Slashdot Mirror


Gates on Winsecurity

xandroid writes "Just a couple days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta-release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"

19 of 543 comments

  1. Thoughts on Gates by DarkHelmet · · Score: 5, Insightful
    and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)

    Excuse me, but Intel's ripped off 64-bit system has no sort of NX bit on it. That is the primary difference between AMD and Intel's 64 bit x86 implementation.

    What I'm curious about is if this statement from Gates is a forward statement. Does this mean that Intel will adopt the NX bit within the next year or so? Hopefully this will be the case.

    I can imagine with this in place, I imagine a lot more of the script kiddies will be doing "Nuke" style attacks rather than full-on hacks. In this case, say if Apache were to have a buffer overrun exploit, the most that would happen is the service would be shut down. Still a pain in the ass for anyone trying to run a web server, but better than running a service that potentially grants access to your machine.

    That and worms will hopefully not be so rampant anymore, provided that people stop opening exe email attachments. Don't we wish.

    Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'"

    Well, what exactly is the one "must-have" feature in Longhorn that makes it necessary today? Nothing really. A database-driven file system is not necessary. Internet Explorer 7 is not necessary (at least if you have Firefox it isn't). More DRM? Not necessary. What's necessary today are security fixes. And as long as Microsoft keeps patching WinXP, Longhorn is not needed anytime soon.

    What is necessary now is SP2. And the sooner they release that, the better.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  2. Re:Well.... by Anonymous Coward · · Score: 5, Insightful
    So this statement from Gates only really applies unless you are using something other than OS X, Linux, IRIX, Solaris, BSD, etc.... :-)

    Which is 90% of us, so get over yourself. OS snobbery is obnoxious.


  3. Maybe Theo could help? by ChiralSoftware · · Score: 5, Insightful
    OpenBSD has had "W^X" for quite a while now, and it sounds like that is what Bill is talking about. It is a great idea. There is just no reason for a program to ever modify its own executable code, with a very few exceptions such as Java's JIT compiler. For once it sounds like he is talking about security that protects his customers, not "security" such as DRM which reduces the capabilities of the product.

    --------
    Create a WAP server

    1. Re:Maybe Theo could help? by Fapestniegd · · Score: 5, Insightful

      There is just no reason for a program to ever modify its own executable code.

      Apparently you've never written an anti-piracy wrapper for a Windows application.
      That's how the good ones do it, by decrypting/modifying their own binary code section in memory.
      I guess as a GNU advocate, there is no need for anti-piracy programs,
      but some people butter their bread writing software and they can't just give it away.
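
An added illustration of the W^X idea debated in this sub-thread (not part of either comment, and not OpenBSD or Microsoft code): a small audit that lists memory mappings which are writable and executable at the same time, which is what a W^X policy forbids and what a self-modifying wrapper or JIT needs. It assumes the Linux `/proc/<pid>/maps` text format; the sample input is constructed, and the names `parse_maps` and `wx_violations` are hypothetical.

```python
import re
from typing import List, NamedTuple

# Constructed sample in Linux /proc/<pid>/maps format (not taken from a real host).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/demo
00651000-00652000 r--p 00051000 08:02 173521 /usr/bin/demo
00652000-00655000 rw-p 00052000 08:02 173521 /usr/bin/demo
7f2c14000000-7f2c14021000 rwxp 00000000 00:00 0
7f2c18a00000-7f2c18a10000 rwxs 00000000 00:05 4711 /dev/shm/jit cache (deleted)
7ffd3a1e0000-7ffd3a201000 rwxp 00000000 00:00 0 [stack]
7ffd3a3f2000-7ffd3a3f4000 r-xp 00000000 00:00 0 [vdso]
"""


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str  # four characters, e.g. "r-xp"
    path: str   # "" for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def kind(self) -> str:
        if self.path.startswith("[stack"):
            return "stack"
        if self.path == "" or self.path.startswith("["):
            return "anonymous"
        return "file"


# Fields: range, perms, offset, device, inode, optional path (may contain spaces).
_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                               m.group(3), m.group(4)))
    return out


def wx_violations(mappings: List[Mapping]) -> List[Mapping]:
    """Return mappings that are writable and executable at once."""
    return [m for m in mappings if m.perms[1] == "w" and m.perms[2] == "x"]


if __name__ == "__main__":
    try:  # audit this process on Linux, else fall back to the constructed sample
        with open("/proc/self/maps") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MAPS
    for m in wx_violations(parse_maps(text)):
        print(f"W+X {m.kind:9} {m.size:>8} bytes  {m.path or '(anonymous)'}")
```
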

  4. Protected Stack hardware requirements? by ponds · · Score: 5, Insightful

    Why does a protected stack need hardware modification ? IANACE, but doesn't OpenBSD do this on standard hardware? As much as I don't like substanceless MS criticism, and as much as I want the status quo's platform to be secure; I really think that actions speak louder than words, and while SP2 is a big step in the right direction, how about:
    1. Ditching ActiveX, does anyone actually use this for anything other than malware anymore?
    2. Disabling the (Outlook) preview pane by default
    3. Higher SSL Verbosity with IE
    4. IE URL-bar and statusbar should go into an "extra careful verbose mode" when it encounters hexadecimal encoding ( % ).

    IMO, these are all obvious things that should have been changed LONG ago, why are they still defaults?

  5. Never admit ! by Onan+The+Librarian · · Score: 5, Insightful

    I read Gates's comments a few days ago and noted that at no point does he even come close to admitting that every virus, worm, or other exploit that hits Windows is able to do so because Windows' own code has made it possible. "Windows security" should be used as a perfect example for a dictionary definition of an oxymoron.

    Seriously, with approximately sixty billion dollars in the bank, exactly what prevents M$ from producing a secure OS ?

  6. Re:The REAL security problem in '04 by Lane.exe · · Score: 5, Insightful
    When's the last time you used an Apple computer? OS X is able to do so much automatically because hardware parameters are generally known when using Apple or Apple-trusted hardware. Configurations are a snap because there's no gamut of odd brands with odd settings floating around out there. The only things that one takes the time to configure are things like non-Apple mice, wireless cards or printers. Everything else is pretty much a simple set-up operation. This isn't because Apple is trying to make stupid users, but rather because it allows intelligent users to manage their systems easier.

    I KNOW how to spend all day trying to configure various things and optimize them for security and use. However, sometimes, I don't feel like reading through piles of security docs just to make sure I can feel safe plugging my computer into a cable line. It's nice to have things just work, and work securely, right out of the box. Apple, however, has provided an operating system whereby I can spend endless hours tinkering with settings, in both a CLI and GUI environment; but by no means do I have to do this in order to get my computer working securely. The best thing you can do for a clueless user who just wants to check e-mail is get them an eMac or iMac. No fancy cables to plug in, no massive suite of security software to install -- just turn on OS X's firewall (built on that rock solid BSD standard ipfw), set up mail.app for their e-mail and get Safari or Mozilla Firebird to start blocking popups. Instantly, they're secured against anything except a direct, targeted attack against their computer. Worms, trojans, spyware... not a problem.

    --
    IAALS.
  7. Re:The REAL security problem in '04 by BWJones · · Score: 5, Insightful

    Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants".

    Ah, but they are also used by the most advanced computer users out there. Those that use them for a variety of fields in science from quantum chemistry to astrophysics, medicine and computer science. Pretty impressive that.

    This is a dangerous mindset to encourage. Their computers are set up to do everything for you, to treat the user with a kind of benevolent contempt.

    What is a dangerous mindset? Allowing people to be connected? Allowing them access to information? What are you going to say next......That people should not be able to vote for whom they want?

    As to doing things for you, yeah, when I want to plug in a hard drive, it is automatically mounted and I don't have to type in the CLI two or three lines of commands to get it mounted and shared. There are many other examples of this and why you perceive this as benevolent contempt completely escapes me.

    Some recent pricing of upgrades illustrates the kind of attitude Apple has to its customers.

    This leap of logic is confusing. And what recent pricing are you referring to? Can they not expect to make a profit on their investment? Be thankful Microsoft has some minor competition, or else you might be paying more than you might think.

    --
    Visit Jonesblog and say hello.
  8. NX - Finally by rdean400 · · Score: 5, Informative

    About freaking time. IBM's mainframe and midrange server architectures have been doing this for years. In OS/400, for example, the only things the processor will execute are program objects. Memory blocks marked as data cannot be executed, even in the event of a buffer overflow. The OS and hardware work together to ensure this.

  9. Re:The REAL security problem in '04 by naden · · Score: 5, Insightful

    You troll .. and to the mods you're no better.

    I think most people will agree most security problems boil down to one simple thing, the stupidity of the user

    You're missing the whole point. The users aren't stupid - they don't care. Computers are not an integral part of their life as they probably are for you. Hence implying they are stupid because they can't spot a virus is just plain rude.

    I have to ask if you know exactly what happens and what to do if your car suddenly stops for no reason. Does it make you an idiot if you have to ask for help ? No, because for most, cars are a tool not a lifestyle - just like computers.

    Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants".

    Now that Apple is *nix based I find this kind of statement quite surprising. What a bunch of proudly ignorant people.

    Apple computers yes do have the obscurity security benefit, however they also have intelligent default settings. Windows with XP SP2 will finally set the defaults to what they should have been from the start.

    You are the ignorant one not the non-techie users.

    --
    Funtage Factor: Purple
  10. Innovative, isn't it ? by lazy_arabica · · Score: 5, Funny
    Meanwhile, criminal hackers have become more sophisticated

    Sure, it was easier to write an assembler program adding its own code to a software, while keeping the infected program executable, than scripting 15 lines of VB Script.

    The kinds of threats are evolving too. Blaster, for example, hijacked individual computers, turning innocent users into unknowing and innocent worm propagators.

    Oh, those poor and innocent individual users. What a wonderful way to make them think they are only victims, and never responsible for the spread of a virus, even if they don't make any effort to secure their system.

    Central to our security efforts is preventing malicious code from being able to exploit a vulnerability by isolating such code, providing more effective control over what computer processes can talk to or work with, and making systems more resilient so they are able to identify and stop suspicious or bad behavior in its tracks.

    Of course, the idea that a malicious program shouldn't be able to do much damage, because it has very restrictive rights is a strong innovation.

    Memory Protection: Malicious software designed to exploit buffer overruns can allow too much data to be copied into areas of the computer's memory. Although no single technique can completely eliminate this type of vulnerability, Microsoft is employing a number of security technologies to mitigate these attacks.

    Wonderful ! Microsoft OSs will (at last) have memory protection ! Let me remember, how old is Unix ? Nearly 40, isn't it ?

    Could someone explain to me how Microsoft can be seen as innovative by so many people ? And how they can so proudly try to make us believe they always were (and will be) on the right way ?
    -----
  11. Re:By the time SP2 comes out... by bonch · · Score: 5, Interesting

    Linux/*BSD will have a better GUI than Windows, more application and driver support than Windows, and an infinitely better design and development process.

    Doubt it. Care to point to any signs that show this magical stride Linux is going to make?

    OK, two out of four isn't bad. But Microsoft must be scared of something. Why is one of the wealthiest corporations in the world and its army of developers having so much trouble getting something out the door, and why is Bill going out of his way to appear to toe the line? Kind of spooky.

    They're not having any "trouble." They're creating entirely new technologies for this new operating system. MSDN has been putting out "The .NET Show" videos every month showcasing the new technologies. People can make apps using XAML and a few lines of .NET code. One video shows the dev writing a 10-15 line app that lets him update his website blog. They're hardware-accelerating everything, stripping out Win32, and revamping all of Windows. Where are we going to be at in 2006? KDE 3.5 and GNOME 2.8, with the same old XFree86 technology running beneath (oh, gee, it might be XServer instead which will, gasp, add transparency). Same old, same old.

  12. Re:Fine, whtever. by DoraLives · · Score: 5, Funny
    I have *never* been infected by a virus. Never.

    Do not tempt the gods that way. You're just asking for something.

    --
    Is it fascism yet?
  13. GET RID OF THE IE-DESKTOP INTEGRATION by argent · · Score: 5, Interesting

    "Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. "

    BILL: GET RID OF THE MICROSOFT HTML CONTROL.

    Getting rid of ActiveX and splitting the MS HTML control into a separate modules so programs can display local HTML without worrying about it kicking off a local exploit or downloading untrusted material from the Internet... not just defining zones, but separating the display code, the internet code, and the active desktop code into separate modules that don't interact with each other except through an application that has to explicitly request dangerous things... that would do more for security than anything else Microsoft could do between now and the end of time.

    But to do that would be to back out of the claim that it was essential to merge IE and the desktop back when they violated their agreement with the DoJ back in the '90s, and Microsoft cares way more about losing face than improving security.

  14. Funny... by ntr0py · · Score: 5, Funny

    ... that "Winsecurity" is so far removed from actual "security" that it deserves its own word.

  15. Proudly ignorant or TCO-conscious? by G4from128k · · Score: 5, Insightful

    Apple computers are created for, and solely used by people who know, and want to know nothing about computers, the "proudly ignorants"

    Every extra hour that I am forced to spend learning how to make a computer do what it should have done in the first place adds $50 to the TCO of that machine. So if I have to spend even one hour per week figuring out how to keep my machine safe from exploits, I've added $2500 to the cost of that machine for that year.

    I am not proudly ignorant, I only realize that my time is limited and that spending it patching gaping holes in a badly designed product is not top of my list of either fun or productive things to do. At best, you could call me resentfully ignorant because I resent that ignorance should be a problem.

    I'm not even sure how you can blame Apple for much of the Internet's current dismal state of affairs. What percentage of viruses, trojans, spam, etc. are distributed via Apple machines?

    But, as long as we are playing the blame game, I might as well burn a few karma points. Let's add some more culprits to the list:
    1. All the IT vendors that touted software and internet services.
    2. All the businesses and organizations that listened to IT vendors' hype and gave PCs to all their employees.
    3. The original internet standards designer who gave us naive, overly-trusting standards that make it too easy for anonymous blackhats and spammers to send out untraceable virus packets and spam.
    4. CPU makers (and Gordon Moore) for giving us such a rapid pace of performance growth that no platform ever matures before it is replaced by another exploit-ridden next generation OS

    I'm sure there are others.

    --
    Two wrongs don't make a right, but three lefts do.
  16. Re:Well.... by pantherace · · Score: 5, Insightful
    This argument is just not valid. Windows simply is insecure, and its users are part of the problem, but they aren't really the root.

    How long has Linux existed, and how many worms have there been? Or applications: 2 Apache worms or so? And Apache is by sheer numbers, what? 60% or more of the webservers on the internet. (Let's assume there are actually a dozen Apache worms since 1992, if there are even that many, that's one a year.) How many IIS worms are there?

    How many worms have been able to break into the kernel itself? Oh, given the couple of kernel bugs, it was possible, but they were all local exploits. Which requires the code to be run on the system as opposed to things like the Classic MacOS had some virii for it, but compare the length of time it had been out (and how it was the GUI computer for quite a while) 16 years or so (1984-2000) Over that time, there were probably less virii for it than windows 98 got in the first year. (Probably partly because as an OS it was one of the dumbest in terms of networking, you couldn't do anything with it.)

    MacOS X has been out for around 4, and the number of worms is comparable to those for Linux, as in almost nothing.

    I expect when Longhorn comes out, there will again be another torrent of worms. But maybe Microsoft may be getting it together with regards to security. They did a pretty good job of stability with 2000, but backslid on XP.

    Even if Linux/KDE became as dominant as Windows is now, the problem wouldn't be nearly as bad. You see, Linux distributions (almost all? and the people who aren't should know what they are doing) use package management. This means that instead of running an installer for program a, b, c off of CDs or the internet, they use packages provided by people whose cryptographic signatures they can check automatically, for example with rpm. Now, that's not perfect, and you don't have to have that, but it gets people into a method of expecting part of it to come from a trusted source (e.g. Gentoo, which provides md5sums of all the packages downloaded, or rpm, which allows both server and developer signatures last I looked.) The distribution is EXPECTED to provide this, and if they don't, either the user doesn't know enough to get it, and asks someone else for help, or knows enough to figure out that www.warez-cracks-hijacking-your-game.com is not a good site to get things from.

  17. Some of what he says is right. by jonadab · · Score: 5, Interesting

    No, not everything, of course. But some of what he says is right. Much of
    the bits about isolation and resiliency are dead on the money: having the
    firewall on by default is a start, but if I understand correctly what he's
    saying (which is hard, because the wording is brief and nontechnical; it
    was obviously not written for a technically-inclined audience), Microsoft
    intends to actually *fix* Outlook. Not "patch" it to stop a particular
    exploit, but actually fix the root problem.

    He also says some stuff that's good to hear despite not really constituting
    security -- e.g., popup blocking, and not loading remote content in email.

    He also talks about taking measures at the system level to mitigate the risk
    of buffer overruns, but I can't tell from what he says whether what they're
    doing there will be helpful or a placebo. This is where the CPU NX stuff
    comes in, and I'm a little over my head there; I understand the idea, but
    I don't think I grok all of the implications.

    This is actually a good article. Not perfect, but good. Go read it, those
    of you who haven't yet. I don't think we're going to slashdot Microsoft.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  18. Linux Security by MichaelKaiserProScri · · Score: 5, Insightful

    Here's an interesting thought. Is Linux more secure and stable BECAUSE it is more difficult to set up?

    Linux makes few assumptions. You have to explicitly install and run things if you want them. There is no marketing pressure to force you to take features you do not want. Heck, you can even build your own kernel to include or exclude features. The "barrier to entry" under Linux is higher. So the majority of Linux installs were installed by somebody who actually knows something about a computer.

    Conversely, Windows is easy to install. Furthermore, since it comes pre-installed on most computers, it is REAL easy to install. Windows is not so much of a choice for most users as it is the failure to make a choice. Many of the people "successfully" running Windows are "twelve o' clock flashers". (You know, those people whose VCR constantly flashes "12:00" because they have no idea how to set it.) Combine this with cheap, always on broadband and you have a recipe for disaster.

    You've heard of "Security through obscurity", well Windows suffers from "Insecurity through ubiquity"