Gates on Winsecurity
xandroid writes "Just a couple days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta-release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"
Linux/*BSD will have a better GUI than Windows, more application and driver support than Windows, and an infinitely better design and development process.
Doubt it. Care to point to any signs that show this magical stride Linux is going to make?
OK, two out of four isn't bad. But Microsoft must be scared of something. Why is one of the wealthiest corporations in the world and its army of developers having so much trouble getting something out the door, and why is Bill going out of his way to appear to toe the line? Kind of spooky.
They're not having any "trouble." They're creating entirely new technologies for this new operating system. MSDN has been putting out "The .NET Show" videos every month showcasing the new technologies. People can make apps using XAML and a few lines of .NET code. One video shows the dev writing a 10-15 line app that lets him update his website blog. They're hardware-accelerating everything, stripping out Win32, and revamping all of Windows. Where are we going to be at in 2006? KDE 3.5 and GNOME 2.8, with the same old XFree86 technology running beneath (oh, gee, it might be XServer instead which will, gasp, add transparency). Same old, same old.
Security is nice and all, but Longhorn is starting to remind me of heaven - a long way off with no consensus on what it is really like.
Guess you missed the Longhorn PDC build, the endless Longhorn build leaks that come out every couple of weeks, and the monthly videos MSDN has been putting out that showcase a new Longhorn technology by the devs who wrote it.
I don't get the need for people to imply it's "vaporware"--Longhorn is coming, and we need to be ready. There's a reason we have the Mono project...there are devs who recognize what the future will be.
"Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'."
BILL: GET RID OF THE MICROSOFT HTML CONTROL.
Getting rid of ActiveX and splitting the MS HTML control into separate modules so programs can display local HTML without worrying about it kicking off a local exploit or downloading untrusted material from the Internet... not just defining zones, but separating the display code, the internet code, and the active desktop code into separate modules that don't interact with each other except through an application that has to explicitly request dangerous things... that would do more for security than anything else Microsoft could do between now and the end of time.
But to do that would be to back out of the claim that it was essential to merge IE and the desktop back when they violated their agreement with the DoJ back in the '90s, and Microsoft cares way more about losing face than improving security.
On OSX/Linux/BSD/Solaris...
For the virus to be executed, it would have to be saved to disk and then have the execute bit set. For it to do this automatically, that would involve executing, which it doesn't yet have permission to do.
For a user to execute it, they'd have to save the attachment, switch to their file manager, change the permissions on the file, then run it. That's one more step than is required on Microsoft Windows, and following the "data that's more than 2 clicks away is too far away" rule, a lot of people won't bother if it takes that much effort.
Most operating systems have this feature built in. If Microsoft were competent enough to have it built into Windows, there would be no need to go chasing the CPU manufacturers.
Follow me
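The save-then-set-the-execute-bit sequence from the comment above, as an added shell example that is not part of the original thread. The attachment is a harmless constructed script, and the function names are made up for this illustration:

```sh
#!/bin/sh
# Added illustration; the attachment is a constructed, harmless script.

# Save the attachment with a plain write, as a mail client would: the mode
# is 0666 masked by the umask, so no execute bit is set.
save_attachment() {
    ( umask 022
      printf '#!/bin/sh\necho attachment ran\n' > "$1/attachment.sh" )
    printf '%s\n' "$1/attachment.sh"
}

# Permission string of the file, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Run the file directly and report the exit status; the shell returns 126
# when the kernel refuses execution with "permission denied".
try_direct_exec() {
    status=0
    "$1" >/dev/null 2>&1 || status=$?
    printf '%s\n' "$status"
}

demo() {
    dir=$(mktemp -d)
    file=$(save_attachment "$dir")
    echo "after save:  $(mode_of "$file")  exit $(try_direct_exec "$file")"
    chmod u+x "$file"        # the extra, deliberate step the comment describes
    echo "after chmod: $(mode_of "$file")  exit $(try_direct_exec "$file")"
    rm -rf "$dir"
}

demo
```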
No, not everything, of course. But some of what he says is right. Much of
the bits about isolation and resiliency are dead on the money: having the
firewall on by default is a start, but if I understand correctly what he's
saying (which is hard, because the wording is brief and nontechnical; it
was obviously not written for a technically-inclined audience), Microsoft
intends to actually *fix* Outlook. Not "patch" it to stop a particular
exploit, but actually fix the root problem.
He also says some stuff that's good to hear despite not really constituting
security -- e.g., popup blocking, and not loading remote content in email.
He also talks about taking measures at the system level to mitigate the risk
of buffer overruns, but I can't tell from what he says whether what they're
doing there will be helpful or a placebo. This is where the CPU NX stuff
comes in, and I'm a little over my head there; I understand the idea, but
I don't think I grok all of the implications.
This is actually a good article. Not perfect, but good. Go read it, those
of you who haven't yet. I don't think we're going to slashdot Microsoft.
Cut that out, or I will ship you to Norilsk in a box.
Don't you just love how Windows' in-securities are spun as "evil forces"?
And don't you also love how Microsoft's solutions always point the responsibility finger elsewhere. They always try to paint themselves as the good guy, having to clean up after the mayhem someone else initiated. "Here's our progress on taking steps to combat the evil in the world."
One of these days, business is going to wake up to this shell game and start holding the software manufacturer to blame for the general design problems of their products. Then you'll start seeing a general shift to another platform, maybe starting in the back office, file and printer serving, firewalls, etc. The desktop will be last.
Wait a sec, perhaps that explains the new firewall corporate bought for our branch to replace our old Win2K one... Linux.
There is no need to use a SlashDot sig for SEO...
You're being misleading! The fact is, I as a Windows user don't even need to save a virus to disk and run it in order to get infected. :P
So UNIX users are actually three steps removed from dangerous attachments, but seriously, will KDE and GNOME eventually bring in traditionally Windows-specific security issues inadvertently by trying to mimic the Windows environment?