IE Holes Not Microsoft's Fault, Says Bill

thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?

No thanks

[BWJones]

Gates: Understand those are cases where you are downloading third-party software.'

Hrmmmm. Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows........Why is that Mr. Gates? Furthermore, I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

Moving along: Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box? What does that tell us about the quality of your products? After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive? Under your logic, those features would only work if I paid a monthly premium.

You know, I kept waiting for something better to happen with Windows, but I have work to do and things to create, so I'll stick with OS X and my Macintosh. Thanks anyway.

Re:No thanks

[strider44]

Of course the simple solution is not to run under admin. I like the way that linux actually forces (well it doesn't but severly recommends) the user not to run something under admin. Then again usually for newbies spyware can be installed as easily as

Installation Instructions
1. Login as root
...

Re:No thanks

[asadsalm]

Q: Might you add anti-virus/spyware protection in Windows?

Gates: It's not a thing you build in.

Us: But a browser is a thing you can build in ... Right?

Re:No thanks

[mikkom]

Most of the servers are unix boxes that are connected to internat and many of them don't have firewall. Simply because there are no services that need to be firewalled.

Windows instead has many "default" services that you can't turn off.

Re:No thanks

[ajd1474]

If MS included Anti-virus, serious Firewall software and whatever else you feel they should include to make it "secure", you'd be the first person up in arms claiming it to be another example of MS using their monopoly to push out competitors.

Everyone wants MS to remove things like CD-burning, Media Player, IE etc because it is anti-competitive and now you WANT THEM to build MORE APPS IN??

Also, motor companies do NOT make Airbags, ABS and skid control... they are usually made by third party companies (Bosch for example). So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldnt get a choice, and that we should add another $50 to the cost? Sounds anti-competitive to me. Sounds like you're another /. er who trips over their own arguments in an effort to be the first to bash MS.

Re:No thanks

[stephanruby]

"*sigh* I'm talking about viruses and malware, not remote exploits - don't worry though, I'm used to people mixing the two up. "

He wasn't criticizing what you said, he was criticizing your reasoning behind what you said. If what you said is true for "viruses" and "malware", why wouldn't it be also true for "remote exploits"?

It sounds to me like you came up with an overgeneralization and now you're trying to rationalize it in face of contradictory evidence. *sight* You can be as impatient with us as you want and you can patronize us all you want, but your backtracking rationalization about the technical proficiency of users doesn't hold much water. For me, the only reason I first installed Apache was because I had no clue about how I could install Microsoft's Personal Web Server. I suspect it's the same for most users. Apache simply worked out of the box, that's it magic and that's partly why it has the biggest marketshare.

Re:No thanks

[aichpvee]

You're obviously very confused. The *nix box "can" be compromised, but probably won't be. The windows box "WILL" be comprimised, and in a matter of minutes.

Whether things would be reversed along with the marketshare, it's impossible to say. But there's really no way anyone can do it worse than what microsoft is doing.

Re:No thanks

[tuxlove]

You're not playing devil's advocate, your point is just irrelevant. The original poster's point is that there are plenty of security holes that have nothing to do with downloading third party software. You can get compromised by reading your email, visiting websites (there are dozens of known vulnerabilities) or even having your computer sitting idle on the Internet, all of which have nothing to do with downloading third party software. A firewall is moot for the first two, and irrelevant for the third, because as soon as you take away the firewall the machine's toast w/o downloading a thing. Putting a NAT router in front of Windows doesn't fix it, it just masks the problem Bill Gates says isn't there.

Re:No thanks

[thepoch]

Argh I'm beginning to sound like a broken CD lately, having to always repeat myself.

It isn't only that Microsoft doesn't even try to tell people that using Admin all the time is bad. It's also the stupid developers that never test their software with non-Admin accounts. And don't even start to talk about RunAs. That's broken as well for most apps.

The only way for all this nonsense to hopefully be worked out is if Microsoft forced developers by making the default account a "User" account. Not even a "Power User" as that's pretty lame as well. Then every app out there will be forced to store their settings in the user's respective "Documents and Settings" folder. At this time, a lot of apps still store settings in either C:\Program Files\ or in HKEY_LOCAL_MACHINE. I'd rather have it in my own C:\D & S\username\Application Data folder and in HKEY_CURRENT_USER. This makes it more similar to *nix where it stores all settings in my /home/username in .files or .directories.

Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.

Re:No thanks

[ultranova]

Unfortunately, running as a normal user won't do any good in a single-user system. After all, you have the right to access your own folders, and thus are still vulnerable to malware which installs there - you just can't pollute other users with it.

Linux isn't immune to this problem either. It was designed to sandbox users from each other, but a single normal user will find it difficult to sandbox individual processes. Any process running at my privileges can access all my files, install cron jobs to be run automatically at machine boot, etc.

A real solution is a fine-grained permission control. For example, a Web browser should be able to read it's configuration files and plugins/extensions, connect to any Internet address, and write to the bookmark file(s) and download and cache directorie(s). It shouldn't be able to do anything else. If there was an easy way to do this, even if the browser was compromised by a web site, there wouldn't be much that site could do. Especially if you could set the bookmark and configuration files to be stored as a "journaled" file, which would record the changes to it and allow returning to any given point in time. Obviously, you'd also need to move any downloaded files away from the download folder and check them with MD5/SHA1 checksums to avoid tampering (but how do you get that checksum, if you suspect your browser has been compromised ?)

I'd imagine something like this could be done with relative ease with Hurd, since one of it's design goals is to allow each user to replace parts of the operating system (even the file systems) with new parts without disturbing others. So you could install a translator to control access to your home directory or any subdirectories (but of course such translators can also be removed by programs runnign with your permissions - that's one permission that should be droppable).

An alternative way would be to allow users to build and set up "subusers" - simply add 32 bits to processes (and files) user id. The complete id would then be in the form of userid.subid. Userid.0 would have all the rights of the user, while userid.1 would be a "subuser" and have limited rights (the system would basically make userid.0 the root of his own home directory). This could also be generalized into a hierarchical authority tree, allowing individual programs to run parts of them as more restricted users (for example, a p2p-application could generate separate processes for managing file storage and network connectivity, allowing the part that touches the network to run without any access to filesystem and thus reducing the likelihood of a bug in it from causing damage).

To summarize: the traditional access controls are designed to protect users from each other. This is not enough. A single unprivileged user needs an easy way to make sandboxes for programs to run in. If the computer is a house divided with walls to different rooms for each user, then all those users need the ability to further subdivide their own rooms with more walls, and they must be able to make/remove those walls without help from the janitor (administrator).

Re:No thanks

[shotfeel]

viruses and spyware are not "software"

Well, they're sure not hardware...

They are peices of bad code

Bad or not, if its code, its software, and it is 3rd party.

Personally, I would have modded the grandparent "Funny" if anything. Its the same thing I thought. Technically, it is all 3rd party software that's being downloaded...

Easy to assign blame

[onyxruby]

If I did something, than it's my fault. If I didn't do something, and didn't apply a patch that was available, than it's my fault. If I didn't do something and it happens automatically with default settings, it's Microsoft's fault.

Sick and tired of fixing spyware infested machines.

Rubbish!

[Any+Web+Loco]

Those holes are what LETS third-party software install its freaking self.

software, eh?

[crackshoe]

Q: Yes, but will people continue to do that with Media Center? Gates: You might well do it. We need to use approaches that block people from ever getting software onto the machine they don't want. Me: Great. Now let me get a PC from a major OEM without windows - oh, not that software?

What's that I hear dying?

[MoralHazard]

Sounds like Microsoft's Trusted Computing Initiative isn't getting as much executive support as it might've.

Remember that, Bill? When you said you were going to make all the Windows computers secure by focusing all your energies on securing your code?

Now, it's not your fault, and you won't do anything to fix it? Then why on earth did you tell everyone that you would?

I'm so sick of the lies

[gad_zuki!]

I hear them from the Bush administration almost daily and corporate america is getting a lot more brazen. No one fact checks, dissenting opinions are marginalized, and the corrections page doesn't have nearly the eyeballs the front page does. And that's assuming a correction is ever given.

This is the same mentality of shipping a crappy product and having tech support take care of the issues. Okay, fine, at least I have someone to complain to and I can return products, but with information you don't have that option. You complain to your peers, who are just an echo chamber. The fact that lying usually goes unchallenged in media makes for bigger more destructive lies.

The browser has holes, its a piece of software. This is way over the line. How did the information age become the disinformation age? Perhaps we officially entered the post-postman world where everything is a soundbite that flies through the subconscious and sticks there. Long corrections don't have the same stickiness, so lying is now smart business.

Keep it up Bill, you're making my next Apple purchase all the sweeter.

Disclaimer for the mods: Yes, many politicians lie. Apple isnt perfect, etc. But there is a difference between small and big lies. Lies which are harmless and those which cause destruction.

Re:I'm so sick of the lies

[killjoe]

The problem lies directly with the American people.

First of all they are utterly clueless and can't even discern between the truth and a lie. They are pretty much programmed to accept whatever somebody on the tee vee tells them.

Look at this (or any other election) for example. Is Kerry a flip flopper? Is he a coward? Did he get his metals from self inflicted wounds? Ask your typical american and they will say yes. Press them for details and you'll realiize they don't know shit, they are simply repeating what they saw on television commercials.

Same with Gates and Company. Ask yourself. Have you ever heard or read an interview with Ballmer or Gates in which they didn't tell at least one lie? Not a minor one either but a blatant out and out lie. They people are habitual and pathalogical liars. They will continue to tell lies until the press calls them on it. Since they buy lots of advertising don't hold your breath though.

Re:I'm so sick of the lies

[_xeno_]

The annoying thing with the media today is that they just report on what someone tells them to. What I mean is that they'll just rehash the talking points or press releases that are sent to them.

So you see things like "Bush said this, and Kerry said that." Which is 100% true. But there's no investigation into whether the quotes are actually, like, true.

So Microsoft will release a press release saying "We're improving security!" and then various media reports will say "Microsoft says it's improving security." But the media won't actually investigate whether or not Microsoft actually is improving security, they'll just report that Microsoft has said that they are.

About the only time you'll hear any discussions about the truth of any position anyone has is on various talk shows, where to "show both sides" you'll get two people who are representing "opposite sides" of a given debate. Directly opposite sides.

Since these people are soley debating for their side, we're ultimately left with no middle ground. Only two extreme views on a topic.

So while the two "sides" of the debate are represented, the media generally "let's the reader decide" which side they believe in. But since the veracity of the two sides has never been called into question (other than each side calling the other wrong), the average reader/listener/viewer has no way of judging complicated scenarios they don't really understand.

(For example, I don't really know what Kerry's position is on Iraq. I have no idea whether or not it's a good position, because I only hear polarized viewpoints on it. About all I know is that he intends to "do it differently" and "get international support." I have no idea about the details and don't know enough about international politics and warfare to judge it even if I did know.)

This is one of the main reasons I get all my news from the Daily Show with Jon Stewart. At least then I know it's all fake. :)

I'm currently up due to insomnia, so if any of that makes no sense, I'll try and post a correction tomorrow. It'll be in fine print and on the fifth page. :)

Re:I'm so sick of the lies

[njdj]

I hear them from the Bush administration almost daily and corporate america is getting a lot more brazen.

Politicians (especially the ones in power, regardless of party) always tend to lie. And salespeople have never been noted for truthfulness.

What has changed, gradually, over a couple of decades, is that the media no longer provide a check on politicians and corporate liars.

The purpose of the media used to be to provide information and critical comment. That's changed. A newspaper or a TV network makes more money if it's operated primarily as an entertainment. That means: nothing that requires the consumer to think, because a lot of people don't like to think. Not too many boring facts, either (unless they're sensational).

Don't be too hard on Gates. There will always be people whose goal in life is to make more money, by any means that works. The problem is that our society has lost the checks and balances that used to constrain people like him.

Ones not made by Microsoft

Especially the ones that you get while downloading the updates.

So the thing the users keep doing wrong is hook it up to the internet.

From TFA..

[mstefanus]

Q: What's your take on making Windows Media compatible with Apple?
Gates: We're big believers in interoperability.

BWWAAHAHHAHAHAHHAHAAAHHAAAA!!!!!!

Yes yes... ofcourse, interoperability within Microsoft products

Article is a troll

[ic3p1ck]

Mod article +5 Troll...

Wish there was a rating system for articles.

Re:Blame Game

[ladybugfi]

See the quote: "More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change."

Money is no replacement for clue.

Gibberish

[gruntled]

The purpose of Internet Explorer is to download third party files (by viewing Web pages). Mr Gates's claim that vulnerabilites exist because of such downloads is therefore nonsensical; it's like saying we could end deaths due to automobile accidents by banning automobiles. Yeah, there's a certain logic to that, but it sort of misses the point. To take a recent, ongoing example: A malevolent Web page can use an image file to compromise a Windows system. This vulnerability is not created by users who have somehow previously contaiminated the local environment; it's a part of the system's design. The OS was originally built to offer features over security, and maintaining backward compatability rather than fixing those issues would make it more difficult to coax existing users into upgrading (and would also make it easier for existing users to consider alternatives rather than upgrading). I lost two years of my life covering the antitrust trial, listening to this guy and his minions cheerfully perjure themselves, and he just can't seem to stop making it up.

Re:Bill Gates lecturing about security...

[Whizzmo2]

"I'm John Kerry, and I approved this plagiarism".

Re:Best quote from Bill...

[wan-fu]

It doesn't really help if you don't provide what site statistics those are from... if those are the figures for mozilla.org then I'd say IE is doing very well, but if that's something like msn.com then obviously it's a different story.

The user's fault? We can fix that!

[outanowhere]

Blame it on the user.

Again.

As usual.

As always.

Microsoft and especially Mr. Gates have both blamed the user for DOS and windows bugs, et cetera, ad nauseum, since the beginning.

It's one of the things that really encouraged me to dump windows. Being told personally, to one's face, by Microsoft and Mr. Gates that the problems with DOS and windows is my fault made it very easy to walk away from the huge investment in microsoft stuff.

Since the user is at fault, the user can fix it--like I did: dump microsoft.

Catch 22

[The+Real+Nem]

It is kind of a catch 22. If Windows had built in anti-virus software no one would buy 3rd party anti-virus software and Microsoft would gain a monopoly in the market. They would get their asses sued and everyone would complain that they have a monopoly or they have created an unfair environment. We've seen it before. If Windows doesn't have built in anti-virus software everyone complains they don't.

And even if Windows did have built in anti-virus software, can you honestly tell me, given their track record, that you would feel secure with it? If everyone used Windows built in anti-virus software wouldn't it be just that much easier to exploit and cause even more damage.

Re:infomechanics

[arkanes]

There's no such thing as "bit rot" per se - things like fragmentation can cause a gradual decrease in performance, but not failure. The term is used in software development because of the way old parts of source code don't get looked at and updated and touched.

Simply put - the "maintenance" that we refer to with software, and that's being compared to cars above is in fact no such thing. Every patch and update that's issued is to correct a _mistake_ in the software - not something that gradually failed because of wear. Cars need regular maintaining because they're physical objects in a physical environment and the stresses and imperfections of that environment cause real physical damage that needs to be repaired. Software "maintenance" is actually incremental development - it's correct mistakes that are in the original.

All that said, software (at least most of it) is far, far more complex than your typical car, and has had far less time to mature. The physical limits that a car operates in are well defined and well understood, and the vehicles are designed with that in mind. There are well known and well understood physical requirements and those requirements are easily tested. Software lives in a very different environment with a very different level of contstraint and a very different level of user expectation.

Re:infomechanics

[Doc+Ruby]

Software with modern complexity will always have defects. Accepting that fact, and designing for failure tolerance, is the kind of wisdom that has steadily improved automobile safety despite heavier use under less anticipated conditions by many more people. Software is no different, unless you have the magic to reduce software design and implementation errors to nothing.

I'm sorry, what!?

[rincebrain]

Last Q/A in the article:
Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
[Italics and bolded sentence my own markup]

So let me get this straight, Mr. Gates. You have thousands of people working just on Internet Explorer, and yet...a thousand or two thousand people working on Mozilla have bested you?

Nothing is going to change, indeed, Mr. Gates. You're going to keep spewing the same old story, ignoring obvious holes in your own logic (third-party software is to blame for all security problems, true...but that doesn't mean your software should allow third-party software to install itself without the user doing a thing), denying any obvious falsehoods in your own statements (" We feel like we are pioneering an experience that to us is a clear thing most households will want." - Gates, regarding Windows Media Center PCs...I'm sorry, I didn't know you pioneered multicasting from a set-top box...I presume Linksys is paying you licensing fees for their video broadcast device, to name one alternative?), and hoping people will be stupid enough to follow it.

The saddest part of the above discourse is, Gates is probably right. People are, until told otherwise, going to keep using bug-ridden products, until they are shown that there are alternatives...I know many users who have never clicked Windows Update in their lives, and not because they've never used Windows.

I could be wrong, but I'm sensing a downward spiral, when M$ can announce things such as they did in their article, and not get negative feedback from the interviewer. Just my $0.05.

Critical assesment vs Belief

[quinkin]

It seems to me that social gullibilty has nothing to do with detection of a lie - instead it stems from the belief of an assertion with no critical evaluation. Critical analysis over unquestioning belief is a much maligned concept in most education systems.

Our children are being indoctrinated from a very early age to believe what authority figures (parents, teachers, the tv, etc.) tell them. Should we be surprised when a concept ingrained for 10+ years during the most formative childhood years translates to an easily misled populace?

Do not believe anyone. Do not believe politicians, scientists, priests, your parents, the police, and please don't believe the mass media.

Teach your children to think, not believe.

Q.

The whole attitude makes me angry

[zerojoker]

Q: Speaking of security, Internet Explorer has had well-publicized holes ...
Gates: Understand those are cases where you are downloading third-party software.

This is just a lie. I wonder if he really belives this bullshit.

Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

And here you can see that the whole attitude towards the security is weird at M$. I mean I don't want Anti-Virus or Anti-Spyware Software from Microsoft. I want the structural problems of Windows solved.
If you start MacOS X the root user is disabled per default. That is why Spyware doesn't have a chance. Even the most stupid user will think twice if he has to enter his system-password if he installs Software. Same with Linux. The whole Spyware-thing would be much much less trouble if the default install of Windows would create a user account.
And Windows has these capabilities. But at the moment this feature ist pretty much unusable because most of the software vendors don't give a shit about multi-user install. And why do they do this? Because M$ creates a default Admin-Account anyway. If M$ would change that, the software-vendors would adapt very quickly, like they did with SP2.
Same with Firewall: First install zillions of services which most of the users don't need at all. And instead of swichting these services off per default, you create a Firewall to fix it.

It's the whole "If we have to decide between usability and security, we will always go for usability" approach that bothers me...

Re:Check the history of the seatbelt in the car

[orac2]

The plural of "anecdote" is not data!

Even though you acknowledge the overall statistics, you then rely on one person's experiences for choosing not to wear a seatbelt in many circumstances to overrule the statistics.

To see why this is crazy, imagine asking a 1000 people all across the country to toss (fair and balanced) coins. Ask the 500 or so people who get heads to toss again. Ask the 250 or so people who get heads that time to toss again. And so on, through 125, 62, 31, 15, 7, 3, till you're left with 1 person. Now this 1 person has tossed a coin 10 times and it's come up heads every time! [1]

Now if you didn't know much about coin tossing, except a statistic that said they come up tails about 50% of the time, and you only knew that one person, should you believe her if she says "Well, the statistics say tails comes up 50% of the time, but from what I've seen, it's heads all the way!"?

Unless you know of a broad survery of many accident investigators who detect a tendancy for low-speed or low-traffic density accident injuries to be increased in either number or severity because of seat belts, then you must take what you're hearing with a hefty grain of salt, even if what they are saying is 100% true[2]. (By the way, I fail to see the difference in between accidently wrapping oneself around a telephone pole on a busy road vs. a quiet road.)

Don't forget there's an obvious potentail for observer's bias here too: you're not seeing his formal reports, but just the stories he's choosing to share with you in an environment which encourages entertaining conversation, not neccessarily statistically accurate conversation.

In the absence of such of survey, perhaps the best thing is to consider the failure mode you're really concerened about: it's not that wearing a seat belt is bad during the accident, but that you may be trapped afterwards. Put a box cutter or similar within reach, say in the door drawer. If you can't operate the cutter because of unconsciousness or severe injury, well, in your condition, you weren't getting of that car anyway .

[1] There's actually a well known stock-market scam which operates in very much this fashion.

[2] The furor over silicone breast implants is another good example: a lot of women honestly reported problems after breast implants, but when all was said and done, their problems were coincidental.