Slashdot Mirror


Windows Not Expected Secure Until 2011, Says MS

Rantastic writes "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox."

37 of 627 comments (clear)

  1. Missing: Interview by RobertB-DC · · Score: 5, Insightful

    What sort of "interview" only includes four loaded questions? Wired gets hold of the Microsoft "security program manager", and these are all the questions they ask? I'm no M$ fanboy (though I must admit I make a living writing programs for Windows), but surely they can do better than this obvious hatchet job:

    WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?

    In other words: So, when will you stop beating your wife?

    Meanwhile, Firefox and Opera look awfully appealing.

    Ok, the guy really stepped in it here when he plugged Firefox (though I'm an Opera fan, myself).

    What about removing capabilities from IE to beef up security?

    You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?

    Seems like you're fighting a losing battle.

    Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Missing: Interview by MrMr · · Score: 5, Insightful

      In other words: So, when will you stop beating your wife?
      Except that to make the analogy complete, you should add that in this case the question is put to somebody who is actually busy beating his wife...

      Objection: counsel is badgering the witness
      Overruled, Wired reporters are not counsel but more like prosecution, and this guy is not a witness but a suspect.

    2. Re:Missing: Interview by sjames · · Score: 4, Insightful

      In other words: So, when will you stop beating your wife?

      Not really, no. The question was about a specific hole who's existance is not in dispute. It makes no unwarranted assumptions and doesn't ask him to make any new admissions in answering. Unless you mean to imply that the question might cause him to accidentally admit to doing his job?

      You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?

      Perhaps not, but it's a fair question. Many people are of the opinion that the feature shouldn't have been there in the first place (for security reasons). It wouldn't be the first time MS has given customers a choice between break feature X or be insecure.

      Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."

      Perhaps, but since MS has a history of being less than forthcoming on the witness stand (literally as well as fuguratively), additional lattitude in questioning may be given.

  2. He runs Firefox, duh!? by garcia · · Score: 4, Insightful

    He also reveals that he runs Firefox.

    If you were working in the X divison of a company wouldn't YOU be using a competitors program so that you could know what they were doing to make their side better? I know I would.

    In fact, I would be completely disappointed if he DIDN'T run Firefox.

  3. Four Questions by AKAImBatman · · Score: 3, Insightful

    Only four questions? Yikes! That's not much of an article!

  4. Security Update by MikeMacK · · Score: 5, Insightful
    Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system.

    But that's just it, at least he had an update to install, MS doesn't release security updates as quickly as it needs too, as the first question mentioned.

  5. Re:Honesy by krog · · Score: 5, Insightful

    They left the spinning to Slashdot. RTFA. The interviewee says:

    It's not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline.

    What me meant is that Microsoft is completely reworking the way their browser operates -- not just toughening a few system calls here and there. A total reconsideration of how a browser should be designed.

    The Slashdot editors took that and spit out "AHAHA M$IE INSEKURE UNTIL 2011! LOL@GATES"

    Hardly seems fair.

  6. What?? 100% known secure isn't possible. by DunbarTheInept · · Score: 4, Insightful

    What in the blazes does it mean for something to finally be "secure"?? It's not as if it's actually an achievable goal, and it's not as if you'd have a way to detect when you'd achieved it even if it was achievable.

    The 100% secure line is an asymptote. You can get fractionally closer to it, but never ever actually achieve it.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  7. To be fair... by artemis67 · · Score: 5, Insightful

    he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.

    I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.

  8. In case you're wondering... why? by Penguinoflight · · Score: 4, Insightful

    First, someone posted above, the analogy between windows security fix, and Slashdot's terrible "IT" theme.

    Second, the idea that an MS head is using firefox is hardly surprising, it's much more at issue that he's willing to admit it to Wired, and doesn't even seem to mind that open source is a better alternative.

    Microsoft has had a history of using open source projects, most famously with qmail+unix on their hotmail, but even branching to the MSN gaming zone, etc. It's really not too surprising, considering a lot of the unix foundation implemented in their NT-XP series.

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
  9. Among other browsers, I'm sure! by addie · · Score: 5, Insightful

    He also reveals that he runs Firefox

    Indeed, parent post is correct. Besides, the article doesn't say that he uses FireFox exclusively by any means. In fact he only mentions FireFox to prove that all browsers are susceptible to attacks.. Here's hoping he also uses NS, Opera, Safari, and whatever browser he can to do testing and research.

    Yet more spin by /. zealots who don't take the article at face value.

  10. Sad by apoplectic · · Score: 5, Insightful

    What kind of pathetic headline is that? When did MS say "MS not expected secure until 2011"?!?! This is called sensationalist GARBAGE, people! Stop putting this swill up as headline material.

    Having someone say "it's more of a 10-year timeline" does not equate to "MS not expected secure until 2011"...much less "MS says" 2011. The phrase "more of a..." connotes a generality. The headline is pure, conjured specificity.

    Crap like this makes me become seriously disenchanted with Slashdot.

  11. Re:I dont know if he really *uses* firefox... by Aneurysm9 · · Score: 4, Insightful

    Exactly. When was this interview done that he had just installed the shell exploit fix that morning? Besides, that's a fix for a *Windows* problem and he should be more concerned with fixing it than making hay about someone else's patch for their problem.

    --
    There was Cowboy Neal at the wheel of a bus to never-ever land.
  12. Re:Honesy by Ignignot · · Score: 4, Insightful

    They could have put a spin on it.

    It is likely that this is spin. When someone has a job that depends on the future security of a product that is likely next to impossible to make secure without a complete rewrite, what can he do? He has limited budjet, and unrealistic goals. So he makes a 10 year plan, saying that they will be secure in 10 years. He shows progress to his boss, and his boss is happy. He gets to keep his job.

    Then, 2 years down the line, he revises his 10 year plan to expire in another 10 years - as long as the deadline is far enough away, he keeps his job, he puts food on the table, and the PR bunnies have something to hop about. This happens all the time in business, particularly publicly held companies. I would be very sceptical about any future Microsoft promises about security.

    --
    I submitted this story last night, and it didn't get posted.
  13. Re:Bash away... by BenjiPenguin · · Score: 5, Insightful

    "Microsoft is partly to blame, but they're the biggest fish in the sea. Every 'fisherman' is out to get them. When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet."

    Linux is already one of the biggest players in the server department, and that's where a majority of viruses and exploits are aimed at... I still don't see announcements for all these business running Linux servers being compromised.... The fact is, Linux is theoretically and in actual practice more stable and secure. Windows isn't.. A virus won't JUST affect your user account files in Windows... I think they're mostly to blame...

    " No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'"

    People aren't that smart.

  14. What the...? by Jugalator · · Score: 4, Insightful

    Since when did security become a goal you can achieve after a certain amount of time?

    It's something you always need to keep an eye open for, and combat exploits whenever necessary. How can Microsoft say "it's more of a 10-year timeline". That statement alone makes me wonder how sane Microsoft's security program manager is. So Microsoft are going to dismantle their security team in 2011?

    What would the Linux community think if Linus went out claiming that "we expect the Linux kernel to be secure in version 3.0"??

    Anyone who takes software security seriously should understand that you can never expect a product to be secure after some period of time.

    "Secure" is also relative and not at all an absolute term.

    --
    Beware: In C++, your friends can see your privates!
  15. Re:I security really that important? by hernyo · · Score: 5, Insightful

    This sounds like "death is good because it makes us appreciate life"...

    Non-security is a thing we don't like, so of course we want to get rid of it.

    -----
    yeah, my englisk sucks

  16. Re:Download.Ject by W2k · · Score: 4, Insightful

    Relying on IE-only functionality (as I assume this is) is a retarded thing to do anyway, with the extreme gain in marketshare that Firefox has seen recently. People who make that mistake deserve a good slapping, or at the very least, a reality check.

    Regardless of what Microsoft and their fans may think, the browser wars are all started up again. Anyone who designs their site to be IE-only nowadays is just asking for trouble. Unfortunately, it's not exactly uncommon.

    --
    Quality, performance, value; you get only two, and you don't always get to pick.
  17. Re:I security really that important? by dodgy_knickers · · Score: 5, Insightful

    "Has the horrendous security done anything other than support thousands of jobs and spawed a massive aftermarket security industry?"

    By that logic, we should view terrorism as good for the economy since it creates jobs for the folks employed at the office of Homeland Security.

    Think, real hard. What other effects came from from security flaws (in either case)? Anything bad? Anything at all?

    Perhaps this is just crazy talk, but I submit that there are better ways to stimulate the economy.

    -kev

  18. Re:I security really that important? by mrchaotica · · Score: 5, Insightful

    Those thousands of jobs are just running on a treadmill and sucking resources from companies that do real work. If Windows was secure, all that capital and talent could be used for something better.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  19. Re:Longhorn by Anonymous Coward · · Score: 3, Insightful
    It's way easier than that. No need to create a user/group [which would require root access that not all companies give everyone].

    Unlike most MSFT software, MySQL installs just fine without root privileges.

  20. Re:Firing offense? by calethix · · Score: 5, Insightful

    That's what I'd like to know. The article summary makes it sound like he uses Firefox because he doesn't trust IE.
    All I found in the article was:
    "Meanwhile, Firefox and Opera look awfully appealing.
    Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."


    That sounds more to me like he's trying to point out that other browsers can have vulnerabilities as well. He doesn't say anything about exclusively using Firefox. Maybe he just installed Firefox just to see what the competition is like.

  21. Re:Longhorn by Deep+Fried+Geekboy · · Score: 4, Insightful

    For feck's sake. That's the SIMPLEST install?

    Simple to me means 'double click the installer, then type your password when it asks for it'.

    --

    I'm not wrong. You haven't thought about it hard enough.

  22. Re:What is unfair here? by danheskett · · Score: 5, Insightful

    What spinning or unfair editing took place here?
    No, the Microsoft guy said that the security goals set forth are not short term goals, but rather, long terms goals, aka 10 years.

    The headline of the Slashdot article makes it seems like he said flat out that Windows will be insecure for 10 years. Which isn't true, and which isn't what he said.

    At some point people on Slashdot are going to have to come to grips with the fact that there are levels of security. MS is in the middle of a big push to change how they themselves and more importantly their customers think about security.

    It's a non-trivial thing. Windows developers haven't been thinking about security until recently. It's been a non-issue until the world and MS made it one.

    Getting the core of Microsoft software, applications, services and servers up to date, as well as creating tools that forcefully prod developers into coding effectively and securely is the real big goal of Microsoft's security plan.

    Now look at this very short interview. The original question was:

    We asked Stephen Toulouse, Microsoft's security program manager, if Redmond is fighting a war it can't win.
    That's clearly the question he is responding to in the final "question": "Seems like you're fighting a losing battle.".

    Rethink it in light of that question. Security isn't a start at X, arrive at Y, and you are done thing. Any developer knows that.

    MS has done the basic things they never did before: disable services by default, enforce passwords, use least privelage practices, and the like. That's step 1. They've gone a head and prodded developers to be more conscious of security problems - that's step 2. They've updated thier own software to be much more resilent to attack. This isn't about just buffer overruns and whatnot. It's about cross-site scripting, phishing, and the like. It's about redesigning things to be secure by default.

    Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.

    When the question "Seems like you're fighting a losing battle" was posed the MS guy responded by saying "'s not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline."

    Finally,as an FYI. The rate of security flaws in Windows itself isn't terribly bad. Windows XP is a decent product, and it's not terribly hard to harden. Take a Windows XP box, turn on auto-updates, run FireFox, and be done with it.

  23. Correction: by gillbates · · Score: 3, Insightful

    From the article:

    Software written by humans will always contain errors.

    Should read:

    Software written by Microsoft will always contain errors.

    I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app. It seems to me that Microsoft's has no idea what constitutes professionalism:

    1. Bug-free code isn't hard to write if you use good design principles. I do, and I don't see why Microsoft can't. My job depends on writing bug-free code; I don't have the option of simply letting it go - I either fix it, or I'm fired.
    2. Even if you can't write bug-free code, a well-designed, modularized project won't take long to debug. Given that most MS software is written in languages which encourage good design principles such as encapsulation, modularization, and well-defined interfaces, I'm at a loss as to explain how their software quality is so much lower than normal. The typical enterprise data system works more reliably than the most reliable Microsoft software.
    3. There is no excuse for not properly testing an application. You don't have to walk through every possible execution path to test well - rather, you can construct data and test sequences which will likely trigger the most common forms of bugs (like opening a document larger than the available memory, for example...).
    4. Even if you can neither design well nor write perfect code, a professional has an obligation to at least debug his code before release. People are going to spend billions of dollars on your software, and probably tens of billions of dollars cleaning up the security holes and bugs; these bugs are not mere inconveniences, and the software maker has a moral obligation to fix them before release.

    I understand why the majority of the world runs windows. Most people don't want to complicate things any more than necessary. But the inability of users to grasp technical details does not justify releasing a product, which in any other industry, would be a prime lawsuit candidate under fraud and lemon laws.

    --
    The society for a thought-free internet welcomes you.
    1. Re:Correction: by Macrobat · · Score: 4, Insightful

      I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app.

      I find this hard to believe. Are you saying that you write software that is as complex as the usual MS app, and that it contains no errors whatsoever and has never had to be debugged? It seems like everyone from Knuth on down has written bugs in software when working on an application of non-trivial complexity, so I'm a little skeptical if that's your claim.

      And the amount of data that an app processes is not the only measure of a program's complexity: does your program interoperate with a dozen others in a standard cut-and-paste manner; does it hide the complexity of operation from the end user so he or she can point and click and get things done; does it use an API so that software writers outside of your company can can write apps that interact with it; does your software run on multiple different hardware platforms; do you add new features to it when marketing surveys show people want it?

      I'm not saying that all of those criteria are necessarily the best or most desirable (e.g., sometimes you want software that's only usable by industry professionals), but those are the constraints that Microsoft operates within, and they all increase the complexity of even the simplest-seeming of applications.

      --
      "Hardly used" will not fetch you a better price for your brain.
  24. Re:Download.Ject by Jim_Maryland · · Score: 3, Insightful

    Unfortunately you'll find that organizations do rely on Internet Explorer as it comes with MS operating systems by default. Personally I avoid using MS IE unless absolutely necessary (a couple of my company's internal websites, namely benefits, time sheet, etc..., check for the browser and don't permit anything but IE) as I like features of the Mozilla based browsers (tabbed browsing being the first that comes to mind). As for calling it a mistake to choose IE only functionality, this all depends on the application. If developing for an internal website, then as a corporation, they do have the ability to require use of a particular application (even if the IT folks dislike it). This wouldn't be the logical choice, but the money controlling the project is theirs and they can decide what to do with it.

    As for you statement about the browser wars, hopefully your right. Ideally all browsers will approach the standards correctly and then end users will be able to choose the browser they like without worrying that some web pages will not display correctly.

  25. Re:Bash away... by Kent+Recal · · Score: 5, Insightful

    Linux remote-root exploits just happen rarely and kernel exploits even more so.

    But what excuse does the biggest software company in the world have to not fix the gaping security holes in their two most used and probably most sensitive applications, explorer and outlook?
    We are watching this weekly windows exploit drama not for months but for years now. It's getting really old and its not funny at all anymore.

    The worms we have seen were pretty harmless in my book, I'm still waiting for the one that carries some more serious payload. Like wiping out all accessible drives (network volumes), saturating all network cards with malicious packets, stuff like that. MS probably needs that kind of wake up call but are they really that bone-headed to not see it coming?

  26. Doubledge sword by superpulpsicle · · Score: 5, Insightful

    Linux will always be 1 step ahead in security.

    MS will always be 1 step ahead in features.

    Guess what, features sell. Maybe in the year 3000 things might be different.

    1. Re:Doubledge sword by BasilBrush · · Score: 4, Insightful

      How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?

      MS is one step ahead in having off the shelf applications written for it. That's the reason why most people stick with it. The applications that they already have, and the applications that they forsee themselves wanting to run run on Windows. It's not because of features.

    2. Re:Doubledge sword by Tanktalus · · Score: 4, Insightful
      How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?

      Us OS/2 guys always said the same thing about Windows - why wait for Windows95 when OS/2 had all its features, and stability as well? Obviously MS doesn't even need features to continue selling.

    3. Re:Doubledge sword by mnmn · · Score: 4, Insightful

      I just cant bear NOT to reply to this.

      Linux has more functionality than Windows. No question about it.

      Answer these:

      how many ports (cpu architectures) does windows run on?

      is windows tcpip more featureful and flexible than windows?

      which version of windows has more GUI features than the latest KDE or GNOME?

      does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)

      how many different ways can you install windows?

      is windows' threads implementation the best in the market?

      is windows memory management the best in the market?

      show me the most secure windows, I'll show you 10 more oses more secure than that.

      by a WIDE margin.

      --
      "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    4. Re:Doubledge sword by Joe+U · · Score: 5, Insightful

      And now I'll answer as the average Joe User.

      how many ports (cpu architectures) does windows run on?

      One, the system I own. I don't care about the others. I have no need to, this is not a hobby, this is my computer.

      is windows tcpip more featureful and flexible than windows?

      It works with everything I have.

      which version of windows has more GUI features than the latest KDE or GNOME?

      Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4

      does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)

      Your hardware is broken, you should fix it.

      how many different ways can you install windows?

      One, the way it installs on my system.

      is windows' threads implementation the best in the market?

      As far as I'm concerned it is.

      is windows memory management the best in the market?

      As far as I'm concerned it is.

      show me the most secure windows, I'll show you 10 more oses more secure than that.

      Strange, they all have BSD in their name.

  27. Matter of proportion by gillbates · · Score: 4, Insightful

    The objection is not that Microsoft's software is insecure, but rather that their closest competition has at least two orders of magnitude fewer exploits and viruses than they.

    If hundreds of exploits per month were discovered for Macs or Linux, your point would be valid. Problem is, the number of exploits available for all computers systems since the 50's is easily less than the number discovered in Windows in one year.

    To make matters worse the rate at which exploits are being discovered is increasing, not decreasing, or even remaining stable. And this from a company making three billion dollars a month. How is it then, that a bunch of ragtag volunteers put together a more secure OS than a company which can spend a billion dollars a month on development?

    Microsoft Windows, and the attendant problems it has experienced has brought shame on the entire profession. It isn't a matter of a few human errors here and there - Microsoft releases code with wanton disregard for the effects it will have on the user. You would expect more from a such a successful company, but apparently, Microsoft believes the professional standards followed by the rest of the industry simply do not apply to them.

    And that, is why they get bashed. They dismiss the wisdom gained by years of computer science, and when their systems run rampant with bugs and security holes, they claim that such lofty goals as security and reliability are unattainable - in spite of the fact that their peers who did heed the lessons of computers science have managed to build such systems.

    --
    The society for a thought-free internet welcomes you.
  28. Does it really matter? by hollywoodb · · Score: 3, Insightful

    I'm really starting to wonder that by the time Longhorn is released, will anyone really care? The hardcore will have read enough articles to make their eyes bleed. The linux folk will continue life as usual. Some of the better features have already been stripped. Microsoft says 2006, but I don't trust MS to keep a launch on schedule for two more years.

    --
    I may have to share this planet with animals, but I'm doing my damn best to eat every last one of them.
  29. Re:Longhorn by Epidemical · · Score: 3, Insightful

    I don't really see the conflict here.

    A large format camera is easy to use for someone with experience using it.
    MySQL is easy to install for someone with experience doing it.

    If you don't know how to do it, learn how before attempting to either use a large format camera or installing/configuring MySQL. Where exactly is the problem?

    I agree that some Linux applications need to be easier to install for ordinary users, but something as complex as a database installed with Next->Next->Next->Finished can only create problems.

    Signed,
    Unix-head.

  30. are apples the same as oranges? by way2trivial · · Score: 4, Insightful
    I've got an idea, lets make a list pitting product A's strengths against Product B's weaknesses..

    can your car go as fast as my bicycle?

    can my sister pee farther than my uncle?

    how many different programs can you burn dvd's with in linux?

    how many linux computers can play doom 3?

    I'm not playing favorites, just objecting to your biased list.

    --
    every day http://en.wikipedia.org/wiki/Special:Random