Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft vs. Computer Security

Posted by Zonk on from the looking-for-the-right-tactic dept.

ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.

1 of 439 comments (clear)

  1. Re:No Progress? by Anonymous Coward · · Score: 5, Interesting

    I work at Microsoft.

    The other day, we had to have a little talk with one of our developers; he didn't understand why it was bad that his application generates an error message that writes the administrator password to the Event Viewer logs. What was that I heard about every developer being thoroughly trained in secure coding practices?

    Even though security is supposedly top priority, we find ourselves unable to force our developers to adhere to policy and write code that can run under a non-admin or non-system account. The higher ups steam roll over us when we fight the fight.

    The problem is that there are two groups at MS; the business side, and the technical side. The business side calls the shots, and they don't listen to the technical side.

    Sure, there's plenty of talk about security, but no real action. PR is cheap.

    "The whole article is a troll....Its filled with 'feelings' and 'impressions' by people cited as experts, without examination of their claims - nor an inquiry to factual matters."

    The article is correct. The reason it is not filled with objective evidence is because there currently no objective, agreed upon method of measuring code or system security. In the absence of objective data, the opinions of experts are the best thing we have.