Ask Microsoft's Security VP

There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week.

What has changed?

[suso]

Besides the same old PR scripted answers that corporations like to give in order to obscure or downplay what is really going on. What assurance can you give us that Microsoft is more focused on security and that Vista is going to be any different from the previous incarnations of Windows? What proof can you give us? Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" are helpful pieces of information to answer this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?

From what I've heard, even though most of Vista is being rewritten from the ground up with more scrutiny on what code goes into it, it will still have major flaws generated by the way Microsoft works internally as a company.

Re:What has changed?

[Libor+Vanek]

Please mod parent up - it's been 4 years since Bill Gates' statement "Security is priority" and we've all seen WMF bug in Vista beta...

Re:What has changed?

What answer could he possibly give to make you happy that hasn't been given before? If you look at books like Howard and LeBlanc's Writing Secure Code, and the various posts on the MSRC blog, and the Channel 9 videos about the MSRC, there's been a huge amount of information about what's been/being done.

If all that information's not sufficient to describe what Microsoft is doing, what additional information could Nash offer that would make you happy? Is it sufficient that the answer came from a "vice president"? Why does that make a difference?

Re:What has changed?

Weeeeeeelll...
It seems like words fail me.
You should already know the answers.
And know how the product's going to turn out.
And know that mono-cultures breed plagues.

Re:What has changed?

[cyberscan]

MS security promises sounds like the same promises of "ethics reform" promised by the Democratic-Republican Party

Re:What has changed?

"Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" are helpful pieces of information to answer this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?"

After seeing the Vista demos, wouldn't their answers be more like... "We have a new team copying OS X" or "our process for reviewing changes has come straight from OS X" ?

Re:What has changed?

[Varun+Soundararajan]

His statement should start like this:
Ladies and Gentlemen, Microsoft also has a Security Technology Unit and I come here to represent it :)

Re:What has changed?

[Wolfrider]

My question is, Are you going to allow popular programs that have not been written securely to run on Vista by means of a "hack" or "tweak"?

What are you doing to prevent buffer overflow and similar attacks in the future?

Re:What has changed?

[coofercat]

Perhaps add something along the lines of:

Whilst it's impossible to give any firm commitments, would you like to give us some idea how much more secure Vista will be (compared to, say, XP)?

(Hint: I'd like to see "I'd expect 50% less critical vulnerabilities per unit time" or "most system owners will see 50% less spyware" or something along those lines)

Re:What has changed?

[electroniceric]

One major security difference between Windows and *nix is the need for many userland programs to run as Administrator. Clearly this enlarges the attackable surface area of the Windows platform by allowing attacks via applications that run as Administrator. Presumably this accounts for the decision to have XP Home users be Administrators by default.

What is Microsoft's plan for eliminating this problem? How will Vista address the tasks that require higher levels of privileges? What restrictions does this place on normal users? How do focus group users respond to these restrictions? Has there been communication with applications vendors to ensure that they are making the necessary changes?

Re:What has changed?

[kestasjk]

On the same subject:

Most of the most glaring Windows XP security problems (being in the Admininstrators group by default, being allowed to write anywhere by default, having the firewall off [pre-SP2] by default) were there to preserve compatibility with previous versions of Windows.
Will Vista comprimise on security, or compatibility?

Re:What has changed?

This was answered at the 2005 PDC. Next.

Re:What has changed?

[Audacious]

Many viruses et al exploit holes found within Microsoft's system. My question is, since original Windows (v1.0), how many such holes (and especially backdoors) have been found with each version of Windows? In other words - are the number of problems increasing as the complexity of Windows has increased or has the number of problems decreased as each version has come out?

My reasons for asking is because Microsoft has tried (over the years) to structure things more and more. So presumably fewer and fewer problems should arise from programming mistakes. Yet it seems that there continue to be more and more problems. But is it that there truly are more problems? Or have there just been so many attacks that people are simply lumping together all versions of Microsoft Windows in their minds and counting all of the previous viruses as part of the one big problem?

Re:What has changed?

[seudafed]

Vista has "User Account Control". Even though your user may be in the administrator group, it is not really running as administrator. In order to perform tasks such as install drivers, add services, etc, you need to run the app in elevated permission mode. This is either manually initiated by right clicking on the app in question and selection "run elevated as...", or automatically by the app which makes an API call that brings up a pop up asking the user if he is willing to grant the application elevated privileges. I actually had some problems with this...For instance, I was unable to relabel a partition in my standard user acct in the administrator group. I had to log in as the actual administrator account to do this (which strangely is still created with no password). Window's Defender add's another layer by catching events such as driver installation, service addition, homepage changes, etc, etc, and additionally prompts the user to allow or deny the action. In the current december CTP of Vista this creates quite a lot of popups, but I am sure in the future much of this will be hooked up to SpyNet and answered automatically if the user opts in. Additionally, IE7 runs as its own unprivleged user. Here is a somewhat outdated description of UAC: http://www.microsoft.com/technet/windowsvista/eval uate/feat/uaprot.mspx

Re:What has changed?

[Sun]

Dear Mr. Nash,

As someone who is a former Windows programmer, a Wine hacker and a security expert, I cannot escape the notion that many of Windows security weaknesses are a direct result of a deliberate design decisions made by Microsoft. This is not to say that Microsoft maliciously designed the entire system, starting with the API, going through the security and users system, and ending with the program features, based solely on "usability" and "convenience", with "security" either being discarded as unimportant or not being considered. Either way, it appears to me that many of the design decisions behind the way Windows were poorly made, security wise.

Vulnerabilities such as buffer overruns are implementation oversights. While the receive much hype for being easily exploitable, they are also a matter of issuing a fix and having it away with the problem. Vulnerabilities such as the latest WMF problems stem from lack of security consciousness when performing design, but low use of the relevant feature probably means that a fix is not very difficult to carry out. These are not the sort of problems I'm talking about.

To demonstrate what I am talking about, allow me to give a few isolated examples:

• Sending a WM_TIMER message to a program that did not specifically catch it will cause it to run an arbitrary address.
• Using the CreateProcess API command using a NULL as the "lpApplicationName" parameter creates ambiguity regarding what is the program to execute when whitespaces exists. Often, the command that the program is trying to execute is not the highest priority in the search, resulting in a user able to inject their own code into the application's context

The problem with such design decisions is that the resulting vulnerabilities may not even be with Microsoft applications. I have seen vulnerabilities for both of the above problems with non-Microsoft anti-virus programs. Microsoft's response under such cases has always been "this is not a vulnerability in our code", despite not mentioning anywhere within its documentation that you are required to catch the "WM_TIMER" event, whether you need it or not, or your application will be vulnerable.

In short, it is my opinion that Microsoft's development environment is hostile to secure programming, simply because of the sheer enormity of the API, and because applications may be affected by areas of the API they did not use. This means that producing secure code for Windows requires a level of expertise far outside the level required for producing code.

One thing that is worse with this type of problems is that they receive little attention. While none of the problems I mentioned above is first published here, you will not find either of them mentioned on BugTraq or Full Disclosure anywhere within the past year. This, I believe, is a direct result of MS's "someone else's problem" approach. This means that Black Hats have an attack vector open that programmers are likely not aware of. I have talked to Black Hats that told me candidly that they get in anywhere they want by exploiting the fact that ActiveX's have no certificate revocation. Once an ActiveX was signed by Macromedia, Symantec or Microsoft, it remains signed, even if a security hole is discovered in it. They just push an old, insecure (but signed) ActiveX to the victim's machine, and then exploit the newly opened hole in order to get in.

Even worse, these problems are not implementation problems. People use both CreateProcess' NULL as application name AND WM_TIMER's callback option, which means that no simple implementation fix will close the hole without breaking applications. Microsoft provides no way to revoke a signature on an ActiveX.

My question, then,

Re:What has changed?

This needs to be upmodded because it is by far the best question that has been asked thus far.

Re:What has changed?

[scotch51]

Agreed. Yea, that's piling on, but the parent comment was only "2" when I wrote this, and I don't have any points to award today.

Re:What has changed?

[innosent]

Anyone else read that and think of the scene in the South Park movie where Gates comes in and says how much faster the new Windows is, then gets shot? Asking an MS exec to give statistics on how much better (in any way, speed, security, etc.) the new version is compared to everything else is like asking a preschool student how much better his/her fingerpainting is compared any other painting: even if they just smeared everything together to create a big brown blob, their "8 times better" masterpiece should be hung in the Louvre. According to Microsoft, each new version of Windows is faster than the previous, yet Windows 3.1 ran fine on a 386/16 with 8MB RAM, but XP crawls on a machine 50 times faster. XP may do more, be more intuitive, and be a major improvement, but it certainly isn't faster. Odds are pretty good that if you need a few hundred people to maintain a piece of software on a full-time basis, your project is bloated, inefficent, and likely to be full of security holes.

Of course, this isn't just a Microsoft problem, plenty of open-source projects also fit this description, especially Gnome or KDE. Fvwm may not have been the ideal window manager, but it ran well on the same 386/16, and Gnome/KDE struggle on the same hardware XP struggles on.

Comments we've all heard 1000 times

Well you editors keep posting the same story 1000 times, so what do you expect?

You guys are in no position to lecture commenters when you live for the page churners.

Are you afraid?

[no_pets]

Are you afraid that if Microsoft Security isn't greatly improved in Vista that a chair will be thrown at you?

Re:Are you afraid?

Thats assuming that anyone in the slashdot crowd would have the physical strength to lift a chair. ;)

Re:Are you afraid?

[frodo+from+middle+ea]

with steve vowing to fucking kill you (TM).

Re:Are you afraid?

[Loether]

The GP was refereing to Steve Ballmer tossing a Chair in his office http://battellemedia.com/archives/001835.php

Re:Are you afraid?

[TheRaven64]

And how many people do you know personally that have been fucking buried by Steve Balmer?

Re:Are you afraid?

[Red+Alastor]

Are you afraid that if Microsoft Security isn't greatly improved in Vista that a chair will be thrown at you?

And in a more serious vein : How free are you to talk ?

Question #1

[SpaceCadetTrav]

Do you ever sneak onto Slashdot late at night and laugh at all of the whiney anti-Microsofters?

Differences Between Windows & Other Employers?

[eldavojohn]

Mr. Nash, what are the greatest differences and similarities between Microsoft Corp. and Data General Corp., your two most recent employers? Most importantly, how drastic were the changes you saw (not necessarily changes due to job function but changes in general)? What do you like the most and what do you hate the most?

Why does windows security suck so much?

[RouterSlayer]

No, seriously, why?

And do you really expect us to "buy" the BS DRM crapola in Vista?

Surely, you can't be serious!

How will Microsoft feel when Vista comes out and flops and Linux wipes the floor with it?

WIndows OneCare status?

[winkydink]

What is the status of the Windows OneCare program? Is a released product expected soon?

Re:WIndows OneCare status?

[Epicyon]

Looks like there's a beta available: http://www.windowsonecare.com/

Re:WIndows OneCare status?

[DrSkwid]

how amusing

Say it out loud

You can't help but say "Windows Wanker"

priceless

Most regretted design decision

[VitaminB52]

What is the Windows / Internet Explorer design decision that MS does, from a security point of view, regret most?

MS Security

[boogahboogah]

How are we to know that there are not more back doors built into Windows like the GDI back door ? How are we supposed to trust an operating system that has such obvious flaws built-in ?

How much longer can we hold on...

[iotashan]

About how long can we expect XP to have security patches before we're forced to migrate to Vista?

Re:How much longer can we hold on...

I hope you don't get modded up. Your question is just stupid. There are dozens of operating systems you can choose besides Vista. Nobody is forcing you to do anything.

Re:How much longer can we hold on...

[Afrosheen]

Dumb question. Check Microsoft's site for Windows XP EOL statements. I'm guessing it's about 3-5 years out but they know better than I do.

Re:How much longer can we hold on...

http://support.microsoft.com/gp/lifepolicy

for 2 years after vista ships

Re:How much longer can we hold on...

[Trevahaha]

XP Pro: 2011, XP Home: at least 2008
http://www.windowsitpro.com/windowspaulthurrott/Ar ticle/ArticleID/49056/windowspaulthurrott_49056.ht ml

Re:How much longer can we hold on...

[Overly+Critical+Guy]

Windows XP SP3 has been quietly moved to the end of 2007, a year later.

I have a question for you

[FidelCatsro]

Mr Nash , How in the world do you still have a job ?
I would of fire my Security VP if we had a track record like MS.

Re:I have a question for you

That's "would have", you insensitive clod!

Re:I have a question for you

[FidelCatsro]

To waste more karma (and correct that Would of / would have slip)
That was not a troll , I was inquiring into how someone with a track record like this is able to keep his job in a very competitive environment .
Microsoft's Security situation has hardly improved , yet there is little change beyond mere words and new slogans

A genuine question , perhaps asked a little abruptly .

Re:I have a question for you

[Shadow+Wrought]

That's because they work like the Sirius Cybernetics Corporation. The overt design flaws hide the inherent design flaws. His job is to provide lax security so as to distract people from the real issues with Windows. If he denies it, you know it's true.

Re:I have a question for you

[tomhudson]

Microsoft's Security situation has hardly improved

You have a strange definition of the word "improved" :-)

It hasn't improved at all - by most objective measures, every generation of product has been more severely b0rked than the previous generation.

Re:I have a question for you

being polite ..
Should have said , sunk into a rat infested sewer and caught the plague

Re:I have a question for you

[FidelCatsro]

That's about the ticket , I imagine .

Re:I have a question for you

[VitaminB52]

Yes, Microsofts security trackrecord sucks like a 1001-whores brothel - but if I remember correctly, mr Nash became security VP after most security "issues" had been coded into MS products. You can't blame him for the problems his predecessors left behind.

I don't envy mr. Nash's job - only his salary :) .

Re:I have a question for you

[FidelCatsro]

Well he hasn't really done anything to improve the ways they deal with security problems ..

Re:I have a question for you

[McNally]

That was not a troll , I was inquiring into how someone with a track record like this is able to keep his job in a very competitive environment.

Is it just me or is that a really ironic question coming from someone who's named himself a variation on "Fidel Castro"?

Patch Release Cycle

[skywalker107]

Did the WMF Patch now set a standard that severly high risk problems will be patched out of the standard patch Cycle? How did Microsoft come to the conclusion that is was important enough to go against what it promised it's corporate customers?

Re:Patch Release Cycle

[AgentUSA]

This has been answered before. Microsoft has stated that they will release patches out of cycle if there is an exploit in the wild that poses a significant enough threat to their customers.

Security versus Quantity?

[dada21]

As a Microsoft product user, it has always made me wonder what the User:Bug ratio might be. Do we see more bugs found BECAUSE more users are using a product?

Has Microsoft tracked the "security bug" to user ratio on their products and found that products with fewer users seem to have fewer bugs? If that is the case, I wonder if it is the normal process of higher supply leading to more people spending time looking for bugs.

It is like the population:innovation ratio -- as a population goes up, the amount of innovators being born goes up, too, leading to more innovations.

Re:Security versus Quantity?

[AVee]

And, besides the Uder to Bug ratio do you see a relation between the amount of code and the amount of bug? Is any effort made to reduce the amount of code, since, at least from the outside, it seems there is mostly more code being added to create more security...

Re:Security versus Quantity?

[calzone5018]

Wouldnt the population to innovation ratio stay pretty constant? Only a small % of people are inventers, and just because there are more people doesnt mean that there will be a higher % of inventer.

Re:Security versus Quantity?

[dada21]

Doh, you're right. I meant "quantity" of inventors, not ratio. I guess I should have said "does the security bug:user ratio stay consistent?" instead of does it go up.

Thanks for pointing that out.

Re:Security versus Quantity?

[c0d3h4x0r]

Udder-to-bug ratio?

Re:Security versus Quantity?

[Speare]

I can tell you, from my time at Microsoft long ago (Win3.1 era), that there were more internal bugs reported against the CLOCK.EXE program than there were lines of code. It's a bit misleading since it's such a subjective kind of app where everyone wants to have a say on how it looks in different clock face styles, but it also was used as a demonstration of a surprising number of GDI bugs at the time.

It was also interesting to note that there were clearly understood data overrun problems in the WMF stuff, even back then. WMF is basically just a fancy scene graph or display list, where it records GDI calls and regurgitates it into a drawing later. But the GDI API was not really well-suited to support that concept in the first place. A huge chunk of bug reports overall, even in those days, was to avoid breaking backward compatibility, even if it meant not fixing real design flaws.

Re:Security versus Quantity?

[ThaFooz]

It is like the population:innovation ratio -- as a population goes up, the amount of innovators being born goes up, too, leading to more innovations.

I would actually think that as the population increases, the ratio of innovations goes down as a large population requires maintaining a large infrastructure and the division of wealth/knowledge/etc increases. The quantity & significance of innovations may increase, though at the risk of collapsing in on itself.

I mean, take the real life examples of the India & China vs. the US and Europe. The enormous populations of former mean that there are a lot of innovators, and a lot of competition between bringing out some truly amazing stuff, but the same time said demographics are the biggest challenges facing nations with finite space and natural resources. Wherease the later may have fewer brilliant people, the nations tend to be more stable with a higher ratio of innovation.

Actually, I think that makes it even more analagous to MS vs. its competitors in terms of innovation and security problems.

Re:Security versus Quantity?

[Avohir]

the ratio I'd be interesting in hearing about is the ratio of bugs caught in internal beta-testing vs the ones that are found after release

Re:Security versus Quantity?

[Hosiah]

Do we see more bugs found BECAUSE more users are using a product?

OK, I've heard that logic enough times to be convinced. That's right, I'm totally sold! And there are more poor people than rich people, so really it must be that rich people have just as many problems as poor people, but being poor gets all the exposure so it must get all the negative press. Airtight infallible logic.

Re:Security versus Quantity?

[l00k]

Does the Udder-to-Bug ratio increase the chance of contracting cowpox, and, was the patch written with it in 1798 to prevent the virus smallpox a cheap hack of code?

New Browser?

[gasmonso]

Will Microsoft ship Firefox with Windows Vista in place of Internet Explorer to provide a more secure environment?

http://religiousfreaks.com/

Re:New Browser?

[Bogtha]

Of course they won't. Firefox doesn't support a lot of proprietary things that lots of intranet applications depend on. Can Firefox run HTAs? Does Firefox support VBScript? If Microsoft were to drop Internet Explorer for Firefox, they'd be leaving a lot of customers high and dry, requiring them to rewrite applications before upgrading to Vista.

Personally, I'd like to have an explanation as to why, despite the fact that it hasn't been in active development for ~4.5 years, people are still finding vulnerabilities in Internet Explorer 6 on a regular basis.

Re:New Browser?

[indifferent+children]

'd like to have an explanation as to why, despite the fact that it hasn't been in active development for ~4.5 years, people are still finding vulnerabilities in Internet Explorer 6 on a regular basis.

HTAs, VBScript, ActiveX, and other proprietary features that make intranet app development seem easy, but should never be allowed within 20 hops of the Internet.

Re:New Browser?

[ad0gg]

I actually wouldn't be surprised if microsoft limits IE to intranet and local(mshelp,iewidgets,vista's XML interface etc) use only. I really don't see any benefits for MS developing a web browser for external uses. Why continue patching IE when mozilla is being developed for free.

Re:New Browser?

[typical]

Of course they won't. Firefox doesn't support a lot of proprietary things that lots of intranet applications depend on. Can Firefox run HTAs? Does Firefox support VBScript? If Microsoft were to drop Internet Explorer for Firefox, they'd be leaving a lot of customers high and dry, requiring them to rewrite applications before upgrading to Vista.

I think that the move to tie IE to the OS was sort of reactionary, and the rush to try to do so was the cause of a lot of the security problems today. Lots of problems came from overlap in responsibilities and rights of a file browser versus a web browser versus a remote application executor. I think that there's really three different sets of tasks, and should be clearly separated, and what each is allowed to do clearly defined.

I can understand that Microsoft wanted to provide some sort of mechanism to run intranet "applications", stuff that's more application-like than a typical webpage is. Maybe it was politically necessary to use an "open" environment like the Web at the time to do this, and to use Microsoft's web browser as a platform. I'm guessing that making a single application to browse files, the Web, and handle remote applications might have sounded simpler to a user.

Honestly, though, most intranet applications that target IE aren't portable to other web browsers anyway. I'd rather that there simply be a piece of software responsible for running "remote applications", and that this be separate from a web browser -- and that the web browser place very strict conditions on what it allows the remote world to do to a computer. Maybe opening new windows makes sense for a remote application, but is potentially abusable (and thus not acceptable behavior) for a web browser. Yes, in theory this may be what trusted domains were meant to do, but they don't seem to have eliminated everyone's problems.

Vista

[gcnaddict]

I am in the Vista beta program, and the latest build has UAP implemented in a rather annoying way. Seeing as to how 5270 was nearly code-complete, will there be any change in how the UAP is implemented so as to not bug the user? I know many people in the beta besides me are bugged about this issue. (It takes 5+ steps to delete a shortcut on a desktop! Come on!)

Re:Vista

I have to agree with this. I also am beta testing Vista and also have noticed this also. I'm not completely annoyed at this as i understand it is there for security, but I would like to not have to approve every little thing i do to that much of an extent.

Re:Vista

[baadger]

Either way it's easily disabled. If Microsoft don't listen to your complaints then they sure will when it hits retail.

Security/user friendly tradeoff

[qwijibo]

Is there a general policy within Microsoft to help product teams make consistent security decisions? There are frequently issues where the decision has to be made between being more secure or more user friendly.

For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.

Re:Security/user friendly tradeoff

[ettlz]

Furthermore, as Windows is (for better or worse) the most widely-deployed operating system, why doesn't it make a better job of educating users about security? (That is, why does it pester me when the AV or update is out of date, or the firewall is off, but doesn't remind me of the destructive potential of doing ordinary stuff as Administrator?)

WMF bug in Vista

[Libor+Vanek]

Hi,
after happening WMF bug, which is (according to Microsoft own statement) from Windows 3.1 (!!!) - even if it was hardly-happening in Windows 9x - what exactly you changed in your security process to prevent these happening?

Re:WMF bug in Vista

[TimTheFoolMan]

To elaborate, what does the security review process look like from the inside (such that other development teams might learn from it)? How does it differ from a code review? Why would this process *not* catch something like the WMF hole, given that this appears to be blatantly erroneous programming (assuming it wasn't intentional at the corporate level)?

My biggest concerns about MS today surround this process, which is completely invisible to the world, but which we rely on for having greater confidence in MS products. Understanding how MS approaches these reviews might make us feel better (or might depress us beyond reason).

Tim

Re:WMF bug in Vista

[TimTheFoolMan]

To the "Troll" moderator, have you even bothered trying to understand the technical issues? If so, please respond with an intelligent answer instead of just modding down an opinion that you don't like (and apparently don't understand).

This is not a trivial question, and everything in Microsoft's new "security push" is open to question until they respond in a more intelligent way than Stephen Toulouse's mind-numbingly ambiguous non-response.

Disagree with me if you want, but do so openly. Not like a mod-points-laden coward.

Tim

Re:WMF bug in Vista

[VitaminB52]

Disagree with me if you want, but do so openly. Not like a mod-points-laden coward.

Hi "TimTheFoolMan" - I didn't moderate your comment, but err... /. moderators can't moderate and comment (to) the same /. article.

Re:WMF bug in Vista

[TimTheFoolMan]

Understood. I was asking for discussion *instead* of blind moderation. I realize it's a bit after the fact though. :-)

Tim

Top priority for security in 2006

Given that security is a major topic on IT manager's minds these days with security flaws and patches practically making front page news of some publications, What do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?

Re:Top priority for security in 2006

[booch]

I'd like to know how Microsoft would respond to the Six Dumbest Ideas in Computer Security. Especially #3, "Penetrate and Patch". It seem like they're trying to address the symptoms, without addressing the architectural issues. At least, I've not seen them make any architectural changes in the (what is it now, 5?) years since they decided to "concentrate" on security.

security && usability

[Russ+Nelson]

Security and usability often conflict. Microsoft has always erred in the side of usability, and, well, you can see the results for yourself. Do you have any magic wand to wave, or do you plan to give up usability?
-russ

flaws

[TCFOO]

Is Microsoft going to look for and fix any critical security flaws before releasing Vista?

Proof

[gid13]

Those that have been paying attention have repeatedly heard the same old arguments. "More eyes make more security", "Popularity increases the likelihood of being targeted", and so forth. My question is this: If Windows' undeniable popularity increases its odds of being targeted, how can one make a fair comparison of security between it and less popular OS's?

The Credibility gap

[skyryder12]

MS "bundled" it's web browser as part of the OS. This decision was in part brought about by legal challenges facing the company at the time. In my view, this was a very poor engineering decision, and the resultant "marraige" of browser and OS have led to repeated security nightmares for admins, companies and individual users. To my mind, the obvious solution would be to unbundle the two. But if MS did that, they would be admitting to perjury in court. I find this lack of judgement and integrity greatly disturbing, and this is a major reason I believe that Microsoft cannot be trusted to make the right, correct or best decision. This is not a hppy thought when it comes to my business. My question is, given this past behavior, why should we give ANY credibility to statements concerning security from Redmond?

Re:The Credibility gap

[Nazadus]

Ok, they _can_ seperate the two. It's software, it can be *completely* redesigned for that.
What they said was it is going to be exceptionally difficult to seperate the two and cost many man hours. They did not say it was impossible. I would suggest reading the transcripts. In software, all is possible... it just make take a _really_ long time though.

I think I would like to place your question in the context of:
I don't recall where, but I remember reading (so yes, this is third hand information probably) that Windows XP was supposedly "redisgned from scratch". If this is the case, then how did the recent WMF bug get into the code? That question is more rhetorical leading up to my real question of: How can we be certain that Vista won't face the same challenges? How much of it has been rewritten from scratch and how much of it was a copy and paste (and thusly leading to security vulnerabilities)? Obviously you, as a security dude, don't have completle control over this, but what have you done to prevent these things in Vista from showing up?

All I care about is the future... yes, it's a long time away, the stuff we have now works good enough, leaving us plenty of time to make the next step right. There is no sense in cutting corners now, except to please share holders (who will be pleased when you release early and get a little money from stock going up, but will be _more_ pleased when it's done right and stock goes way up when people find out how solid and more secure it is: Techies talk; They build most of the users computers in the first place).

Re:The Credibility gap

The problem is that most people (and even Microsoft is guilty of the same to a large extent) fail to distinguish between IE, the WebBrowser control and MSHTML.

I can't see much of a reason not to provide the option to get rid of Internet Explorer (which is just a fancy UI host for the WebBrowser control), however getting rid of iexplore.exe wouldn't have much of an effect at all.

It's simply impossible for Microsoft to pull out the WebBrowser control or the MSHTML related interfaces because doing so would break an immense amount of applications. The overwhelming majority of applications on Windows that need to display or parse HTML or need a quick-and-dirty in-app browser (RSS aggregator, e-mail application, etc) are using those components. The entire help system is based on rendering specialized HTML. JScript and VBScript are an integral part as well and also can't just be pulled out without again breaking a great number of applications. And so on.

IE's model and extensibility do make sense for local content, or intranet content (IMO IE still beats FireFox for deploying specialized intranet applications which need to be accessible through a browser).

That said, I would very much like to see an architecture where the web rendering part of the OS is pluggable, much like you once had the choice to go with MS' Java VM or Sun's Java VM but the end result was largely transparent to regular users but no production-ready 'free' drop-in replacement exists for MSHTML either.

Or alternatively that Microsoft just does away with ActiveX as far as web sites are concerned and instead replaces it with something that has a much better and finegrained security model (.NET comes to mind).

Re:The Credibility gap

[Hackeron]

Err, what about when will you stop promising great security 8 months down the line and show us a working product? - We are tired of hearing the same crap we heard back in 1998 and 1999 and 2000 and 2001 and 2002, etc about how the next version will be the one to fix security faults.

Re:The Credibility gap

[man_of_mr_e]

Every time I read or hear someone say this, it shows a huge degree if ignorance of the era. Yes, there are all these court documents about MS's fight with Netscape, but all this ignores that Microsoft had been planning to integrate IE much earlier than that.

As early as late 1994, when Microsoft first purchased Spyglass and Microsoft did their famous "about face" to become internet centric (Everyone forgets about that in these arguments), Microsoft had made plans for two successor versions of Windows 9x. The first was to be Windows 96 (code named Nashville) and the second was to be Windows 97 (code named Memphis). This was all part of their "road from Chicago to Cairo" (Note that Nashville and Memphis are both in Tn and that Cairo and Memphis are both in Egypt).

Windows 96 (Nashville) was the integration of IE into the shell. Originally intended to be a stand alone version of Windows 9x, but was later "componentized" into the shell team so that both NT and 9x could benefit.

This played right into Microsoft's plan to take on Netscape for sure, but it doesn't change the fact that Microsoft had designed this architecture long before their war with Netscape came up. There was no legal basis to their design, it was always planned to be that way.

Re:The Credibility gap

[man_of_mr_e]

XP was not "redesigned from scratch". That's why it's Windows version 5.1, the .1 indicates a minor version over 5.0 (Windows 2000). You heard wrong.

Re:The Credibility gap

This played right into Microsoft's plan to take on Netscape for sure, but it doesn't change the fact that Microsoft had designed this architecture long before their war with Netscape came up.

Err, no, Miscrosoft bought Spyglass to pick a fight with Netscape. Everything else followed after.

Re:The Credibility gap

[man_of_mr_e]

Not really. The infamous "meeting" between Microsoft and Netscape in which Microsoft offered to split the market with Netscape happened in June of 2005, roughly 7 months after Microsoft purchased the Spyglass Mosaic license, which happened in December of 2004.

Netscape and Microsoft's rivalry didn't start until late in 1995, until after Netscape went public and Microsoft clearly realized that Netscape was going to be big, and after Netscape rebuked them.

You have to remember, a LOT happened between 2004 and the end of 2005. Gates issued his "Internet Tidal Wave" memo in May of 1995. The decision to focus the company, and the products (including the OS) was made well before Netscape became "the enemy".

Patch Schedule

[jtdennis]

Microsoft recently deviated from their normal patch schedule to release the WMF patch. What is Microsoft's reasoning on trying to hold critical patches until a specified date every month instead of releasing it as soon as its ready?

Re:Patch Schedule

[musicon]

The patch release schedule is fairly well defined and documented, along with the rational behind it.

Will Vista Require DRM/TC Based Motherboards???

[ferrellcat]

What about future versions after that? Hong long until you make billions of PCs obsolete overnight?

Re:Will Vista Require DRM/TC Based Motherboards???

[Baikala]

A new, original, killer app that NEEDS (by design) a lot of computing horsepower may turn billions of PCs obsolete overnight, but a prettier new version of something that in general terms has the same functionality does not. The perception of 'need' may vary from people to people. If 98% of the PC user base don't think they 'need' a new office or windows version so bad that they are willing to spend a couple thousand dollars for a new machine capable to run it, well then no matter how memory or processor greedy a new version is is not turning "billions of PCs obsolete overnight"

Post questions question

[nizo]

Have you started drinking or taking drugs since seeing the questions sent to you by Slashdot? Are you emotionally scarred and bitter now?

Re:Post questions question

[thePowerOfGrayskull]

Perhaps a magic pill will ease any symptoms of post-slashdot stress syndrome.

Re:Post questions question

[geekee]

"Have you started drinking or taking drugs since seeing the questions sent to you by Slashdot? Are you emotionally scarred and bitter now?"

Based on the commnets posted, I think it's the /.ers who a scarred and bitter.

Re:Post questions question

[tomhudson]

"Have you started drinking or taking drugs since seeing the questions sent to you by Slashdot? Are you emotionally scarred and bitter now?"

Based on the commnets posted, I think it's the /.ers who a scarred and bitter.

More likely the drugs and booze started BEFORE. How else to explain the mess that is Windows Security.

Based on the comments posted, yes, /.ers are scarred and bitter - we've heard too many lies NOT to be a bunch of cynics. Microsoft is STILL the most hated company in the world, and nut just by techies and geeks. Just ask anyone who has had their work eaten by Microsoft.

Speed factor

[FortKnox]

Are many security flaws are due to features in windows that were under a time crunch and needed to be released? Perhaps due to bad testing or some other quality issue.

As an aside, great job Roblimo! What a catch for an interviewee! Not going through a PR person, either. Can't wait to see his replies.

Re:Speed factor

[Lewisham]

"Not going through a PR person, either. "

You did read the Blizzard interview didn't you?

Outside influences on security

[kalpol]

Has open-source software such as Linux influenced the way you think about security in Windows, and if so, how?

Question

[specialbrad]

Did you honestly expect to get 12 serious questions from a group like slashdot?

Re:Question

[ibjhb]

Do you honestly expect to get 12 serious answers from a group like Microsoft?

Re:Question

Do you honestly expect to get 12 honest answers from a group like Microsoft?

Re:Question

What's it going to take on your part to go from Vice President of Security to President of Security ?
Would it be some advances in Microsoft software security, or nothing really bad happening in 2006 ?

What is the basic approach to Microsoft security?

[kickabear]

Does Microsoft lean more towards rigidly enforced coding standards as a way to prevent exploitable bugs, or does the company focus more on brute-force bug detection during testing?

I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?

SP vs Vista

[sinucus]

If security is really a prime concern of Microsoft, why is it that new OS's are now getting the main focus of the dev teams? I don't know the exact number of coders in Microsoft, but it must be above 300,000. Why not have dev teams specific to each OS performing their roles? Why push back SP 3 for XP to develop Vista? Any person who has ever worked in an company knows that most companies lag behind when it comes to OS deployment. Isn't supporting and fixing bugs/exploits just as important to security as releasing the newest incarnation of MS Windows, which just brings on a new onslaught of bugs/exploits of their own?

Re:SP vs Vista

I don't know the exact number of coders in Microsoft, but it must be above 300,000

At first, I thought you were just exaggerating, but then I realized you were including all the unpaid coders whose ideas are sto-- er, embraced by Microsoft.

Re:SP vs Vista

[QuantumFTL]

I don't know the exact number of coders in Microsoft, but it must be above 300,000.

Check out Microsoft on Wikipedia. They have approximately 60000 employees, and while it doesn't say the number of contractors, I would be shocked to find it is four times that amount. Also, remember that a large amount of these employees are *NOT* coders but managers, marketing and sales (that's a biggy), accounting, secretarial/administrative, researchers, and HR.

Re:SP vs Vista

How is the parent modded 5 and the comments that point out that the very basis of the argument is coming from the premise that msft has FIFTY times the manpower than it in *reality* does?

And just what would the parent have to say if MSFT delayed Vista for another year to focus on SP3? recockulous

Question from China

Hello, Mr. Nash.

I'm from China and I was wondering [remainder of message censored by People's Center For Internet Enhancement - Powered by Microsoft]

Re:Question from China

ROTFLAPMP!

Re:Question from China

ROTFLAPMP!

What the hell does that mean? "Roll On The Floor Laughing At Pissy Microsoft Product"?

Re:Question from China

[spoonyfork]

Editors,

Please, please, please select parent comment for inclusion. It isn't insulting and it gets the point across in a humorous but intelligent way. I and many others would love to read the response to it, whether it is taken seriously or not.

Re:Question from China

Though the GP is funny, it has nothing to do with security, which is what the interviewee is responsible for. The GP should be addressed to Ballmer and Gates.

Your Favorite Worm??

Whats your favorite worm that has affected XP and propagated with little to no user interaction?

MSBlast was real cute, Sasser was also pretty sweet, the myspace WMF was pretty clever, Obviously CODERED should be honored for its technical masterpiece and effectiveness?

Do you have any personal favorites?

Let's Rephrase That

[eldavojohn]

Mr. Nash, you used to work on Microsoft's marketing team and now you're in charge of security technologies, have you ever been to a conference or held a press release where every single person seems to be convinced Microsoft is evil or makes non-secure products (like this parent's author)? How do you deal with something like this? Do you try as hard as possible to convince them otherwise or do you instead try to focus on the better points of Microsoft's products?

Re:Let's Rephrase That

[dgatwood]

Or do you listen to them honestly, trying to find out how to make your products better?

When you read these questions, are you looking for nice sound bits, or are you actually willing to tackle the tough questions and learn from the responses to your answers?

In a related question, what is it like to have a target the size of a school gymnasium on your chest?

Re:behold

Let the astroturfing begin. My bet - at least 6 approved questions will be insipid, drooling, MS fanboyism.

Dear President Nash, how are yuo SO AWESOME?!!`1 Can I offer myself to you for free schexx0rings? CAN WE NAEM OUR BABY XBOX 360?!?211!

Flamebait I guess

[hackstraw]

Simple.

When are you going to start doing your job?

I hate to be so blunt but WTF?

A simple Google search of windows internet explorer has as the first two links from Microsoft's website about the product. Seems to make sense.

The next two links are government warnings about the security of their products.

So, what are your plans for doing something about Microsoft products?

(I'm not affected, I don't use them, but many others do).

Re:Flamebait I guess

[sinucus]

Also funny is how all the AdSense ads are how to fix/repair Internet Explorer and yet none of them lead to mozilla.com. Google is slacking in their relative ad department.

Re:Flamebait I guess

Add these to your hosts file:

127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead1.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 pagead3.googlesyndication.com

no more adsense

Re:Flamebait I guess

[drinkypoo]

Add to your adblock file:
/^.*\.googlesyndication\.com$/
no more adsense. except for the javascript-generated or server-side-generated versions.

Re:Flamebait I guess

[drinkypoo]

Er, I mean, /^.*\.googlesyndication\.com\/.*$/ (sorry)

Re:Flamebait I guess

I meant hosts as in /etc/hosts or C:\WINDOWS\system32\drivers\etc so it works for all browsers.

Re:Flamebait I guess

[sinucus]

I actually like seeing the ads. Every once in a while I see a website that paid for the ad that is better than the "free" links provided by google. On a side note, I also like clicking on the websites run by "fly-by-night" companies just to drive up their advertising costs.

Re:Flamebait I guess

[drinkypoo]

Right, but it causes errors. Inconsequential ones, but still... Why not just use the best browser (grin) and do it in a way that will prevent a socket from even being opened?

Re:Flamebait I guess

This is obviously coming from a moron who A) could never in his life do the job of a VP of a technical area and B) jealous of smarter people like Nash who probably makes at least 4x his income.

Re:Flamebait I guess

[c_woolley]

Try reading this:

http://download.microsoft.com/download/9/c/7/9c793 b76-9eec-4081-98ef-f1d0ebfffe9d/LinuxWindowsSecuri ty.pdf

Enjoy

Pre-installed

[schlichte]

This seems to be more of a problem on pre-installed systems. You get it home, set it up, and it basically boots the OS with its pants down as far as security is concerned.

I know when I bought my Gateway laptop it came with a default login as Administrator and to identify itself on the network, it used the OEM key as its name. I knew enough to change these options and many others myself, but many users do not.

Why is it that Windows offered pre-installed on machines doesnt at least come with some sort of brochure or pamphlet explaining the least a user can do to add any level of security?

Defaults

[Cro+Magnon]

Will Vista default to an Admin account with no password?

ActiveX?

Probably

Re:ActiveX?

[VitaminB52]

Uhm, yes, likely - ActiveX has seen many security advisories advising to disable it.
Maybe I should have phrased my question more carefully: what is the most regretted design decision, and why does Microsoft regret it so much?

Knowing why Microsoft regrets a design decision tells something about how Microsoft thinks about security issues. The why is for me as interesting and important as the what question.

Legacy Security Issues

[kortex]

Some in the industry believe that part of the problem with security gaps in MS operating systems stems from the fact that each new OS release has been entirely built on existing technology. The recent WMF scare seems to amplify the truth in that statement. Apple seems to have had a great deal of success rearchitecting OSX - will Microsoft ever be willing to start from the ground up on a new OS with security being a primary strategy from the outset?

How is that perjury?

Microsoft said that the browser was an integrated part of the Windows 98 Operating System. Un-bundling the two in a totally new OS built from the ground up has nothing to do with the anti-trust case. I fail to see, however, what the whole bundling problem is in the first place. EVERY OTHER OS does this, Linux, Mac OS. Who cares if it hurts companies that are trying to sell free things?

Re:How is that perjury?

[dc29A]

IIRC, Microsoft said (in court) that if they had to remove IE from the OS it would break the OS and render it unusable.

Re:How is that perjury?

[Soruk]

That didn't hurt Windows 95..

erm.. waitamo.. :)

Re:How is that perjury?

[rahrens]

Other OSes don't make the web browser such an integral part of the OS that it cannot be removed. If you try to remove IE, it'll just take you back to the previous version installed. On the Mac or Linux, you just delete the app, and use a different one.

When MS did that, it forced other browser makers out of the market, cause they couldn't compete with free. That was part of the reason they got sued. Unbundling the browser in Vista makes that gripe go away. (If thats what they're going to do...) But MS's focus isn't on the browser wars anymore, so it would be easier for them to let that go.

Re:How is that perjury?

[ad0gg]

konqueror and KDE? KParts relies on konqueror and kparts integral to the operation of applications written specifically for KDE.

Re:How is that perjury?

[rincebrain]

It is possible, though annoying, to disable HTTP functionality in Konq. And you can use other file browsers in KDE. :)

Re:How is that perjury?

[Hackeron]

khtml is the kpart konqueror uses to browse. It can even be replaced with the gecko engine from mozilla. Konqueror is just a wrapper to be able to browse directories, cvs, svn, view multimedia, etc.

Re:How is that perjury?

Also, you do not have to use KDE at all.

Re:How is that perjury?

[man_of_mr_e]

Microsoft said that removing IE from Windows 98, as it was designed, would break the OS and make it unusable.

This is totally different from designing a new version of the OS in a different way. It's like taking a car with a central wiring harness, removing that harness and the car breaks compared to designing a new car with a distributed wiring schematic with no central harness. The former doesn't preclude the latter, and designing the new car doesn't make the designers liars for saying that removing the central wiring harness would break the car.

Re:How is that perjury?

[man_of_mr_e]

Actually, the design of Windows is largely the same as the design of OS X and KDE in this regard. If you remove khtml from KDE, lots of stuff breaks. Sure, you can use Gnome or Busybox or something, but a distro designed around KDE would break if you removed khtml.

Similarly, Lots of stuff in OSX is designed around WebKit. Take away WebKit and tons of stuff breaks.

IE is no more or less "integral to the OS" as either of those. There's nothing magical about it.

Re:How is that perjury?

Yeah, most help files wouldn't work without ie to render them, hence it would be broken.

Re:How is that perjury?

[rahrens]

Magical or not, to 99% of users, IE isn't removable now, and wasn't then. It was that easy availability of a browser already installed that caught most users, and forced other browser makers to almost quit. /.er's may kow how to remove it, but my sister didn't know, nor do some of the other older users I know, and many of the younger ones as well. At least some of them were smart enough to have a Mac, and knew enough to use an alternative.

Re:How is that perjury?

konqueror and KDE? KParts relies on konqueror and kparts integral to the operation of applications written specifically for KDE.

No. Konqueror uses kparts to display content. Nothing depends on Konqueror.
Kpart are components designed to provide specific services. eg the khtml kpart is used to render html. There's no technical reason why someone couldn't write a kpart based on Gecko, and then have KDE use it for anywhere html was to be rendered.

There is no locked-in dependancy.

Binary/Backward Compatibilty

[CockMonster]

How does MS manage the backward/binary compatibility issues when fixing defects?

Audit of Software

[WebHostingGuy]

Certain open source projects such as OpenBSD have routine audits of the software to search and remove potential security problems. While I understand Microsoft Operating Systems are very complex Microsoft does have an enormous amount of talent and resources at its disposal. Is it possible that Microsoft will review all new operating systems in the future with the same sort of audit performed by others? Wouldn't you think this would be worth it to prevent mistakes which could be costly to end users?

Home vs Pro

[Cro+Magnon]

Will Vista have a watered-down Home version that has fewer security options than the Corporate version?

Re:Home vs Pro

[thePowerOfGrayskull]

Will Vista have a watered-down Home version that has fewer security options than the Corporate version?
I'd settle for one with that just had fewer security holes than the Corporate version.

Re:Home vs Pro

[RobertLTux]

as it turns out there will be about 3 "watered down versions" and counting oem version about 20 versions total (you want the "ultimate" version when "shopping" your bargin etailers)

Re:Home vs Pro

[seudafed]

Vista in all its various flavors will likely ship with Windows Defender (anti-spyware) and a two-way firewall, as well as the new User Access Control. OneCare will be an added subscription to the home version (adds AV, backup, system tuning), and Microsoft Client Protection will be the managed enterprise version of OneCare.

Sure

[Shawn+is+an+Asshole]

Also to be included in Vista: OpenOffice.org

Hell will freeze over before Microsoft includes Firefox. Where's the lock-in in that?

WinFS

What kind of better security over NTFS will WinFS have? any new features etc.?

Question...

If you were a tree, what kind of tree would you be?

Do you ever spend time with "average users"?

[Caspian]

Time and again, I've seen average end-users-- grandmothers, "soccer mom" types, businessmen-- whose computers are positively clogged to the gills with spyware, viruses, and other sorts of malware, the overwhelming majority of which they were infected with via the exploitation of security flaws in Microsoft software. I'm often tasked with disinfecting their computers.

How often do you (and the members of your team) spend time with average end-users-- not just in large corporate settings but in small businesses and (just as importantly) in real-world home settings? I believe that if you would spend time with Joe Average and see just how badly his computer's performance (not to mention his personal privacy and the integrity of his data) is suffering from the exploitation of certain bugs and design decisions (e.g. the fact that most end-users run with Administrator privileges) in Microsoft software, it would cause a significant shift in Microsoft's security strategy.

No matter how often $LATEST_WINDOWS_VERSION is touted as more secure than its predecessors, I still keep getting called to average homes to remove countless items of spyware which infected Windows systems via holes (and/or poor design decisions, e.g. the handling of ActiveX controls and the abilities they can have to alter files on the system) in Internet Explorer, and to this day (despite the wide use of antivirus software) most end-user systems I examine do contain at least a few viruses (which entered the system via Microsoft Outlook).

What are you doing to secure Joe Average's PC? Do you have any interaction with average end-users? And if not, why not?

Re:Do you ever spend time with "average users"?

[sinucus]

I think one of the quickest and easiest solutions to this problem is to NOT setup the operating user account to Administrative rights. Sheesh! How hard is it to give it "user" rights by default and force them to use /runas?!

Re:Do you ever spend time with "average users"?

[drinkypoo]

Running as Admin will not stop you from being stunk up. It prevents stinking up the entire system but your user profile still gets infected. (no HKEY_LOCAL_MACHINE but plenty of HKEY_CURRENT_USER... or whatever that virtual hive is called.

Re:Do you ever spend time with "average users"?

[Mancat]

Yes, but it stops the overwhelming majority of exploits, malware, viruses from infecting the entire system as you describe. In fact, few of them will successfully infect the user's account, as they are all designed to the premise that the user will be Administrator.

Re:Do you ever spend time with "average users"?

[budgenator]

in windows XP SP2,

1. log in as normal user,
   
2. download necessary software save to Desktop
   
3. right click saved software, run_as "admin"
   
4. Installer dies without error message!

WTF!
in Linux it works as I suspect it does in BSD/OSX as well as every other non-Microsoft operating system. Half the time I save something in the shared folder, I can't even open it when logged in as admin; That's why they ship with everybody as admin, run-as is completely broken!

Re:Do you ever spend time with "average users"?

Windows Vista already does this, it's one of the major changes. Prompts for an admin password when some installer wants right (in a slightly kludgier, but similar way to Mac OS X or KDE/Gnome's sudo in some distros).

Industry Standards, CMM?

[lmsig]

Does Microsoft employ industry standard software development best practices such as the CMM system? I work for a level 5 CMM software house and while most of the audit process is a joke there really are some good lessons to be learned from having explicit practices and for using an organization such as CMM to externally audit your practices.

Security vs. Useability

[EvilEddie]

Does Microsoft forgo security in order to increase useability or vice versa?

Will you ever sort and modularize Windows?

[tz]

The XP Embedded version can be created with or without IE or WMP, but I don't know how many DLLs have chunks of code designed to launch or provide IE or other MS product functionality (designed to give Netscape Users "a jarring experience" in the words of a Microsoft person). Is Microsoft ever going to sort and layer things so that there will be an isolated kernel, application layer, GUI, device drivers, (and if so, when), or is "Windows" going to continue to integrate things, e.g. "The Spreadsheet and Editor are now 'part of the operating system'"?

Rationale: Many security problems are due to everything running as Administrator, with privileges, or as part of the OS. One thing I like about GNU/Linux is that each part is separate, so Firefox runs on X which runs using services, which runs using the kernel, with only the kernel having privileges. Generally a buffer overflow problem in X, or Apache doesn't let someone format my hard drive. Also you can put something to analyze or intercept things between such layers - even things like ltrace or strace.

Re:Will you ever sort and modularize Windows?

[cyberdrop]

Editor is 'part of the operating system'!

Windows updates to unregistered machines?

[Spy+der+Mann]

Dear Microsoft Security VP:

I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When He called me for tech support, I told him to download the Microsoft Anti-spyware from Windows update, but his answer was that it required a registered copy.

My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)

What do you plan to do about this?

Re:Windows updates to unregistered machines?

[Tony+Hoyle]

Call yourself a geek... you don't know how to get around the validation?
It's not exactly hard (in fact there's a greasemonkey script that'll do it automatically every time) - I don't think MS expect it to be secure since it's mostly there for people who buy copies from dealers thinking they're genuine.

Re:Windows updates to unregistered machines?

[Spy+der+Mann]

That's not the point, the point is Microsoft's negligence regarding the welfare of the net, and what they're planning to do about it.

Re:Windows updates to unregistered machines?

[n0dna]

It isn't unregistered machines... its "not genuine", unactivated and/or pirated copies that can't get freebies. Even pirated copies of XP can get critical (and by the way, automatic) updates. You may want to have some basic understanding of your own question before you start demanding things.

Re:Windows updates to unregistered machines?

[4D6963]

Dude, I don't know what you're friend does, but I have.. I mean a friend of mine has a pirated version of XP SP2 Pro took off eMule and it updates very fine and all that. But I don't even, I mean my friend doesn't even update, cuz that's useless. Firefox and some shareware antivirus and anti-spyware is all you need

Re:Windows updates to unregistered machines?

Just an FYI, but some spyware and adware programs muck up the PC so bad that it's considered a "unregistered" and "unlicensed" copy even though it *IS* a legitimate copy . You can't use Microsoft's own product to fix the issue then.

I actually ran across this, and had to use third party tools, and a couple of windows tools to get it to be fixed so that I could download and run their spyware tool (which still didn't fix the issue).

How would Microsoft address this (and no, calling Tech support and waiting for an hour and then having the tech say 'call Dell' isn't an answer)?

Did MS culture change as promised in 2002?

[dpbsmith]

On January 17, 2002, p. 1, the New York Times reported, "Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal" and quoted Jim Allchin said "Every developer is going to be told not to write any new line of code until they have thought out the security implications for the product" and that "the company was trying to change the culture of its software developers, who have been putting their emphasis on adding features to the company's software to increase its value."

In your opinion, has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?

Re:Did MS culture change as promised in 2002?

In your opinion, has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?

I thought rhetorical questions weren't allowed

Re:Did MS culture change as promised in 2002?

[javaxman]

On January 17, 2002, p. 1, the New York Times reported, "Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal" and quoted Jim Allchin said "Every developer is going to be told not to write any new line of code until they have thought out the security implications for the product" and that "the company was trying to change the culture of its software developers, who have been putting their emphasis on adding features to the company's software to increase its value."

In your opinion, has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?

I don't think that's _quite_ the right question to ask in relation to that quote, although it's not bad. How about "Please described what happened as a direct result of this security initiative. Did anything at all change? What specific things were different at Microsoft after this announcement ? Were any projects reviewed, shelved, or changed drastically as a result ?"

Have we not seen a large number of new features being added to Microsoft products, while at the same time also seeing a large number of security issues ?

How is the average individual, viewing things from outside of Microsoft, expected to think that this announcement was anything other than PR ? Would Microsoft security have really been that much worse without this initiative ?

Ok, maybe that's more than one question... but not really. We deserve an answer here- it seriously seems like that effort failed, if it was taken seriously... or did the effort apply to only new code, and all of the serious problems lately are in older code ? What happened ?

Re:Did MS culture change as promised in 2002?

[Rary]

"...has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?"

Alternate question: Is it really a "developer" issue? What has Microsoft done to change its culture so that management now considers security first, features second?

In my experience, as a developer, it's usually (although not always) management that pushes for more and more new features, not developers. Developers are still trying to finish up the old features (ie. clean out the bugs, make sure it's secure, etc) when along comes the demand from "on high" that you hurry up and finish what you're working on and get to these new features that need to be out the door by this marketing-determined unrealistic date.

I've never worked at Microsoft, so maybe it isn't like that there. But I'd be surprised.

Re:Did MS culture change as promised in 2002?

[acarey]

Very insightful. Culture change is driven from above, not from below.

Re:Did MS culture change as promised in 2002?

I'd add to that:

Considering that this overarching emphasis on security was announced four years ago, and considering the continuing pervasiveness of MS security problems, how much longer can we expect to wait before this not-so-newfound concern about security results in perceptable improvements for end users? Sure, it could be worse. It could also be a lot better.

Do you think it is reasonable to expect that users spend several hundred additional dollars on on anti-virus software, anti-spyware, firewalls, and other measures just to keep their machine at a base functional level? Should corporations be expected to impose draconian network useage restrictions in order to protect network clients from being compromised, and to protect other users from those same clients?

Don't you wish you lived somewhere that wasn't so wet and cold?

security through obscurity & the many eyes

[largenumber]

What are your thoughts on security through obscurity? Do you believe the technique works? In what ways do you think the closed nature of Windows prevents the corollary many eyes principle from being used? Do you have any ideas on how Windows could utilize the many eyes principle?

WSUS Release Dates

[Mr.Fork]

As a Service Desk manager and network guru for my organization, I am responsible for ensuring that all workstation desktops are kept up-to-date and secure. Currently, Microsoft releases patches once a month, usually on the second Tuesday of the month.

With the current advances in smart viruses and malware, that release schedule seems unrealistic. OS security threats have been addressed with emergency patches, but that does not seem like a sustainable methodology.

What is Microsoft's long-range vision on OS patches to ensure that our Server and Workstation Operating Systems are secure, safe, and patched in a timely manner?

Security holes and MS image.

[Tibor+the+Hun]

Lots of us on /. have "great" memories of coming in on weekends, staying overtime, or coming in early to deal with bugs, viruses and various problems caused by no fault of ours, but mainly due to holes we could not see or prevent.
This kind of business, in addition to Bill Gates' wildass (and often incorrect) speculation about future technologies and sweat-dancing, chair-throwing antics of Ballmer has jaded our image of MS.

How does MS plan on restoring a serious security image with Vista, which does not seem to offer near the functionality or security of OS X or Linux? Apart from having a firm grasp on the OS market, due to previous monopoly tactics, what is MS doing to give us a better system than these two competitors

Rewriting Internet Explorer

[teklob]

I'm honestly not trying to troll here, but wouldn't it be easier to rewrite IE from the ground up? Have you guys considered this and ruled it out, or have you just not contemplated it. Not to vaguely bash microsoft, but a large percentage of PC and/or Windows power users would probably consider Internet Explorer 6 a write-off. Any thoughts?

Re:Rewriting Internet Explorer

[Stan+Vassilev]

"'m honestly not trying to troll here, but wouldn't it be easier to rewrite IE from the ground up?"

Also not to troll but wanted to add that they actually did rewrite a browser from the ground up. And their new platform comprises the following core technologies (I might be missing some):

dot NET 2
Avalon
Indigo

Some probably know that part of the reason IE6 got stuck in development for so long is that most of the IE team was transferred to work on the above vista technologies.

This is how Microsoft sees the Internet, rewritten from the ground up.. including rewritten standards and approach to design.

IE is mostly included to keep market share and compatibility with older products that use it. That said, IE7 seems to be steadily going in the right direction and I hope Microsoft somehow shakes off that "we gotta reinvent the wheel" pattern once Vista is out, and work on both improving their own technology (which is great, no doubt, except that it's mostly Windows-specific) and support for the existing web standards.

Re:Rewriting Internet Explorer

[Bohiti]

#1. IE is inseparably tied to the kernel, as they've told the courts.

#2. Even if they could rewrite, you've got to assume they'd end up with a very similar final product. They'd have to change some very core beliefs about how the browser should interact with the OS (ActiveX and #1) before you'd get what you're looking for.

Re:Rewriting Internet Explorer

[jonwil]

Just ask the people behind Netscape/Mozilla what happens when you try to re-write a rendering engine & browser from the ground up.

Re:Rewriting Internet Explorer

[earthbound+kid]

You spin your wheels for a couple years at first, then finally catch up and overtake the competition in features/performance/security?

Application software

[Cro+Magnon]

I realize that Microsoft cannot control what 3rd party software does, but will Microsoft's applications and games run under a limited account, or will they still need Admin access?

Re:Application software

[ZachPruckowski]

Furthermore, what steps will Microsoft take to ensure that 3rd party applications don't require running as administrator to install? That seems to be a large percent of the problem with Microsoft security, and it isn't MS's fault, per se.

Re:Application software

[LocoMan]

Isn't that how it should work in the first place, needing admin (or power user) privileges to install, but then being able to run normally as a limited user?. Just curious here, since AFAIK the main problem isn't that you need admin rights to install stuff, but that you need it for regular work.

Re:Application software

No. On a 'nix box I can install software to my directory tree and have it available only to me without any special priviledges. To install it to the base system tree and make it available to all users, generally requires admin priviledges. I understand that on Windows there is some capability to do this now but it is far from universally supported.

Windows software tends to be non-relocatable, stuck with hard-coded install paths, and registry modification requirements. The single-user unnetworked hobbyist desktop paradigm has yet to be expunged.

Re:Application software

[sadsfth]

I'd extend the above question to include:

What pressure is Microsoft applying to third party ISVs to develop software that works in a limited users account? We know the plans for Vista, but a very large number of users will continue to use older Windows versions which could be used with non-administration privileges but for the requirements of particular software (e.g. MYOB, Norton Antivirus, etc).

Limited user accounts could benefit more than any other technology in day-to-day Windows administration. Please no registry hacks;-)

Beyond Bugs: User Interface?

[timster]

We all know that a very important part of system security is the lack of fatal security bugs. This is a problem that has been very large with Microsoft products in the past, and is reflective of code quality. Fixing these bugs is crucial.

However, even when a security system doesn't have any bugs, it can still be very insecure. We can define "security" in a more general sense as "the extent to which a system is doing what the owner or user expects". The problem is not that the system is capable of malice so much as that the system is capable of malice of which the user is unaware.

How is Microsoft in the future going to design their systems so that users know what is really going on?

Whatever

[MightyMartian]

Look, we all know the drill by now. Microsoft looks bad. The guys get somebody who they think we'll all trust, he comes and says "ask me some questions", but at the end of the day, it's all PR. No one from Microsoft is going to honestly answer any question. Not yesterday, not today, not ever. The purpose of all these idiotic "ten questions" or "twelve questions" is purely PR, to try to make Microsoft look good, and quite frankly I have to ask myself why any employee of Microsoft would so willingly whore themselves out for this exercise.

Just ask him when he stopped beating his wife.

Re:Whatever

"Just ask him when he stopped beating his wife."

Then I suppose that the interview will consist of him saying "mu" twelve times.

With those many developers

There is something disturbing with security statements and the amount of developers.

With the amount of money and developers that are involved in Windows (or we are told to believe) how is possible that it has so many bugs (and _critical_ ones) ?. Don't tell us that "so large code base" and bla bla, because is hard to believe. May be is a safe bet to say, well we sell this, customers has to buy it, and we really ... don't care !. Can you make a statement about this ?

steps to instil confidence?

What steps have you taken/plan to take for Vista's release to clear the doubts people have started getting on Microsoft's vulnerability? One can see the shift in preference, from the admin to the grandma, away from windows, and the primary reason being the security risks people recently had (WMF, excel vulnerability, etc)

And where do you draw the line between security and userability? Windows still has good reputation for being user-friendly, but comes with a price of security, unlike OSX.

How do we inform users?

No matter how secure it is, users still want to install apps, games, and browser plugins. Most don't read or understand what they are doing. How can you protect the uninformed from themselves?

Internet Explorer W3C Support

[pingwin]

I would like to ask Mr. Nash if he has any information about when IE will be supporting everything other browsers do that are compliance standards to W3C? If Micrsoft is to make a product that is used by the majority of the world wouldn't it be in Microsofts best interests to give these users everything that is available?

interactions with the corporate side of Microsoft

[PrvtBurrito]

Donald Rumsfeld once said, "You go to war with the Army you have." What is your philosophy on how you work with a large organization such as Microsoft to balance security with the need to meet deadlines and to keep costs low? You know there are going to be exploitable holes (there always are) in an operating system, when do you and how do you know when to say, "OK, we are good to ship this." Does security of future Microsoft applications and operating systems correlate to costs spent on your team?

Oh come on, is this a joke?

[EllynGeek]

Microsoft's abysmal security record speaks for itself, no matter how much PR blather they pour over the holes.

strncpy()/memcpy() & buffer overflows

How many calls to strcpy() are made in the OS?

How hard would it be to replace each and every one with a strncpy()?

Surely, you must have done this by now?

As a coward, I don't expect you'll ever see this, but I felt that I should ask anyway.

Be honest

[chord.wav]

Be honest. Do you actually use IE to surf the Web?

Spyware

[PetyrRahl]

Mr. Nash,

In regards to spyware MS has already taken some steps to try and stem the flow (asking about running exe files, the Spyware Removal Tool, etc), however as a consultant I find many of my clients are still infested with the stuff. From my perspective it appears that many users are affected still by these programs and that they are either unaware of how to prevent them in the first place, or how to get rid of them. Many times it is significantly faster and easier (and in some cases, safer) to just format the machine in question and start from a clean slate. Does MS feel that spyware is still a major problem, and if so, what new measures MS doing in order to combat it?

Regards,
Petyr Rahl

Why not improve the default permissions?

[Colin+Smith]

The Windows security model really isn't bad in theory, in fact it's quite nice, I wish the standard Unix filesystem permissions were as flexible. However, the implementation of the permissions on default installs of Windows are absolutely terrible, it's a nightmare really tightening them up to make systems secure and useable.

So, my question... When is microsoft going to tighten up the default configuration of windows and make application vendors stick to good practice?

I'll make a wild guess at never, however until that's done, securing windows desktop systems is going to continue to be near to impossible.

Re:Why not improve the default permissions?

[massysett]

On a related note, it seems MS is afraid to change the default configuration of Windows file permissions because it would break existing apps that either were written for Windows 9x, or that were not written to conform to the standards of the Windows 2000/XP file tree. Would MS consider tightening the file permissions, even though it will break many existing apps, in order to demand better behavior from app developers and have a more secure system?

Also, it seems to me that Windows' dual focus on consumer machines and business deployments holds it back. For example, while backward compatibility with old apps is important for enterprises, it is not nearly as important for consumers, yet backward compatibility is one reason why the default XP file permissions have not changed. Has MS ever considered splitting Windows into separate versions--one for businesses and one for consumers--that would address the specific needs of each market? From what I can tell, XP Media Center Edition, XP Home, and XP Pro are not truly "separate versions" for the purposes I'm discussing here. For example, the future "Home" version could have even tighter security than the "Pro" version, on the assumption that the "Pro" machine is administered by pros. The "Home" version might break existing non-compliant apps, but that would be the price to pay for more security.

Re:Why not improve the default permissions?

[AntEater]

I'd like to build on this thought a bit:

Why doesn't microsoft make common use of the use of the administrator account a thing of the past? All of the pieces have been there since NT for Windows to use a strict separation of user versus Administrator accounts like we see with OS X and all of the Unix based operating systems? Having just recently setup an XP system for family, I noticed that the default install encourages, for all practical purposes, the user to run with Administrator privileges. Having worked as a Windows Administrator in a corporate environment I found that there are many things that were difficult for the end user to do without having Admin. rights. By comparison, I rarely get requests for things that require root access from users on a Unix/Linux desktops who do similar functions because the applications and system are setup assuming that root/admin. access will not be available to the user. In addition, it would seem that the default permissions for user files could be tightened up without creating a difficult work environment. As it is, the addition of security features in windows looks it has been treated as an afterthought, not an integral part of the operating system configuration - particularly for home users who are likely not to change from the defaults their system came with.

switch back?

Give me top three reasons (from security point of view) why I should swich back my granny's PC from the "other OS" to Vista?

Marketplace

[alfalfro]

Mr. Nash,

Security decisions are usually dominated by economic and business considerations; it's often been said that Microsoft will stop making insecure software shortly after customers stop buying it.

Let's say I'm a shareholder, explain to me why you should be spending money on security. Where and how much is the return on investment?

You will also have to balance many considerations when determining what security to implement. What are the major security tradeoffs/decisions you anticipate making this year?

It's funny that /. has this article today...

[master_p]

...when me and my company's sysadmin are trying all day long to get rid of a nasty new virus (nyxen.d) plus over 85 spyware programs installed on average on any pc on the network.

User privileges

[azpenguin]

Many users still don't understand the importance of creating user accounts instead of using the default administrator account. Will Vista work "out of the box" in a manner that will encourage those who are not technically savvy to work under a user account instead of an admin account?

Re:User privileges

[PeterJFraser]

I would like to operate under a user account. But, for example, you cannot setup "MS messenger" from a user account, which effectly forces all my children to have administrator privileges. Microsoft software is not alone. Numerious other packages have to have administrator privileges for no good reason.

Re:User privileges

Yeppers. You have to be logged in as an Administrator to play "Empire Earth." Dumb.

ActiveX and user permissions

[Florian]

Why does the default user account of Windows XP have administrator privileges? Why does it still include technology like ActiveX although Microsoft has developed safer technologies (such as .Net) that could replace it? Why do critical parts of Windows like Windows Update depend on ActiveX?

Industry best-practice out-of-the-box?

[ZiZ]

Mr. Nash,

There are a number of industry best-practices that any system administrator will tell you are vital for proper security. I will not claim to provide a complete list, but the two that seem to have the most frequent effect on an OS's percieved security are:

• Minimizing the number of services and processes running (preferrably via a service opt-in rather than opt-out policy)
• Performing all activities as an unpriviliged user, with some method of securely and briefly authenticating to higher permissions when required

Windows has been steadily improving on the first point, but the second point has long been a problem for administrators; there is no generally-used near-transparent way for a program to request higher privileges, for instance.

Worse, many third-party (and, for that matter, some Microsoft) programs will fail silently or with obtuse errors if you run them as less-privileged users because they demand the ability to, say, write to system areas - often without warning - and require heroic gymnastics by administrators to resolve (if a resolution is even possible).

Is this issue of least-privilige being difficult to acheive being addressed in future versions of Windows? What changes can we expect to come down the line soon and in the near future?

Re:Industry best-practice out-of-the-box?

I wrote a similar question, but it was much longer-winded. Several other people have raised the same issue in other articles. In my opinion, this is the best phrasing (better than mine too), and it is an important question. It's already hit +5, but, if others agree, perhaps a few can endorse this one with a reply as I have, because I'd really like to know the answer.

Biggest security threat?

[digitaldc]

What do you feel is currently the biggest security threat to the Windows Operating System and what are you all doing about it?

Re:Biggest security threat?

[rahrens]

Users!

Beta Testing

[Maximilianop]

Is Microsoft applying a more serius and complete beta testing enviroment for newer products like Vista?
I mean the "all the users of the world testing it" didnt seem to work very much good.
In fact I think the most capable guys when talking about beta testing, dont bother to free ride an uncomplete product, so the real testing done by users is way uncomplete.

As a final question, just for fun really

[stunt_penguin]

As a final question, not just for fun really as we are on the subject of security - this might make a fun closing question..

What's the worst security breach or virus infection that's ever happened to one of your machines at home or at work, and how long did it take you to resolve the problem? Did you lose any work, and did you need any help resolving the problem?

Comparisons with open-source

[yamla]

When counts are released showing the number of Windows security holes vs. the number of holes in Linux, the counts generally include software that can be installed from the original CD. With Windows, this includes MSIE, Windows Media Player, etc. On Linux, this includes thousands of end-user applications, programs that Microsoft does not include with Windows. Do you think these comparisons are fair? Would you rather see comparisons to minimal installs of Linux?

Product Activation

[Shawn+is+an+Asshole]

Will Vista still have the same anoying Product Activation that only affects legitimate users of the software?

Re:Product Activation

What is somebody intalls XP and it gets a virus since it isn't setup with a firewall and they figure they might as well reinstall it the same day after buying a router instead of praying some virus scanner will work? It is probably 'dumb' that they didn't have a firewall but why punish somebody with a legit key for trying to register it twice in the same day? Some websites say there are ways to reuse the activation after a reinstall but why make it a pain? Most people probably don't build their own computers so they most likely paid for windows anyway. Some people like to reinstall windows every once it a while to knock out all the bugs. Not everybody knows about ghost or dd or whatever to make hard drive images. Maybe the registry is full of crap, Maybe some programs or drivers just 'magically' stop working. People need to stop thinking that only 'pirates' want to reinstall an OS multiple times.

Did you expect anything posative to come of this?

[Roj+Blake]

Seriously, even the highest moderated questions will be inflammatory.

Do you actually expect to sway any minds on slashdot?

Current code base review/analysis

[Twillerror]

Over the last few years almost all the big worms and security holes have come about due to the dreaded buffer overflow. What steps has Microsoft made to sweep through your expansive code base looking for such things?

Inhouse security auditing and patching

[dtfinch]

We see news all the time about Microsoft vulnerabilities discovered by third parties, and later patched by Microsoft, but I can't recall many being discovered by Microsoft. I often imagine that it's because releasing patches for vulnerabilities previously unknown to researchers and the public creates an unnecessary risk by disclosing the vulnerabilities to anyone willing to reverse engineer the patches, and so the patches are held back until they vulnerabilities are rediscovered outside of Microsoft or until the next major product release, but I'm basing this on nothing more than speculation. What does Microsoft do inhouse identify and patch vulnerabilities that have not yet been discovered by third parties?

Microsoft DOES NOT have 300,000 coders.

[Caspian]

I don't know the exact number of coders in Microsoft, but it must be above 300,000.

Yeesh. This sort of quote reminds me of when I was a naive little proto-geek, wondering what sort of supercomputer my favorite MU* ran on.

Microsoft has only 60,000 employees TOTAL.

Of that count, surely no more than 50% (and probably much less than that) are programmers. Remember, that count includes not only the veritable hordes of management types and marketroids, but the guys who clean the toilets and the ladies who answer the phones. (And the ladies who clean the toilets, and the guys who answer the phones. And the guys who clean the phones, and the ladies who answer the toilets...)

So you're off by at least a factor of ten.

Re:Microsoft DOES NOT have 300,000 coders.

[sinucus]

As a rule of thumb I never trust wikipedia as absolute truth, but for this comment we'll accept it as true. I thought I had heard that there were over 200K developers on the 2K team, they might have just been contractual and not full time employees, namely Indian programmers. This is the reasoning for my 300K number.

Re:Microsoft DOES NOT have 300,000 coders.

Probably alot more accurate than your numbers. A couple different sources I found online say that they had 57,000 employees in 2003. Although they have been adding developers in places such as India, I don't think they added that many since 2003.

Re:Microsoft DOES NOT have 300,000 coders.

[Amouth]

You have to watch out with the "developers on the * team" i have seen some qoutes for some of the products before where they counted people who had MSDN dev subscriptions for the product..

Bug submission policy

[tringstad]

Why is there no way to submit easily reproducable and verifiable bugs other than by snail mail to a generic address, or worse, opening (and paying for) a support case?

And why does the phone number on this "report a bug" page:

http://support.microsoft.com/gp/contactbug

call a generic technical support & sales line, which ultimately will tell you that you must either open (and pay for) a support case, or submit your bug by snail mail to 1 Microsoft Way?

Is it Microsoft's stance that the inability of its users to report bugs makes its OS more secure?

-Tommy

Re:Bug submission policy

[belrick]

If there was an electronic way to submit bug reports there would be so much crap that real bug reports would get lost in the pile of crap, which would be bad. By putting a barrier, it forces people to put some thought into the submission.

Take the text that you've laboured so hard on (you properly did all sorts of problem determination to narrow the focus of the bug report, right? you documented that fully, right? ...) and print it on a sheet of paper and mail it. The five minutes to do that and get it mailed (next time you're near a post box) should be small in comparison with the effort to properly create a bug report.

Of course, if you include an email address in your report, there is no reason why they shouldn't make all subsequent communications electronic.

Re:Bug submission policy

I am a former MS support employee. You do have to open a support case for a bug, but if it actually IS a bug, and not a user error, the case is free.

Re:Bug submission policy

[tringstad]

I haven't bought a stamp in 5 years, and I'm not about to run out and do so now, or waste any of my other valuable time to send bug reports to Microsoft that will likely be ignored.

Sure, I don't _know_ that they'll be ignored, but given that the mailing address that is provided is "1 Microsoft Way", I don't have high hopes that the mail clerks are going to have the means to correctly determine which division of MS, let alone which department, my bug report should go to.

I understand there is a heavy burden in sorting through all the crap bug reports, but the burden should not be on the user, and a more technical approach for "raising the bar" than snail mail should be applied to technical persons.

-Tommy

Re:Bug submission policy

[tringstad]

You do have to open a support case for a bug, but if it actually IS a bug, and not a user error, the case is free.

No, the case is refunded, not free, and is dependent on whether or not MS agrees with whether or not the bug being reported is an actual bug, or "working as intended". You have to put up the deposit money on the support case first.

Personally, I'm not taking that chance.

-Tommy

Re:Bug submission policy

[Hosiah]

Dear God in Heaven, they still DO that? I would have thought way back when Neal Stephenson called them on this in his essay "In the Beginning was the Command Line".

I love that policy. I'll enact that one myself from now on, right here on Slashdot. Anybody who wants to contradict or criticize me has to pay-per-incident 95$ (the Neal Stephenson-quoted price - has it gone up?) in small bills to me first, and sign a non-disclosure agreement that their opinions will not be made public.

Re:Bug submission policy

[dcam]

This is very annoying. I found what I would consider to be a bug in IE, at the very least an inconsistency. I haven't checked lately to see if it is there, but it was about 6 months ago in the current version of IE6. The specific issue was the bookmarks in folders in the links bar were sorted differently to the bookmarks menu. Not a big issue, but certainly an inconsistency (although possibly by design).

There is no means of reporting this. I can pay for a phone call and hope that Microsoft considers it a bug, or I can send it is ms-wish@microsoft.com. I can't imagine that the latter would actually achieve anything.

Or more recently I believe I found a bug the way the .Net framework renders radio buttons, based on what I would consider to be a misreading of the standards.

Re:Bug submission policy

[typical]

If there was an electronic way to submit bug reports there would be so much crap that real bug reports would get lost in the pile of crap, which would be bad.

I'll admit that Microsoft has a harder task than the Linux folks, because most of Microsoft's users are less technically knowledgeable and less able to submit a good bug report.

However, you have to admit that most open source projects have publically-viewable and submittable-to bugtrackers, and that these projects continue to function. I was particularly pleased with one past experience with Red Hat's bugtracker, where a Red Hat engineer issued two updates to xorg for testing to me and another user and managed to fix a problem that we were running into within 48 hours of the bug report. Surely Microsoft can come up with *some* kind of karma-based or MVP-like system that allows people who can actually submit bug data worth a data to submit bug data?

Static Code Analysis tools...

[nweaver]

Perhaps the greatest improvement in Microsoft's security has been the result of static analysis tools developed by Microsoft Research.

What are the different tools, and what are the plans for making the different tools available to other developers?

Shit.

[4D6963]

Damn, why can't i find something smart to say right when I need. Ummm.. ummm... oh yeah! Why are Microsoft's Mac products better than the same products on Windows (example, Internet Explorer, I guess we can say Office too)?

Are you guys trying to make us like Macs better even through your products? oh wait, that has nothing to do with security :-(

XP's firewall

[fudgefactor7]

When Microsoft added a firewall to XP, it was a since first step; but why was the decision made to have it only work in one direction? Surely, a better solution would have been a firewall that worked for not only incoming packets, but for outgoing as well? And as a followup: why not add that functionality?

Re:XP's firewall

[holySherm]

I thought their firewall did work with outgoing packets as well? Doesn't it monitor if a server is started up and is asking for perm to use the net? Or is that still coming under the incoming-only thing because it is trying to get a response from another server/client? I'm just somewhat confused as to how their firewall works right now, sorry.

I'm looking for an answer here, please keep the flames to yourselves.

Re:XP's firewall

[Phil+John]

That functionality was only added in SP2, I believe the GP poster was referring to the original firewall in the original XP (pre service pack).

Re:XP's firewall

[Daltorak]

FYI, Vista's firewall is a two-way firewall.

More details: http://www.microsoft.com/technet/community/columns /cableguy/cg0106.mspx

Re:XP's firewall

[ad0gg]

IPSec on windows2003 lets define rules for outgoing packets. I wonder if that will make it to vista's desktop version.

Re:XP's firewall

why would that matter? they rushed out a firewall before they could do both ways but now theres sp2 and it does both ways.. that would be like asking why windows95 doesnt have a 2 way firewall.. who cares, everything should be using XP SP2 > now

Re:XP's firewall

[Nintendork]

IPSec has done this with Windows since 2000.

Re:XP's firewall

[cyberdrop]

I think a 2 way firewall is not the right thing for most users!
When a popup comes up most users click on yes/no without reading the text. And later they are confused because they dont get emails anymore. Some time later you get a phone call!

Monopoly abuse?

[Andy_R]

Microsoft has recently moved into the antivirus software market by bundling "Windows Security Center" with SP2. To my untrained eye, this appears to be exactly the same sort of illegal monopoly abuse that Microsoft has been convicted of in the media player market and the browser market. Can you explain to me why it's not?

VISTA users must still be administrators?

[arminw]

In current Windows systems, many programs will only work correctly if the user is granted administrator rights. Will MS lean on developers to write their software such, that a normal user status is sufficient? Much malware today silently installs itself without so much as a warning to the user. Will VISTA incorporate some sort of warning and ask for a password before ANY executable file can run for the first time or install itself deep in the system? Will users be told NOT to type password unless they are SURE the file comes from a trusted source?

Where's the proof?

[mrsbrisby]

Microsoft has the worst track record of any operating systems vendor in the security arena: It isn't enough to say that you deliver patches within a month of when you acknowledge the vulnerability, because people (a) can't or don't patch their systems and (b) modern Internet-host risk assessment isn't based on whether the site-administrator knows they're at risk, but how many, how frequent, and how damaging exploits are in the wild.

Administrative security issues aren't in question either- most targetted breakins are not performed with carefully engineered software hacks but with social hacks, and even the automated variety of these attacks tend to drown out any noise that would otherwise confuse a regular administrator.

When (if ever) is Microsoft going to take this overwealmingly serious problem and "fix it", and what is Microsoft going to do to correct their tarnished image? Are we going to see a monetary guarantee that Microsoft software is free from security defects (such as with Qmail and Dovecot)? Are we going to see Microsoft-endorsed blackouts of vulnerable Windows PCs where ISPs are (possibly monetarily) encouraged to shut down the connections of damaged Microsoft software?

Or are we going to see more "white papers" that say everything is fine, we're already better than everyone else, and stop asking questions?

One question

What fucking security?

Kerberos in Active Directory

[swamp+boy]

In hindsight, has the use of Kerberos in Active Directory accomplished the original objectives?

The downside to ease of use?

[TheRealDamion]

One of the so called strengths of MS Operating systems is ease of use via a graphical interface, applications and service configuration windows, with menus and context sensitive screens that guide anyone towards a successful setup of a server hosted service.

The problem is that this stance can lead to a situation where somebody with absolulely no experience with the service in question, making live a service such as a webserver which is poorly configured, opening up the server in question to any number of possible exploits.

My question is, are you considering this an issue at all? Can you think of any way to address this problem other than simply making it pointlessly harder to get things done?

Why using administrator privileges?

[herve_masson]

Most machines I had to deal with came preinstalled with as single user having administrator privileges. I know that dealing with a separated administrator account is not trivial, mostly because applications don't always support it nicely, but still: why don't we find promeminent alert messages & documentation about the problem that running as admin raises ?

Virus, Worm, Etc.

[spitek]

Microsoft being what it is, with the resources it has. Why would it not, want to and successed at creating an operating system with out these issues that allow Mac and Linux users to stick there tongue out at Microsoft for having so many Viruses and a like that we've lost count. So since you have the market share, why not truly be the best and write a system that doesn't have these issue but delivers the experience and services corporations demand from Windows. If you could do this, it would be over. Then the brand arguments wouldn't last. Anything else is futile, silly and patching or building upon something that "has issues".

Does it get lonely....

[PhyrricVictory]

Does it get lonely with just you in the group? Do you have lunch with the guy on the testing team and talk about when that open rec in the corporate ethics [sic] "department" will get filled?

Awww, just funnin ya. Sorry I couldn't resist.

OpenBSD

[hahiss]

How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?

Re:OpenBSD

[pogson]

Obviously, the eye-candy in Windows is coded by salesmen not software engineers/programmers/analysts.

Shake a Legacy and move into the 1990s

[tz]

When will drive letters go the way of floppy disc drives (or at least let me add or remove a drive without completely hosing my system)?
When will we have actual symbolic links?
When will you ship with everything possible disabled until needed or manually enabled?
When will defragging a disk or some obscure network function not lock up every task?
When will you not install by default two thousand modem or other .inf files (or at least keep them in an archive)?
When will you not keep asking to insert a driver disk when the files are already in c:\windows\system32\ (and will "install" if I just point the directory there)?
When will you disable autoplay features by default, or at least make them prominent in a security area (instead of editing obscure system setting panels)?
When will you get rid of, split, or otherwise do something reasonable with the trash "heap" otherwise known as the registry?
Are you ever going to allow me to change my hardware and do autoconfiguration (Both MacOS and Linux will let me boot from a disk in another system, a CD, etc. and manage to find all the necessary and most of the exotic hardware)?

Re:Shake a Legacy and move into the 1990s

When will you ask one question per post?
When will you ask multiple questions about the same general topic?
When will you follow the rules of Ask Slashdot?
When will you ask about something that you know will be answered?
When will you ask about something that isn't so critical because this guy is answering without PR?
When will you not be a douche bag?

Ok Ok, that last one wasn't necessary, but you get the point.

Re:Shake a Legacy and move into the 1990s

[Sux2BU]

Except for the autoplay and everything disabled questions, what do these questions have to do with security? Most of these questions are of the type "when will Windows become Linux?".

Re:Shake a Legacy and move into the 1990s

[dedazo]

When will drive letters

You can mount volumes ala *nix in Windows just fine. I have mountpoints for all my external USB/Firewire drives so that they never get drive letters. On this system I have a hard drive which normally would be the D: drive but is mounted under c:\volumes; so are all my USB thumbdrives and a Firelite drive I use. Because you are posting this with the usual tone and hubris of someone who can't take 5 minutes to google a problem I'll just give you a hint: Disk manager. Other than that, good luck.

You'll never get away from drive letters because they would break too much legacy stuff. I don't mount my CD/DVD|RW drives either because I'm scared of how something like the Roxio shit I run will react, so I don't even want to go there. And still, I can have nine physical volumes on a 2000/XP/2003 box and just three drive letters.

When will we have actual symbolic links?

XP/2003 have file hard links and 2000 also supports directory simbolic links - I use one to 'alias' my 'home' folder at the root of the C: drive, and it works fine. Check out SysInternal's JUNCTION or XP's FSUTIL. Been doing that for years.

When will you ship with everything possible disabled until needed or manually enabled?

XPSP2 and 2003 ship locked down. It took them long enough, but they do now.

When will defragging a disk or some obscure network function not lock up every task?

Huh? Defragging takes no toll as far as I'm concerned, and the networking lockup issues are MUCH better in XP/2003 than they were in 2000 and NT4. In any case it's not like my Fedora box doesn't go stupid sometimes with unreachable SMB shares.

When will you not install by default two thousand modem

There are 1,400 files in the \INF directory on XP; most of them are 'compiled' PNF archives anyway. Why is this an issue? What, haven't you looked under your /dev directory lately?

When will you disable autoplay features by default

2003 and XP warn about 'active content' and are much smarter about autoplaying volumes than any other OS I've used, and that includes OS X. There might be a valid complaint here but I can't see it.

something reasonable with the trash "heap"

Ah, the registry. Let's not even go there because like most of the people who complain about it have no idea how it works or why it is designed that way. Yes, it's binary and it has its problems, especially when trying to fix a b0rked box, but... ah, let's not go there.

The two other issues you raise are valid.

Re:Shake a Legacy and move into the 1990s

[drew]

When will defragging a disk or some obscure network function not lock up every task?

Better yet, when will defragging become a thing of the past entirely?

Re:Shake a Legacy and move into the 1990s

[typical]

XP/2003 have file hard links and 2000 also supports directory simbolic links - I use one to 'alias' my 'home' folder at the root of the C: drive, and it works fine. Check out SysInternal's JUNCTION or XP's FSUTIL. Been doing that for years.

Hardlinks (IIRC, NTFS-only, though that's not much of a problem anymore) are not a replacement for symlinks.

Reparse points are not exactly symlinks.

Re:Shake a Legacy and move into the 1990s

[dtfinch]

All good questions, but you're asking the wrong person.

Windows Security For Rootkits Infecions

[hzs202]

Mr. Nash, over the past year there have been countless stories about MS Windows and its vulnerability to "stealth rootkit infections". For example, F-Secure reported, adware/spyware developer ContextPlus, Inc. is responsible for a large number of "stealth rootkit infections" related to its products. What is MS doing to secure its newly released OSes from dangerous kernal-mode rootkits built in adware, spyware and other applications?

Home Vs Business Security

[ObsessiveMathsFreak]

How will Microsoft handle the differences between the security enviornment for Home PC's vs PC's in Business enviornments?

Business PC's usually live in live in administrated, controlled networks, which hopefully have someone in charge of security on those networks. They also live behind firewalls, proxies and have shrinkwrapped as well as in house answers to security threats. Users have much reduced privilages, security policies are in effect and companies backup data and can even use imaging to secure against vunerabilities.

Contrast with Home PCs which live in small, largely unadministored networks. Many are still directly connected to the internet. These PCs may have no anti-malware technology at all. On top of that, users are uneducated and often do not even realise they have been the victims of security breaches. Typically, security involves extensive suites of specialist software that gobble ever more resources.

There are also intermediate security enviornments. Small to medium sized businesses may have sizeable networks, but fail to implement any real security policy due to time and budget constraints. Home users can also have sizable networks, with a multitude of internet capable devices in the one home becoming more commonplace.

Typically, Microsoft has offered essentially the same software framework for both Home and Business computers. Will Microsoft offer a one size fits all security framework also?

Why does MS believe.....

Why does MS believe allowing other people to program your computer from remote is OK?

As in WMF/outlook/excell and other stupid ideas that allow people to send (program) users to a outside website or do other nasty things like run just because you click.

And.... WTF were you thinking when you decided that every program that installs or runs should be allowed full access to everything in the system directory, including "DLLs" ?

IE Support and older iterations of Windows

[ARRRLovin]

With all the Windows and Internet Explorer users worldwide, Microsoft has announced that it is discontinuing support and security/vulnerability patches on older versions of Internet Explorer. Do you feel this is the most responsible decision to make, considering the impact it could have should a new exploit arise or are you banking (no pun intended) on the fact that everyone will eventually upgrade?

Why add DRM? Also, why not decouple IE?

[Bob_Villa]

Why are you adding in DRM controls to Vista that regular users are not going to want? It may come in handy for corporations wanting to control their documents, but I can't see how regular users would knowingly want a product that restricts their access to their documents or files.

Also, I think you could dramatically improve security by decoupling Internet Explorer from Windows. Have it be a separate program similar to Opera, FireFox, Safari, etc... Is there really a valid reason that Windows Explorer has to be driven by Internet Explorer?

Four questions from a long time Windows user

[MasterOfGoingFaster]

1 - Could you comment on how the "every-user-is-an-administrator" usage came about, and what Microsoft can do about this?

2 - Why is Internet Explorer used for Windows Update, rather than use a robust, spicific use application?

3 - Will Vista offer an option to install in a secured, locked-down mode, with most services turned off (in a BSD-like fashion)?

4 - Shouldn't Internet Explorer default Active-X use to "ask"? Why not?

Strong Passwords

[holySherm]

Do you think it a priority to require OSes to force users to use only 'strong' passwords (caps/lowercase/numbers/symbols/certain length)?

Since most security issues start with the user, why has the convenience of being able to never type in a password trumped the benefits that come with strong passwords for all users? Add to this the possibility that if most users begin using these passwords with your OS, they will carry them over to their passport accounts and other sites requiring passwords.

I tried to bring this down to just one combined question in a run-on sentence but it was just more organized in this format.

Off by Default

It has been repeated many times that Outlook's ability to spread viruses was due to the default setting of automatically running scripts that were emailed to a user, and that this could have been avoided by simply turning off this feature by default. It has also been claimed that OS X has improved their security by turning off unnecessary services like personal web serving by default. Does Microsoft feel this is a good way to improve security, and are they planning on doing this in the future? In theory, if a service has an exploitable bug, but it's off by default, then it still isn't a very good vector for spreading a virus or other malware.

Re:What is the basic approach to Microsoft securit

Are the recent problems with WMF a result of deliberate design decisions such as engineering a backdoor into WMF, as some have alleged, or due to poor or improperly implemented design, engineering or quality control practices? Or is it simply a case of the product being rushed out to meet impossible deadlines? This question could also be asked about other controversial current/upcoming products (and to be fair, not just Microsoft ones).

Vista Maintenance Time?

[BoRegardless]

My Dell M60 with Windows XP has near zero maintenance time, as I never allow it on the Internet. My Mac PowerBook with OSX also has near zero maintenance time and handles all my Internet work.

I am sure Vista will "work". What I do not have is lots of free hours to keep fixing something & adding layers of applications to keep Vista "working".

Is Microsoft going to guarantee Vista going to change this ongoing user maintenance issue?

Bo

Non-security Bugs

[hackwrench]

Currently in XP with all the patches, I can get Explorer to crash by clicking on Start, clicking on All Programs, and then right clicking on a group.

Also, I keep running into resource pool limitations. It is normal for me to have around 50 windows open about 20 of which are Explorer folders. I have always thought that resource pools were a bad design. There's no point in grouping "resources" together. When I run into the limitation, grouped taskbar items won't display, the Alt-Tab list won't display, new windows won't show anything, and context menus won't open.

Then there is the wrong icons, sometimes with a bold number showing up next to programs in the taskbar bug and the properly redrawing taskbar groups after closing a window and then clicking on the taskbar group. These are obvious bugs to fix, yet they go unfixed. Why?

Also, why is the much needed network stack update being withheld until Vista. I am tired of sessions timing out because the stack isn't distributing transfers across all sessions properly.

Re:Non-security Bugs

[Mr+44]

Currently in XP with all the patches, I can get Explorer to crash by clicking on Start, clicking on All Programs, and then right clicking on a group.

This is almost definitely related to a non-microsoft context menu extension you have installed. When the crash dialog comes up, look at the module that it has crashed in, and uninstall that software.

You can also use regedit to open up HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers and disable the entries one-by-one until the problem goes away.

Re:Non-security Bugs

[Mr+44]

and of course, I just noticed you said "clicking on a group". Also check the entries under HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandle rs

Re:Non-security Bugs

[jtorkbob]

He's the head of security, not tech support. Until you've made your issues reproducable on a vanilla system, I'd have to suspect that your issues arise from a software conflict or configuration issue. You seem like a power user, surely you have lots of software that binds to your context menu and interfaces with Explorer.

Just a hint, you can run explorer and iexplore windows in their own processes. Here's one guide for it:

http://www.winguides.com/registry/display.php/964/

Yardsticks?

[Murmer]

I've heard it said that if you can't measure it, you can't manage it; Microsoft has declared that it is now emphasizing security in its development cycle, which no doubt requires some changes in the way product development is managed. I'm wondering what sort of changes you have had to make to your process on the project management end, and what sort of internal metrics you are employing to measure the success rate of those changes.

Reward program for vulnerabilities?

Why MS does not have a program to acquire vulnerabities directly from security researchers? Wouldn't such reward program benefit us all: security researchers would be encouraged to look for vulnerabilities in MS software; the information about the vulnerabilities would not make it to the public before patches are available; and MS would have a list of contacts, code samples, and industry analysis data from security people all over the world? Is it true that MS cashes in every time there is a buzz caused by publicly released vulnerability (see this analysis)?

Legacy Code

[chill]

As the recent WMF issues have demonstrated, there is a lot of legacy code in the core OS. Some of it seems to date back over a decade. Much of it seems to originate in a time where security was no where near the concern it is now, and network connectivity was the exception and not the rule. While I understand backwards compatibility is important for some customers, has there been serious efforts to audit that old code? What about the idea of a clean break with ancient code?

  -Charles

Re:Legacy Code

[krbvroc1]

I thought Vista was supposed to be Microsofts opportunity to design in security from the ground up. However, the WMF vunerability impacted the current Beta Vista and a patch was released. Why hasn't a more thorough security audit been performed on Vista so it can be more secure? How much legacy code is included in Vista? Originally Bill Gates touted Longhorn as mostly new code.

Dear Mr. Nash

[max+born]

Will Windows ever be secure?

Compatibility with previous versions

[$ASANY]

It appears that many design decisions are influenced by a need to maintain compatibility with software designed to operate under previous versions of Windows. Breaking too many "legacy" applications is risky from a business standpoint, but it does tend to perpetuate architecure choices that may not meet current realities and may impose more significant longer-term business risks. Is Microsoft considering an architecure refresh in the future, or do you see continuing architectural components such as the registry and kernel-space user code indefinitely?

What do you see as a security flaw?

[Cmdr_earthsnake]

In my honest opinion, I find that what you classify as a security flaw and what you don't are quite flawed. It would interest me greatly to find out what you DO classify as neccesary checking criteria over what you call a flaw and what you don't, for instance that security.tombom thing wasn't actually classified as a security hole, so I think it begs the question of what is essentially classified as a security leak. Regards, earthsnake.

Vista Security for my Grandmother's computer?

What methods are you employing to give the tech un-saavy the ability to have a secure computer out of the box, above what XP attempts?

In the new age of spyware slipping through many cracks, can a home user rely on Vista to provide a more secure platform? Or will the usual suite of 3-4 anti-spyware programs in addition to anti-virus, etc, be required? (Contrary to what your Help Line tells people - MS Antispyware will not remove/prevent all spyware)

The sophistication of malware seems to be rapidly going beyond what the home user can deal with - or be expected to deal with.

What, if anything, can be expected in Vista that improves this situation?

users and auditing

[H310iSe]

As a windows desktop administrator since the bad old days of 95 and 98 I have to give you guys some credit for how far you've come; however there are two issues I'm faced with that continue to be problematic - user rights and security auditing.

Despite whatever SU-like features you have, on XP I still can't reliably install, or in some cases even run(!), programs under restricted user accounts, forcing me to give most of my clients admin accounts and just hoping for the best. How seriously do you treat this issue and what work is being done towards getting an OS that can be used in the real world with restricted user rights?

Auditing - finding, say, if user X has any write rights anywhere on a server, who has done what on the system in the past day, what files were modified by a program's install, etc. all these things are do-able but not easily, and not using just MS supplied tools. How about a toolset for administrators that give us (especially the part-time admins like myself who don't just live and breath security) easy access to the reporting, auditing, and security tweaking we need to do our jobs well. And no, configuring and interpreting the security logs in the event viewer doesn't count as an easy to use auditing tool.

Dependency Testing Software/Process

[rts008]

I watched the video of the interview with the "Kernal Team" with Rob Short ( http://channel9.msdn.com/Showpost.aspx?postid=1488 20) when reading about it on /. (http://developers.slashdot.org/article.pl?sid=06/ 01/03/1944204).

That was a very interesting interview, I was appreciative of most of their answers to Rob's questions.
In view of the recent WMF vulnerabilities, I did however have a question about the dependancy checking process and software referred to by the team. Who (and how) is the software programmed? I guess what I'm getting at is this: Who or what determines what the software and process involved checks, and how is that related to determining what is dependant on what, and how it fits into the security/vulnerability checking process.
I would have thought that this software/process would have caught the WMF problems that have recently surfaced.

By the way, thanks for taking the time to answer our questions!

Digital Rights Management Framework and

[andholio]

Microsoft is embarking on an ambitious DRM framework intiative that will hopefully tie a vast number of services, computing activities, and data into a seemless trust environment. Users can share Office documents through email and encrypt and tie those directly to their recipients to prevent forwarding and enable greater control over content. Where do you see this framework becoming pervasive as a part of Microsoft's enterprise security deployments? In other words, will organizations deploy the DRM-enabled Office Services, Windows Live, then have user machines tied into DRM through Vista? Does this solidify Microsoft's commitment to the Trusted Computing Environment and establish a common trust architecture?

What OS do you consider the most secure?

[avalys]

What modern, in-use, server operating system do you consider the most secure one available today? I'm talking about one along the lines of Linux (name the distro), OpenBSD, Mac OS X, Windows, and so forth. How about a desktop operating system?

Please name a specific answer for both questions, and please don't name something useless like DOS. Your answer must be something that a sane network administrator might choose for an internet-connected server and desktop deployment.

Separately, do you think that Mac OS X is a more secure _desktop_ operating system than Windows XP? Obviously there have been far fewer worms, trojans, and viruses for OS X than Windows. Is that really solely due to OS X's lesser popularity, or is it truly a fundamentally more secure system?

If you think Windows XP is more secure, why? What security features does it have that OS X doesn't?

Re:What OS do you consider the most secure?

[Nintendork]

Give the man a break. He comes to Slashdot, a community site where many people have made a religion out of hating Microsoft and you can't grow up for one post? Instead, you basically tell him to pick an OS that he feels is the most secure, but he can't pick a version of Windows because you're opinion that Windows is insecure is a very well known fact. Name one OS that doesn't have any vulnerabilities. Even something like SecureBSD would have known vulnerabilities if every inch was combed over like so many people do to Windows. It's not like a competent admin can't harden a Windows box, disabling unused features. Microsft and NSA have whitepapers on harding Windows. You should check them out sometime, then form an opinion.

Re:What OS do you consider the most secure?

[booch]

A better question (as far as likelihood of a truthful answer) might be: "Which non-Microsoft OS is .... ?"

Re:What OS do you consider the most secure?

[avalys]

I never said he couldn't pick Windows. Where did you pull that from?

I simply asked that, if he did pick Windows, he provide some concrete justification.

Re:What OS do you consider the most secure?

[jred]

There's no way in hell you're going to get a MS guy to admit *any* OS is more secure.

A better question would be:

OSX is generally considered a more secure OS than XP, mainly due to it's complete redesign base on BSD. Was any thought given to doing something similar? Take a BSD base and build the GUI?

For your consideration

[eyepeepackets]

Mr. Nash,

Do you or anyone at Microsoft really think you have any credibility on any level with anyone besides PHBs and fanbois or are you hoping that continued posturing in the face of reality will eventually pan out and all will be good again?

Seriously, do you guys live in a different dimension and only come over to this one to spew MS BS?

Thank you for your consideration.

Is it really a secure system?

[The_Crowder]

Does the creation of an antispyware tool by Microsoft mean that your team has failed in their role of creating secure software?

Re:Is it really a secure system?

[SchrodingersRoot]

just as a point of reference, Microsoft bought GIANT AntiSpyware and rebranded it. while not necessarily relevant to the meat of the question, i'm a pedant, and more importantly, i think that the acquisition, free distribution, and integration of the product into Vista could be seen as steps forward when it comes to Microsoft's ostensible commitment to creating a secure environment, even if their initial efforts were less successful than one might hope.

Why no AES in SSL yet?

[jonathan_lampe]

Why hasn't Microsoft added AES to its SSL stack yet? As a Microsoft developer, it's annoying to get beaten over the head when facing competing solutions that can use the AES (128-,192- and 256-bit) encryption algorithm in their SSL implementations.

(OpenSSL - including the Mozilla browsers - and Java SSL have all had AES support for a while. Most SSH implementations have also had it for a while.)

Re:Why no AES in SSL yet?

[spidereyes]

From http://www.windowsitpro.com/Articles/Print.cfm?Art icleID=48340

"Windows Vista will also bring changes to secure communications. With Vista, we'll finally see the use of 256-bit Advanced Encryption Standard (AES) to secure HTTP traffic. Vista will also use the Online Certificate Status Protocol (OSCP) for speedier certificate status checking and will implement some extensions to TLS that are outlined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3546."

Code signing

[Chanc_Gorkon]

Code signing does not address the fact that a criminal who wants to do damage can still do damage. What is the big deal about code signing and what is it setup to fix??

WMF

[LoonyMike]

What is your comment on the allegations that the WMF bug was actually an intended backdoor?

you're not getting the right admin crowd

I honestly believe that the most technical competant engineers around rarely, or never recommend or use MS Windows themselves. It's normally the less technically able, managerially focused staff worried more about sticking with what they feel they know better, or believing something off the shelf from MS _must_ be fine that get the say and roll out MS solutions. Sometimes they are quite techy or have help from their MS hating staff who need the money who setup and automate builds in the old UNIX (from a decade ago) style at major corporations IME.

The problem with familarity with a system is that they don't realise how little they know of the underworkings of the system and so their feeling they know 90% of how a computer works is a) way wrong, probably closer to 30% and b) less anyway than the 98% knowledge of a true advanced techy admin who can hack the kernel or read asm language in their head on a small tight OS like NetBSD or Linux, which to be quite honest is actually a much more simplistic beast to understand fully. It's gained the techy crowd by simply being more geeky with the cmdline, so the better admins use it.

If Windows could drop the GUI (optionally) and have trivial bash like automation possible via an ssh session in the same powerful way people support unix at the moment (and consider it easy), it may gain some more respect and you'd get more security focused admins setting up windows installs. I know there is cygwin, but that just turns a windows pc in to something like a linux pc, only slower, less reliable and more expensive (MS licence needed).

My question summarised is: Your OS doesn't encourage geeks, so the best security focused minds install and support alternatives systems, so even if technically Windows _IS_ very secure it isn't necessarily going to show against other systems.

Will Compatibility ever be rejected for Security?

[jthrelfall]

IMHO - I find that the reason that Microsoft's products are insecure is because of the level of backwards compatibility that has been engineered into the product lines. While being able to run older applications is useful for many corporations that have difficulty in finding replacement apps, the sad state of affairs is that it is just that level of compatibility that hampers a full rewrite of the Windows core architecture. If Microsoft were to make a bold decision and create a truly new architecture that had the Windows look & feel but was based on sound secure coding practices, the possibility for exploits would be drastically reduced than with the current 'we have to make sure that the app written in Visual C ++ v2.0 still works' mentality. Backwards compatibility for older applications can be achieved with running the app(s) with a slim kernel & supporting services in a virtual machine that has very limited privileges. So my question is: Will Microsoft ever make the move to a newer, secure architecture, or can we expect Win9x compatibility with WinOS circa 2025?

Question #2

What has the MS Security department done in response to all the reports of flying chairs in and around Ballmer's office?

Customising and Installation

[nowhere.elysium]

Hi. I find myself wondering why I'm forced into using third-party software to create Windows installation discs that don't have programs like Internet Explorer, outlook express, paint, WordPad, msn et cetera? Would it not be possible to actually have a *working* application selection process during the installation? For example; I know that Windows update makes use of Internet Explorer specifically; wouldn't it be better to follow the open source model and have a specific updater program, that doesn't require a separate piece of software to provide a front end? Also, is WordPad really necessary? There's always notepad, and if someone needs to do any real word processing, they'll usually find a way to get hold of some kind of office software, whether it be your own or not is immaterial to me. You'll have to pardon my rudeness here, but paint is just a waste of space, as are all of the extras like movie maker and so forth. The gist of my question boils down to this; Windows is not, inherently, a bad operating system. There are some elements of it that I quite like. However, it would become quite a good operating system if all of the rubbish was siphoned out of it, and the installing party had more control over what went in. As far as I'm concerned, you can put whatever you like into the home edition of Windows; I use a legal license for Windows XP pro. and yet, I still find such unnecessary extras as paint, msn explorer, address book (incidentally, I'm not a fan of address software being built into any OS - I tend to use an email client, in this case outlook XP, to store such things), synchronise, remote assistance (I mean come on, seriously; anyone that actually uses remote desktop software usually has a proprietary piece of software to do it anyway). Anyway; I don't want this to become a rant. All I would really, really like to see would be a decent method of selection for software installation, please.

Question for the gentleman

[gaveawaymyname]

Do you ever drop your business card in those little buckets at restaurants for the chance to get a free lunch, and then when the burly man behind you is up to order, he glances at your title and decides to thank you in the parking lot by pounding you in the face until all you see in your vision is cryptic text on a solid blue background? Does he then call you at all hours of the day asking if you want to refinance your home or see barely legal girls naked? Does he make you give him an activation code to leave you alone?

Alright, seriously though... do you, as the VP of Security at Microsoft, ever find yourself laughing maniacally?

SP2

[towsonu2003]

Do you have a release date for MS Vista SP2?

RPC brute force protection

[ps3udonym]

There is a hole in Windows, MASSIVE, ugly hole when you take a look at the RPC calls. The problem is that there is no brute force protection when these calls are made over the network. What this means, is that you can send an RPC shutdown command with the username "Administrator" in a script and then just brute force crack the password to bring the machine down and then have your script spit back the administrative password. While we were testing this hole we were taking down servers with strong passwords in less than 10 min. Obviously this is a huge concern and one that hasn't been dealt with even though I have brought it to the attention of software team leads at M$ and simply increasing wait time in the event of authentication failure would fix it. Will this hole be fixed for the release of VISTA or will it continue to be a glaring security problem? Also, what other authentication processes have no brute force protection?

DRM

What are your thoughts about the Sony scandal and the upcomming DRM technologies ?

Next big thing?

[Randolpho]

By now, many of us have heard about Singularity, Microsoft's research OS with its ultimate goal of dependability (in which security plays a very large role). How does Singularity fit into Microsoft's long-term security and operating system goals? Will Microsoft eventually adopt Singularity and its inherent security? Will Microsoft adapt the concepts of Singularity to its current NT-based OS structure? Is there a third option coming down the pipe?

SSH?

I have noticed that Windows ships with Telnet for remote shell access and FTP for file transfers. However, both of the protocols send plaintext login information over the network, a major security problem. Since SSH was first created, as a secure RSH replacement, it has become a de-facto standard for secure remote shell access and file transfers in the Linux/Unix community.

Why hasn't Microsoft shipped an SSH client and server with Windows?

Re:SSH?

[toadlife]

My guess is because you can configure all telnet traffic (an any other IP traffic) to require authetication and/or encryption via IPSEC which is built in to 2000/XP/2003.

My other guess is that there is little demand for it among Windows admins. How many windows admins do you know that use the command line or scripts regularly to admin Windows. If I count myself, I know only one.

Linux

[towsonu2003]

Which Linux distros do you currently use? Please be honest...

Re:Linux

[bjinatj]

I would personally also like to know the answer to this question, and maybe what you are using it for.

Usage Control vs. Access Control

[DieNadel]

Mike, do you consider the implementation of a more complete control mechanism, that can handle mutability of attributes and ongoing usage, for granting/denying access or usage, like UCON_{ABC}?

Singularity

[debois]

Are there plans to incorporate ideas of the Singularity project (http://research.microsoft.com/os/singularity/, previous slashdot mention on http://slashdot.org/articles/05/11/03/1744230.shtm l?tid=190&tid=109) in future versions of Windows?

Why don't you just eliminate ActiveX?

Why doesn't Microsoft eliminate ActiveX controls entirely?

ActiveX is a horrible technology that I really believe is responsible for the vast majority of spyware and malware out there. Windows could be so much more secure if not for ActiveX. Why do you keep it around, especially when life is perfectly fine (cf. Firefox, Opera, OSX Safari) without it?

Dat's my question.

Tight Integration of Components and OS

One of the concerns you see expressed frequently regarding Windows security is the tight coupling between the OS and components, such as Internet Explorer.

1. Do you see the close integration of components such as IE with the OS as a problem for Windows security? If not, why?

2. If you do see this as a problem, what steps will Microsoft take in the future to address this issue?

DRM

[towsonu2003]

Do you have business contracts with other corporations such as Sony through which you profit as you add DRM controls to Vista? Do you have any business contract with Sony, for that matter?

Re:Why add DRM? Also, why not decouple IE?

[holySherm]

I don't think these would really be directed to someone in MSFT security. The decisions to do both of these things seem to be driven by marketing and maintaining market share, both of which can contradict decisions to improve security. If this guy had his way, he probably would decouple IE in vista and he wouldn't bother with DRM since that's just another thing he has to worry about securing, but the decision came from other areas instead.

Graceful degradation

[cyco/mico]

Mr. Nash,

As is often pointed out, one of the most important properties of a "secure" system is not how hard it is to break, but how graceful it degrades in case of intrusion or failure. I understand that Windows already implements some techniques in this vain (monitoring of background process, user feedback in case of suspicious behaviour). Many of these options are rather annoying, however, which often prompts users to switch them off entirely. What are the next steps you plan to make Windows degrade more gracefully? Will you try to automatize these processes (possibly with AI techniques), or will you try to "burden" the user with a more elaborate access privilige system?

Will there be a future demand for...

Developers, developers, developers, developers...?

Prevention or Cure?

[gmuslera]

How much of your job is involved in the process of creation (design, programming, etc) of Microsoft products vs detecting flaws (code/product testing for security probles) vs actually repairing bugs?

Some security problems could have been avoided picking right policies even in the design phase, others could have been checking legacy code (wmf anyone? since windows 3.1?), while the most visible action of the security section this last days is releasing patch for what was already done, released and then "discovered" to have poor design/programming/think around, sometimes a zero-day vulnerability.

Well, if we are doing a time distribution chart, i suppose i should ask too about percent of checking backward compatibility, is not the first time that customers had to wait like a week for fix of a bug actually being exploited (i remember a webdav problem in iis back in like 2002) and at least with the wmf one one of the explanations of the delay was checking compatibility.

Usability and Security

[kafka47]

The revised mantra of Microsoft application security has been "Secure by default", a strategy that was applied with varying degrees of success to many of your products in recent memory. In security circles, this might seem like a no-brainer, but for consumer-level applications the strategy can be a nightmare. For a company that spends so much on usability and ease-of-use for end-users, the act of explicitly prohibiting certain operations or features seems to fly in the face of that investment. The users get what is perceived as a broken product, and the administrators get the headache of decreased security (say, after they install a patch that break "secure by default"). For various reasons, these two contradictory approaches seem to serve neither usability nor security. In that vein, what other effective strategies have been considered? For years, the NSA has provided a unique service to the users of various products, including Microsoft Windows operating systems. They produce "hardening" guides for these products in an effort to ensure their continued security and viability in the wilds of the Internet. Has Microsoft ever considered producing guides like these, seeing as how they're the authors of their own products? In that vein, has Microsoft considered redacting the secure by default to enhance usability, yet instead produce tools or wizards that electorally enable hardening for your applications and OS'? /K

Re:Usability and Security

[kafka47]

(Re-post, with formatting.)

The revised mantra of Microsoft application security has been "Secure by default", a strategy that was applied with varying degrees of success to many of your products in recent memory. In security circles, this might seem like a no-brainer, but for consumer-level applications the strategy can be a nightmare. For a company that spends so much on usability and ease-of-use for end-users, the act of explicitly prohibiting certain operations or features seems to fly in the face of that investment. The users get what is perceived as a broken product, and the administrators get the headache of decreased security (say, after they install a patch that break "secure by default"). For various reasons, these two contradictory approaches seem to serve neither usability nor security.

In that vein, what other effective strategies have been considered? For years, the NSA has provided a unique service to the users of various products, including Microsoft Windows operating systems. They produce "hardening" guides for these products in an effort to ensure their continued security and viability in the wilds of the Internet. Has Microsoft ever considered producing guides like these, seeing as how they're the authors of their own products? In that vein, has Microsoft considered redacting the secure by default to enhance usability, yet instead produce tools or wizards that electorally enable hardening for your applications and OS'?

/K

Re:Usability and Security

[Nintendork]

"Has Microsoft ever considered producing guides like these, seeing as how they're the authors of their own products?"

You should actually look before asking questions. Microsoft has produced hardening guides at least since NT came into existence. In fact, for Windows Server 2003, NSA points you to Microsoft's guide for hardening.

Re:Usability and Security

[kafka47]

Point taken, yet my question (as badly worded as it may be) was directed to all of MS products and not just the OS.

Second question stands as well.

/K

Code Maintenance

[danpsmith]

With so much code being recycled between versions and with so many backwards compatibility issues for your customer base and the maintenance problems alone involved with these things, do you think it's ever possible for a Microsoft OS based off past models to be as secure as the alternatives? If so, how?

Culture and Security

[Hard_Code]

I have started watching videos at Channel 9 that explain in-depth the internals of some core Windows components, which has given me some perspective and respect for those developers. However, even from these videos it is clear that Microsoft has been in the past (and perhaps still is) ruled by a "cowboy coder" culture (revealed for example in the series on the Vista kernel in which they openly discuss their attempts at managing the "state" issue, and talk about the problems due to unscrupulous use of the registry).

I would like to think that Microsoft has finally "got the religion" about reliable code, unit testing, defensive programming, etc. (it seems that many historic decisions were made on disputable performance grounds instead of a long-term view of security implications, and now Microsoft is paying the price).

Is this the case (do you even agree with the premise) and if not, what is Microsoft's strategy for evangelizing safe and robust programming practices (as well as overall architecture) *inside* Microsoft? It seems that the best laid plans of kernel and system architects can be ruined by some guy working on the shell that is getty pressured by marketing to Hurry Up and implement that gee-whiz feature that will "impress" the customer.

(extra cheat question: Raymond Chen has recently posted about "decoy" windows and other hacks that MS has implemented to compensate for badly written application code - as a user, this does not seem to serve my interests. Instead of quiety accepting the misbehavior, I would like Microsoft to make these sorts of problems apparent in some manner to make the user aware of their software and demand better behavoir from developers of the software they purchase, and also to shame software developers into behaving well. Continually accommodating intentionally bad software seems to be a bad long-term strategy. Any comment on that?)

Re:Culture and Security

[sjelkjd]

>>Instead of quiety accepting the misbehavior, I would like Microsoft to make these sorts of problems apparent in some manner to make the user aware of their software and demand better behavoir from developers of the software they purchase, and also to shame software developers into behaving well. Continually accommodating intentionally bad software seems to be a bad long-term strategy. Any comment on that? What do you honestly think would happen here? You upgrade to Vista and application X stops working? Are you going to blame the author of application X or Microsoft?

Re:Culture and Security

[Hosiah]

I have started watching videos at Channel 9 that explain in-depth the internals of some core Windows components

Boy, I gotta move to where my local TV stations have content like that!

Alternate means of Security

[kenny9336]

Many security holes tend to be derived from undesireable code and/or applications being executed. Current firewall and antivirus software act by trying to identify malicious activity, of which there is currently over 100,000 different signatures to maintain. Currently, I have about 60 processes running. Keeping track of this 60 plust the other 40 to 50 I might use during my normal work week tracks a total of about 100 processes. This seems as though it would be much easier than trying to track over 100,000 signatures. Has Microsoft investigated whether it would be benefecial to have the main OS track approved processes(not just installers and main apps) to run? If so, what has prevented Microsoft from moving further forward in this manner?

2008 expiry of WinXP Home updates

[spyrochaete]

Mr. Nash,

I understand that MS has recently decided to extend the deadline to abandon official support of Windows XP Home to 2008. While many applaud this 1-year extension, others feel this deadline is insufficient. Considering this is the most popular operating system in the history of personal computing, will MS take responsibility for any damages caused by this deadline? (e.g., unpatched vulnerabilities resulting in spam and DDoS zombies, virus proliferation, identity theft, etc.) Is MS willing to reconsider this deadline?

Closed source still considered good for security?

[wahwah]

Source code unavailability was claimed to be good for security. Crackers can't read our code, so they won't find holes. It's harder to find holes by trial and error than by reading and analyzing the code. On the other hand, a lot of Windows source code has leaked into p2p networks some time ago. So crackers have a lot of reading. How does Microsoft security team feel about this?

Microsoft vendor relationship Secty expectations

Please see the context(no question is fair outside the bounds of an understood context) below to address the two separate questions.

How will you influence responsible parties in Microsoft to influence the vendors like Dell to ship secure by default?

Why does Microsoft presume the security relationship starts at the end user and not the OEM repackaging relationship?

Context of questions:
I recently received a new Dell XP pro machine to validate / update its security for a family relative. The machine was purchased and delivered in January 2006. The Machine was 26 critical service packs out of date from the dell factory. The restore disk would also reset the machine to this level presumably.

Assuming in this context that secure by default means patches on the machine as received and the restore disk are up to date at least within the same month of shipping.

The data in the post is classified PUBLIC by IT Security.
Any opinions are that of the poster not the company the poster is employed by.

Cost of full security audit of the Windows code...

[mikelang]

Considering the total cost of security flaws in terms of both lost revenues and company prestige:

Did Microsoft ever ask for independent security audit of whole existing Windows code and API designs?

If so, could you tell us, how big these costs were?

[I put design flaws, as the most recent WMF format flaws and many macro vulnerabilities were examples of these.]

Did Microsoft ever consider paying outside company for security review of every new component that is introduced to Windows?

Follow true TCP/IP Standards? Email?

[Stomkrow]

Is it possible that Microsoft could use readily defined IP standards instead of inventing their own or their own take on them? Ex. L2TP with a VPN connection. Spam is the scourge of the internet with 80%+ of all email traffic being spam. What happened with Coordinated Spam Reduction Initiative CSRI and sender ID? Can there not be one universally accepted email authentication method that can support the GPL and Microsoft? After all Microsoft has a very small market share of web and email servers wouldn't be in the best interest of ALL internet users for Microsoft to get off their IP and Patent fence long enough to actually do some good in the Spam arena??

Why not fix the current OS?

[Nom+du+Keyboard]

Why aren't you putting all your efforts into fixing the current Windows operating system, instead of writing a new one (Vista) essentially from scratch? While you obviously can't collect money from having people upgrade from WinXP to WinXP the way some will from WinXP to Vista, you'll still sell your OS on a majority of all new PCs, as well as having a chance to create something that isn't already the bane of many of our existences.

Put another way, how do you respond to the end user's need of: I don't need new features nearly as much as I need security and stability in my current features?

MSFT employee here

Hi, Mike,

I have just one question for you. Why do we STILL ship products with KNOWN security issues?

I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that flaw will affect a ton of customers and cost Microsoft significant litigation. Some of very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what DFD is and how to put one together.

This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in a couple of hours they've allocated for this. You can barely glance through this much code in this much time, 90% of security issues remain unnoticed during this "code review".

After all is said and done, product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional saying that product is now Fort Knox secure.

If you ask me, that's abomination, not a proper security process. Are there any plans to change it?

Re:MSFT employee here

Mod this up!

Re:MSFT employee here

[user24]

what on earth is a DREAD score?

some possibilities:
Dangerous Reality Eats All Desktops
Do Real Exploits Actually Do (this)
Dirty Rude Exploits Always Devour
Dominant Rats Eat Any Dinosaurs
Don't Realise Every Application Does (this)
Danger/Response-time/Enduser-impact/Actual-threat/ Dev-time?

ah, i could go on all day...

Re:MSFT employee here

Something that tells Mike that he's not bullshitting when he says he's a MSFT employee.

Re:MSFT employee here

[kindageeky]

Damage potential
Reproducibility
Exploitability
Affected Users
Discoverability


It's actually becoming an ad hoc standard for vulnerability risk assessment, used by many non-MS-oriented camps of security professionals. The same can not be said for the STRIDE system for classifying the type of vulnerability, which is obtuse and and disjoing... better approaches are the OWASP top 10, and the WASC vulnerability classification system.

Advantages of Divorcing Graphics and Kernel?

[Bravo_Two_Zero]

What are some of the discussions surrounding divorcing the graphics display subsystem from the kernel? I recall a blip about something similar in a story about the next (post-Longhorn) generation Microsoft OS. But, it's always seemed to be a big issue both with security and reliability (though the second part of that statement seems vastly improved in 2000/2003). Are there concerns other than the (likely) huge codebase for the existing kernel that preculde creating a version of, say, Longhorn with a text-only option with all the management bits happening via CLI or remote consoles?

Microsoft integrated approach to architecture

[recharged95]

Mr. Nash, Microsoft has advertised many times it's concept of the integrated approached to software architecture. What security concepts or technologies do you see in your software stack that supports the OS group's decision that this approach is the correct/superior choice? (examples?) That's considering many of your competitor's follow very different architectural philosophies.

In addition, with more [popular] 3rd parties not getting their DLLs/Drivers/applications "logo-certified" though the Microsoft process (i.e. conforming to the integrated architecture), how is Microsoft prepared to handled security breaches/defects from non-conforming plugins/3rd parites?

When will you eliminate ActiveX

[NatteringNabob]

Given the inherent insecurity of ActiveX, why not eliminate it completely?

The separation of code and data

[Asprin]

Does Microsoft have any regrets regarding its historical strategy of designing software that mixes code in with data (E.g., ActiveX, IE, VB Office, etc.) to make life easier for developers, despite the security implications and risks of such a strategy?

Will other legacy issues be checked?

As the WMF problem was due to old features being used in new 'unwanted' ways, how much of the legacy code that has been 'copied' to Vista will be checked for security, or will they be fixed as they arise?

Update CDs for users?

[SleepyHappyDoc]

When XP Service Pack 2 came out, Microsoft offered free CDs for customers who were unable to download the service pack. Now that a fresh install of Windows XP requires an internet connection to provide full security via updates, are there any plan to make available a regular update rollup CD for customers? I'd be willing to pay a (nominal, like shipping) cost for a regularly-issued CD I could use to deploy patches offline.

Re:Legacy Security Issues - Already in Progress

[Nom+du+Keyboard]

will Microsoft ever be willing to start from the ground up on a new OS with security being a primary strategy from the outset?

That's already what's essentially being done with Vista, hence the multi-year delay when they basically started over again.

Security Codebase, Development Model.

[Irvu]

Whenever the topic of Microsoft's security (or lack thereof) comes up the Windows codebase is mentioned. Many both inside and outside of the company seem to attribute most of the existing security problems to the trouble of maintaining old Windows code and backwards compatability. Gates himself drove this point home by flogging the point that Vista would be built "from the ground up".

What gets mentioned less is Microsoft's development model. Books such as "I Sing the Body Electronic" by Fred Moody paint a picture of a corporate culture focused on high-pressure development cycles, fast turnaround on new features, heavy code re-use, and a dependence upon of contract workers. This seems expecially relevant given the fact that the recent WMF bugs (which made non-tech news) were not "old" features relative to the age of Windows.

My question is; How much is the codebase to blame for problems and how much is the culture? And, what are you doing about them?

DRM

[Stomkrow]

Given the recent spate of ugliness regarding DRM in the marketplace what solutions does Microsoft intend on implementing to ensure consumer rights? Do you really think DRM will float with consumers or that it is destined a slow and terribly painful death? I know that I speak for a great many of us when I say that I fully intend on banning any and all DRM materials from my home and my business. PERIOD. There is no debate in this.

Security & Education

[SchrodingersRoot]

As a former PC tech, I have many of the usual horror stories regarding tens of thousands of spyware components on machines. Now, while I never objected too strongly to users having lots of spyware, as it helped pay my salary, I appreciated the fact that Microsoft purchased and made MSAntiSpyware available free. I'm also glad that Vista will be deployed with Windows Defender, along with automatic updates, and that IE will ship with security improvements, such as 'protected mode' and ActiveX controls disabled by default.

However, to me, this seems only half of the real battle when it comes to spyware (and other security issues). The other half, in my experience (And in GI Joe's, apparently), is knowledge. Education. I have noted that some systems, even heavily used systems, without tools like MSAntiSpyware, AdAware, and Spybot installed can have very little spyware, whereas even some systems with such tools can become heavily infested.

So my question is this: especially given that many of the users of Windows are less tech savvy than would be preferable, are there any plans to address the other side of the equation in Vista (or elsewhere), for security issues like spyware? A Security Tour, recommendations, help features, tutorials, etc?

For that matter (addendum)

[Caspian]

For that matter, if I have your attention, I wish to be a bit more blunt: If you give an average end user a computer with a factory install of Windows from Dell or Compaq and have them use it without any intervention from a techie or "power user", they WILL get tons and tons of spyware. Period. They will use IE instead of Firefox, they will click on pop-ups, they will blindly click "OK" to all sorts of dialogs, and within six months, they will be wondering why their computer "is slower than it used to be".

And if you ask them about security, they will tell you that they are running Norton/McAfee/Symantec, as if that makes them completely safe. (It doesn't, of course.)

I'm frankly curious as to whether or not you are even aware of this phenomenon. Many corporate people seem ignorant of life outside of the Fortune 500 world (where computers are managed by high-paid techies and significantly "locked down"). Outside of the Fortune 500 world and the geek world, it's hard to find a Windows system that isn't full of malware after six months of use. I cannot stress this enough. This is the rule and not the exception.

Re:For that matter (addendum)

It's simple why they don't worry about the average user. When the average user's computer slows down, they simply tell that person that the best thing to do is upgrade. Both hardware and OS.

Moving all unwanted code back to User Mode

[freedom_india]

Are you moving all unnecessary code (like nVidia drivers, mouse drivers, video drivers etc) back to User Mode and leave the Kernel pretty thin and safe?

I understand you moved Video drivers into Kernel mode in NT 4.0 for performance reasons on slow machines of that day.

Now that machines are much faster than ever before, are you moving back all Video Drivers/stuff back to user Mode so that Windows Vista can be MORE secure?

One question, sir

[BoldAndBusted]

Why should we trust what you say, or what your company says?

"PR do it" - "PR idiot"

[mkcmkc]

Mike is answering for himself instead of having PR do it for him.

For some reason I parsed that as "having a PR idiot do it for him". No idea why.

Trustworthy Computing

[user24]

Does Microsoft support Full-Disclosure? Given that it is stated on the Microsoft website in specific regard to security that "We share our knowledge, learn from others, and collaborate at every stage, so each successive partnership makes technology environments stronger"(1), it would seem that if MS does not support full-disclosure we must draw the conclusion that sharing knowledge, learning from others and collaborating is only permissible between MS and its industry partners. On the other hand, if Microsoft does support full-disclosure, this seems to be in direct contrast with facts such as that the average patch time is 46 days(2). If Microsoft really does support full-disclosure, why are patches not released sooner?(3) 1 http://www.microsoft.com/mscorp/twc/security/overv iew.mspx 2 http://www.washingtonpost.com/wp-dyn/content/artic le/2006/01/14/AR2006011400218.html 3 I realise this is a second question and hence may be ignored if you wish.

...Separate pls

[SpoonFlame]

We all understand the reasons behind code reuse (well mostly) but we also know that when a security hole is present it may ripple into many other system that may not on their own be vunerable. Why is it that windows still uses Explorer and IE (which are essencially the same..i think??)...tho i believe i read somewhere that the graphics and kernel will be separate now...this looks like an idea got from unix type systems...while i commend this effort i would like to know why the most vunerable parts of the system, or most likely attacked component are not compartmentalized so that breaching of these part does not ripple into other systems...which tho it may not solved the problem, will allow less to be compromized....a bug is only a bug if you can find it!!!

Microsoft Security

[MaxPowerDJ]

What kind of commitment (be it buying a vendor or development in-house) would it take from Microsoft to develop a fully integrated and feature-rich software firewall solution? Do you have plans for it? Can we expect some of that in Windows Vista SP1?

Secure right out of the box

[Nascar_Geek]

The number of machines being turned into zombies every month make it pretty obvious that many users don't know how to protect their computers from attack.

What do you see your company doing to make PC's running Windows products more secure right out of the box and to keep them secure with little or no input from the user?

Illegitimate copies and security patches

[23orgFlea]

Microsoft products (namely XP) have become ubiquitous around the world as the PC desktop operating systems, with this success microsoft has been very profitable. I think microsoft deserves both the success and the profit, after all they've(you) have worked long and hard and spent gobs of time and money developing and marketing the products. I believe microsoft has a right to protect it's property and revenue. What concerns me is that with the vast coverage of MS products, even a small percentage of the illegitimate(pirated etc) copies represent a massive installation base. Now that users have to authenticate their copy before receiving updates, this massive base is left vulnerable to attacks that not only put them at harm but also uses of legitimate MS products and virtually every other operating system user on the internet. Can you please explain the rational behind this decision and the perceived outcome and consequences this will have in the next few years?

Security for Morons

[chadjg]

I'm not very smart about computer security, but I can follow directions with precision, think about threats in a general way, and I care. What is your company doing for people like me? It seems that no matter what I do I have problems with your software. Ok, I'm still using windows 98, but why do I have to run two security apps plus the cheap Zone Alarm firewall just to stay functional?

Security vs Performance

[patman814u]

Mr. Nash, I recognize that security is a major concern for Microsoft and OS development in general. I'm wondering what Microsoft intends to do in regards to improving OS security at the expense of system performance? I'm sure that I'm not the only person who has recognized or commented on general security upgrades and patches degrading the performance of the OS.

Slashdot bites?

[rilister]

How do you feel about the at-least-slightly-prejudicial busted-up broken window icon Slashdot use to highlight this article?

realtedly: Do you believe the anti-Microsoft bias of Slashdot is peculiar to this forum or does it reflect a general antipathy in tech circles? Why do you care what the community at Slashdot thinks?

When are you going to get rid of Internet Explorer

[Kunt]

Dear Mr. Nash,
When are you finally going to kill Internet Explorer? It seems there's no way you can improve on it, so why not just replace it with a secure and usable product, such as Firefox? Or maybe you could ask Apple to port Safari to Windows? While you are at it, have them replace Windows also. Microsoft's products have plagued users long enough.

Networks

[perlfu2]

Will Vista come with a full range of networking/serving solutions? It would be nice to be able to employ a full range of services from one vista machine running just that, Vista. What I'm wondering is, can I expect to employ proxies, rule based firewalls, dns, and dhcp services just to name a few with future Microsoft software without having to purchase loads of software just to run what many other operating systems come with stock. Also, will ctcp be backwards compatible? What improvements can we expect to see from it? How will it effect network operation in a multi-os environment? -AKA is this another trip down the path of NETBIOS?

Is the new limited privileges IE mode vulnerable?

[Stan+Vassilev]

I hope my question is not too technical, but here goes:

One of the most important innovations in Vista regarding security is the revised user/privileges system, including the new "limited" mode IE (and potentially other web apps) will run in.

The basic goal is that even if IE has a flaw which allows malicious code to run from the browser, that it will not have the privileges to read/write/execute code, with the exception of writing in the IE temp files folder (the cache).

However to allow the IE plugins and IE itself to go on its business (such as download files to where the user wants), special 'broker' processes were introduced IE to talk to.

Apparently those processes have higher privileges. So if IE can command them to download code, doesn't it render the point about the privileges protection moot. If not why.

And another such concern. I suppose the limited IE mode applies only when the mshtml engine is launched from within the "official" IE shell.

However many apps use that shell, and since the malicious code retains the ability to write to the Temp Files, won't it be possible the reuse of "infected" cache via embeded IE to raise the privileges for execution and infect the system anyway.

Thanks.

SEH & Windows Error Reporting

[the+right+sock]

Error reporting, as I understand it, is a catchall function of SEH for unhandled exceptions. Most buffer-overflow attacks I've seen hijack SEH, specifically this default handler that is always present at a known address, to execute a payload.

Does MS receive a lot of feedback via this mechanism? What does it do with that information? Has MS looked into alternatives to this implementation (say, by dynamically loading a default handler into a process's address space at load time, instead of using a system handler with a predictable memory location)?

Trusted Computing Not

[Nom+du+Keyboard]

Microsoft seems to be tilting towards trying to convince all of us that TCM/TCP Trusted Computing hardware will be the panacea of all our security woes, when coupled with a TC-aware operating system (e.g. Vista). As should have been learned before in the uproar over the Pentium-III embedded serial number fiasco, many of us do not like this idea at all. Are you willing to create secure systems that do not require or force Trusted Computing hardware on us as part of the security process?

Re:Why add DRM? Also, why not decouple IE?

[Hatta]

I don't think these would really be directed to someone in MSFT security. The decisions to do both of these things seem to be driven by marketing and maintaining market share, both of which can contradict decisions to improve security.

Which raises a very interesting question for this fellow. How well do the microsoft security and marketing departments get along? How much is left undone because of a clash with the marketers? I would suspect quite a bit, but I'd like to hear it from someone who would know.

MS Security

[jaemz]

Given the recent decision by the governement of the united states regarding privacy (more so, the lack of it), how can we be sure microsoft isn't creating a back door in vista and giving the government the key.
What role do you see microsoft taking... are you for the privacy of the consumer, or the demands of the government?

If you had to store your Credit Card Number ?

[DrSkwid]

If you had to store your Credit Card Number, SSN, etc. on your computer, where would you put it/them ?

Re:If you had to store your Credit Card Number ?

This is very easy.

I keep a file with all my login names, passwords and service/website names in a plain text file. All the passwords have a common component that's simply substituted by an asterix in the text file and not listed anywhere in the file. The component is the only thing I have to remember, so I can make it as complicated as I want. (In my case, the component is composed of two parts inserted at a non-specific point into the password.)

I also keep important numbers in the same file, such as the numeric password for my internet banking. I simply split it into three digit chunks that are inserted on several lines into other passwords. All I have to do at that point is to pick out the specific chunks and reassemble my number. To make things more interesting, the chunks can have an extra identifier (such as a letter) so they don't have to be on consecutive lines. This not only breaks apart your important data, but also obfuscates your other data.

This system is probably not perfect but it will defeat most so-called crackers.

Re:If you had to store your Credit Card Number ?

On a sticky note, under the keyboard. Duh!

Re:If you had to store your Credit Card Number ?

[earthbound+kid]

Keychain.app, exactly the application that's designed to hold that kind of information.

My wish is that Apple would put a fingerprint reader into a future "MacBook" and let Keychain use that instead of authenticating passwords.

Hyper-Threading

[cperciva]

On March 2nd, 2005, I sent an email to the Microsoft Security Response Center (secure@microsoft.com) with a draft of my paper "Cache Missing for Fun and Profit", in which I described an information leakage attack against systems with shared caches in general, and systems with Hyper-Threading in specific. Among other things, I showed how this could be used to steal an RSA private key.

Over the following two months, I was told by three independent third parties that Microsoft was "very concerned" about this issue and had "several people" looking at it; but while one of your managers, Stephen Toulouse, claimed in an eWeek article that you commit to providing [researchers] with a progress report on the Microsoft investigation every time they ask for one, my repeated emails inquiring as to whether you had made any progress or intended to fix the problem at all went unanswered.

Since you've agreed to answer questions from slashdot, I'm going to try again: What action, if any, do you intend to take to protect systems against side channel attacks exploiting the shared caches on Intel Hyper-Threading processors?

oldies but goodies

[cosminn]

When will Microsoft just drop ActiveX? It's been pretty obvious that it's wrong to give a webapp so much power over your computer.

Microsoft has announced that it will be using UNIX-like permissions for its file system. Will this be part of the Windows Vista release? If not, when will this occur? Will this change imply that users will not need Administrator-like priviledges to run applications?

The Registry has proven to be a very complicated and vulnerable component of Windows. Will Microsoft ever move away from it? Do you have any plans/ideas for improving it?

How much security is Microsoft willing to compromise for ease-of-use?

Are there any plans to remove comonents from being so integrated in the kernel? Do we reallly need apps such as Internet Explorer, Media Player etc. to be a Windows component and have deep hooks into the kernel? This has been an issue for both security and stability.

Thanks for your time,
-Cos

Vista and beyond.

[Laurance]

I have read that Windows Vista is having a major focus on securty. These enhancements look good But my question is:

Will there be a point were Windows can not become any more secure without throwing out the old code and starting over with brand new code and is this what Microsoft is doing with the singularity project ?

http://research.microsoft.com/os/singularity/

Rootkit Capability Designed Into Windows

[ElboRuum]

Mr. Nash,

My concerns involve the most recent major "security" issue, that being Sony's rootkit debacle. Having recently been subject to a malicious rootkit on my home machine, and having seen the fallout caused by Sony's "legitimate" use of Windows architecture to "hide" its DRM rootkit from even administrative level users, I wonder the following:

If the most devastating forms of attacks (rootkits, malicious keyloggers, password stealers) can hide from even experienced users and cannot be revealed without the use of home-rolled utilities created by the users themselves or white-hat coders, how does Microsoft reconcile the fact that this ability to patch the Windows API exists through the very design of Windows itself with its commitment to security?

Even Sony, a legitimate interest, can't seem to resist the temptation of invading the user's equipment in the protections of its own interests. Sony seems to believe that it is perfectly OK to turn one's PC into a 'tattletale' with the very design of Windows, and this is a legitimate company with a long standing history of trust!

How can Microsoft stand by its statement of protecting user's privacy from malicious interloping if it provides and maintains the means for even legitimate companies to hide stealth, information-divulgent, privacy-invading software on users' machines knowing full well that black-hat coders use this avenue of weakness all the time?

Also: is/was Microsoft lying?

[rbochan]

And no, unlike the comments in the page topic, I'm not trying to be snarky...

Since Win2k/XP was supposed to be a complete, from the ground up, re-write after Win3.0/NT/9x, and Long^H^H^HVista is supposed to be a complete, from the ground up, re-write after Win2k/XP... why was code from 1990 included in these later releases?
Just what is going on with this latest security debacle? Are these supposed to be re-writes or recycles?

Re:Also: is/was Microsoft lying?

[c0d3h4x0r]

No one ever said for a moment that either of those was a "complete rewrite". If you heard that somewhere, you were misinformed.

Re:Also: is/was Microsoft lying?

[squiggleslash]

XP is based upon Win2K which in turn is based upon NT. NT was a ground-up rewrite, though some of the code from NT made it into the Windows 95, and some code - the Win16 subsystem that provides compatability with 16-bit apps under NT - came from the DOS/Windows (Windows 1.0-3.11) part (just as NT also contained OS/2 code.)

You can't lump NT in with Win3.0 and 9x, and W2K certainly wasn't a complete rewrite after NT.

Re:Also: is/was Microsoft lying?

[man_of_mr_e]

Wherever you heard that XP was a 'rewrite', you heard wrong. Vista isn't going to be a 'rewrite' either. I'm not sure where you get that information, but it's very wrong.

Re:Also: is/was Microsoft lying?

[Malc]

"Long^H^H^HVista"

You expect a Windows guy to understand that? The backspace key always works in Windows and certainly doesn't print out new characters.

Boxers or briefs?

Sorry, that was unprofessional. Let me try that again:

Vi or Emacs?

Long turnaround time for patches

[dmt99]

In general it appears that Microsoft takes a long time to release a patch once a security flaw is found. What is the bottleneck? Does it take that long to fix? Is it stuck in QA? What system do you use to prioritize the fixes?

Re:Why add DRM? Also, why not decouple IE?

[GroBeMaus]

IE = spyware's best friend.
I feel that many of windows vulnerabilities stem straight from IE. First,IE should never have been able to write to the registry. This has got to be one of the biggest errors MS has ever made. Websites adding spyware without user intervention was made possible by IE. As a seperate product, it could be setup with profiles like Firefox and not need to touch the registry. I really don't believe any programs should use the registry except for the windows system, but that's just me. So I guess my question is this. Do you see IE being decoupled from windows? I have no problem with it being included on the install CD as a seperate program, just not integrated into windows.

Balance or clicky-stuff vs security?

[gentimjs]

Where do you draw the line between "ease of use"/convenience vs security? By that I mean, when you get situations where security becomes inconvenient for the user (as the firewall stuff in XP SP2 has proven to be) what finally makes you stop and say "ok, security is more important than being able to click a weblink here" ?

Microsoft Patches

[Yerase]

Does Microsoft internally release Security patches (like the recent WMF patch) to it's own employees before releasing it to the general public? Not talking about for testing, but did Microsoft's employees & systems suffer the same "week of vulnerability" that the rest of their customers faced? If they didn't (meaning internally the patch was applied to systems before it was officially released), then do you think this is a kind of "rose tinted glasses" for Microsoft, effectively hiding the true scope of a vulnerability?

Q. for Mr. Nash

[Serious+Poo]

Hi Mike. Thank you for taking the time to address our questions here on Slashdot. My understanding is that the potential impact of many of Microsoft's security vulnerabilities occur as the result of a vulnerable service running with full administrative privileges. I also understand that these privileges may sometimes be based on the access rights the current user profile is running with. However, I suspect that it might be possible to limit the rights these services run with, regardless of the rights currently assigned to a user profile. This would help to limit the potential impact of a vulnerable service, which in turn could really improve the security of Microsoft's products. Has any thought been given to this, and if so, what is Microsoft's strategy to address this?

Homo v.s. Hetero

[mtenhagen]

Do you think a homogeneous os population will be beter then a heterogeneous one, considering security.

Isnt with a homogeneous population the change of pandemics much larger so any security fault will have a much greater impact?

If you believ a heterogeneous population is better (which is wat most research points at) how does microsoft use this information?

questions

[DigDuality]

Do you consider Microsoft's stance more of a marketing decision in order to force the populace into purchasing Microsoft products and further locking people in to a particular line of products, when it comes to Trusted Computing, or do you view it as more of a security move?

Also, i'd like to echo the want to know your thoughts about IE being imbedded into the OS itself and your thoughts about further imbedding other web accessing software. (WMP)

Fundamental Disadvantage?

[Moldz]

One of the advantages of open source, at least in theory, is that anyone can look through every single line of code in the OS to verify that there aren't any bugs that can lead to security problems. The idea that every part of the code is being examined by hundreds of programmers inspires a lot of confidence in a system, whether or not it is actually happening.

Do you think that Microsoft is at a fundamental disadvantage since it lacks this transparency?

In other words, does an open source model of development inspire more confidence in an Operating System compared to the model you use?

Passwords for Elementary School

What comments would you make about this Microsoft FAQ entry for Class Server:
(from: http://www.microsoft.com/Education/ClassServerFAQ. mspx )

Q.
Eight-character passwords are tough for elementary school students to remember. Is there a way to change to a smaller number of required characters?

A.
Yes. If you choose to use Class Server with a SharePoint portal, the user's portal password can be passed directly to Class Server for authentication. This way, a user need only remember their Active Directory (Network Domain) password. For access through the standard (non-SharePoint) interface, we chose eight-character passwords to help maintain Class Server security, which is extremely important to our customers (based on customer feedback). Microsoft is committed to continually helping improve data security.

In the meantime, as a workaround, you can suggest that the elementary school students pick a four-letter word and type it twice for their password (so they only have to remember one word--which may be easier to remember than eight characters).

My Questions: Windows - The Most Secure OS?

[KrisCowboy]

Microsoft Windows is historically a BadBoy - crashes, viruses, exploits, vulnerabilites etc etc. After XP, this situation has changed with the firewall and regular security updates. But the situation hasn't changed much.

The "Windows vs Linux" research is debatable. As the OS powering nearly 95% of PC market (sorry, I don't have any recent statistics right away. Let's say 95), how long do you think it will take for Windows(or any other OS from the house of Microsoft) to be the most secure Operating System there is?

Integration/Coupling

[gentimjs]

Has anyone in the higher levels ever considered that such tight integration might be detrimental to security? As it stands, if some remote user is able to expliot some vulnerability in my email client .. why should my system be engineered in such a way that the vulnerability in my email client lets then access my user preferances for my word processor or lets them change my system clock? To phrase it differently, what do I (the customer) gain in specific functionality from this tight coupling/integration (at the expense of security) that I would not have if this method was not used? -Tim Smith

Influences and Innovations

[coldsalmon]

To what degree are Windows security strategies influenced by other operating systems or security companies? To what degree do you feel that you are innovating in the area of security, and to what degree do you feel that you are learning from others?

Will Virtualization Play a Role in Vista Security?

[Hypervista]

With Intel and AMD building support for virtualization at the chip level and providing extensions to the IA-32 ISA in support of the new hardware based virtualization features(VT-x), does Microsoft have plans to leverage these new features to improve security of Vista?

Security vs. obscurity

[Andrej+Komelj]

We have all heard of a phrase "security through obscurity". Even more - there is probably a whole lot of people dealing with the clash between security and the ease of use of computer technology... What about Microsoft? Has the company ever conducted a survey or a research on the topic? Or created a sample test application monitoring user's reactions, frustrations and responses to notoriously complicated security bariers of the modern day (i.e. please enter your digital certificate password, again, ... and again, ... and for the umpteenth time). Wouldn't it help if the results of such survery would be publicly accessible for all application designers who usually tend to overestimate users' ability to comprehend benefits, risks and complications of a "totally secure" working environment? It would certainly be nice to see opinion of common users on the topic once for a change.

Simple, but vitally important question.

[gadgetman]

Hello, is anybody there?

HELP!

[ggeezz]

Can you please help me fix this! Every time I boot up a box pops up telling me that I have errors on my computer and I need this software to fix the errors. How do I get rid of the errors?

Was the WMF hole

[TheDoctorWho]

Was the WMF hole a bakcdoor MS put in specfically for that reason? Or was it really and truly and overlooked bit of code?

How can you protect the general public?

[PGillingwater]

Currently, there are hundreds of thousands, if not millions, of potentially vulnerable Windows systems connected to broadband connections, due to vulnerabilities like the WMF issue. Although we haven't seen any widely-deployed worms or other mobile exploits so far (maybe they exist, but are well hidden), many in the security community see this as a ticking time bomb, contributing to the already massive zombie armies.

How does Microsoft intend to address the security issues in the legacy base which will one day cause problems for even the best-maintained sites? For example, massive DDOS attacks, extortion, spam relays, etc.

Note that the following are not options, for a variety of reasons:
1) Upgrade -- many people don't see a security problem as a driver for upgrading;
2) Online updates -- only very recent systems including automatic updates, while older systems are used by people who can't manage this themselves;
3) Ignore -- this problem isn't going to go away. It can only get worse as more systems are infected.
4) Education -- too expensive, and affects Microsoft's reputational risk

Suggestions:
1) Offer a wildly-popular game or free download which fixes the bug as a side effect (disclosed of course);
2) Develop an "official" worm, which fixes the problem -- and release it into the wild.
3) Pay a bounty for grass-roots volunteers to fix them.

funding + resources = crap? why?

[c0n0]

Considering you *practically* have unlimited funding and the ability to find/hire extremely talented developers, what do you think is the #1 cause for so many security flaws in microsoft's products?

(e.g., we hire the wrong developers, our development procedures are not adecuate, we release our products too soon, we do it on purpose etc).

So, what's it like to be a liar...

[RailGunSally]

... with pants constantly on fire?

Internet Explorer

[mr.+mulder]

What new features or technologies can Windows users expect to see in upcoming versions of Internet Explorer (and IE OS integration) that will help protect them from spyware/malware, viruses, browser hijacking (inadvertantly installed BHO's)? Furthermore, has Microsoft considered any type of registry tracking tool to help assist users in removing unwanted software that may have hijacked thier PCs?

Why does MS insist on using faulty architecture?

[postbigbang]

The use of a registry has been criticized since its inception. Even though Microsoft has gone to lengths to remove user/root access from the registry, a hierarchical information manipulation system hasn't been implemented-- causing exploit after successful exploit.

Why should we have to buy firewall apps, virus mitigators, spyware removers and other products when an inherently strong and systematic approach to security would have prevented all of these problems?

Timely patch delivery vs. thorough testing

[Anonymous+Froward]

Short version: Would you please tell us how you evaluate timely release of your security patch and thorough testing of that same patch, and how you decide the release date?

A bit longer version:

Microsoft is often criticized of long delivery time of the patches for critical vulnerabilities of Windows and its related components, such as Internet Explorer. Indeed, it is not unusual for Microsoft to take months to release a patch for a known ciritical security vulnerability (for example this one). This makes a stark contrast with patch releases of many open source projects (such as Linux kernel) that are very quick to release their fixes.

On the other hand, many of us understand that any software has to be tested before it is released to public. And here comes the compromise between thorough testing and quick, timely delivery. Since it is impossible for anybody to do the testing against all possible configuration of Windows, somebody has to say, at some stage, that the risk of most of the users being exposed for extended time is far greater than the risk of some of the obscure functionality of Windows (and thus some users' system) broken by the patch.

This can be a tricky decision, though, and it all depends on some coorporate/project/whatever policy. So my questions are the following:

1. Who makes the decision to release a specific patch at some specific date for a critical security bug?

2. Is there any reward for that decision maker when the timely release of the patch is believed to have saved millions of Windows PCs from being owned?

3. Is there any punishment for that decision maker when the patch unfortunately breaks somebody's system and he/she complains (like lost revenue of one million dollars per hour because some unknown printer driver stopped working)?

4. Do you think your current decision making process is working well?

4a. If so, why is Microsoft often criticized for not releasing patches in a timely manner?

4b. If not, what are you planning to improve the process?

I'd ask a question but...

I'm sure he's a really busy man....

Businesses which rely on Microsoft security issues

[brailsmt]

There is an entire industry based on fixing Microsoft security flaws. Norton, Symantec, etc... all do a significant portion of their business working around Microsoft flaws. There are billions of dollars to be made off of Microsoft flaws, so much so that Microsoft recently decided they wanted a piece of the pie by purchasing anti-malware products. What incentive does Microsoft have for fixing flaws that support an entire industry, especially one which Microsoft itself profits from?

Design Decisions

[CPIMatt]

How much of your job is hampered by past design decisions, and how much input do you have to change designs that are fundamentally flawed?

It seems like you are fighting a losing battle for security if you cannot change the design of Windows and that of Microsoft applications to be fundamentally more secure. Change things like: not allowing data and code to mix, not allowing the user to run as administrator by default, and the list goes on.

-Matt

my questions

[wardk]

Mr. Microsoft Security dude,

So when is the security enhancement project going to kick off over there?

question 2:

What Mac do you use?

User Rights, Patch Philosopy

[Joseph_V]

1) As I understand it Vista will employ a more rigorous security framework in which capabilities require individual authorization and expire over time or with use. Can you elaborate on this? Will user/pass be required each time we install/change registry entries/access protected disk sectors? Is there any structural barrier that disallows me from subverting this mechanism through something as simple as a buffer overflow, for example a program that I authorize to edit my bookmarks to could potentially insert a trojan in that same directory named family.jpg, which googledesktop will likely find, index, and bring to my attention? 2) The recent accelerated patch was certainly a big PR win for Windows in most communities. Did the immediate quieting of the vocal security community help towards moving Microsoft into a more agile patching philosophy rather than the previous, batched philosophy?

E-mail

Do you ever send your loved ones an e-mail msg with "I luv you" as the subject line? Do you like forwarding jokes or a picture of Anna Kournikouva as an attachment?

Window's file handling vs. security

Every OS author has to decide how they are going to handle file deletions when a file is in use. The majority of operating systems clearly consider it important to honor existing file handles. But Windows currently uses the simplest solution to the problem by returning an error against the unlink call. The result being that Windows appears to be "protective" of the malware which is already running (and several time set to auto-start on next boot or login).

While Windows does offer MoveFileEx() function which can remove a file currently in use on next reboot, this has the following disadvantages:
- It is not seemless to the applications and several anti-virus/anti-spyware packages don't take advantage of this function
- Until the next reboot, additional file handles can be openned to the file
- It requires a reboot to take effect and does not automatically occur when all current file handles are closed

The majority of *nix flavors I have worked with have the concept of "unnamed" files such that deletion of a file that is in used results in a file loosing it's name. The current file handles are still honored but there is no longer a file name for future file handles to be established with. Once all file handles are closed, the file is automatically deleted and the disk space freed. Also, this functionality is seemless to the application and doesn't require any additional changes to the program.

Along the same lines, the cost and licensing conditions for the IFS DDK (Installable File System Device Driver Kit) seems to have impacted what open source security software is available for Windows. While lsof (List Open Files) is available in source form for *nix and provides output in a form that can be used in scripts, the closest Windows equivilent of FileMon from SysInternals is not available in source form or provide a way of piping or redirecting it's output in a script. And licensing incompatiablities between the IFS DDK and the General Public License (GPL) has resulted in such issues as ClamWin anti-virus project for Windows being unable to provide real-time scanning.

Is there any plans to address any of these issues?

Thanks

moo

[everphilski]

Uder to Bug

*swats tail*

NGSCB and actual users

[yakovlev]

How is Next-Generation Secure Computing base (NGSCB, aka Palladium) going to improve security for actual users?

It seems like most security threats would either already be covered by the current windows security model (if applications used it correctly) or are not helped by this new technology. Three major security issues right now are Trojan viruses as e-mail attachments (bad user practices), buffer overflows (simple bugs, often due to insecure programming languages), and insecure scripting languages as part of many applications, that turn any document into the equivalent of an executable (insecure applications by design.)

What does NGSCB do to remove or at least mitigate the effects of the above types of security issues, beyond what is already possible with existing security technologies?

What is Microsoft doing to ensure that application developers will make use of the existing security mechanisms (such as being able to run in User accounts) and will take advantage of the new security options provided in the upcoming version of Windows, such as NGSCB?

-Vital- Question!

[Quiet_Desperation]

Clippy or no Clippy?

How about Outlook

Some of the "greatest", or at least, most pressworthy Windows exploits have been made using Outlook. I don't think its a little known fact that Outlook's "other" name is Virus Construction Kit. Yet Microsoft have simply refused to address this huge security hole that is the Outlook/Office Suite. What, if anything, has been done to address the numerous security problems from Outlook. And simply repeating "turn off vb scripting" is not an answer.

No questions here anymore.

[Eric_Cartman_South_P]

I would have had a TON of security questions and concerns for you, but I moved to OS X so don't bother.

i wonder ...

[dominic.laporte]

1)Have you ever done an ask Mr Nash (via a memo or what have you) inside microsoft with assurance against being labeled as a whistle blower ? I am sure you could get tons of microsft insiders giving you internal security problems they cant even pass the moron PHB.

2)How many of the issues listed here (if any) and/or which ones will you take upon yourself to resolve in your next meeting with senior management ?

The Whole Rootkit and Kaboodle

[cez]

How do you feel about the Sony Rootkit fiasco, and what steps if any can be expected in the future to disallow the ease in which rootkits can be installed on the system, or for that matter files or trojans that can be hidden from the average user? Where does the newer version of DEP (Data Execution Prevention) fit into your future security aspirations and is there any possibility of a default tripwire type application to prevent the use of trojaned applications such as netstat that might manage to find their way onto an unsuspecting system?

Jeez, look up the answer yourself...

[Weaselmancer]

Dude, it's already been covered. Do a Google search for it.

Oh wait, nevermind.

Windows without a safety net.

[Terri416]

At the last D: All Things Digital conference, Mr B Gates KBE made the observation that "during the last year, if you had up-to-date Windows, you would have been safe if you didn't have" antivirus software also running.
If a Blue Badger (full MS employee) were to run his/her Windows machine on the MS campus without AV, would this behaviour be considered loyal, courageous, reckless, career limiting or grounds for dismissal?

It is both ways: XPsp2

[everphilski]

...and if you arent running SP2 on XP you have bigger problems

monopol a security risk ?

[jopsen]

Question: Isn't the biggest security risk in the world that allmost everyone uses the same OS ?

Vista: What about my fair use rights?

[c0d3h4x0r]

Top on my list of worries about Vista is that it may finally be the nail in the coffin for fair use rights when it comes to digital content. From HD-DVD to TPM to encrypted DVI, it sounds like Microsoft is going out of its way to further violate users' fair use rights with Vista. Doesn't Microsoft bear an ethical responsibility to look out for the fair use rights of paying customers? In your opinion, how bad is Vista really going to be in this regard? Doesn't Microsoft realize that this is a key reason that many people flock to noncommercial alternative software?

Windows Update

Are you going to enable users of Windows XP (or vista for that matter) to use WIndows update via Firefox, or will they have to continue locked in to IE?

will windows auto update get all of the updates?

windows auto update does not get of all of the updates will you and the optional updates to it?

Parent isnt offtopic you numnuts!

Its about security! UAP IS SECURITY!

Intrinsically less secure, or just a bigger target

[Angostura]

There is an ongoing debate about whether the relatively large number of Windows security issues and exploits is related to intrinsic security weaknesses, compared with other operating systems, or the attraction that its massive has on malware authors.

Where do you stand on this? Is the Windows family intrinsically more prone to security breaches, or are other operating system users simply protected by their favoured system's niche status?

Lets get down and dirty :)

[Jawshie]

Nash, lately we have seen an uproar of self-proclaimed 'secure' browsers such as Firefox and Opera. Millions of users use these and it seems that IE is losing its way. How will IE7 stack up against these other browsers and how will it be different from IE6?

Replies

[Useless]

I can see it now. Every response will look something like:

"LOL, this is not a PR person"

Decisions of the past & future...

Some of the decisions made in past incarnations of Windows (95, 98, 2000, and even the initial version of XP) were pretty clearly made in the interests of ease-of-access over security. Ancient examples are things like default network shares, optional password login (cancel on the "user/password" screen), and the default permissions environment in which applications could assume to be operating (e.g., assuming they could write to almost any directory/file on the system).

We all know that with Microsoft's shift to more security, many of these have been eliminated in later versions of the OS, but with such a change comes problems of third-party compatibility, and even compatibility of older Microsoft products, in some cases (e.g., such as some MS games). Some problems, such as the difficulty of running a user with reduced priviledges, are still difficult to implement in XP without breaking software, unless users have advanced knowledge (e.g., learning to use "Run As..."). This fact leads to most users running with much greater priviledges than is the norm on other operating systems. This, in turn, often leads to security problems in Windows than would not otherwise exist (or would have been mitigated). Why mince words? The simple fact is, an average home user can not run as a limited user without a great number of things breaking, and yet that is exactly how they *should* be running out-of-the-box for security reasons.

Is Microsoft prepared to break some of this old software in the interests of furthering the security of the new version of their OS? What tangible changes are being made so that users will be able to run as a limited user *and* actually have a functional system, without having to become an advanced system administrator to make it happen? For example, are there any tools planned to audit the priviledge needs of an individual application, and fix or advise users on how to get it working in a "limited user" environment? If not, then we are likely to still see a great many people running as "Administrator" or its equivalent all the time, and that is a big security problem for Windows that other OS do not face.

Skepticism about the recent WMF vulnerability

[OmniGeek]

There is a great deal of suspicion among software professionals that the recently-patched WMF vulnerability was a deliberate backdoor, whether with or without official sanction. Now, this may or may not actually be true, but the possibility that it IS, coupled with the (frankly, seriously limited) credibility of any Microsoft statement on the matter, surely damages Microsoft's reputation. As things stand, we'll NEVER KNOW for sure; this is not good for your credibility among technical early-adopters.

Given this state of affairs, would you be willing to show the before-and-after versions of the affected Windows source code to one or more well-regarded independent security experts for their analysis and public comment, under publicly-disclosed terms that both protect your IP and ensure credible and independent reporting and analysis? (I.e., provide enough of the code and tools to compile it and verify that it's the real thing, place an NDA on the code itself with permission to disclose relevant code excerpts under reasonable conditions, with no prior restraint on publishing the results of the audit, and with the full terms of the arrangement to be made public.)

I believe that agreeing to such an arrangement would go far to allay the damaging rumors of a deliberate back door, and would help to improve Microsoft's reputation as an honest software provider. Whatdo you think?

Why are known issues not fixed?

[Hackeron]

My question is there are currently 23 security exploits in windows xp that you have known about for many months and they are well documented on sites like secunia.com and securityfocus.com. With Microsoft's unlimited resources and focus on security, why arent they getting fixed?

Your own home PC

[sunderland56]

Do you have your own PC at home, and if so, do you maintain it yourself, or have a company IT guy do it for you?

If you do it yourself, do you follow all Microsoft-approved policies (have the firewall enabled, have auto-updates on, etc etc)? How long did it take you to set the machine up, and how much time each week do you spend on machine administration?

Do you honestly believe that an operating system where a normal user account can update the kernel and change system settings by merely browsing to a web page can really be considered "secure"??

What motivates you?

[TheUz]

Microsoft exists to make money for stock holders. To make money, you must resell your product every two years or so. If you produce a perfectly secure, robust operating system, will you not lose that recurring revenue?

I understand the open source motivation. I'm not selling my software, I'm giving it away in the hopes that it will be usefull. To that end, all my endevours are toward making the software perfect.

I do not understand why you would want to make your software perfect, as you will then lose your sales. "Why buy a new operating system, when this one is already exactly what I want?"

What is your motivation to make your software perfect?

Respectfully,
tomas

I stopped too soon in my explanation

[hackwrench]

It isn't the context menu itself that does it, I can open it and close it just fine. It's when I select open that it crashes.
I did as you said and looked at the crash report.
Here is what it says:
appname: explorer.exe
appver: 6.0.2900.2180
ModName: ntdll.dll
ModVer: 5.1.2600.2180
Offset: 00043345

Re:Legacy Security Issues - Already in Progress

[Bohiti]

The WMF vulnerability applied to Vista as well.

Security for whom?

[Angostura]

It seems to me that your job covers two fundamentally different uses of the word 'security'. There is the security in the sense of keeping a user's machine free of malware, but you are also charged enforcing digital content controls and ensuring that a user does not have the ability to use digital content on their machine in a way that the content provider has not sanctioned.

Day to day, which aspect of the job keeps you busiest and how do you balance the demands of the two aspects? Do you see any mutual conflicts between the two parts of the role in a world where digital rights management software and malware are sometimes hard to distinguish, from the end user's point of view.

Will create a completely customizable server OS?

[CheckeredShirt]

This is the type of questions I was going to ask.

I subscribe to the philosophy that added functionality equals added risk. A server OS that allows administrators to completely customize its functionality would also allow them to manage their risk.

Is Microsoft considering a server OS that allows administrators to completely remove unwanted components/applications?

I feel that I shouldn't have to patch a server for an IE vulnerability if nobody on that server should be using IE. That becomes even more true with WMP and Outlook Express.

Toy Story

[Lodragandraoidh]

Many IT professionals and computer scientists view Windows as a 'toy' OS. What would you say to convince them to use Vista over (insert industrial strength POSIX OS here) for their mission critical systems?

Wait a second...

[tgd]

Not to get off the topic here, but its funny when I see people complaining about the product activation in XP and how it only impacts legitimate users of the software.

With the huge amount of time and effort it takes to make internal hardware changes to a computer such that it needs to be re-activated (ie, searching for drivers, rebooting 50 times in safe mode when the XP drivers aren't right, etc), the five minutes it takes to re-activate Windows seems pretty minor.

Your statement also suggests that illegitimate users all know how to bypass it -- and I would argue that is, in fact, not the case. Technically knowledgable people stealing Windows can do it pretty easily, but it IS effective in preventing counterfeit or duplicate versions being in installed on white-box systems out of dinky shops, and prevents casual breaching of the license ("I got this new computer with XP, and I'm going to install it on my old one so I can use it as a file server")

Its a sign of how biased Slashdot, and how bizarre someone from MS would waste time on this audience that your dig was moderated +5 insightful and not troll.

Its also a sign, since this one will likely be modded "off-topic" and "troll".

Re:Wait a second...

I thought you were worth modding up so you got a +1 Insightful - seems that defending Microsoft in any way around here is a cardinal sin. I agree that activation is totally painless to be honest, and the people that gripe about it are generally the people who are trying to circumvent it!

Does anyone listen to you?

[Eli+Gottlieb]

I'm going to assume, for the moment, that you aren't as dumb as Windoze security tends to be. Why is there a difference? Do people listen to you, are you given a decent budget, or really should somebody else be doing your job?

Thanks for considering these questions.

[catahoula10]

1)Can a version of windows be made that allows the owner to choose which features to install? For those that do not want the caculator, the web browser, the mail program, or whatever..etc...

2) Can a more user friendly way to manage settings, permissions, and admin functions be implimented for those that do not have the experience in Sys-Administration?

3)Can MS make a built-in virus program that does not need a subscription for continued protection?

4)It would be nice to have linux type full user accounts on windows. Is this possible?

5)Can windows make a tool that cleans the registery and works like the /SFC tool?

Thanks for taking time from your hectic schedule to consider these and the other questions on SlashDot. ---

How often do you guys look to *nix approaches...

[vacorama]

I would think that with developing Vista, at some point you guys must have taken a look at how some of the linux and unix distros (especially Mac OSX) have dealt with similiar security issues... If so, how often does this happen, or is there any conscious effort to avoid asking yourselves that question...?

MOD PARENT UP!!!

[MajinBlayze]

These three things are some of the most widespread problems facing the Windows OS. Microsoft has put a lot of time and code into making software that could potentially be safe
windows permissions are very flexible, .net seems to more-or-less eliminate buffer overflow problems (when done correctly), and the .net web services could potentially replace ActiveX in a way that would result in better security.
There are two reasons this hasn't happened yet:

1. This requires a rewrite of old code
2. The operating system needs to be secure by default

What's your opinion on ActiveX?

I'm not asking for technical details in depth, I just want to know what you think of MS's creation of it in general.

A more Firewall Friendly network model?

[djmcdona]

Currently, Microsoft networking uses a proprietary port-mapper on tcp/135 for many protocols. Over-loaded port-mapping protocols make firewall implementation difficult because:

• the firewall has to understand the port-mapping protocol, which many (including Cisco PIX) do not
• arbitrary so-called "non-privileged" ports are opened by the port-mapping protocol
• the use of a portmapper precludes more granular firewall controls, such as permitting Exchange client connections but not file replication

Will Microsoft change their networking policy to be more firewall friendly, with specific ports for specific activities, so that those of us trying to use Microsoft OS's in N-Tiered environments can write a sensible rule other than permit ip any any?

Ease of Use vs. Security

[defile]

We, as customers, demand convenience. If I have a funny video, interesting application, or useful document that my friend or business associate needs to see, I want him to be able to get it as easily as possible. I want to drag it onto my IM window, or drop it onto an email message, or maybe even stick it onto his desktop so he sees it first thing when he comes back.

I crave this kind of tight integration between components. It makes life easier, reduces overhead, saves me time and money. Microsoft has no doubt been very successful at delivering this kind of infrastructure and reaps the benefits of it.

But there are some dishonest people in the world, and this tight integration and ease of use makes it especially convenient for dishonest people to get malicious software on my computer that pilfers my files, seizes my computer for use in some denial of service army, or watches my keystrokes to give someone the information they need to empty my bank account.

When a new worm finds its way into the open, 99.99% of the code being executed is code that Microsoft has written.

Forgive me for being blunt, but how does Microsoft stand a chance? I don't see a way to make Microsoft software more secure without making it less convenient to use. And anything that makes Microsoft software less convenient to use attacks its bread and butter.

Why isn't this a losing battle?

Offline security patches?

[thoth]

Are there any plans to make security rollups and patches available offline? As in, offer the latest patched versions of your various products on CD, available for nomimal shipping costs? This can't possibly cost much to administer, compared to auto companies who face product recalls when design/safety issues arise.

I know the service packs make it to Windows Update, but when something bad happens and a system needs to be reinstalled from the media it came with, that isn't practical. A new install from one or two year old media means an immediate download of dozens of megabytes of patches before the system is reasonably usable. Such a system might be compromised while the update occurs. Yes I can do X, Y, and Z to work around this, but try explaining to an average consumer where to download patches "just in case" and how to slipstream their own media, and you might as well tell them to just buy a new computer every year. I think it is unfair to push this entire burden onto customers, when updated media is cheap to provide.

When will MS take the admin role seriously?

[filesiteguy]

I find that my greatest concern with MS operating systems as desktops has to do with the elevated user privilages that are pretty much forced on us. Practically every piece of software I run across requires users to login as Administrator to install and operate. IIRC, there was a major move back in the Win2K days to encourage users to be more restricted. There was even a "run as" function in AD-based systems which allowed for an admin to execute an app after giving proper credentials.

However, it appers that the software community - and even Microsoft - has ignored this. I constantly see software which requires access to HKLM to operate even from a user's perspective. IMHO, if MS is going to be secure, this policy of running as Administrator needs to change.

Is it?

Running older programs under Vista

[greyfeld]

One of the things I have found most disturbing over the past 8-10 years is the lack of support for older programs that is found in the latest versions of Microsoft's OS. Most Windows 98 programs and almost all Windows 95 and DOS programs fail to run under Windows XP even with "compatibility mode". I realize that planned obsolescense is part of the current corporate scheme, but it would be nice if some of the great software of the past would be able to run on the latest and greatest.

To that end, what is Microsoft doing with regards to backward compatibility for software that runs on Win98, Windows 2000, ME and XP? If compatibility is going to be provided, how will you secure these portions of the OS so that the bugs of the past don't come back to bite you?

Outlook security question

[coastin]

Our company has web hosting clients that have been with us for several years, who rely on us for the quality of support we give them. Because of this we often get involved in solving security problems related to their use of various Microsoft products. Of these Microsoft products we seem to spend a great deal of time supporting Outlook and Outlook Express issues. Many times we get support calls where the client can not send e-mail via Outlook or Outlook Express. After testing to see if they can send via the web-mail applications we provide, we usually find that the problem is due to worm or virus infections of the above mentioned Microsoft products and that they can send and receive e-mail via web-mail.

Has Microsoft any plans to make Outlook and Outlook Express more secure and if so how?

Your opinion?

[DoctorDyna]

I've often thought that the individuals across the globe that spend the time figuring out where the security holes are in order to develop exploits tend to focus on microsoft products, perhaps in an effort to "bring the giant down." Do you think that a good deal of the fear alot of us have that Microsoft products tend to be less secure is the result of the focused effort of exploit developers?

Administrator Accounts

[Dangero]

Through windows XP Microsoft has opted to allow the default installed user account root access. This has allowed a lot of security threats to mitigate because when a user executes any code on windows that code has free rein on the entire system with admin permissions. In the future does Microsoft plan to move away from having the typical user log in as administrator and allow facilities for that to be a viable option? For example, will future windows OS's prompt for temporary admin access when needed, etc.

Request For Fruitful Business Relationship

This letter to you is as a result of information and esteem recommendation I received from the local branch of the International Chamber of commerce, on your credibility and reliability with regard to business dealings. Indeed it may come to you as a surprise but it was borne out of my sincere desire to share a mutual business relationship with you.

First, your strictest confidence in this transaction is highly solicited.This is by virtue of its nature as being utterly confidential and top secret with its success based entirely on mutual trust, cooperation and
an uncompromisable high level of confidentiality I am an Executive Director in the Nigerian National Petroleum Corporation and a member of the Contract Advisory Committee (CAC).

I am seeking your assistance to enable me transfer the sum of $26,500,000 (Twenty Six Million Five hundred Thousand United States Dollars) into your private/company account. The transaction I want to make with you is as a result of careful coordinated activities that have spanned a number of years during which contracts were awarded under my supervision. These
particular contracts of reference were awarded to two foreign contractors to the tune of $90,450,000.00 (Ninety Million, Four hundred and Fifty Thousand United
States Dollars) with my benefit carefully concealed within.

This contract has been satisfactorily executed and inspected as the Bulgarian firm is presently in the process of securing payment. It is of note that I am also in-charge of all foreign contract payment approval. As a civil servant in active government service, the code of conduct prohibits me from operating a bank account outside our country. Thus the reason for
seeking your assistance.

The desire is to present your private/company account details as a beneficiary of contractual claims
alongside that of the Bulgarian contractor, to enable me transfer the difference of $26,500,000.00 (Twenty Six Million, Five Hundred Thousand United States Dollars) into your private account. Upon conclusion of the transaction, it is my wish that the funds be distributed with 30% to you as the beneficiary. 10% for reimbursement of incidental expenses we may incure in
the process of execution of this transaction, and 60% for me to be managed under an investment program in your country with you as the managing partner.I would like to assure you that I have carefully and painstakingly
made all arrangements to ensure actualisation of the transaction which will be concluded within a few working days upon application of the necessary information and details.

The nature of our communication is of utmost importance hence you may reach me on my confidential lines FAX +234 1 759 7418.

Thank you and God bless as I await your urgent response.

Yours Sincerely Mr. Stanley Ademola, Contect me throuth the following e-mail
address edhugo@email.com

Focus on security

[burnin1965]

Do you believe that focusing marketing, press releases, and internal/external studies on comparisons of Windows security versus linux security is beneficial to Windows security or the perception of Windows security?

Aside from the fact that many of the reports we read seem seriously flawed it appears to me that focusing too much effort on the marketing aspect of Windows security has a tendency to backfire and just make linux look that much better in the eyes of consumers. Shouldn't the market speak for itself if Windows is adequately secure?

burnin

IPv6 Security for 2008 Federal Transition

[netrangerrr]

Will Vista/Longhorn integrate the entire "VPN Suite B" IPsec for IPv6 (And v4)
      IPsec:
      Protocol ESP [RFC4303]
      ESP encryption AES with 128-bit keys in CBC mode [AES-CBC]
      ESP integrity AES-XCBC-MAC-96 [AES-XCBC-MAC]

      IKEv2 Security Management:
      Encryption AES with 128-bit keys in CBC mode [AES-CBC]
      Pseudo-random function AES-XCBC-PRF-128 [AES-XCBC-PRF-128]
      Integrity AES-XCBC-MAC-96 [AES-XCBC-MAC]
      Diffie-Hellman group MODP 2048-bit [RFC3526]

When will Microsoft integrate secure neighbor discovery (SEND) RFC 3971 and Cryptographic Generated Addresses (CGAs) into products? Microsoft has been a major contributor to these security RFCs!

How about a remote management solution for the host-firewall to create a "Distributed Firewall"?

Re: IPv6 Security for 2008 Federal Transition

[netrangerrr]

This question is posed by David Green of the North American IPv6 Task Force/Army CERDEC/DoD IPv6 Standards WG. A formal reply to the North American IPv6 Task Force would be greatly appreciated!

Short question

[rossz]

Have you no shame?

Unchecked Buffers?

Why doesn't Microsoft fix all the unchecked buffers in the code base?

At this late date still uncovering unchecked buffers is incompetence. A real commitment to security would cleanse the code base of unchecked buffers as soon as possible.

Isn't it embarassing to Microsoft that these kinds of sloppy coding errors are still being found?

QA process for MS patches

[some_raisins]

I'm a Windows Sysadmin at a public university. I like to patch & reboot my servers the same day that critical updates are released, but I often run into resistance from my customers. I believe we're all on the same page as to what "critical update" means, but they'd like assurance that these patches have been fully tested before installing them on the production servers. I've always told them that Microsoft does way more QA testing of their patches before releasing them than I could ever hope to do, but I don't really know this to be true.

Could you give us some info about your QA process? What does your security team do, specifically, to test your patches before releasing them to the public? Do you test them on systems that have different 3rd party apps installed, such as antivirus & backup software? Do you have any lists of applications that you always test for compatibility with the new patches?

The Registry

[RooT+iO]

I watched a interview done between Channel nine and several leaders within the kernel development team and a question was addressed as to weather or not they would perfer that the registry never been invented. To sum up there response, they said they feel that if the registry was used for what it was intended for and stricter guidelines were set earlier on we could have avoided many of the problems we have today with the registry. I understand making drastic changes to the registry system would be a devistatingly painstaking task but would it not be one of the nessary steps to solve many of windows problems especially when dealing with security, not only within windows but within the applications running on windows? And has a major change to the registry structure and system ever been considered?

MOD UP

[cagle_.25]

Are you going to allow popular programs that have not been written securely to run on Vista by means of a "hack" or "tweak"?

That's one of the most important questions. Hope he has to answer it.

when you...

when you poop is it gold, or pure evil? or pure evil gold?

Twilight Zone Script Idea

[cmacb]

Twilight Zone Script Idea:

---

Everyone at school wanted to intern at Microsoft, but with my grades, sending off the application was just to satisfy my parents that I wasn't goofing off all summer because I'm lazy. Just to be sure, I even bragged to them about how good I thought my chances were of landing that hight-tech starter job.

Nobody was more surprised than I was when I got an offer letter, not an interview appointment but an actual offer letter, complete with starting date. There must be some mistake, but I'd be foolish to not take advantage of it. For the next week my casual bragging about my prospects turned into an almost 24 hour a day orgy of self promotion. Everyone I knew and many I didn't know had to be told that I was now an elite employee of Microsoft, the company that INVENTED computing and was responsible for all modern technological advances, or at least so I thought at the time.

Which of course made it impossible for me to do anything but sign on the dotted line when I arrived at MS HQ to find that I was being employed for the summer as nothing more than a "mail-clerk" for two of the buildings containing the loftiest executives in the organization. Well, I rationalized I could always lie about the nature of the job to my friends and family, who would ever know.

Hard to believe in this day and age there would still be so much physical mail, especially directed at a high-tech company such as Microsoft. But there was. My first few days were just learning the process, and realizing that I'd be working some long hours as the company had no respect for "snail-mail" or those who had to deliver it, so one guy had to do the work of three or more, sorting the mail into bins and in the case of the higher-ups, actually carting it to their offices. At least I got to meet on occasion some famous people, maybe this would come in handy some day.

One odd thing was that there was a particular hallway that seemed to be largely deserted. At the head of the hallway was a locked door with no name on it, but the title "VP: Microsoft Security Technology Unit". Outside the door were stacks of mail, so high they were tumbling into the hallway pretty much blocking it to my cart, but as there were no occupied offices further along the hall it made no difference. Still, I tried to neaten it up a bit for the first few days.

Then it started to get to me. Why didn't this guy read his mail? Or if he was on a long vacation or something, why not have a secretary collect it for him?

I got one of the largest mail sacks we had and collected most of the pile into it, but there was more than it would hold. This stuff must have been collecting for months, years maybe. Finally I tracked down the admin person who might have a key to that office. At least we could pile the sack and remaining mail inside rather than have it clutter up the hall.

I really had surprised myself in that I had started to take some pride in my lowly job. The admin, who was rather cute, and not much older than I was I'd guess wasn't nearly so enthused. Fortunately though her master key was close at hand and she didn't seem to have anything better to do the second time I asked her about cleaning up the mess. After all I was willing to do all the work, I just needed her to open the door. On the way up the elevator she mentioned that she had never heard of the fellow who's name appeared on most of these envelopes and magazines. She had also never heard of the "Security Technology Unit", much less knew that they had a Vice President that went with them. "They must all travel a lot" I quipped, knowing that this was the only empty hall in the building. As we rounded the corner to the hallway she added "For sure", with a look on her face that told me she had never been up here before either to see this locked office or the two dozen empty ones beyond it.

Well it would be nice to have this resolved I was thinking as she opened the door and we both gagged at the odor that wafted o

Re:Twilight Zone Script Idea

[PGillingwater]

Damn I wish I hadn't already posted in this thread -- my mod points would be rating this as "Funny -- Damn Funny!"

MSFT Employees perception of security as valuable

I actually had the privilege of interviewing for the position of security architect in the office group. This was shortly after the much ballyhooed "security stand-down" a few years back. During the interview, I interviewed with one of the more senior members of the team who began with...

"Security is a third-party opportunity. It's a red-herring. We're yelling about it now because that's what some exec wanted to do. In a few months this whole security thing will blow over and we'll get back to writing code. So... how are your QA skills?"

MSFT has the reputation for being much like a fraternity. I honestly don't know if this is true or not, but I did notice that Jeff LeBlanc had the office security architect position then shortly afterwards left the company. I also noticed that Howard Schmidt left the company as well. I'm not sure if there are any other security guys left there in Redmond save Brian L., and I must admit I've had some disagreements with him re: "platform" security.

Other than giving all the SDEs a copy of Michael and Dave's "Writing Secure Code," what is MSFT doing to encourage developers to consider security when writing code?

Is there anyone?

Is there anyone at Microsoft who can confidently say they have a good overview of the operating system anymore?

Or has it simply ballooned beyond human comprehension?

J.

misleading

[KGBear]

Over the last 20 years, my experience has been that Microsoft wishes to make computers so easy to use that people without any clue on how to use a computer can do so. As Microsoft continues to put ease of use and automation ahead of security concerns, without any attempt to actually educate users on how to operate a very complex and powerful machine, does any other attempt at security make any sense? I mean, it took you guys several years to realize that having Outlook automatically run scripts upon receiving a message will NEVER work safely. This is just one example of the same attitude. Do you intend to do something about that or are you waiting until you finally defeat Unix so that you can replicate its model?

Anti-malware market - conflict of interest?

[chiagoo]

Mr. Nash,

As I'm sure you're well aware, 99% of today's malware (viruses, worms, spyware, etc.) is targeted at Windows. These threats are able to spread almost exclusively due to underlying security vulnerabilities in the OS. Now that Microsoft is moving into the anti-malware market with such products as the free Microsoft AntiSpyware and subscription-based Windows OneCare, Microsoft is moving into a market dominated by companies who specialize in these security solutions. Isn't it a conflict of interest for Microsoft to charge money to fix problems created by its own security vulnerabilities, and why should users trust these solutions over others to protect them?

Microsoft's Reputation a Hurdle

[AverageWhiteGuy]

A lot of supposed technical developments (bundling IE and MediaPlayer into the OS) were inspired by less-than-pure motivations, so how does MSFT overcome the "trust me" challenges with users who feel burned?

Dumb Question

[Cranky+Weasel]

You advance your opinion, call into question their judgment and integrity,tell them they can't be trusted, and then ask for something to lend credibility to their claims.

You're not asking a question, you're looking for a soapbox. Since you claim them to be untrustworthy, there are no answers they could give that would convince you. So why ask this question in such an inane manner?

Third Party Vendors

[sconeu]

What is Microsoft doing to discourage third-party vendors from requiring that their apps run as Administrator.

For example, certain games or applications will not run as a limited user, and there is absolutely no reason for this. I will even name names:

• Mavis Beacon Teaches Typing
• The Sims
• "Friends" Trivia Game (Time-Warner)

I have but one question...

[Zebra_vim]

I know this has been asked before, but the only answers I've gotten are from people who know nothing about it -
My computer came with Windows XP Home Edition; why was there spyware the first time I ran AdAware on it? That's all I want to know.

Re:I have but one question...

[TeddyR]

Its installed by the OEM that bundled software on the system...

Security Vulnerability Reporting

[Efialtis]

I visit a lot of Security websites (its my job) to learn about the latest security threats to systems under my care. One of the best I have found it Secunia http://secunia.com/

Secunia has a listing of all Computer Operating Systems and their vulnerabilities. It also tracks the severity of those vulnerabilities, and how long it takes to get them fixed.

When comparing the Microsoft Windows family of operating systems to other systems, it appears that, while Microsoft doesn't have the largest number of vulnerabilities, it has the highest severity of vulnerabilities and it takes Microsoft longer to fix the vulnerabilities than it does, say Red Hat Linux, for instance.

My question is:
How accurate is Secunia's perspective on the security, vulnerability, and patch-up process of Microsoft's family of computer operating systems?

AND, if their information is accurate, why does it appear that Windows is more security-challenged than its competitors, like Red Hat, when it comes down to severity of the vulnerability and the time required to patch the vulnerability?

windows auto update

[Joe123456]

will windows auto update get the optional updates?

Why has Windows NT/W2K/XP security model...

[Hymer]

...not been a requirement for approval of software for Windows ?
and will this be a requirement in the future (preferably on XP and a must on Vista) ?
Why can software get a Windows logo without obeying the basic security of the OS ?
I suppose that you are aware that the only reason for people to run as admin are applications (third part, but some MS-apps. has also been seen) that require admin. right without ANY real technical reason (marketing and lazyness are not technical reasons).

MAKE A STATEMENT! ignore him

[doesnothingwell]

Idealic rant mode on: Why bother to ask him anything, just look Microsofts past performance. If legal says its ok, ship it, censor it, or ignore it. Its about the Profit stupid. Only a corporate beheading could fix windows. 1984 was supposed to be a comentary, a warning... not a business model. off:

A hopeless task?

[Art+Tatum]

I feel that Microsoft has actually made a reasonable effort to improve security in the operating system. But a vast number of users are uneducated on running as an unprivileged user. There is such a large installed base accustomed to running with full privileges that worms, trojans, and spyware quickly reach epidemic proportions. When we add to this the large number of uneducated developers and legacy software that don't take unprivileged users into account, it seems hopeless to fix the large-scale security problems, no matter how theoretically sound the architecture becomes.

Even some of Microsoft's products don't fully understand the issues of user separation. Visual C# 2005 Express is free to download and use but requires a registration to work past the first 30 days. OK, fine. I used "Run As" to install the application and enter the registration code. It started up, and everything was as expected. I closed it and started it as my regular unprivileged user and was asked for the registration code again, which now didn't work because it had already been sent to Microsoft. Winamp and Trillian also seem to store preferences in a place that isn't writable by unprivileged users.

Now, these things aren't the end of the world, but they do demonstrate that the mindset of developers isn't as well-trained on this issue as in the UNIX world, where user separation goes far back into the past. Is there any hope for educating enough developers and users to really negate the effect of malicious software on the network at large? Can Microsoft overcome what seems to be a serious case of not-invented-here syndrome and simply copy the most useful ideas from UNIX as directly as possible?

Progress towards foundationally secure OS?

[Theovon]

It is theoretically possible to write a secure program in C or C++. With a perfect programmer, all necessary sorts of bounds checking, etc. would be implemented in, and the program would work perfectly. But there is no such thing as a perfect programmer. As long as the language lets you make certain kinds of mistakes, then those mistakes will inevitably be made. Some idealists thing that you should eventually be able to find all such bugs. But there are those who suggest that the process is never-ending because bugs are added faster than they can be found.

Some people love to talk about how Linux is so much more secure than Windows. Part of that is hype. But part of that is due to the fact that much of Linux and surrounding userspace stuff was written more recently. Windows has a longer history and therefore has more legacy code. Although many types of exploits were understood by academics at the time Windows 3.1 and NT 3.1 were written, such concepts were not at the forefront of the minds of most professional programmers. More of Linux was written AFTER people became generally aware of this issue. My point is that, being written mostly in C, GNU/Linux is not any more fundamentally immune to security problems than Windows. Forget counting flaws. The fact that it's even POSSIBLE to implement a security flaw is a horribly shameful defect that both systems share.

Microsoft Research has developed this really neat thing called Singularity. Security is built in at every level. You can't corrupt another program's process space, because every executable and library gets its own isolated process. There's no shared memory. And on top of that, C#, with all of its implicit run-time checking is the language that you're required to use. Even if a security flaw were discovered, many of them could be fixed by modifying the C# runtime, thereby fixing the entire OS in one shot. Ok, so I don't remember everything exactly right, but the point is that this is a MAJOR step in the right direction. Singularity eliminates many security problems simply by making the impossible to implement in the first place.

This is not a jab: As with any reasonable company out to make a profit, Microsoft does not go out of its way to unnecessarily spend money. Reimplementing Windows from the ground up would be incredibly expensive. (Not to mention the emulation necessary for backward compatibility for applications.) But of all companies, Microsoft is the closest to being able to afford such a task. And with so many people, organizations, and countries dependent on the correct functioning of Windows, you have a responsibility to do the right thing. This would require a complete redesign of the OS, but seeing how often your own architects have complained about the dependencies in Windows not being a directed acyclic graph, I can only imagine that a new OS, based on a framework that enforces security, would be a lot easier to develop than trying to fix the monster you have right now.

My question is this: Is Microsoft ever going to work towards making a truly secure system, or are you going to continue the never-ending cycle of patching up your existing code base? Trying to fix bugs one at a time is a fundamentally flawed approach. So, does Microsoft have any intention of ever doing it the RIGHT way?

What kind of forces do you have to fight?

[LordWill]

the real point - Do you have the power you need to make changes to Microsoft products which increase Security? Can you overrule a sales executive's claim that Windows should ship with insecure default settings because 7,575,000 customers want it so? Can you assert to other departments that a change that costs million of dollars, but increases security is worth the money?

I bet these questions have been already asked...

[AnXa]

1. How much windows security has improved since WindowsXP SP2? 2. What have you done to prevent the most common security problem: Buffer-under-run exploits? 3. We all know that there ain't uncrackable/uncrackable operating system. How long do you think Vista will survive after it's shipping before it needs some major security fix? :) here is my questions. I think that this is good thing that we are able to ask things. :D Only thing that I'd like to ask non-security related questions too. :/

Security techniques

[Bob+Zer+Fish]

What new security techniques have you applied to your coding practices to try and remove the likelihood of security flaws? What do you feel that you do differently to others in the market, and do you feel that you can learn from someone else? Are there automatic programs/techniques (that you would recommend) and that we (i.e the rest of the industry) can use in our coding ?

Since when is MS a root CA? Why not sign exe's?

[kindageeky]

In downloading patches and software from various MS sites (support, MSDN, etc), I frequently have to ignore the warnings that an SSL certificate digital signature is not signed by a Certificate Authority, but instead is signed by Microsoft. Given the fact that it is not unprecidented for a Microsoft site to become compromised (even temporarily), isn't this practice putting loyal customers at risk? Also, it is the absolute exception that MS provides an MD5 or other hask to be verified via FCIV.exe or other utility to protect at least "power users" from running a trojaned binary. Why isn't there a comprehensive policy for in place for displaying validation hashes? With a little automation, it would seem the cost to fully adopt this practice would be pretty low for MS.

I'm speechless - by force

[Hosiah]

You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions,

So in other words, we can ask anything we want to as long as it doesn't cast Microsoft in a negative light. We'll be carefully scripting the questions through the filter of loyal Microsoft fanboys who'll just happen to have a pocketfull of mod points today. And then only 12 questions exactly, and we're reminded to give special considerations to somebody facing the world point-blank the way the rest of us do all the time instead of hiding behind a six-figure spin-doctor.

Thanks, but that answers every question I ever had about Microsoft. And mod-downs will trigger automatic reposts.

Re:I'm speechless - by force

you are trolling or blindingly stupid

Quelques questions

[solkanar]

I'm a 23 years old french student in an engineering school. I had no time to read -all- questions, so I apologize if they were asked already. In my school, there is an everlasting fight between unix users and windows user (students, teachers, professors... ) and I don't think I could get new answers to my old questions from Mike Nash (and many slashdotters would express it better than me), so I'll try to put it another way: "What question will you not answer ?" "OpenSource users are often asked "why use Open Source ?", so I would like to know "why use Microsoft ?" " "What do you think of people who belive education is better for security than fences ?"

Security implications of SP3's delay?

How is Vista going to be more secure than XP-SP2 when it comes out? Is SP3 going to bring XP up to Vista's level security-wise when it comes out in 2007?

Vision

[tyler_larson]

As the head of the Security Technology Unit, you no doubt have some vision of exactly how Microsoft products should behave. And since security and convenience are nearly always mutually exclusive, this hope and vision must, most likely, be "watered down" with compromises for the consumption of the rest of the company.

So the question is threefold:

• What is your pie-in-the-sky vision for how Microsoft product security would be achieved?
• What do you wish you could have that has to be sacrificed to gain or retain usability?
• What do you feel are the internal barriers (e.g. company culture, development methodology, and the like) that you must overcome in order to achieve your vision?

Backwards compatibility vs Security

[dcam]

Microsoft has always prided itself on providing very good backwards compatability in their software, even ensuring that applications continue to run even when they depend on specific Microsoft implementations (http://www.joelonsoftware.com/printerFriendly/art icles/APIWar.html>eg, see item under Two Forces at Microsoft). On the other hand Microsoft has been making security a high priority for the last 5 years, with some significant progresss. However these two aims come into conflict on occasion, for example the release of XPSP2 breaking some applications. How do you approach this problem and how do you plan to solve it?

Good Spy Bad Spy... How do You Know?

[offal]

Given the recent Sony debacle regarding DRM software opening up garage doors that were used to hide malware/spyware/etc, how can you realisticly know which is which within the OS? How can you accomodate "good" spys without opening yourself up to "bad" ones? Isn't it best to default to no spy until proven otherwise? Also, how about a boot disk a la Knoppix that one could use to identify and remove zombies/bots/etc easily without the need to reinstall?

Why Does Microsoft Break Standards.

Why Does Microsoft Break Standards without checking its effects?
This is not new the file sharing protocal of Windows it got from Sun. The wrap up for the samba reverse was that alot of the extentions where not well thought threw and had flaws. This has happened time and again since the first time if things have not change it will happend again.

Why is Microsoft affraid to completely publish all the interface information so that third partys can make sure they have not stuffed up?

Unix's, Mac OS, Linux and FreeBSD have complete standard documentation for all network protocals why should Microsoft be a execption?

If he asks where this is important to security responce with auditing tools and layer 7 firewalls. A audit tool knows what functions it should press for flaws in setup.

Question:Mr. Nash...

[mtec]

What kind of Mac do you have at home?

Secure Fonts

Having announced that a new font is classed as one of Microsofts "top five priorities", how does this make you feel?

Hardly Painless

[NMZNMZNMZ]

I'm a Windows XP user myself, and I completely agree with the Great-Grandparent. The activation nonsense is completely unnecessary and is only "painless" to those who don't like to tinker with or upgrade their systems. A few months ago, I upgraded my CPU and graphics card. After booting, Windows asked me to activate. While it's a simple, one-step process on a fresh install, it ended up being a half-hour's waste of time. Long story short: Windows refused to activate over the internet and I had to call up Microsoft's support center using the number provided. After some time of waiting, I finally was connected with a person. Needless to say, they didn't speak a word of english beyond repeating and interpreting numbers.

This has happened a few times since then when I do various system modifications, upgrades, reformat/reinstalls, etc. The calls are usually pretty quick (15 minutes) now that I've gotten used to dealing with them. But it's far from what I'd call "painless."

Pluggable Authentication Modules?

[ghbpiper]

Has anyone at microsoft ever considered using somthing along the lines of PAM (Pluggable Authentication Modules)? It would go a long way towards allowing windows to "play nice with others", as well as allow third parties to innovate new methods of authentication. Hopefully without the usual onerous licensing requirements. Perhaps something along the lines of PGINA? http://pgina.xpasystems.com/

Criminal Responsibility

[McFadden]

How does it make you feel, that because of the flaws in your OS, honest, hardworking individuals with legitimate businesses are now (through DDoS attacks) becoming the innocent victims of organized crime. Will you and your entire management team resign if the same mistakes are repeated in Vista?

The Big Question

Why, all the way back when Windows (or was it MS-DOS back then) was first networked, why was it not designed to be resilient to attacks from the outside? If MS had fixed this waaaay back with Windows 95 when the Interweb/nat/nets hit, then Windows would be a much better choice for servers. (far fetched, isn't it slashdot?)

Or, a simpler question that has been bugging me for quite some time, why in the world does Windows need to reboot every time you install a patch. That's like... prehistoric. I can update every single stinking thing on my Linuxboxen except the kernel and I wouldn't have to reboot. (Granted, I would have to restart some programs, but if you're running a critical server, i.e. a mail server, then downtime for rebooting goes into the question.

Or heck, can I even ask why Steve wants to bury everyone?

Trusted Computing (again)

[Vardyr]

There are many rumors flying around about "trusted computing," ranging from it merely being an encryption system, to intrusive DRM to please the media outlets, to Microsoft not allowing "unsigned code" to run on Windows. Can you clarify the purpose and abilities of the system and why it is good for the security, rights, wants and needs of general consumers?

Solution to Security and Backwards Compatibility

[Jonathan_Jeffus]

On the same note:

Mr. Nash,

Microsoft seems to be uniquely capable of solving the security problems with their older product line and maintaining backwards compatibility. Why not simply run older programs under a virtualiztion technology and completely change the foundation of Vista? Microsoft owns the I.P. involved with the OS and already owns Virtual PC. This would allow older products to perform without changes.

Individual users would run as non-administrators and a few other core changes could be put in place. If a developer wanted to release a product that ran directly on Vista the libraries would be similar so all he needed to do is re-compile and link and ensure his product worked with the new security settings.

On the other hand, older Windows programs could install transparently into a virtual "instance" owned by the current user and she'd never know any difference. Backwards compatibility would be ensured by the fact that they were in fact running under a "Virtual Instance" of Windows XP. It might even be possible to get some money out of businesses holding out with DOS/Win 3.x/Win95 etc. by offering "plugins" for virtualization with this technology.

Why doesn't microsoft do something like this?

Jonathan Jeffus

Re:Will create a completely customizable server OS

[ConceptJunkie]

You might as well ask them to rewrite Windows from the ground up. There's no de-coupling in any of the components of Windows and there never will be. You might as well as "Why don't you just fix all the problems in Windows?" Vista will certainly have some improvements, but the fact remains that it will still be burdened with 20 years of compromises for performance, bad design decisions, laziness and incompetence.

Deleting old program installs and the registry

[evanism]

Hi,

My biggest bugbear is simply keeping a system clean. When will Microsoft have the ability to completely clean/eradicate old software when my users ask for its deletion. Remove Programs is exactly that... it is not Remove Programs But Leave Folders Files and 600 Other Piles Of Cruft Lying Around To Clag Everything Up.

It is agitating having to blow peoples disks away every year or two just to get the registry/windows system/task manager/program files/My Documents, etc to a pared-back size.

Surely MS must be able to recognise every file and entry added as part of an install and subsequently remove it....

Re:Deleting old program installs and the registry

"Surely MS must be able to recognise every file and entry added as part of an install and subsequently remove it...."

You've just described the 3rd-party developer's job. The uninstaller only removes what the developers tell it to. There are other programs that can track the changes made by comparing before/after install. (Total Uninstaller basic is free)

DRM vs. Security in Vista

[c4ffeine]

It is my understanding that Vista will have extensive digital rights management (DRM) capabilities, the primary purpose of which is to prevent users from manipulating files in unwanted means, i.e. copying a movie. I am concerned that these capabilities could be exploited by viruses, worms, spyware, rootkits, and the like. Clearly, all such software would greatly benefit from the capability to restrict user capabilities; it could become nearly impossible to remove. How do you plan to have effective DRM tools without giving writers of malicious software such an advantage?

Culture change in Microsoft's approach to security

[J.J.]

Fact: The computer will always be compromised -- ref the Dancing Bunnies theorem.

Fact: Networks are chaotic places. In a network of any size (read: corporate) there will always exist vulnerabilities.

Result: The network, as a whole, will always be insecure.

Microsoft's traditional approach to security is very "box" focused: secure the OS. But the network is a collection of operating systems, and the dynamics of securing the network are very different from an individual system. Active Directory, and the ability to reliably apply consistent policies across a domain is the biggest step towards this goal to come out of Redmond, but that's as much a system administration feature as a security feature. There are gaping holes in the technologies available today to secure networks.

The corporate answer I'd expect is something along the lines of providing "opportunities for third-party software vendors" -- but I really think that's a cop out. Your customers lay the blame squarely at the feet of Microsoft. After all, Microsoft provides all the technology necessary to build a corporate network, but not the technologies necessary to secure it.

What is Microsoft's roadmap for providing security technologies that secure the network?

Thanks!
J.J.

Prying apart the system

[solune]

Many security experts agree: a diverse software structure is inherently more secure than a monolithic one. A system wherein the end user can determine his machine's makeup (browser, music playback, movie playback, etc) makes it much harder for would-be attackers to break in.

Does Microsoft ever plan to help the user separate programs--the browser, mediaplayer, etc--from the OS to improve security?

On a related point, taking into account the sucess of Firefox and other browsers, will microsoft ever at least separate their browser from the OS to improve stability, or will this major hole remain? It seems to me if Microsoft wanted to prove the superiority of their product they would do this to let the marketplace prove it for them.

Temporarily running as another user

[Trinition]

Performing all activities as an unpriviliged user, with some method of securely and briefly authenticating to higher permissions when required

Services, scheduled tasks and mapped drives have long been able to been run as another user. Windows XP also has some newers tricks. It has the 'runas' command line tool (yeah, Windows has a command line!). Also, when I go to a shortcut, there is an 'Advanced' button where I can specify to have the program run as another user. In fact, a recent policy change at work took away my ability to use that last feature, and it ticks me off!

Widows running programs IBM code

[luke69]

I remember reading a long time ago that IBM gave Microsoft code for Windows that made it act like programs on a Mainframe that if it didn't know a program the program would not run. Does Microsoft intend to use this code someday?

When will native userland .exe/.dll be forbidden?

[BeforeCoffee]

Microsoft has proven that the native userland .exe and .dll cannot be trusted. Security patch after security patch, month after month, Microsoft has shown that with a codebase as large as Windows/Shell/IE/Office, it is impossible to police all of the exploits. When will Microsoft finally drink the .Net kool-aid and start *requiring* all non-driver/non-kernel modules to run as CLR/.Net including their own?

I argue that:

• Security and stability bulletproofing the .Net runtime to the point of +99.999% is doable (as proof, arguably Sun's JVM is an example of a bulletproofed VM of comparable size to .Net's whose only remaining exploits would be found in 3rd party native .dll's.)
  • You'll need to get that stinker 'unsafe' keyword out of C# - hopefully no big loss there...
• JVM Hotspot and .Net runtime precompiling can produce reasonably fast execution.
  • Microsoft seems to be WAY too focused on micro-optimizations anyhow, please chill your techs out on achieving breakneck vertical scaling 1337-ness and give me some REASONABLE EXPECTATION OF STABILITY! On this point, a wider cultural and server technology embrace in Microsoft of horizontal scaling would be nice.
  • JRockit-style garbage collection technologies can reduce or negate any interruption to runtime from gc's.
• A single, system-wide VM that eats all available non-kernel memory, handles, and CPU is best for understanding and working hand-in-hand with the kernel
  • This is how I wished the JavaVM would work since it's such a hog, running two java.exe's kills me!
• Your users will forgive a one-time break with backwards compatibility (or being forced to have those crufty old native apps run fully virtual and sandboxed. (Sandbox written in .Net to keep you honest, big bonus points!))
• It won't matter what the conspiricy theorists say about Microsoft's ulterior motives for banning native userland code because if Microsoft does not do this, the competitors will and MSFT will be eaten alive by a better written OS/VM combo. Just let user .exe's running in .Net have the freedom they expect, and no one will fault you when the transition is over. Don't play catch up on this one, lead!
• You can remove many of your ever-increasing, annoying, and ignored modal dialog box security warnings from IE and the Shell - the .Net VM will just do the right thing and keep the user safe since that's how it was designed from the ground up. (Right?)

... And if you cheat ... If you give those goofball Office developers a backdoor to run native code when 3rd parties can't ... well, it won't be pretty! And like I said, Microsoft can finally chill out on the breakneck hand-assembly language-tuned speed thing; users want stability going forward and they'll buy bigger processors to keep things running smoothly just like they always have.

I know you can't do this for Vista, but you could do it for the next. Announce now and make this the real direction that the company is committed to. There's no shame in it, it's a positive step, and I know Mr. Softie has enough mojo left to make it happen.

Sincerely,
Dave

Re:Why add DRM? Also, why not decouple IE?

[heatdeath]

It may come in handy for corporations wanting to control their documents, but I can't see how regular users would knowingly want a product that restricts their access to their documents or files.

Because users want media. Companies that produce media are unwilling to distribute it in a DRMless world.

Also, regular users care if something can be done *easily*, not if it's possible to be done if I download this converter source code, and compile it, and then....yadda yadda yadda.

Security View Interface

[GaryOlson]

All security settings and interfaces are a right-click & multiple tab/button click deep. The command line security structure (sdset & sdshow) are obtuse beyond understanding. This makes security administration difficult, time consuming, and expensive. When will Microsoft create a security and permissions interface which is detailed, graphical, configurable with XML templates, and capable of being set as the default view both per individual user/system and enforced thru Group Policy?

Prevention of SSDT hooking: anti-competative?

64bit XP and Vista include PatchGuard, a kernel level component that prevents 3rd party applications from hooking the SSDT. While this functionality may prevent rootkit installation (though PatchGuard in the current CTP has already been broken), it also prevents most 3rd party security applications such as Norton Security Suite, McAfee, etc, from working. In light of the fact that all drivers will be required to be signed by Microsoft in 64bit Vista and forward, do you not think that prevention of SSDT hooking amounts to an anti-competative practice?

Security? What about trust?

[bzipitidoo]

Vista is going to be more secure than ever, so I hear. Great, but what does that mean? Secure users from virii, spam, spyware? Patronizingly protect users from themselves by keeping them in the dark and doing silly things like having a Registry and that Windows File Protection? (One prob with an idea like the Registry is now you have to have a whole suite of special purpose tools and system calls to use the Registry. Far better to have had plain old text configuration files, like the old .ini stuff, and protect those files as in /etc in Unix.) How do you intend to demonstrate that your security really works, and isn't just for show? Or is the meaning of security going to be warped to mean protecting Microsoft and content providers from piracy and reverse engineering, that is, even more stringent MS Genuine Advantage and DRM stuff? Not going to put any programs in there that appear to be something useful or even essential but which actually check the licenses of software and rat users out if there's a prob, are you? You guys have been trying to slip rat code in since Windows 3. Or even, are you going to help national security by putting in backdoors for the FBI? How can we know you won't try anything like that? Another scary thing is this Wallet idea where users can store all their usernames and passwords remotely on a server controlled by Microsoft. You can't trust content providers-- Sony BMG's rootkit, which used Windows Autorun to install, made that very clear. You chose HD-DVD over Blu-Ray, because Blu-Ray DRM is more onerous. Nice gesture, but we don't want any DRM at all.

Microsoft != Trent. I trust neither Microsoft's competence or intentions.

Why are all new files given execute access?

[Nailer]

ACLs on user Profiles and Settings directory mean that all new files saved to disk by a user have the execute permission turned on.

This makes it relatively easy to ask a user to look at a file they think is a document and run a program instead (displaying file.png.exe as file.png, and letting the file pick its own icon doesn't help either).

This should not be necessary. In the event new software needs to be installed, the user can simply click on a readable .msi file, be asked for their admin password, and (if the apps signature checks out) install their app.

Like Linux, or MacOS do.

So the question:
Will execute for all new files be on by default in Vista? If not, why?

I've actually already asked this question to Microsoft 3 years ago, on an area of microsoft.com that allows users to submit the ideas for WIndows 2003 server. I got a response too - the Microsoft engineer (I can get his name from my laptop if necessary) responded that 'the current situation is not ideal and may contribute to data loss' from security issues.

I'm asking the question again closer to the release date of Vista because I'm interested to see whether things will have improved in that three years.

What can still be learned?

[Lonesome]

Given all the recent advances at Microsoft, what do you think the Unix market learn from Windows?

What do you you think are the things that Microsoft/Windows still needs to learn from the Unix market?

Re:Will create a completely customizable server OS

[typical]

I remember a Slashdot article about an incident CMU when a Windows-based Diebold ATM kiosk crashed, leaving the desktop available, and students started music playing on the kiosk using some media player on the system. That system was *definitely* not locked down.

All kinds of stuff

[typical]

Window's Defender add's another layer by catching events such as driver installation, service addition, homepage changes, etc, etc, and additionally prompts the user to allow or deny the action.

This sort of thing only helps if the user is (a) technically knowledgeable enough to understand and answer questions and (b) willing to click on lots of dialogs.

Some of these things should never have been allowed in the first place.

For example, home page modification. I can't think of any legitimate reason for an application other than IE to be setting IE's homepage, other than *maybe* the network administrator setting it for the first time. Why can this even be modified at all by other applications? It's wildly abused, clearly is an interesting thing for malware companies to modify, and provides little benefit.

I think that a good chunk of security problems at Microsoft come from either unwillingness of people to say "this feature is insecure, so it's going to be dropped" (or maybe the security people *did* say something like this and got overruled, I'm not sure).

Look, if I go out to, say, the apache developers and submit a patch to add a feature, the first thing that they're going to care about is whether or not it opens a security hole. It's not that they have a checklist that says "check for security holes", it's just what any open source project is going to do. There are no customers saying "we want feature X" (where feature X introduces problems).

Occasionally, I watch people browse the web with IE, and I wonder just why various things are allowed (and some of these, sadly enough, Firefox does as well). The very first thing I think of when I see a feature in a web browser is "How can this be exploited, and if it can be, why was it allowed in?" Why can websites change the mouse cursor, position, depth, and size of windows, and appearance of scroll bars? There is very little trusted information on the screen, and these are three sources of information that can no longer be trusted under IE. Why throw it away without a really good reason? What significant benefit that cannot be otherwise provided do these features provide?

Basically, nobody seems to have gotten to veto these features. I imagine that somewhere, a customer must have asked for these, so they went in.

I can understand that if you're trying to run a company, you know that a new feature is probably a lot more compelling than the lack of a feature (which avoids some currently-theoretical attack) to a customer. But there is also clearly long-term reputation value involved with simply saying "No, this has security implications, so it's not going in".

Going waaay back up to the top of my post, I want to address the other problem, the "lots of dialogs" issue.

Microsoft has a problem with confirmation dialogs. A large number of common operations cause confirmation dialogs to appear. This is very much not good. If a user has to click "OK" constantly to get his work done, he becomes very used to constantly clicking "OK" on any dialogs that come up -- after all it is unlikely that any given dialog has any useful information. It feels like some developer wrote a piece of software, and a UI guy said "Nope, can't do that -- the user might inadvertently break something." So instead of making it harder to accidently invoke the command in the first place or making it harder for the situation to arise, a common solution seems to be throwing a confirmation dialog up on the screen.

Take deletion of files in Windows Explorer. There was a UI mistake made by Microsoft -- they introduced a single-key combination that is highly destructive -- DEL deletes all selected files. Some UI guy presumably said "You can't do that, guys", and the developers took that ever-so-easy way out -- to slap a confirmation dialog on the screen. They could have made "Control-DEL" delete files, or done something else to make it harder to accidentally invoke the combination, but instead they made the action

Half life?

[aug24]

Starting with a product that was not designed to be secure, moving towards the ultimate secure product, I would expect the security flaw find rate to follow a half life rule. In other words, in (say) five years half of the exploitable bugs would be found, in another five, half of the remaining and so on.

Do you agree, and what is the half life of the Microsoft Windows vulnerability count?

(I would ask "...compared to other systems", but I assume you don't study other systems in the same way)

Justin.

MSN Search Database vs The Feds

[daveaitel]

Mercury News is reporting that the Bush administration is asking search engines for portions on their databases. Google is apparantly going to trial to avoid handing their database over. Did MSN Search comply with the Federal order?

Why no AES in SSL when it's already in the Crypto?

[jonathan_lampe]

I also know that AES is implemented by the "Microsoft Enhanced RSA and AES Cryptographic Provider" on Windows XP and "Microsoft Enhanced RSA and AES Cryptographic Provider" on Windows 2003. Windows NT and 2000 appear not to support this cipher.

So...I guess my more specific question would be "why didn't Microsoft put AES support into SSL at the same time they put AES support into the underlying crypto packages?"

Zombie networks

[DrProton]

Zombie networks of windows machines are a huge problem, often being used to DOS and blackmail prominent websites. What steps are being taken by Microsoft to prevent windows machines from becoming zombies?

Malware and the Add in Add/Remove Programs

[databyte]

I'm concerned about downloading applications from the Internet but most people are not. I have friends and family that have the "dancing bunny" syndrome. They'll do whatever it takes to see a dancing bunny. You can add as many warnings, drop-downs, and checkboxes as you can - but they WILL see that dancing bunny. How do you protect users from themselves and all of the malware out there? I'm aware of malware today, how do I know it's safe for my computer to install that application? (Anti-Virus and Anti-Spyware only help during the infection, not in advance of it).

Take it another way, the Package Manager in Ubuntu (or any linux based OS) allows you to add functionality and applications to your computer in a "safe" manner. If I add Firefox via my Package Manager, the distro is controlling the manner in which applications are added into the system in a "safe" and controlled process. Why does the Add in Add/Remove Programs do nothing? Wouldn't it be great if we could have a list of clean and safe applications available online via the Add Programs applet? I should be able to add any single application from the Google Pack, without the Google Pack. Why can't I?

Thoughts?

Re: Ask Microsoft's Security VP

[SessionExpired]

Is it safe?

Best Method for StopSave on Workstation-W2K Server

[sard0nicpan]

Hello, Trying to figure out what forum to post this to was the most difficult part. I work for an office that had a forced relocation to another state (about 90% relocated, 10% were allowed to stay at the previous city--you know, the chocalate one). Our IT department was tasked with finding a way to make workstations in our old office (Which run either W2k or xp) unable to save anything anywhere to the local PC or local servers that remain. No one tells us why--I suspect there's a tax issue involved. State2 is where things can be saved, State1 rdp's to state2. In short order I found MS GPMC as a promising tool, however I'm no security expert-I'm a progammer. I need to pick your brains (brains...mmmmmm lol). What is your preferred method of achieving this? This seems silly to many (it does to us), however we are stuck with this inane directive and have to make it work. We already have WYSE terminals and we could dole these out to state1 users, but somehow this is not the preferred solution--go figure? So what is your preferred method of emasculating your PC's--don't blame me I'm just following orders.

The Windows Tree

[scotch51]

I've always been dismayed at the way the C:\Windows\ tree bloats by 200% - 300% - 500% and more over time.

• One lightly loaded system I support is as clean as I can keep it, but \Windows\.. has 10,000+ files, 1,800+ directories and 2,000,000+ bytes! No human I know can manage that level of complexity directly.

I've always been dismayed at the way uninstalling via \Control_Panel\Add_Remove Programs\ not only leave files behind in the \Windows\ tree but also in the C:\Program Files\ tree.

• Beyond being ugly-messy, it intuitively seems like a security nightmare to me.

Q: Isn't it time Windows stopped this madness not just by locking the \Windows\ tree away from applications by also by including an OS level uninstall function?

Security taken from *nix ?

[permittivity]

I apologize if the following questions have been posted. I tried to look/search thru all the postings but didn't find the following:

Which, if any, GPL *nix code has been reviewed or incorporated into the Microsoft operating system as part of a security measure?

Has any part of IPtables been incorporated as part of a security measure?

Do you feel as though Microsoft or a *nix (Mandrake, Ubuntu, SUSE, etc.) may be a more secure operating system for the non-technical baby boomers, i.e. my parents?

security vs. SaaS

[globaljustin]

Mr. Nash,

I am not as tech. knowledgeable as most /.'ers, but it seems to me that Microsoft has been using its security features as a gateway for consumers leading them to the land of fee-based, subscription SaaS (Software as a Service)...much like a casino advertises a free dinner buffet to attract patrons, but purposefully makes the building difficult to exit, so people will stay longer.

Do you agree that fee-based SaaS would be highly profitable for a company like Microsoft? Why/why not? If yes, then why doesn't Microsoft use its security features to bring in customers? If a company did what I described, would it be unethical?

_justin

Security Glitches, Windows Mobile

[ashudesai]

All the Windows Operating systems that have hit the market are riddled with security holes. It may sound rude but it seems like the security preventive measures/processes are just not good enough. Or you guys are just interested in getting the OS off the assembly line and out before finishing with all the "security testing".

- Apart from Vista security, my question is about the efficiency of your Live project that will scan a user's PC online. Your Anti Spyware was not good enough. Whats the guarantee of an online scan going screwy - another Blue Screen...with a glassy effect???

- What is your take on security with regard to the Windows Mobile Platform? Are there any efforts in providing some form of safety to future handheld 'vulnerability" - without turning the OS into bloatware.

Security

[egbegb]

The Microsoft .NET managed execution environment offers the best security according to Microsoft. Also, .NET CLR executes as fast as native C/C++. Therefore, why haven't Internet Explorer, Windows Media Player and a Office been ported to .NET? Wouldn't that have avoided many of the emergency hotfixes experienced in the last 3 years?

It's worse than that

[Spinlock_1977]

Various kernel experts beat me up here a few weaks ago when I complained that Vista will have the NT Kernel at its core. There's new features and some other improvements, but it's the NT Kernel. So the SAME ROOTKITS that give us today's botnets, DOS attacks, spam, etc. will require little, if any, tweaking to do their stealthy evil deads on Vista.

Homogeneity of the planet's operating systems fabric is the life-blood of viruses and rootkits. By releasing Vista with the NT kernel, Microsoft has blown a huge opportunity to isolate Vista from existing rootkits. Security has clearly taken a back seat to some other motivation, and I would venture to guess it is somehow, however distant and unlikley, related to Microsoft's bottom line, rather than that of its customers'.

Re:Will Compatibility ever be rejected for Securit

[v1]

speaking of backward compatibility... I have a program here called "Neko". It's not an application - it's something called a desk accessory. This is from back in the days of Mac OS 6'ish, where you could not have two programs running at the same time. (Finder quit when you launched an app, and then it relaunched when you quit the app!) Desk accessories like Calculator were the exception and could run while another app was running.

I am still amazed that this program, written in 1994, almost twelve years ago, still runs fine on my new mac.

Backward compatibility and security need not be mutually exclusive.