Slashdot Mirror


Windows Not Expected Secure Until 2011, Says MS

Rantastic writes "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2-year-old focus on security, comments 'it's more of a 10-year timeline.' He also reveals that he runs Firefox."

153 of 627 comments

  1. Download.Ject by romper · · Score: 3, Informative
    From TFA:

    WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?

    In case anyone is wondering about Download.Ject, check this link out. It's only a matter of time until a high-volume site gets compromised with this exploit. Scary stuff.

    Sadly, Firefox isn't affected.

    --
    Right is wrong when left is right.
    1. Re:Download.Ject by daeley · · Score: 5, Funny

      Sadly, Firefox isn't affected.

      When will Open Source advocates realize that it's just this sort of behind-the-times technological gaffe that will keep Linux in single-digit marketshare forever? ;)

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    2. Re:Download.Ject by W2k · · Score: 2, Informative

      If there's no fix for Internet Explorer, then what do you call this?

      Oddly, the site you linked says that SP2 users are affected, but Microsoft's page says they're not. Clearly someone must be wrong, or the page you linked is about a completely different bug (it does not mention Download.Ject in its body). What gives?

      --
      Quality, performance, value; you get only two, and you don't always get to pick.
    3. Re:Download.Ject by Jim_Maryland · · Score: 4, Informative

      If I'm not mistaken, XP SP2 includes the workaround which changes a registry entry related to the exploit. XP SP2 doesn't really fix this particular problem but disables the functionality that is being exploited. In a way, users aren't at risk, but if you rely on that functionality, well, you're out of luck for now or you must run with the risk.

    4. Re:Download.Ject by W2k · · Score: 4, Insightful

      Relying on IE-only functionality (as I assume this is) is a retarded thing to do anyway, with the extreme gain in marketshare that Firefox has seen recently. People who make that mistake deserve a good slapping, or at the very least, a reality check.

      Regardless of what Microsoft and their fans may think, the browser wars are all started up again. Anyone who designs their site to be IE-only nowadays is just asking for trouble. Unfortunately, it's not exactly uncommon.

      --
      Quality, performance, value; you get only two, and you don't always get to pick.
    5. Re:Download.Ject by aron_wallaker · · Score: 4, Informative

      I tried it on WinXP Pro (no SP2) IE 6.0.28 and it went through on the first try without even a warning from IE.

    6. Re:Download.Ject by Jim_Maryland · · Score: 3, Insightful

      Unfortunately you'll find that organizations do rely on Internet Explorer as it comes with MS operating systems by default. Personally I avoid using MS IE unless absolutely necessary (a couple of my company's internal websites, namely benefits, time sheet, etc..., check for the browser and don't permit anything but IE) as I like features of the Mozilla based browsers (tabbed browsing being the first that comes to mind). As for calling it a mistake to choose IE only functionality, this all depends on the application. If developing for an internal website, then as a corporation, they do have the ability to require use of a particular application (even if the IT folks dislike it). This wouldn't be the logical choice, but the money controlling the project is theirs and they can decide what to do with it.

      As for your statement about the browser wars, hopefully you're right. Ideally all browsers will approach the standards correctly and then end users will be able to choose the browser they like without worrying that some web pages will not display correctly.

    7. Re:Download.Ject by Dh2000 · · Score: 3, Funny

      Yep, it seems the grandparent installed IE.

    8. Re:Download.Ject by gad_zuki! · · Score: 4, Informative

      Just tried it on a fresh SP2 install and it works. The kicker is even after I've closed IE I still can't delete the boom.exe file from startup because it's being used by a different program. Oh well, might as well disarm it (yeah I know it's a 0kb exe but what the hey) with msconfig.

      The handful of sites that don't work well with Firefox/Moz is really a small price to pay for the added security especially in regards to drive-by spyware installs.

    9. Re:Download.Ject by Kernkraft400 · · Score: 2, Informative

      Try this to get round sites that check for the user agent and block non-IE browsers (it works a treat for me with Firefox 0.9.3)...

      *User Agent Switcher Extension*

      "The User Agent Switcher extension for Mozilla Firefox and Mozilla adds a menu to switch the user agent of the browser. It is designed to provide functionality similar to the 'Browser Identification' feature of Opera and allows configuration of the list of user agents to display in the menu."

      http://www.chrispederick.com/work/firefox/useragentswitcher/

    10. Re:Download.Ject by Henk+Poley · · Score: 2, Informative

      The exploit still works under XP SP2. At least the file was dropped there into my startup menu.

  2. Honesy by dsk052 · · Score: 2, Insightful

    Hey, at least their honest about it. They could have put a spin on it.

    1. Re:Honesy by krog · · Score: 5, Insightful

      They left the spinning to Slashdot. RTFA. The interviewee says:

      It's not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline.

      What he meant is that Microsoft is completely reworking the way their browser operates -- not just toughening a few system calls here and there. A total reconsideration of how a browser should be designed.

      The Slashdot editors took that and spit out "AHAHA M$IE INSEKURE UNTIL 2011! LOL@GATES"

      Hardly seems fair.

    2. Re:Honesy by Ignignot · · Score: 4, Insightful

      They could have put a spin on it.

      It is likely that this is spin. When someone has a job that depends on the future security of a product that is likely next to impossible to make secure without a complete rewrite, what can he do? He has a limited budget, and unrealistic goals. So he makes a 10 year plan, saying that they will be secure in 10 years. He shows progress to his boss, and his boss is happy. He gets to keep his job.

      Then, 2 years down the line, he revises his 10 year plan to expire in another 10 years - as long as the deadline is far enough away, he keeps his job, he puts food on the table, and the PR bunnies have something to hop about. This happens all the time in business, particularly publicly held companies. I would be very sceptical about any future Microsoft promises about security.

      --
      I submitted this story last night, and it didn't get posted.
  3. Interesting... by rah1420 · · Score: 2, Insightful

    I thought Microsofties had to eat their own dog food?

    --
    Mit der Dummheit kämpfen Götter selbst vergebens.
  4. Also admitted by ReidMaynard · · Score: 5, Funny

    Stephen Toulouse also admitted he is retiring in 2010...

    --
    -- www.globaltics.net

    Political discussion for a new world

    1. Re:Also admitted by southpolesammy · · Score: 3, Funny

      Perhaps, however I'm pretty sure it won't be from Microsoft after this article....

      --
      Rule #1 -- Politics always trumps technology.
  5. Missing: Interview by RobertB-DC · · Score: 5, Insightful

    What sort of "interview" only includes four loaded questions? Wired gets hold of the Microsoft "security program manager", and these are all the questions they ask? I'm no M$ fanboy (though I must admit I make a living writing programs for Windows), but surely they can do better than this obvious hatchet job:

    WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?

    In other words: So, when will you stop beating your wife?

    Meanwhile, Firefox and Opera look awfully appealing.

    Ok, the guy really stepped in it here when he plugged Firefox (though I'm an Opera fan, myself).

    What about removing capabilities from IE to beef up security?

    You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?

    Seems like you're fighting a losing battle.

    Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Missing: Interview by savagedome · · Score: 3, Funny

      when will you stop beating your wife?

      Mu

    2. Re:Missing: Interview by MrMr · · Score: 5, Insightful

      In other words: So, when will you stop beating your wife?
      Except that to make the analogy complete, you should add that in this case the question is put to somebody who is actually busy beating his wife...

      Objection: counsel is badgering the witness
      Overruled, Wired reporters are not counsel but more like prosecution, and this guy is not a witness but a suspect.

    3. Re:Missing: Interview by BrynM · · Score: 2, Informative
      What sort of "interview" only includes four loaded questions?
      In the print version of the September issue, it's just a sidebar. Wired does this a lot. There are often little tidbits in sidebars throughout the magazine. This was one of them. Go look at a copy at your local newsstand. I don't remember what page it's on, but it was never meant to be a full blown article/interview. I'm actually impressed that they include their content in the web version so completely.
      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    4. Re:Missing: Interview by Tet · · Score: 3, Informative
      Ok, the guy really stepped in it here when he plugged Firefox

      But he didn't even do that! All he said was that he needed to upgrade Firefox to fix a security problem. Not that he used it as his main browser, and certainly not that he didn't use IE every day like all good Microsoft employees. Merely that he had it installed on his machine, and patched it as appropriate. In his job, I'd expect him to have a copy of alternative browsers on his system. I'd be surprised if he doesn't have Opera installed, too.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    5. Re:Missing: Interview by l1_wulf · · Score: 2, Informative

      Wired: September 2004
      Hot Seat sidebar: "Microsoft's War on Bugs" page 098

    6. Re:Missing: Interview by sjames · · Score: 4, Insightful

      In other words: So, when will you stop beating your wife?

      Not really, no. The question was about a specific hole whose existence is not in dispute. It makes no unwarranted assumptions and doesn't ask him to make any new admissions in answering. Unless you mean to imply that the question might cause him to accidentally admit to doing his job?

      You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?

      Perhaps not, but it's a fair question. Many people are of the opinion that the feature shouldn't have been there in the first place (for security reasons). It wouldn't be the first time MS has given customers a choice between break feature X or be insecure.

      Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."

      Perhaps, but since MS has a history of being less than forthcoming on the witness stand (literally as well as figuratively), additional latitude in questioning may be given.

    7. Re:Missing: Interview by black+mariah · · Score: 2, Insightful

      Yeah, I'm sick of hearing this whiny tit moronic shit. "AH-HAH! Someone at M$ uses Firefox! M$$ IS T3H DYING!!!!1" Ummm... no, retard, they just don't see software as a fucking religion. I worked for one guitar company and still was able to play other companies guitars. My hands didn't burn off due to the sacrilege. It's a fucking piece of software. Same with the dipshits that spooge their pants when someone mentions MS buying more Macs. "OMG! THEY BUY APPLES!" They own a large stake of the company, and develop software for their platform... gee, why would they want to use Macs?

      Repeat after me: "I am a loser. I fill the void that social retardation has left in my personality with stupid shit that nobody else gives a flying fuck about. My opinion does not matter to anyone but me. My continued insistence on software-as-religion is fucking stupid, and I need to go out and get laid or at LEAST interact with other humans in some way."

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    8. Re:Missing: Interview by acebone · · Score: 3, Funny

      > "OMG! THEY BUY APPLES!" They own a large stake of the company,

      No - they sold that large stake didn't they ?

      >Repeat after me: "I am a loser. I fill the void that social retardation has left in my personality with stupid shit that nobody else gives a flying fuck about. My opinion does not matter to anyone but me. My continued insistence on software-as-religion is fucking stupid, and I need to go out and get laid or at LEAST interact with other humans in some way.

      Eat your own dogfood man !

      --
      Check out my PHP Url Validator
  6. I security really that important? by ellem · · Score: 2, Insightful

    Windows hasn't been all that secure since, well, forever. Has the horrendous security done anything other than support thousands of jobs and spawned a massive aftermarket security industry?

    --
    This .sig is fake but accurate.
    1. Re:I security really that important? by hernyo · · Score: 5, Insightful

      This sounds like "death is good because it makes us appreciate life"...

      Non-security is a thing we don't like, so of course we want to get rid of it.

      -----
      yeah, my englisk sucks

    2. Re:I security really that important? by dodgy_knickers · · Score: 5, Insightful

      "Has the horrendous security done anything other than support thousands of jobs and spawed a massive aftermarket security industry?"

      By that logic, we should view terrorism as good for the economy since it creates jobs for the folks employed at the office of Homeland Security.

      Think, real hard. What other effects came from security flaws (in either case)? Anything bad? Anything at all?

      Perhaps this is just crazy talk, but I submit that there are better ways to stimulate the economy.

      -kev

    3. Re:I security really that important? by mrchaotica · · Score: 5, Insightful

      Those thousands of jobs are just running on a treadmill and sucking resources from companies that do real work. If Windows was secure, all that capital and talent could be used for something better.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:I security really that important? by jcr · · Score: 3, Funny

      Broken Window Fallacy.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    5. Re:I security really that important? by EinarH · · Score: 4, Interesting

      Read this.

      --

      Melius mori in libertate quam vivere in servitute.

    6. Re:I security really that important? by jcr · · Score: 2, Insightful

      Yeah, but dang it: I meant to say "Broken Windows Fallacy".

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  7. Palladium? by onree · · Score: 5, Interesting

    Sounds like an acknowledgment of the extended timeline for something like Palladium/Trusted Computing. I've been curious to hear more about when and where that's actually going to show up.

  8. He runs Firefox, duh!? by garcia · · Score: 4, Insightful

    He also reveals that he runs Firefox.

    If you were working in the X division of a company wouldn't YOU be using a competitor's program so that you could know what they were doing to make their side better? I know I would.

    In fact, I would be completely disappointed if he DIDN'T run Firefox.

  9. Reading between the lines by El · · Score: 5, Funny

    "it's more of a 10-year timeline... but my stock options will be fully vested in 5 years, so I'll be long gone before the shit hits the fan on security still not being fixed!"

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  10. I dont know if he really *uses* firefox... by angst7 · · Score: 4, Interesting

    The context made it seem more like he saw an opportunity to mention a flaw in the competing product.

    --
    StrategyTalk.com, PC Game Forums
    1. Re:I dont know if he really *uses* firefox... by Aneurysm9 · · Score: 4, Insightful

      Exactly. When was this interview done that he had just installed the shell exploit fix that morning? Besides, that's a fix for a *Windows* problem and he should be more concerned with fixing it than making hay about someone else's patch for their problem.

      --
      There was Cowboy Neal at the wheel of a bus to never-ever land.
  11. Four Questions by AKAImBatman · · Score: 3, Insightful

    Only four questions? Yikes! That's not much of an article!

  12. Re:Download.Ject -- CORRECTION by romper · · Score: 5, Informative
    Sorry to reply to my own post, but figured I should before the flamethrowers start in.

    Download.Ject information is actually here. The exploit referred to above is actually the "what a drag" exploit. Still pretty scary if you ask me.

    Anyway, the editor (me) regrets this error. =)

    --
    Right is wrong when left is right.
  13. 7 Years To Go? by MooseByte · · Score: 3, Funny

    ... So please refrain from computing for the next 7 years. Just go about your lives. Pay no attention to the penguin and cute little red daemon over there. Hey look! Over here! Have this complimentary Plush Clippy!

  14. Service Pack 2 by mishehu · · Score: 4, Funny

    And gee, I thought that service pack 2 with a firewall that can be controlled by ActiveX was going to fix all of those holes!

    Oh, wait, actually service pack 2 renders some computers unbootable, so that must be the real trick!

    1. Re:Service Pack 2 by Bert64 · · Score: 2, Funny

      Well, XP is the most secure Windows ever!
      Haven't you read the blurb during installation? It also starts much faster than any previous version of Windows...
      Let's forget about 3.1, which on any machine capable of running XP loads almost instantly and doesn't even support TCP/IP by default, so no chance of getting owned on the internet.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  15. Totally by mfh · · Score: 2, Insightful

    Geez, if I said things like that about my product, to the extent where I wouldn't even use it because it's so insecure, I'd be shown the door in next to no time.

    Yeah, who wants to bet that Stephen Toulouse gets a pink slip? It wasn't long after Salon suggested people switch to Firefox or Mozilla until IE was patched, before we learned that MS was selling the magazine.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Totally by Duke+Machesne · · Score: 2, Informative

      That was slate.

    2. Re:Totally by Duke+Machesne · · Score: 3, Funny

      heh... don't take it so hard ;)

      I once spent fifteen minutes arguing that Elvis Costello was in Styx.

  16. Fat lot of good it will do... by darth_MALL · · Score: 5, Funny

    According to the Mayan Calendar we'll only get a year to enjoy it!

    1. Re:Fat lot of good it will do... by MooseByte · · Score: 4, Funny

      "According to the Mayan Calendar We'll only get a year to enjoy it!"

      We won't even get there. I hesitate to instigate a panic, but... MY calendar runs out on Dec 31 of THIS YEAR! AAAIEEEEEE!

  17. No Time Toulouse by Otis2222222 · · Score: 5, Funny

    The first thing I thought of when I saw the guy's name. Still cracks me up every time I see it. Am I the only one that thought of this sketch?

  18. Move the timeline out indefinitely... by Anonymous Coward · · Score: 4, Funny

    If everyone is spreading viruses, it ceases to be a stigma, and becomes the accepted norm. Think of it this way:

    If everyone had AIDS, you wouldn't have to be all that concerned about STDs now, would you?

    New Apple ad:
    iMac, it's like a computer with a condom!

  19. Security Update by MikeMacK · · Score: 5, Insightful
    Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system.

    But that's just it, at least he had an update to install. MS doesn't release security updates as quickly as it needs to, as the first question mentioned.

    1. Re:Security Update by Archangel+Michael · · Score: 5, Informative

      Actually, the exploit only worked on Windows Machines. Firefox for Linux, MacOS etc was not affected. It had more to do with native Windows security than it had to do with Firefox.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  20. Buy a car from my company now! by tie_guy_matt · · Score: 3, Interesting

    Yes buy a car from me today. Look at all the great features! The controls are so easy to use! Any idiot can drive one!

    Of course we won't perfect the brakes or the air bags for another 10 years or so, but hey the seat belts work most of the time. So buy my car version "XP" now so you can get a taste of what a safe car of the future will be like

  21. Re:Firing offense? by gregarican · · Score: 3, Informative

    I recall years ago working for the RAID manufacturing division of Conner (the hard drive/tape drive company, which was bought out by Seagate). The building right down the street from ours was responsible for tech support of their tape drives and backup software. What did our facility use for backup software? Not Backup Exec! We used Legato Networker. I recall some tours the corporate big wigs were given every now and then. Their expressions were funny to see if they peeked in the server room!

  22. Story comes with ad for Microsoft "security" by Animats · · Score: 3, Funny

    This Slashdot page is being served with a Microsoft ad boasting about their security. Really.

  23. Bash away... by MalaclypseTheYounger · · Score: 2, Insightful

    Everyone bashes Microsoft because of their fallible software.

    Let's think about this for a moment: ALL SOFTWARE IS INSECURE. Microsoft is just the biggest player, so they are targeted the most often. There have been 'proof-of-concept' viruses written for Linux, Macintosh, even cellphones via BlueTooth.

    Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.

    If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?

    No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'

    Microsoft is partly to blame, but they're the biggest fish in the sea. Every 'fisherman' is out to get them. When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet.

    (I fully expect to be modded down a bajillion points for making a case for Microsoft here. Go ahead, then)

    --
    Check out the best P2P sharing website: MEDIACHEST.COM
    1. Re:Bash away... by BenjiPenguin · · Score: 5, Insightful

      "Microsoft is partly to blame, but they're the biggest fish in the sea. Every 'fisherman' is out to get them. When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet."

      Linux is already one of the biggest players in the server department, and that's where a majority of viruses and exploits are aimed at... I still don't see announcements for all these businesses running Linux servers being compromised.... The fact is, Linux is theoretically and in actual practice more stable and secure. Windows isn't.. A virus won't JUST affect your user account files in Windows... I think they're mostly to blame...

      " No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'"

      People aren't that smart.

    2. Re:Bash away... by josh3736 · · Score: 2, Insightful
      I wish I had the points to mod you up. You make very valid points that the zealots just don't want to hear.

      I hear about Linux exploits just as often as Windows exploits. There are kernel exploits that can get a remote user root. But it always gets brushed off as not a big deal, because hey, there's gonna be a patch out in a few days, right?

      Sure, but the serious Windows exploits usually have a patch out in a few days too. It's just a matter of the responsible persons getting it installed.

      Linux or Windows, if you don't take steps to be secure, you're gonna get 0wn3d. And that's the problem-- most Windows users don't even understand the fundamental problem, much less why they should install these updates. This is why I think SP2 is a move in the right direction with Windows Update automatically downloading and updating by default. I just fear the day someone cracks Windows Update and has it distribute their new l33t worm...

    3. Re:Bash away... by Peaker · · Score: 2, Interesting

      There have been 'proof-of-concept' viruses written for Linux, Macintosh, even cellphones via BlueTooth.

      And how many of them actually succeeded in infecting millions of machines?

      Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.

      That analogy is useless. In computing, the OS can have near infinite control of all the computer's resources, including all of its outgoing connections/etc, while a car only has control of itself. Thus, in computing, if done right, an OS can use its power to limit unwanted use of its resources much more powerfully than a car can limit another from racing into it.

      When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure..

      Your statements sum up to:

      A. Windows is more targeted by attackers than other operating systems
      B. Other operating systems are just as insecure

      And you attempt to make B sound as the logical continuation of A. Well, it isn't, and B is only your personal opinion.

    4. Re:Bash away... by El · · Score: 2, Interesting

      even cellphones via BlueTooth. Uh, those cellphones wouldn't by any chance happen to be running Windows CE, would they? (Actually, the problem is that the OBEX protocol allows anyone to send a business card to your PDA/cellphone without asking your permission first. How those business cards then become executables or alter existing files is beyond me.)

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    5. Re:Bash away... by El · · Score: 2, Funny
      If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer? Yes we should blame the manufacturer, if the vehicle is configured by default to drive 100mph in reverse with the lights off, and it actually requires a more sophisticated user to reconfigure it to go forward more slowly with the lights on...

      A more appropriate analogy would be if a car manufacturer made a car with a big, shiny hood ornament, but when anybody pressed on it, it would pop the hood open. Sure, it makes it easier for mechanics to access the engine... but it also makes it easier for miscreants to steal your battery!

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    6. Re:Bash away... by MikeMacK · · Score: 2, Insightful
      Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.

      I think a big difference here is that car manufacturers REDESIGNED cars to add those things, we don't have airbags in our Model-T's. MS has not done a good job of redesigning Windows, so the insecurities remain.

    7. Re:Bash away... by Kent+Recal · · Score: 5, Insightful

      Linux remote-root exploits just happen rarely and kernel exploits even more so.

      But what excuse does the biggest software company in the world have to not fix the gaping security holes in their two most used and probably most sensitive applications, explorer and outlook?
      We are watching this weekly Windows exploit drama not for months but for years now. It's getting really old and it's not funny at all anymore.

      The worms we have seen were pretty harmless in my book, I'm still waiting for the one that carries some more serious payload. Like wiping out all accessible drives (network volumes), saturating all network cards with malicious packets, stuff like that. MS probably needs that kind of wake-up call but are they really that bone-headed to not see it coming?

    8. Re:Bash away... by argent · · Score: 2, Insightful

      I hear about Linux exploits just as often as Windows exploits

      Funny, I don't. I wouldn't be horribly upset if I did, I don't care for Linux all that much and I use other systems more often myself. But I don't.

      I hear about exploits in third party applications that run on both Windows and Linux get called "Linux Exploits". I hear about exploits in interfaces that both Windows and Linux used called "Linux Exploits". I hear about exploits in some proprietary package Red Hat added called "Linux Exploits". I don't hear about exploits in Mozilla or Opera called "Windows Exploits". I don't hear about flaws in encryption algorithms called "Windows Exploits". And I definitely don't hear bugs in software HP or DEC added to their laptop installs called "Windows Exploits".

      the serious Windows exploits usually have a patch out in a few days too

      Microsoft has refused to fix a fundamental security flaw in IE for seven years now, and even fought a lawsuit that could have forced them to fix it or be split into multiple companies if they lost, and it's still there.

      Linux or Windows, if you don't take steps to be secure, you're gonna get 0wn3d

      Windows is the only one where, by default, every user is root on their own machine, all the time, so EVERY remote exploit is a root exploit.

      Windows is the only one where, by default, all the exploitable services are turned on after you've installed it.

      Windows is the only one where you can get exploited just opening an email message. That one still boggles me... back before Melissa, the idea of a mail virus or worm that could do that was a JOKE. You at least had to explicitly run something before you could get attacked, so the "Good Times" virus hoax was hilarious. Nobody would ever build a mail program that would do that, or if they did they'd fix it for good, right away, by removing the ability to run software from a text window...

      That Microsoft not only did it, but has refused to back out of the design that *still* allows it to happen whenever someone comes up with a new combination of file names and types to trick it into running something in the wrong zone, is just incomprehensible...

  24. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  25. What?? 100% known secure isn't possible. by DunbarTheInept · · Score: 4, Insightful

    What in the blazes does it mean for something to finally be "secure"?? It's not as if it's actually an achievable goal, and it's not as if you'd have a way to detect when you'd achieved it even if it was achievable.

    The 100% secure line is an asymptote. You can get fractionally closer to it, but never ever actually achieve it.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  26. Re:It's a JOKE by Ignignot · · Score: 5, Funny

You may think that it's funny that Firefox doesn't support Download.Ject technology, but for the rest of us in the real world, how can we offer it as an alternative to Explorer? My PHB will just say "Ignignot, I like this FireFox thing you have working on my computer. But I've read in the Wall Street Journal that it doesn't support Download.Ject. I'm afraid we simply can't afford to make this switch."

    We need this feature fixed now if not sooner, otherwise we're all going to be stuck using this insecure MS offering!

    When will there ever be a feature complete open source internet explorer??

    --
    I submitted this story last night, and it didn't get posted.
  27. To be fair... by artemis67 · · Score: 5, Insightful

    he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.

    I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.

    1. Re:To be fair... by Patoski · · Score: 2

      he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.

      I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.


What made this quote so striking isn't that he uses a competitor's product (he *should* be using their product). The point is that he *must* use a competing product because IE isn't secure in this case. To underline the matter, both browsers were exposed to this vulnerability, but Mozilla/Firefox had a patch out the same day the vuln was reported to them. We're all still waiting for a patch from MS, closing in on two months later, to fix this security hole. Surely that is at least a little embarrassing considering all the noise out of Redmond lately about security being their top priority.

      I do give Toulouse big points for mentioning that he had to use Firefox in this case. Honesty like that is refreshing! The software industry could do with a bit more candor like this.

      --
      G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
  28. In case you're wondering... why? by Penguinoflight · · Score: 4, Insightful

First, someone above posted the analogy between the Windows security fix and Slashdot's terrible "IT" theme.

    Second, the idea that an MS head is using firefox is hardly surprising, it's much more at issue that he's willing to admit it to Wired, and doesn't even seem to mind that open source is a better alternative.

    Microsoft has had a history of using open source projects, most famously with qmail+unix on their hotmail, but even branching to the MSN gaming zone, etc. It's really not too surprising, considering a lot of the unix foundation implemented in their NT-XP series.

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
    1. Re:In case you're wondering... why? by 4of12 · · Score: 3, Interesting

      the idea that an MS head is using firefox

      and that he projects such a long time for security to happen gives him greater credibility among IT people that have a clue.

      MS has lost so much credibility in so many ways in the past that they have nowhere to go but up. Why pretend anymore?

      --
      "Provided by the management for your protection."
    2. Re:In case you're wondering... why? by burns210 · · Score: 3, Informative

      "qmail+unix on their hotmail"

      That was from the original creators of hotmail. MS bought out hotmail... It took several years, but Hotmail was finally moved over to an NT base, which it now runs on.

  29. Among other browsers, I'm sure! by addie · · Score: 5, Insightful

    He also reveals that he runs Firefox

Indeed, parent post is correct. Besides, the article doesn't say that he uses FireFox exclusively by any means. In fact he only mentions FireFox to prove that all browsers are susceptible to attacks. Here's hoping he also uses NS, Opera, Safari, and whatever browser he can to do testing and research.

    Yet more spin by /. zealots who don't take the article at face value.

  30. Sad by apoplectic · · Score: 5, Insightful

    What kind of pathetic headline is that? When did MS say "MS not expected secure until 2011"?!?! This is called sensationalist GARBAGE, people! Stop putting this swill up as headline material.

    Having someone say "it's more of a 10-year timeline" does not equate to "MS not expected secure until 2011"...much less "MS says" 2011. The phrase "more of a..." connotes a generality. The headline is pure, conjured specificity.

    Crap like this makes me become seriously disenchanted with Slashdot.

    1. Re:Sad by apoplectic · · Score: 2, Informative

Microsoft never said "it's a 10 year plan". Sure, I'm picking nits here...but the crux of the quote is that there is no quick fix in, say, 2 to 3 years..."it's more of a 10-year timeline". In other words, less than a sprint and more like a marathon. Is that a 5 year marathon? Ten years? Fifteen years? Who knows? Microsoft might know for certain, but they're only throwing out generalizations here.

      But this quote does NOT read "it's a 10 year plan". Read into it what you will; embrace self-delusion.

    2. Re:Sad by Sponge+Bath · · Score: 4, Funny
      Crap like this makes me become seriously disenchanted with Slashdot.

      Really?

      It keeps me coming back for more...
      just like Big Macs and nicotine.

  31. Even XP SP2 is easy to tamper with by mslinux · · Score: 5, Informative

    Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin ;)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start

Also, here's a Python script that will automatically kill the new "Windows Firewall" in XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.

These are just two examples of what MS does to "secure" their systems. God help us all.
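As an added defender-side check, not the post's script nor anything from the linked one, here is a Python routine that parses a registry export and flags the tampering the post describes (the wscsvc Start value set to 4, meaning Disabled). The expected Start values and the SharedAccess service name for the XP firewall are assumptions; the .reg text is a constructed sample.

```python
import re

# Meaning of a service's Start DWORD (documented Windows values).
START_VALUES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# What a defender expects to see. wscsvc (Security Center) comes from the post;
# SharedAccess (Windows Firewall/ICS service) and both expected values are assumptions.
EXPECTED = {"wscsvc": 2, "SharedAccess": 2}

# Matches a direct Services\<name> key line in a .reg export (subkeys are skipped).
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\\\]]+)\]$", re.I
)
START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.I)


def parse_service_starts(reg_text):
    """Return {service_name: start_value} from the text of a .reg export."""
    starts = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):
            current = None  # some other key; ignore its values
            continue
        m = START_RE.match(line)
        if m and current is not None:
            starts[current] = int(m.group(1), 16)
    return starts


def find_tampered(reg_text, expected=EXPECTED):
    """Return (service, expected_label, actual_label) for every service whose
    Start value is missing or differs from what the defender expects."""
    starts = parse_service_starts(reg_text)
    findings = []
    for svc, want in expected.items():
        got = starts.get(svc)
        if got is None:
            findings.append((svc, START_VALUES[want], "missing"))
        elif got != want:
            findings.append((svc, START_VALUES[want], START_VALUES.get(got, str(got))))
    return findings


# Constructed sample export: Security Center has been set to Disabled (4),
# the firewall service is still Automatic (2).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for svc, want, got in find_tampered(SAMPLE_REG):
        print(f"{svc}: expected {want}, found {got}")
```

On a real machine the same check can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` (the post's path names ControlSet001 directly; both are matched).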

    1. Re:Even XP SP2 is easy to tamper with by JKR · · Score: 2, Insightful
      It asks you which of the current users should be setup as a local system admin

      This is not how you should set up a domain, by the way. There shouldn't BE any local users other than the local administrator. Domain user accounts are managed from the domain controller.

      Usually we only have one user on each machine, and so they get the admin rights locally on it.

      And why are you expecting this to be secure? Do you give everyone root on their own linux boxes as well? Any domain admin with a clue sets things up so that the domain users are "User" or "Power User" at best, and a lot of places lock things down even further using group policy. You can reduce XP to kiosk mode if necessary. I've actually deployed SP2 in a domain and the XP firewall can be configured using domain policy such that local admin can't mess with it.

      Jon.

  32. What is unfair here? by revscat · · Score: 4, Informative

    A) A Microsoft representative said that it will take an estimated 11 years to fully secure Windows
    B) Slashdot reports this

    What spinning or unfair editing took place here? Your pullquote doesn't seem to show anything unfair. Yes, they are reworking key system components. But that still doesn't change the fact that Windows is so insecure that it will, by their own admission, take over 10 years to fix it. That's pretty important.

    1. Re:What is unfair here? by danheskett · · Score: 5, Insightful

      What spinning or unfair editing took place here?
No, the Microsoft guy said that the security goals set forth are not short-term goals, but rather long-term goals, aka 10 years.

      The headline of the Slashdot article makes it seems like he said flat out that Windows will be insecure for 10 years. Which isn't true, and which isn't what he said.

      At some point people on Slashdot are going to have to come to grips with the fact that there are levels of security. MS is in the middle of a big push to change how they themselves and more importantly their customers think about security.

      It's a non-trivial thing. Windows developers haven't been thinking about security until recently. It's been a non-issue until the world and MS made it one.

      Getting the core of Microsoft software, applications, services and servers up to date, as well as creating tools that forcefully prod developers into coding effectively and securely is the real big goal of Microsoft's security plan.

      Now look at this very short interview. The original question was:

      We asked Stephen Toulouse, Microsoft's security program manager, if Redmond is fighting a war it can't win.
      That's clearly the question he is responding to in the final "question": "Seems like you're fighting a losing battle.".

      Rethink it in light of that question. Security isn't a start at X, arrive at Y, and you are done thing. Any developer knows that.

MS has done the basic things they never did before: disable services by default, enforce passwords, use least privilege practices, and the like. That's step 1. They've gone ahead and prodded developers to be more conscious of security problems - that's step 2. They've updated their own software to be much more resilient to attack. This isn't about just buffer overruns and whatnot. It's about cross-site scripting, phishing, and the like. It's about redesigning things to be secure by default.

      Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.

When the question "Seems like you're fighting a losing battle" was posed the MS guy responded by saying "It's not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline."

Finally, as an FYI, the rate of security flaws in Windows itself isn't terribly bad. Windows XP is a decent product, and it's not terribly hard to harden. Take a Windows XP box, turn on auto-updates, run FireFox, and be done with it.

    2. Re:What is unfair here? by malfunct · · Score: 2, Interesting
      I agree with you, 11 years to as near perfect as they understand how to do. SP2 was a huge way toward basic security and did many good things.

What I want to know is whether Linux has even admitted that it has a security problem to work on? I know they try to be secure but it seems a great many people think that Linux is already secure.

      --

      "You can now flame me, I am full of love,"

  33. Meaningless by Lord_Dweomer · · Score: 2, Insightful
In that much time, there will be new vulnerabilities discovered in new software that is created. There will ALWAYS be a way, and there is no way they can guarantee this. Will computers be a little more secure? Sure, in many ways. But they will also be a lot more insecure in others. Remember, we're dealing with the same idiots who install Bonzi Buddy because he seems friendly, or Weatherbug because it sounds so convenient that they don't care about the EULA.

    --
    Buy Steampunk Clothing Online!
  34. Re:Firing offense? by brickbat · · Score: 5, Informative

    This really needs to be modded down, as it's not only not insightful, it demonstrates a total lack of comprehension of Toulouse's response.

    He did not say he didn't use IE. He simply mentioned needing to install a security update of Firefox. Yes, Virginia, there are other browsers that have security flaws other than IE. That doesn't make them better or worse, it just illustrates that the problem isn't isolated to Microsoft.

    And I suspect that in performing his job duties, he needs to be familiar with a wide array of browser technologies, not just IE.

    So, please mod the parent down -1, Needs a Clue.

  35. 2011, huh? by faqmaster · · Score: 4, Funny

    Great. Linux should be ready for the desktop by then!

    --
    Are you...Are you some kind of genius?
    No, ma'am, I'm just a regular Slashdot reader.
  36. Firefox has bugs by qwerty75 · · Score: 2, Informative

Not certain what the big deal is about him running Firefox. It seems to me the only statement he made was that he has to download patches for that program too, not that he exclusively used Firefox as his browser because of security problems with IE.

    The only secure computer is one that is turned off and encased in six cubic feet of concrete surrounded by a faraday cage.

  37. What the...? by Jugalator · · Score: 4, Insightful

    Since when did security become a goal you can achieve after a certain amount of time?

    It's something you always need to keep an eye open for, and combat exploits whenever necessary. How can Microsoft say "it's more of a 10-year timeline". That statement alone makes me wonder how sane Microsoft's security program manager is. So Microsoft are going to dismantle their security team in 2011?

    What would the Linux community think if Linus went out claiming that "we expect the Linux kernel to be secure in version 3.0"??

    Anyone who takes software security seriously should understand that you can never expect a product to be secure after some period of time.

    "Secure" is also relative and not at all an absolute term.

    --
    Beware: In C++, your friends can see your privates!
  38. Re:Firing offense? by GeorgeMcBay · · Score: 3, Informative

He doesn't say he doesn't use IE because it is insecure. What he said is he recently had to patch a Firefox installation because it (also) suffered from an exploit.

    Somebody didn't read the article...

  39. Re:Longhorn by Anonymous Coward · · Score: 3, Insightful
    It's way easier than that. No need to create a user/group [which would require root access that not all companies give everyone].

    Unlike most MSFT software, MySQL installs just fine without root privileges.

  40. Linux add.... by vwjeff · · Score: 4, Funny

New Apple ad:
iMac, it's like a computer with a condom!


New ad for Linux:

Linux: you can't get infected unless you get laid.

  41. Everyone so far has missed the point by slashname3 · · Score: 2, Interesting

    Everyone so far has missed the point about him saying their security plan was a 10 year plan. Microsoft looked long and hard at the trends and figured out that in 10 years Windows would be displaced as the leading client OS by Linux (or some other system).

Case in point, they are paying out a huge dividend this year. Why? So they can all pocket a boat load of money before everyone finds out that Longhorn won't be delivered on time or with all features (see other recent story on /. about this).
So now that they have drawn down that huge cache of money and paid it to all those that hold stock they can cruise control for a few years as they start figuring out ways to sell off portions of the company to turn it into money to put in their pockets.

I believe they have seen the writing on the wall and have started the process of shutting things down. Only problem is that you don't shut down a colossus like Microsoft overnight. Very similar to AT&T, they have been in a downward spiral for many years. In AT&T's case they have at most another 5 years before someone picks up the carcass and finishes stripping it. Microsoft will take another 20 years before they finally have squeezed every last nickel out of the user population.

  42. Re:What?? 100% known secure isn't possible. by Aadain2001 · · Score: 2, Insightful

    True, but when you are only at 20%, you still have a LOOOOOOONG way to go. You can start complaining about this when MS is closer to 95-99% :-P

    --
    Space for rent, inquire within
  43. Re:Longhorn by MooseByte · · Score: 3, Funny

    "What if God smoked Cannibis?"

    Dude, come on. The platypus is a dead giveaway.

  44. Re:Download.Ject -- CORRECTION by Davak · · Score: 3, Informative

    Is the "what a drag" exploit the same as the drag and drop exploit?

I couldn't open the sample exploit listed in the parent, but I could open the one in the link I provided. The proof is safe and scary.

    If they are not going to fix these errors, Microsoft should at least give us a naming system! It's hard to discuss the exploits when we don't know how to name them correctly. :)

    Should we call this one "how to skin a windows box"?

  45. BWAHAHAHAHAHA!!! by Master+of+Transhuman · · Score: 3, Funny

    It doesn't get better than this!

    Microsoft will take TEN YEARS to get secure?

    After pissing away thirty billion in R&D money for a one-time stock prop scheme?

    And their head of security uses Firefox?

    This is like discovering Bush prays to Allah!

    BWAHAHAHAHAHA!!!

    Hey, how about this theory?! Gates is secretly a hacker like the guy in the Sandra Bullock movie and really wants everybody to be insecure so he can take over the world!

    BWAHAHAHAHAHAHA!!!

    Mod this troll, mod this flamebait! Is that all you got, huh? Are you nuts? Come at me!

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    1. Re:BWAHAHAHAHAHA!!! by Quill_28 · · Score: 3, Informative

      > This is like discovering Bush prays to Allah!

      He does.

The Jews, Christians, and Muslims pray to the same God, the God of Abraham.

The Jews come from the line of Isaac (Abram's son with Sarah), the Muslims from Ishmael (Abram's son with Hagar).

The Jews are still waiting for the Messiah, while the Christians believe the Messiah has come (Jesus Christ).

  46. Re:Firing offense? by prisoner-of-enigma · · Score: 2, Insightful

He doesn't say he doesn't use IE because it is insecure. What he said is he recently had to patch a Firefox installation because it (also) suffered from an exploit.

    Somebody didn't read the article...


No, somebody did read the article, but filtered out anything remotely resembling (a) a slight against OSS and (b) any vindication, however slight, of Microsoft and their products. Typical Slashdot behavior. Everything bad about Microsoft must be emphasized, and anything good must be squelched. At the same time, anything good about FOSS must be emphasized, and anything bad must be buried with Jimmy Hoffa.

    Where's the "-1 Michael-Moore-style selective editing" mod point when you need one, eh? That's what I love about Slashdot, the fair and balanced perspective everyone has here. Makes me so proud to be a Linux user. Not.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  47. respun by Doc+Ruby · · Score: 2, Insightful

    In other words "Windows Expected Insecure Until At Least 2011, Says MS".

--
make install -not war

  48. Re:Firing offense? by calethix · · Score: 5, Insightful

    That's what I'd like to know. The article summary makes it sound like he uses Firefox because he doesn't trust IE.
    All I found in the article was:
    "Meanwhile, Firefox and Opera look awfully appealing.
    Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."


    That sounds more to me like he's trying to point out that other browsers can have vulnerabilities as well. He doesn't say anything about exclusively using Firefox. Maybe he just installed Firefox just to see what the competition is like.

  49. Poor guy is really having to struggle... by argent · · Score: 4, Informative

    Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.

    On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.

I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect the only hope is that other browser developers will suddenly agree with Microsoft that security zones based on the current location of a file are a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.

50. That's not a FIX... That's a FUX by Foofoobar · · Score: 4, Funny

That's not a fix, that's a FUX. It looks like a fix but if you perceive a FUX to be a FIX, you're bound to get FUXED.

    Seriously though, they can't fix it without removing IE from the system. You can easily get around their FUX by using a shell call... which makes this bug even scarier.

    --
    This is my sig. There are many like it but this one is mine.
  51. IE share down 2% according to WSJ by pileated · · Score: 2, Interesting

    Oddly enough I happened to read both the WSJ article and the Toulouse mini-article during my lunch a few minutes ago and came back to find this on slashdot.

    I also have to commend the graphic that accompanies the WSJ article. The article says that for the first time ever IE share dropped, presumably because of the virus threat. Also a few words about the Mozilla developers.

  52. It's the fundamental APIs by msobkow · · Score: 4, Interesting

    The heavy use of anonymous pointers, multi-function entry points, and DLL initialization/release interactions create an absolute nightmare to maintain.

    Even for a relatively small project, you have to spend a fair amount of time just getting code separated into mainline and DLL. Then you get the joy of dealing with the weirdities of the Windows variation on process interaction with DLLs.

    I can't imagine any way of securing that spaghetti except to scrap the Win32 API and make the .Net framework the Windows programming layer. Then you can get rid of those holdover APIs from DOS-thunker days and replace the kernel with one that was designed for multi-user security.

    You can be grateful Microsoft is finally taking security seriously if you like. I look back on 10-15 years of pager calls, system recoveries, and late projects because of bugs, many of which have never been fixed. My patience with their problems and excuses ended a long, long time ago.

    Don't forget Microsoft has been around almost exactly as long as GNU.org. Linux is a pup compared to Windows, yet look how much faster that team addresses problems than the much larger team at Microsoft.

    If Microsoft's market share begins hurting because of their security issues, they've no one else to blame but themselves. If the industry demands POSIX server APIs and Windows can't deliver, Microsoft has no one to blame but themselves -- the Cygwin team seems to have managed the task.

    Microsoft and a lot of other companies need to get back to re-verifying their core business and refocus on producing marketable products and services. Times change, and last decade's sure winner is last year's end-of-life product. A little less focus on the stock market, and a little more on realistic business models and long-term viability.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:It's the fundamental APIs by IvyKing · · Score: 2, Informative
      Don't forget Microsoft has been around almost exactly as long as GNU.org.

Don't you mean that Microsoft Windows has been around almost exactly as long as GNU.org???

      Microsoft started ca 1976, MS-Windows 1.0 announced late 1983, GNU manifesto published in Dr Dobbs in 1984.

  53. Re:Longhorn by Deep+Fried+Geekboy · · Score: 4, Insightful

    For feck's sake. That's the SIMPLEST install?

    Simple to me means 'double click the installer, then type your password when it asks for it'.

    --

    I'm not wrong. You haven't thought about it hard enough.

  54. Correction: by gillbates · · Score: 3, Insightful

    From the article:

    Software written by humans will always contain errors.

    Should read:

    Software written by Microsoft will always contain errors.

I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app. It seems to me that Microsoft has no idea what constitutes professionalism:

    1. Bug-free code isn't hard to write if you use good design principles. I do, and I don't see why Microsoft can't. My job depends on writing bug-free code; I don't have the option of simply letting it go - I either fix it, or I'm fired.
    2. Even if you can't write bug-free code, a well-designed, modularized project won't take long to debug. Given that most MS software is written in languages which encourage good design principles such as encapsulation, modularization, and well-defined interfaces, I'm at a loss as to explain how their software quality is so much lower than normal. The typical enterprise data system works more reliably than the most reliable Microsoft software.
    3. There is no excuse for not properly testing an application. You don't have to walk through every possible execution path to test well - rather, you can construct data and test sequences which will likely trigger the most common forms of bugs (like opening a document larger than the available memory, for example...).
    4. Even if you can neither design well nor write perfect code, a professional has an obligation to at least debug his code before release. People are going to spend billions of dollars on your software, and probably tens of billions of dollars cleaning up the security holes and bugs; these bugs are not mere inconveniences, and the software maker has a moral obligation to fix them before release.

    I understand why the majority of the world runs windows. Most people don't want to complicate things any more than necessary. But the inability of users to grasp technical details does not justify releasing a product, which in any other industry, would be a prime lawsuit candidate under fraud and lemon laws.

    --
    The society for a thought-free internet welcomes you.
    1. Re:Correction: by Macrobat · · Score: 4, Insightful

      I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app.

      I find this hard to believe. Are you saying that you write software that is as complex as the usual MS app, and that it contains no errors whatsoever and has never had to be debugged? It seems like everyone from Knuth on down has written bugs in software when working on an application of non-trivial complexity, so I'm a little skeptical if that's your claim.

And the amount of data that an app processes is not the only measure of a program's complexity: does your program interoperate with a dozen others in a standard cut-and-paste manner; does it hide the complexity of operation from the end user so he or she can point and click and get things done; does it use an API so that software writers outside of your company can write apps that interact with it; does your software run on multiple different hardware platforms; do you add new features to it when marketing surveys show people want it?

      I'm not saying that all of those criteria are necessarily the best or most desirable (e.g., sometimes you want software that's only usable by industry professionals), but those are the constraints that Microsoft operates within, and they all increase the complexity of even the simplest-seeming of applications.

      --
      "Hardly used" will not fetch you a better price for your brain.
    2. Re:Correction: by Junta · · Score: 2, Informative

      Wow, you must really lack some real-world experience to make such a cocky declaration.
1. You are right, it isn't hard to write bug-free code, it is nearly impossible for all but the simplest of projects. It is possible to achieve an at least apparently bug-free state, but only in relatively simple applications dealing with a relatively well controlled data set.
2. Point taken that well architected code lends itself well to problem isolation and debug. Most MS software is written in C/C++ still, and those languages can be used well or poorly with respect to modularity. The price to pay for flexibility is that developers can bypass the mechanisms that encourage modular design. Regardless of language a developer can always fail to modularize a design properly, particularly if the application encounters new functional requirements in the middle of a development cycle.
3. Testing an application can be very, very hard for even not so complex software. You can of course test a good representative sample of normal operation and likely problematic circumstances, but there are many, many variations, and those corner cases which they can't know in advance (if so, secure software would be easy...) are where >98% of the field problems customers see come from.
4. Basically the same exact point as 3, of course they do, but, as you say, not all branches of execution are realistically testable, and it is even worse for a commercial entity with limited resources; the problem space is simply too large.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Correction: by gillbates · · Score: 2

      1. does your program interoperate with a dozen others in a standard cut-and-paste manner;
      2. does it hide the complexity of operation from the end user so he or she can point and click and get things done;
      3. does it use an API so that software writers outside of your company can write apps that interact with it;
      4. does your software run on multiple different hardware platforms;
      5. do you add new features to it when marketing surveys show people want it?

      1, 2, and 5: Yes. 3 and 4: No.

      But, I'm not the only programmer; I work on a team. I'm responsible for very small pieces of a very large project, and because our software was well architected, it's easier for me to write bug-free code.

      Are you saying that you write software that is as complex as the usual MS app, and that it contains no errors whatsoever and has never had to be debugged?

      Yes, it is more complex, and it did start off with errors - but I made certain it was debugged before it went into production. And it isn't hard to write bug-free code when you've got a well-written specification and a well designed interface. And when you've got another programmer reviewing your code, you tend to be a little bit more careful. Even if I happen to miss something, the likelihood that a programmer senior to me will miss the same bug is pretty small.

      Think about how difficult it would be to write a flawless Hello World program.

      But, no, no one could write bug free code, right?

      The idea of good design is that you reduce the complexity of the individual components to the point where even a secretary couldn't screw it up. And it does work - the systems I work with contain ten thousand modules; our project would have failed had we used the "Microsoft approach". (Code first, debug later, lament the lack of design in blog somewhere...)

      Writing bug free code is more a matter of one's character than ability. You make a conscious decision to compromise quality for deadlines; you make a conscious decision to forego good design for the sake of expediency. But if you find yourself in this business for long, you realize that good software always lasts longer than the original coders ever envisioned (Y2K, anyone?). What it really comes down to is whether or not a person has the professionalism to insist on reasonable time schedules and self-discipline to prove their design before beginning coding. Good software comes not from fast coders, but good designers.

      --
      The society for a thought-free internet welcomes you.
  55. Stupid criticism by Anonymous Coward · · Score: 2, Insightful

    Granted that "it's more of a ten year focus" is a stupid answer, but /.'s criticism is equally stupid. What would the correct answer be? It's not "Yep, we've been at it for two years and we're done. All our software is secure now." Rather, the correct answer is, "We will continue to focus on security for the foreseeable future."

    To a software engineer, the much-publicised "Microsoft focus on security" seems actually to have been more of an internal awareness drive. Microsoft just wanted to educate all its programmers so they stopped writing buffer overflows and absurd permissions holes. At the same time, I imagine some existing code was reviewed with an eye toward identifying security holes. All commendable stuff (although it's mindboggling that this sort of thing should even be necessary).

    But even with that part supposedly accomplished, security is never "done". Once you start paying attention to it, you're now doing the right thing. You don't stop. The focus on security education may be over. The focus on security as an important part of software engineering should continue as long as, and to the degree that, consumers need secure software.

  56. Doubledge sword by superpulpsicle · · Score: 5, Insightful

    Linux will always be 1 step ahead in security.

    MS will always be 1 step ahead in features.

    Guess what, features sell. Maybe in the year 3000 things might be different.

    1. Re:Doubledge sword by BasilBrush · · Score: 4, Insightful

      How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?

      MS is one step ahead in having off the shelf applications written for it. That's the reason why most people stick with it. The applications that they already have, and the applications that they foresee themselves wanting to run, run on Windows. It's not because of features.

    2. Re:Doubledge sword by Anonymous Coward · · Score: 4, Interesting

      How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X?

      They aren't.

      The only thing I can think of that you might be referring to is Avalon. And that is considerably more advanced than Quartz Extreme. Quartz Extreme is like the current Windows rendering engine on steroids - it does more in hardware, it does more fancy stuff, but at heart it's still 2D bitmap-based software rendering with some fancy anti-aliasing, alpha compositing, and Expose bolted on top. Avalon is fully vector-based and done entirely in hardware. You simply can't compare the two directly.

    3. Re:Doubledge sword by Tanktalus · · Score: 4, Insightful
      How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?

      Us OS/2 guys always said the same thing about Windows - why wait for Windows95 when OS/2 had all its features, and stability as well? Obviously MS doesn't even need features to continue selling.

    4. Re:Doubledge sword by rspress · · Score: 2, Informative

      While it may be bitmap based, Quartz itself is based on the Adobe PDF engine, which renders both vector and bitmap via the computer's 3D card.

      While it is all just eye candy, the new Image Units or Core Graphics and Core Video are the really exciting things in Tiger and which have no equal on the Windows side. I am looking forward to Tiger for these features which should make any other platform for video look slow and clumsy. Catch the keynote video at the Apple QuickTime site. This is truly amazing stuff. I expect a Windows knock-off around 2007-2008.

    5. Re:Doubledge sword by mnmn · · Score: 4, Insightful

      I just can't bear NOT to reply to this.

      Linux has more functionality than Windows. No question about it.

      Answer these:

      how many ports (cpu architectures) does windows run on?

      is windows tcpip more featureful and flexible than windows?

      which version of windows has more GUI features than the latest KDE or GNOME?

      does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)

      how many different ways can you install windows?

      is windows' threads implementation the best in the market?

      is windows memory management the best in the market?

      show me the most secure windows, I'll show you 10 more oses more secure than that.

      by a WIDE margin.

      --
      "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    6. Re:Doubledge sword by rspress · · Score: 2, Interesting

      I have actually heard about this but it was not what I was talking about. Core Image and Core Video let you use real time effects on videos and still images or a mix of both and text layers all in real time. All effects are floating point and you can drag the effect or transition around the screen in real time with the video playing underneath. Transitions can be stopped half way through and dragged around the screen in real time. These are not in preview windows but the full screen, full data rate video. You really have to see it to appreciate it.

      Actually I went retro on my PC and erased the drives and installed Windows 2000 pro. I am actually glad to be rid of XP Pro. Since most of my school work will center around 2000 pro that does not hurt either ;-)

    7. Re:Doubledge sword by Smurf · · Score: 2, Informative
      lies in your post:

      1) into Windows by 2006 what is already in OS X
      2) I.E. does less than Firefox

      No, no, he's actually correct. Check the features in Panther (and Jaguar) from the Apple site (ignore Tiger, since we are talking about the present). Admittedly, Longhorn will feature some things not currently in OS X, but that's if they don't shave them off also.

      Then go to the Mozilla site and download Firefox. It's free! You have an excuse for not trying OS X, but there is no excuse for not trying Firefox. (And yet, I still prefer Safari.)

      You will be surprised by what the herd mentality that ties you to MS's products is making you miss. Now. Not in two years.
    8. Re:Doubledge sword by cot · · Score: 2, Interesting

      "MS is one step ahead in having off the shelf applications written for it."

      More like 9 steps, but yeah, that's the big deal.

      --

    9. Re:Doubledge sword by PocketPick · · Score: 5, Interesting

      Those are all nice features for some, but not features that will sell an operating system to Joe User. When a user boots up their computer, they want three things:

      -To Read Email
      -To Use Office (or other word processing/spreadsheet/presentation application)
      -To Surf the internet.

      That's all. My grandmother doesn't care if KDE provides quick access to the console terminal, nice configuration of profiles or quick ways to make system level modifications. And she definitely wouldn't care about ports or tcp-ip (even if she had a vague idea of what they were). In short, she would have no intention of touching these features in the first place even if they were present in Windows.

      Your case of installation is another excellent example. Windows install methods are kept basic for the simple reason that even your most average user has to be able to perform it (and Microsoft knows it). Having a variety of installation methods and added complexity tends to scare people away from any product in general. Whether it's simply choosing 1 application from hundreds that you want to install or telling someone to setup partitions and swap space, they'll be terrified if you put too much in their face.

      Linux Distribution companies realize this, and are working hard to simplify their installation methods. Based on what I've seen when I picked up SuSE 9.0 a while back, this is certainly true.

      In time, people will come to become more computer literate, and perhaps these features will have some meaning. Till then though, it's not going to be all the fancy under-the-hood features that sell a product. It's going to be simplicity.

    10. Re:Doubledge sword by Foolhardy · · Score: 2, Insightful
      While it may be bitmap based, Quartz itself is based on the Adobe PDF engine, which renders both vector and bitmap via the computer's 3D card.
      Everything that PDF can do for rendering, so can a Windows Metafile. Yes, this includes complex vector graphics, text, bitmaps and transformations(scaling, rotation, shearing). Notice that it has been supported since NT 3.1. As for video acceleration, GDI can use a video driver to offload many functions onto hardware, including:
      Alpha blending
      Filling paths
      Fill gradients
      Draw lines
      Move, set the mouse cursor
      Scale bitmaps
      Render text
      Render transparencies
      Stretch with raster op
      Set arbitrary surface transformations including translation, scaling, rotation and shearing
      Outline a path
      Note that all the linked functions are implemented by the video driver, not GDI. If a video driver doesn't support a feature, GDI breaks it down in software into the most complex format supported.
      What can Quartz Extreme do that Windows NT couldn't since 3.1? There are a few small things but nothing major.
    11. Re:Doubledge sword by Joe+U · · Score: 5, Insightful

      And now I'll answer as the average Joe User.

      how many ports (cpu architectures) does windows run on?

      One, the system I own. I don't care about the others. I have no need to, this is not a hobby, this is my computer.

      is windows tcpip more featureful and flexible than windows?

      It works with everything I have.

      which version of windows has more GUI features than the latest KDE or GNOME?

      Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4

      does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)

      Your hardware is broken, you should fix it.

      how many different ways can you install windows?

      One, the way it installs on my system.

      is windows' threads implementation the best in the market?

      As far as I'm concerned it is.

      is windows memory management the best in the market?

      As far as I'm concerned it is.

      show me the most secure windows, I'll show you 10 more oses more secure than that.

      Strange, they all have BSD in their name.

    12. Re:Doubledge sword by Sj0 · · Score: 2, Insightful

      Ignorance is a stupid argument. Especially when the original argument has nothing to do with the fact that you're ignorant. It's features which are being spoken of, remember?

      --
      It's been a long time.
    13. Re:Doubledge sword by znode · · Score: 2, Insightful
      It's features which are being spoken of, remember?
      No, it's the features that the CUSTOMERS CARE ABOUT which are being spoken of, and grandparent has done a good job of listing them. This is because CUSTOMERS choose what set of features to care about, remember?
    14. Re:Doubledge sword by unclethursday · · Score: 2, Informative
      lies in your post:

      1) into Windows by 2006 what is already in OS X

      So where's Expose in Windows? This alone is one feature of Panther (and future OS X and above releases) that makes OS X worth having. Having one button press to either make all open windows scale down and show on the desktop so you can get what you want, or another button press to bring all open windows of one application to the front, scaled down (and tab between apps) so you can choose the window you want, or yet another button to make every window get off the desktop to get to something on the desktop; and hit corresponding button again to go back to how you were, is simply wonderful. I don't recall this feature in any current version of Windows. I expect something similar to be copiedH^H^H^H^H^H^innovated into Longhorn.

      What about the advanced graphics engine of OS X that allows you to scale windows without losing much quality when going bigger, or keeping the same quality when going smaller?

      What about a scalable tool bar (dock in OS X) that can be modified to make icons scale up when moved over so you know what you are over if the tool bar is very full? Oh, wait, that goes with the advanced graphics engine.

      What about incredibly fast user switching without logging off another user to accomplish? Well, this may be in Windows, but I haven't really used any Windows beyond 98 SE.

      2) I.E. does less than Firefox

      Tabbed browsing? It is in Firefox, not IE.

      IE finally got a built in popup blocker, but only if you have Windows XP with Service Pack 2, and there's still a ton of people running Windows 98-2000 and not XP.

      CSS support? It's much better and standards compliant in Firefox than in IE.

      Fully W3C HTML standard compliant? Firefox, not IE.

      So, how exactly was he lying?

      I'd really like to know.

  57. another admission? by twitter · · Score: 3, Funny
    I've been curious to hear more about when and where that's actually going to show up.

    I thought that M$ was already working with BIOS makers on this and that it was already here. This could be an admission that trusted computing is not secure computing.

    --

    Friends don't help friends install M$ junk.

  58. Re:Firing offense? by brickbat · · Score: 2, Insightful

    We should also consider that Wired edited his responses to fit the allotted space (assuming that this is from the current print issue and not an online-only piece). Any journalist should know that taking quotes can lead to misinterpretations.

    I am willing to give him the benefit of the doubt and assume that Firefox is but one of many browsers he runs, as would be prudent for someone working on software security. It's quite possible for even third-party browsers to expose flaws in the OS itself, so it's in Microsoft's best interests to keep tabs on how other browsers interact with its platform.

  59. Re:Firing offense? by BryanR1977 · · Score: 3, Informative
    "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
    That would probably be the shell:// vulnerability, which if I recall the Mozilla devs removed the functionality because Windows handled the call in an insecure way. BTW to the best of my knowledge IE still accepts shell:// URLs.
  60. Proven wrong again and again. by Chris+Burke · · Score: 2, Interesting

    There is some truth to Windows being targeted because it is the most popular. However, the example of Apache vs IIS demonstrates that it isn't necessarily the most popular target that is targeted, but the easiest target. That Windows/IE/Outlook are both popular and insecure just makes them even more attractive.

    "ALL SOFTWARE IS INSECURE" is just a cheap way of avoiding the fact that some software is less secure than others, that some architectural decisions lead to less secure designs than others, that some corporate environments are more conducive to insecure software than others, etc. The maxim "all sufficiently complicated software contains bugs" is absolutely not an excuse in any way for exceptionally buggy software.

    I don't want to abuse your car analogy too much, but if one of the major auto manufacturers was lagging in safety technology by forty years would you still use the excuse that such things are incremental and no car is 100% safe? Did "all cars are capable of crashing" save the Corsair or the Pinto, or were these in fact crap designs?

    I couldn't prove that Linux/Mozilla/whatever have fewer vulnerabilities. Nevertheless, your belief that they would be the same, based on the assumption that known vulnerabilities scale with popularity and nothing else, including the design of the software in question I find highly suspect.

    --

    The enemies of Democracy are
  61. Define "secure" by gone.fishing · · Score: 2, Interesting

    At first I wanted to make some wry but funny comment about Microsoft's ability to make anything secure but as I was trying to come up with something I realized that "secure" is the sort of term that is hard to define.

    What is "secure" anyhow? Is "As secure as a nuclear weapons facility" really secure? Not if we believe 60 Minutes last night. How about "As secure as Ft. Knox" - there was something a few months ago that said that Ft. Knox was susceptible to attack (especially air attack if I remember right).

    So, nothing is really secure. Secure is really an analog thing. The keys to your car make your car reasonably secure (and if you want more security, add an alarm). But is your car really secure? No, many a locked and alarmed car has been ripped off.

    Banks are secure right? If so, why are they robbed?

    Windows will never be secure, because nothing can ever be 100 percent B.S.-free "secure" Not Linux, not Windows, not Ft Knox.

    Will Windows be reasonably secure in ten years? Probably by many people's standards, yes. But there will still be need for added security when it is called for. Just like a typical bank has more security than a typical house.

  62. Your argument is old, well known, and well refuted by argent · · Score: 2, Interesting

    When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure...

    The historical record does not support your assertion.

    Microsoft was not always the dominant player, and it is not the dominant player in all markets. In markets where they are not the dominant player it is still common to find exploits for Microsoft applications outnumbering non-Microsoft applications.

    A technical examination of the exploits fails to support your conclusion.

    There are entire classes of security holes, like "cross zone" exploits, that only exist because Microsoft's software is using fundamentally unsound designs. There are classes of exploits that nobody even bothers to seriously track on Windows because Windows is missing the security boundary that such an exploit would attack: there can't be a "break chroot" exploit in Windows because Windows doesn't have "chroot", and the equivalent of a "local root" exploit on Windows is uninteresting because enough Windows users run as Administrator all the time... because that's how Microsoft sets the default user up... that it's irrelevant.

    Microsoft's design is such that they only have to fail in one place, and at that point the game is over, the attacker has won. On other platforms the attacker has to first get their exploit into an environment where it might be executed, then (because automatically executing untrusted content is a Microsoft innovation) they have to trick the user into executing them, and then they have a fairly limited ability to cause problems until they break root. And it's possible to run your browser in a chrooted environment or jail to add a fourth hurdle that must be overcome before they can change any system or executable files. On BSD a fifth layer of security, the immutable flag, would mean they'd then have to wait for a reboot before they could have a hope of compromising the system.

    Why does UNIX have all these layers of security? Because it was developed in a hostile multiuser environment from early days. Particularly BSD: you have professors and students working on the same computers, with the only thing keeping the students away from their professor's files (next week's test, their grades) was the local security. This isn't all that unusual, most operating systems developed during the '70s and early '80s were subject to the same evolutionary pressure... and UNIX-based operating systems benefit from that historical background.

    Windows was not developed for a secure environment. The assumption was that there was really only one local user and he could do anything. When NT was shoehorned underneath this, most of the security capabilities had to be bypassed because they made things just too hard for applications that had been developed for a more trusting environment. It will require a significant redesign *and* breaking many many applications (for example, every application that uses the HTML control) to fix this.

    I don't see that happening. That's why I said this guy has a really tough job.

  63. Matter of proportion by gillbates · · Score: 4, Insightful

    The objection is not that Microsoft's software is insecure, but rather that their closest competition has at least two orders of magnitude fewer exploits and viruses than they.

    If hundreds of exploits per month were discovered for Macs or Linux, your point would be valid. Problem is, the number of exploits available for all computer systems since the 50's is easily less than the number discovered in Windows in one year.

    To make matters worse the rate at which exploits are being discovered is increasing, not decreasing, or even remaining stable. And this from a company making three billion dollars a month. How is it then, that a bunch of ragtag volunteers put together a more secure OS than a company which can spend a billion dollars a month on development?

    Microsoft Windows, and the attendant problems it has experienced has brought shame on the entire profession. It isn't a matter of a few human errors here and there - Microsoft releases code with wanton disregard for the effects it will have on the user. You would expect more from a such a successful company, but apparently, Microsoft believes the professional standards followed by the rest of the industry simply do not apply to them.

    And that, is why they get bashed. They dismiss the wisdom gained by years of computer science, and when their systems run rampant with bugs and security holes, they claim that such lofty goals as security and reliability are unattainable - in spite of the fact that their peers who did heed the lessons of computer science have managed to build such systems.

    --
    The society for a thought-free internet welcomes you.
  64. Greate Quote! by danZenie · · Score: 2, Funny
    Software written by humans will always contain errors.

    from now on we should outsource non-humans to write all software

    --
    You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
  65. er... by ColonBlow · · Score: 5, Funny

    when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline."

    I didn't read the article. This was Bush talking about Iraq, right?

    --
    free online diet tracking.
  66. Re:Firing offense? by Anonymous Coward · · Score: 2, Insightful

    Isn't this flaw one in WIndows, as opposed to the browser itself?

    If so, that makes it worse - the OS is broken.

  67. Misleading statement. by halfabee · · Score: 5, Informative

    From the article:
    "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."

    I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherent in the OS, not in the Firefox browser.

    True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.

    --
    -- Halfabee
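The shell: problem discussed in BryanR1977's and halfabee's comments above comes down to one decision: whether a browser hands an arbitrary URL scheme to the operating system's protocol handler. The following is an added example, not code from this thread, from Mozilla or from Microsoft, showing the default-deny dispatch a practitioner would want: classify a link on its normalised scheme alone, against an explicit allow-list, before anything reaches an OS-level call. The allow-lists, the cleanup rules and the sample links are assumptions for illustration.

```python
"""Default-deny dispatch of link schemes to OS protocol handlers.

Constructed example: the allow-lists, the cleanup rules and the sample
links are assumptions for illustration, not Mozilla's or Microsoft's code.
"""
import urllib.parse

# Schemes the browser renders itself (assumed allow-list).
RENDERED_SCHEMES = frozenset({"http", "https", "ftp"})
# External protocol handlers the user has explicitly approved (assumed).
APPROVED_EXTERNAL = frozenset({"mailto"})

# WHATWG-style cleanup, done here so the result does not depend on the
# Python version: strip leading C0 controls and space, drop tab/CR/LF anywhere.
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))
_DROP_ANYWHERE = "\t\r\n"


def extract_scheme(url: str) -> str:
    """Return the lower-cased scheme a browser would see, or '' if none.

    Raises ValueError only when urlsplit rejects the URL outright
    (e.g. an unbalanced IPv6 bracket); the caller treats that as a refusal.
    """
    cleaned = url.lstrip(_C0_OR_SPACE)
    for ch in _DROP_ANYWHERE:
        cleaned = cleaned.replace(ch, "")
    return urllib.parse.urlsplit(cleaned).scheme.lower()


def classify_link(url: str) -> str:
    """Decide how a navigation target may be handled.

    'render'   - the browser handles it (relative URL or allow-listed scheme)
    'external' - may be passed to an approved OS protocol handler
    'blocked'  - anything else is refused rather than handed to the OS,
                 which is the hand-off a shell: link depends on
    The decision is made on the scheme alone, before any OS-level call.
    """
    try:
        scheme = extract_scheme(url)
    except ValueError:
        return "blocked"
    if scheme == "" or scheme in RENDERED_SCHEMES:
        return "render"
    if scheme in APPROVED_EXTERNAL:
        return "external"
    return "blocked"


# Constructed sample links, including the obfuscations a default-deny
# check has to survive (case, leading control bytes, embedded tab).
SAMPLE_LINKS = [
    "https://example.com/index.html",
    "page.html",
    "mailto:someone@example.com",
    "shell:windows\\example.exe",
    "SHELL:windows\\example.exe",
    "  \x01shell:windows\\example.exe",
    "sh\tell:windows\\example.exe",
    "file:///C:/Windows/",
    "http://[::1",
]


def audit(links=SAMPLE_LINKS) -> dict:
    """Map each link to its dispatch decision."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, decision in audit().items():
        print(f"{decision:9s} {link!r}")
```

The point of doing the cleanup before parsing is that the decision must be taken on the same string the OS handler would eventually see; a check that looks at the raw text would pass "sh\tell:" and "\x01shell:" while the handler, after its own normalisation, would still receive a shell: URL. Anything the parser cannot make sense of is refused, not forwarded.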
  68. Re:Longhorn by Epidemical · · Score: 2, Insightful

    But if you want it to be that simple you shouldn't be installing databases for anything other than personal enjoyment, now should you?

  69. Re:Longhorn by Moridineas · · Score: 2, Insightful

    Or you should be running FreeBSD!

    cd /usr/ports/databases/mysql41-server
    make install

    Done!

  70. "Secure" is an end user decision - a balance by cheros · · Score: 3, Interesting

    Although I agree with you questioning the definition, I disagree with your subsequent line of reasoning. An end user should not be expected to have to become a car mechanic to just run a car, but this is precisely what Windows is presently asking.

    I've switched people (end users, not techies) to both Mac and Linux, and in both cases there was a general relief of not having to patch so much (I let them try for a month first). "So much" is the defining factor here - it's way, waaay too much for a common end user (and now well beyond the capability of an average modem to cope with, see SecurityFocus.com). To stay with car analogies, the Windows end users now run cars that need a brake fluid change every half mile. And when they ask the dealer they are told that the next car they buy will be better - out in the next couple of years or so.

    Ask yourself: would you really, really like to buy another car of that make when there is a growing mountain of evidence that it can be different? Those I switched over didn't want to go back once they passed that first "It's new and scary" hump. That tells me more than marketing campaigns or "facts" give me.

    Enough is enough - they had their chance. Anyone responsible for running a business should start to look at the risks they run - and insurances should start to have a good look at how much risk they insure if the business runs Windows.

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  71. Re:Just another example... by SlightOverdose · · Score: 3, Funny

    Don't worry. the instant someone commits another change to the Linux Kernel cvs repository or someone uses a GPL program that happens to be less free than another GPL program because GNU/RMS said so we'll know about it.

    And of course we'll hear all about the Bowolf cluster in Soviet Russia that set us up and bomb and all your hot grits are belong to Natalie Portman. which will result in a four page flamewar over the correct spelling of Beowulf.

  72. Re:Actually by loqi · · Score: 2, Informative

    He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such.

    From article:
    Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system.

    So yes, it's possible that he only ever installs patches/upgrades to Firefox, and never actually "uses" it. But FAIAP, he uses Firefox.

    --
    If other reasons we do lack, we swear no one will die when we attack
  73. Does it really matter? by hollywoodb · · Score: 3, Insightful

    I'm really starting to wonder that by the time Longhorn is released, will anyone really care? The hardcore will have read enough articles to make their eyes bleed. The linux folk will continue life as usual. Some of the better features have already been stripped. Microsoft says 2006, but I don't trust MS to keep a launch on schedule for two more years.

    --
    I may have to share this planet with animals, but I'm doing my damn best to eat every last one of them.
  74. Actually, you're wrong. by transops.net · · Score: 5, Informative

    Your comment was:

    "He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such."

    To quote TFA:

    "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."

    Please RTFA before posting corrections to the comments of others. Thank you.

  75. Re:Longhorn by runderwo · · Score: 2, Insightful
    First you do

    # apt-get install mysql-server

    Then ... oh, you're done.

  76. Re:Longhorn by Epidemical · · Score: 3, Insightful

    I don't really see the conflict here.

    A large format camera is easy to use for someone with experience using it.
    MySQL is easy to install for someone with experience doing it.

    If you don't know how to do it, learn how before attempting to either use a large format camera or installing/configuring MySQL. Where exactly is the problem?

    I agree that some Linux applications need to be easier to install for ordinary users, but something as complex as a database installed with Next->Next->Next->Finished can only create problems.

    Signed,
    Unix-head.

  77. Re:What?? 100% known secure isn't possible. by jd · · Score: 2, Interesting
    Actually, it is. It's just very difficult to achieve and very expensive to maintain.

    To be 100% secure, you must demonstrate the following:

    • A robust specification exists or can be derived. (A robust specification is one in which it is not possible to construct an improperly handled input)
    • Each component of the software, in turn, can be verified against the specification -OR- can be proved by formal methods as being robust
    • Each component of the software that manages resources can be shown to be robust against exhausting that resource
    • The security model is such that a component's scope is clearly defined and enforced

    None of this requires the typical "inspect 'til you collapse of old age" method of securing software. If a component is verified or proven, then it's 100% bullet-proof, or damn close. By then placing the additional constraint that it can't do anything outside of a rigidly-defined scope, you render any flaws that do remain unable to be exploited.

    As great as this method is, there are problems. Specifications, of any meaningful size, are extremely difficult to write. Most Software Engineers don't bother, precisely because it is so hard to do well enough to be useful.

    Proving a specification as complete and robust is relatively straightforward, but still very time-consuming (and therefore expensive).

    Mathematically proving that a program is both a complete and sufficient implementation of a specification (i.e., any case that can happen to one will happen to both in exactly the same way) is absolutely horrible to do. Even a relatively simple, short function can take days to prove. Something like the Linux kernel would take decades - by which time the kernel you'd verified would be so out-of-date as to be useless.

    Making a function 100% bullet-proof on the resource front isn't easy. Resources aren't so easy to handle in pure mathematics, because they are finite in size, react in finite time intervals, and otherwise behave in inconveniently Real World-ish ways. Here, you'd have to demonstrate a total mapping between the theoretical ideal and the physical reality, and the appropriate trapping/handling of errors and extreme conditions.

    Finally, the security model. It is always possible to miss something, even when using very exacting, detailed models to describe the behaviour of software. It is also always possible for someone who understands the behaviour well enough to exploit what should happen, for their own purposes. By running every single component of the software through a security model that rigorously controls what can happen, you trap any missed errors and any correct but abused behaviour.

    I mentioned that this was difficult, time-consuming and expensive. A company the size of Microsoft, investing every cent it had into formal software verification, could probably produce a 100% secure version of the Linux kernel within a year or so. It would then go broke, having spent nothing on making an income in all that time. The "security" would last up to the next kernel patch, after which new bugs may well have been introduced.

    "But that means it's impossible!" No, not quite. If, say, the US Government invested that kind of money into Linux security, you could be looking at provably-secure "A1-compliant" full-featured Linux distributions by 2011. It's not impossible. But it's not that likely, either.

    There are no "provably secure" commercial or free OSes in existence, and any military ones that exist are probably very specialised, extremely secret, and utterly impossible to maintain. (The number of people who could maintain such a beast is extremely small, and not growing any larger. With the move away from robust designs, those who even could do the work have no incentive to keep those skills honed.)

    I do not expect to live to see the day where there is even mo

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
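    One way to make the first three conditions in the comment above concrete, as an added example that is not from the thread: a robust specification written as a total function, a candidate component checked against that specification over every input up to a bound, and a resource budget enforced. The toy length-prefixed message format, the alphabet, the budget and all function names are assumptions.

```python
"""Added example (not from the thread): verifying a small component against
a robust specification by exhaustive checking over a bounded input space."""
from itertools import product
from typing import Callable, Optional, Tuple

Msg = Tuple[int, ...]
ALPHABET = range(4)     # constructed: tiny "byte" alphabet so the space is enumerable
PAYLOAD_BUDGET = 2      # constructed: resource bound a component may never exceed
ENUM_MAX = 4            # constructed: check every message of length 0..ENUM_MAX


def spec_decode(msg: Msg) -> Optional[Msg]:
    """Robust specification: a total function. Message = one length byte
    followed by exactly that many payload bytes; anything else is rejected.
    Every input has a defined outcome, so no 'improperly handled input' exists."""
    if not msg:
        return None
    n = msg[0]
    if n > PAYLOAD_BUDGET or len(msg) != 1 + n:
        return None
    return msg[1:]


def impl_decode_loose(msg: Msg) -> Optional[Msg]:
    """Candidate component, as one might write it imperatively. It honours the
    budget but silently accepts trailing bytes the specification rejects."""
    if not msg:
        return None
    n = msg[0]
    if n > PAYLOAD_BUDGET or len(msg) < 1 + n:
        return None
    return msg[1:1 + n]


def impl_decode_fixed(msg: Msg) -> Optional[Msg]:
    """Candidate component that matches the specification exactly."""
    if not msg:
        return None
    n = msg[0]
    if n > PAYLOAD_BUDGET or len(msg) != 1 + n:
        return None
    return msg[1:1 + n]


def verify_against_spec(impl: Callable[[Msg], Optional[Msg]]):
    """Enumerate the whole bounded input space. Return None when the component
    agrees with the spec everywhere and stays within the resource budget,
    otherwise the first (input, spec_result, impl_result) that disagrees."""
    for k in range(ENUM_MAX + 1):
        for msg in product(ALPHABET, repeat=k):
            want, got = spec_decode(msg), impl(msg)
            if want != got or (got is not None and len(got) > PAYLOAD_BUDGET):
                return (msg, want, got)
    return None
```

    Bounded enumeration is not a proof for an unbounded domain, which is the comment's point about cost: the same check on real input sizes is what formal methods replace with a proof.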
  78. Re:Download.Ject -- CORRECTION by SlowMovingTarget · · Score: 3, Interesting

    Hee hee hee... I find the following bit from Microsoft's instructions on how to clean the trojans funny:

    Note If you have difficulty running the Download.Ject removal tool from this page, it may be due to your browser's security settings. You can also try downloading the removal tool... (emphasis added)

    Basically, they're saying that you don't have IE in pants-down mode, so their ActiveX scripty-do can't run. Is that ironic, or just amusing?

  79. No system is secure by Pan+T.+Hose · · Score: 2, Funny

    Please, let us not be so unfair to Microsoft. No system is 100% secure. I am sure that by 2011 OpenBSD might have another two or maybe even three local exploits in some services not installed by default. Security is very hard and nothing is totally secure, be it Windows, OpenBSD, KeyKOS or EROS--no difference.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  80. are apples the same as oranges? by way2trivial · · Score: 4, Insightful
    I've got an idea, let's make a list pitting product A's strengths against Product B's weaknesses.

    can your car go as fast as my bicycle?

    can my sister pee farther than my uncle?

    how many different programs can you burn DVDs with in linux?

    how many linux computers can play doom 3?

    I'm not playing favorites, just objecting to your biased list.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:are apples the same as oranges? by strider44 · · Score: 3, Informative

      how many different programs can you burn DVDs with in linux?

      Just off the top of my head, four. There are also two major (and free) DVD movie authoring packages. Look them up.

      how many linux computers can play doom 3?

      In a few weeks, all of them.

  81. Won't be secure until 2011... hmmm by Allnighterking · · Score: 2, Funny

    With Longhorn (or maybe since it's had its most valuable assets removed we should call it Steerhorn) due out in 2006 and Security not reached until 2011, does that mean that Windows isn't expecting a secure product until Steerhorn's replacement?!?

    Oh well maybe by the time my 4 year old graduates from college Windows will be a viable OS. They've always had potential as a desktop OS but keep falling short.

    --

    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

  82. Is it a fix? Or is it a fux? by Pan+T.+Hose · · Score: 2, Funny

    That's not a fix, that's a FUX. It looks like a fix but if you perceive a FUX to be a FIX, you're bound to get FUXED.

    Is it a fix? Or is it a fux? No! It's a fox! Firefox!!!

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  83. They should just dump Windows... by BalkanBoy · · Score: 2, Informative

    And go with Mac OS X... they will have at least one cash cow, MS Office X ported as is.

    Windows needs a redesign.

    --
    'A lie if repeated often enough, becomes the truth.' - Goebbels
  84. flamebait? by Henk+Poley · · Score: 2, Interesting

    which version of windows has more GUI features than the latest KDE or GNOME?

    Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4

    Pardon me, but I've used KDE for quite some time now but I never edited a single KDE config file. Since I started using Linux I've done less configuration fiddling than under Windows.

    All the other answers are also simply flamebait or plain incorrect (maybe except the hardware thing). For example, BSD 'is' not the only operating system that is more secure than windows.