Care to point to any signs that show this magical stride Linux is going to make?

    OK, two out of four isn't bad. But Microsoft must be scared of something. Why is one of the wealthiest corporations in the world and its army of developers having so much trouble getting something out the door, and why is Bill going out of his way to appear to toe the line? Kind of spooky.

    They're not having any "trouble." They're creating entirely new technologies for this new operating system. MSDN has been putting out "The .NET Show" videos every month showcasing the new technologies. People can make apps using XAML and a few lines of .NET code. One video shows the dev writing a 10-15 line app that lets him update his website blog. They're hardware-accelerating everything, stripping out Win32, and revamping all of Windows. Where are we going to be at in 2006? KDE 3.5 and GNOME 2.8, with the same old XFree86 technology running beneath (oh, gee, it might be XServer instead which will, gasp, add transparency). Same old, same old.

  2. Re:In the meantime by bonch · · Score: 4, Interesting

    Security is nice and all, but Longhorn is starting to remind me of heaven - a long way off with no consensus on what it is really like.

    Guess you missed the Longhorn PDC build, the endless Longhorn build leaks that come out every couple of weeks, and the monthly videos MSDN has been putting out that showcase a new Longhorn technology by the devs who wrote it.

    I don't get the need for people to imply it's "vaporware"--Longhorn is coming, and we need to be ready. There's a reason we have the Mono project...there are devs who recognize what the future will be.

  3. GET RID OF THE IE-DESKTOP INTEGRATION by argent · · Score: 5, Interesting

    "Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. "

    BILL: GET RID OF THE MICROSOFT HTML CONTROL.

    Getting rid of ActiveX and splitting the MS HTML control into separate modules so programs can display local HTML without worrying about it kicking off a local exploit or downloading untrusted material from the Internet... not just defining zones, but separating the display code, the internet code, and the active desktop code into separate modules that don't interact with each other except through an application that has to explicitly request dangerous things... that would do more for security than anything else Microsoft could do between now and the end of time.

    But to do that would be to back out of the claim that it was essential to merge IE and the desktop back when they violated their agreement with the DoJ back in the '90s, and Microsoft cares way more about losing face than improving security.

  4. Re:Protected Stack hardware requirements? by argent · · Score: 3, Interesting

    "Everything is obvious in hindsight. Nothing is obvious until it has been done."

    I banned IE and Outlook at work almost 10 years ago when they merged IE and the desktop. THAT was obviously a bad idea from the start, it's still a bad idea, they still refuse to undo it, and THEY WILL HAVE NO SECURITY until it's undone.

    Look, I'm not a frigging genius, but I could tell it was a bad enough idea to take that unpopular stand... and then I looked like a hero when Melissa and the rest of the Outlook viruses mowed everyone else down and left our part of the company untouched. What totally stuns me is that not only has it not been undone, even with almost ten years of proof that it's a bad idea there is no groundswell of opposition to that merge. Microsoft has done a sterling job of throwing up one red herring after another to divert attention from the fundamental design flaw.

  5. Re: The point everyone misses by jaavaaguru · · Score: 4, Interesting

    On OSX/Linux/BSD/Solaris...

    For the virus to be executed, it would have to be saved to disk and then have the execute bit set. For it to do this automatically, that would involve executing, which it doesn't yet have permission to do.

    For a user to execute it, they'd have to save the attachment, switch to their file manager, change the permissions on the file, then run it. That's one more step than is required on Microsoft Windows, and following the "data that's more than 2 clicks away is too far away" rule, a lot of people won't bother if it takes that much effort.

    Most operating systems have this feature built in. If Microsoft were competent enough to have it built into Windows, there would be no need to go chasing the CPU manufacturers.

  6. Some of what he says is right. by jonadab · · Score: 5, Interesting

    No, not everything, of course. But some of what he says is right. Much of
    the bits about isolation and resiliency are dead on the money: having the
    firewall on by default is a start, but if I understand correctly what he's
    saying (which is hard, because the wording is brief and nontechnical; it
    was obviously not written for a technically-inclined audience), Microsoft
    intends to actually *fix* Outlook. Not "patch" it to stop a particular
    exploit, but actually fix the root problem.

    He also says some stuff that's good to hear despite not really constituting
    security -- e.g., popup blocking, and not loading remote content in email.

    He also talks about taking measures at the system level to mitigate the risk
    of buffer overruns, but I can't tell from what he says whether what they're
    doing there will be helpful or a placebo. This is where the CPU NX stuff
    comes in, and I'm a little over my head there; I understand the idea, but
    I don't think I grok all of the implications.

    This is actually a good article. Not perfect, but good. Go read it, those
    of you who haven't yet. I don't think we're going to slashdot Microsoft.

    --
    Cut that out, or I will ship you to Norilsk in a box.

  7. Re:Never admit ! by DarkVein · · Score: 3, Interesting

    Game developers? Game developers don't care about copy prevention. Publishers don't develop it either. Third parties sell it to publishers under false pretenses and nonsense that breaks down to "every time someone copies your discs, you lose money."

    And, as a rule, these third parties are nowhere near the leading edge of computer science. They are always business ventures. They hunt and search for techniques to deliver what the slogan on their incorporation documents says they're going to deliver, and pay a nominal research cost to develop it into something they can sell. They are neither smart nor industrious. They can, however, speak BS and HS to CEOs and CIOs of B2B and B2B "Publishing Industry Leaders" in the expanding software publishing industry. Make Big Money.

    Game developers, on the other hand, don't give a rat's ass about these people. They don't want people to mooch off their hard work without paying for it. But, most of the devs I've talked to understand that most copies are not lost purchases. They also realize how much trouble copy prevention mechanisms cause them and their fans/customers. However, the decision to implement them is not theirs. And they can't bad-mouth the decision, or the publisher will have a tantrum and drop them under the "don't slander us" clause of their contract.

    However, if you frequent some of the better game company run forums... Ion Storm, and formerly Bioware, etc., you'll find that they have very explicit almost uniform rules about discussing copy prevention. They don't permit software titles to be mentioned, or links, but they will fully permit discussion of the problem and mechanisms and methods to correct the problems. When developers respond, it's sympathetic and hesitant, and usually mentions somehow that it's the publisher's fault and they can't do anything about it. Bioware's forums got strict and silent about the issue all at once, after a large continuous volume of complaints--very uncharacteristic of the company, and indicative of some sort of "shut up and shut them up" order.

    --

    I'm as mimsy as the next borogove but your mome raths are completely outgrabe.

  8. THE spin doctor by digitect · · Score: 4, Interesting

    Don't you just love how Windows' in-securities are spun as "evil forces"?

    And don't you also love how Microsoft's solutions always point the responsibility finger elsewhere. They always try to paint themselves as the good guy, having to clean up after the mayhem someone else initiated. "Here's our progress on taking steps to combat the evil in the world."

    One of these days, business is going to wake up to this shell game and start holding the software manufacturer to blame for the general design problems of their products. Then you'll start seeing a general shift to another platform, maybe starting in the back office, file and printer serving, firewalls, etc. The desktop will be last.

    Wait a sec, perhaps that explains the new firewall corporate bought for our branch to replace our old Win2K one... Linux.

    --
    There is no need to use a SlashDot sig for SEO...

  9. Re:Linux Security by extra+the+woos · · Score: 3, Interesting

    Not to make another reply right after my last one disagreeing with someone but... I don't really think barrier of entry has anything to do with it... (and yeah I'm just ranting here, don't mod me up, it's off topic) Ease of installation... Windows being easier to install is a MYTH!!! IT'S NOT EASIER TO INSTALL WINDOWS!!! It's easier to install software on Windows for the average user... (yes, I use Debian, yes, apt-get is even easier, no, I don't think my mom would find it easier at this time. yes, once the synaptic gui improves more it'll blow Windows away for desktop software installation by n00bs.) But I mean, SuSe, Mandrake, etc, are easier to install than Windows. So Joe user brings home an old copy of 2k that he got to upgrade that old 98 that they have on their 1998 Compaq. Joe has a cable modem. He pops the disc in, boots, installs, no problem. Right from the get-go he starts getting messenger spam! He's confused, he calls a friend who tells him how to turn the messenger off (why was it on by default?). Fortunately Joe's video card was detected so it's not in 16 color mode! But there's another problem. Joe hears about a security update he needs to stop the Blaster worm. Problem is the worm had already infected his computer. In order to get the patch, he needs to go to the Windows Update site, but he can't get there because his computer keeps shutting down. So he figures out that he can set the date back (common sense or a nerdy friend maybe)! But Windows Update still won't work, because RPC is crashed and Windows Update needed it to install the patch (to Joe, his computer is just broken, he doesn't know what's going on). What the hell does he do? Our user is VERY confused. So Joe installs a copy of Linux instead because he heard it was "better" and his nerd friend gave it to him for free and it's even LEGAL to get it for free.. this AMAZES JOE!

    He puts the CD in the drive and powers his computer on... His distribution, right in the install, detects his cable modem and at the end before the install even finishes, connects him up and downloads the latest security stuff!!! Amazing! All he needed to do was type his name, what he wanted his computer's name to be, and what he wanted to do on his computer (Joe wanted to do word processing, and graphics and games sounded interesting too... Joe left the rest alone)... Setup tells Joe to make his own account, he thinks this is neat. The install is done, he reboots. He types in his username (neat, he's logging into his own computer, he's never seen anything actually secure before, Win98 you could just press cancel!)... He sees a desktop, with icons for the web, and a word processor. What has a higher barrier of entry there? Installation is something Linux is better at than Windows, it's NOT EVEN CLOSE... I'd compare installing Linux to installing Mac OS 7 on an old machine. It just works. Unless you have some weird homebuilt setup with odd hardware (and Joe user WILL NOT HAVE ANY), you don't even need to install any drivers for anything. Compare that with Windows 2000 (maybe XP is better, I saw no reason to buy XP so I use 2k for my Everquest needs, no, it does not run under winex): Windows installs. Unplug the net connection and install some security updates that I downloaded in Linux. Plug network cable back in. Cry at 16 color desktop. Get nvidia drivers. Wonder why sound is messed up. Get new sound drivers. Not all the AGP features are working.. what! Get via 4-in-1's. (once set up, Win2k is the best version of Windows by far imho, I like it actually.. just don't say installing it is easier than Linux)... To be fair, in Debian (not known for being easy to install) my nvidia card was not configured for OpenGL. Course, to be fair to Linux, the install was every bit as easy as installing the graphics drivers in Windows. Download them off nvidia's site, run program... yay...

    (Yes, I know nerd-centered distros like Debian, Gentoo, etc, are harder, and yes I run Debian on my machine, and have experienced installing Red Hat, Mandrake, and SuSE).

    --
    replacing it with NEW Folger's Crystals! (lets see if they notice the difference)

  10. Re: The point everyone misses by Angry+Pixie · · Score: 4, Interesting

    You're being misleading! The fact is, I as a Windows user don't even need to save a virus to disk and run it in order to get infected. :P

    So UNIX users are actually three steps removed from dangerous attachments, but seriously will KDE and GNOME eventually bring in traditionally Windows-specific security issues inadvertently by trying to mimic the Windows environment?

  11. Re:Well.... by Grishnakh · · Score: 3, Interesting

    It's not the operating system itself that is causing the problems, it's the smacked asses that use it maliciously. Don't blame the drunk driver, blame the car and the sober drivers right? Get a clue.

    I disagree. The "smacked asses" are starting the problems, but the operating system is turning a very small problem into a very large one.

    To use your drunk driver analogy, suppose 90% of the cars on the road, made by "Fireball Motors Corporation", suddenly exploded when even tapped by another vehicle, let alone a full collision. Even worse, after these cars become rolling fireballs, they suddenly accelerate wildly and run into as many other cars as possible, which of course turns them into rolling fireballs. Of course, this isn't much of a problem if everyone drives perfectly and never makes a mistake, but every Friday night, a few drunk drivers accidentally run into other cars, causing the freeways to turn into massive infernos. A few people escape unharmed, because they bought cars from Orange Motor Corp., Banana Motors, or built their own. These other cars just get a little dent when a Fireball car hits them. However, every Saturday after the morgues have processed all the charred bodies, the victims' families cry about the drunk driver that caused the tragedy, but no one ever considers getting rid of their Fireball car. When an Orange driver asks them why, they say they like the knobs on the stereo better, and are willing to risk their life for that. Then the Orange driver throws a rock at their car and laughs as it bursts into flames.

    Sorry, but given the risk you run by sticking with Windows, I have no sympathy for you at all, and I'll laugh when a virus or worm wipes out your data. It's just a matter of time.