Slashdot Mirror
MS Security VP Mike Nash Replies
You posted a lot of great questions for Mike Nash last week, and he put a lot of time into answering them. As promised, his answers were not laundered by PR people, which is all too common with "executive" interviews with people from any company. Still, he boosts Microsoft, as you'd expect, since he's a VP there. And obviously, going along with that, he says he likes Microsoft products better than he likes competing ones. But this is still a great look into the way Microsoft views security problems with their products, and what the company is trying to do about them.
(1)
What has changed?
by suso
Besides the same old PR scripted answers that corporations like to give in order to obscure or downplay what is really going on. What assurance can you give us that Microsoft is more focused on security and that Vista is going to be any different from the previous incarnations of Windows? What proof can you give us? Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" are helpful pieces of information to answer this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?
Nash: We have been thinking about security at Microsoft for some time. I would say it started back when we decided to do Windows NT back in the early 90s. There has been a big change in the way we approach security from a quality point of view that started in much more depth when Bill wrote the Trustworthy Computing Memo back in 2002.
What happened then was that we decided we were going to get much more focused on security since it was such a huge issue for customers. Remember, we were right on the heels of Code Red and Nimda and we had to do something. For the .NET Framework 1.0, Visual Studio 2002, ASP .NET and for Windows Server 2003, it started with a security push where we took the teams offline relatively late in the product cycle, taught the teams what it meant to write secure code, had them do threat models and code reviews, etc.
What is interesting is how much of this had to do with educating our engineers on what it means to write secure code and changing the culture. I will give you examples of both.
Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could over run a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated.
Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization.
A key thing that came out of our experience with Blaster in 2003 was something called the Security Development Lifecycle (SDL). Really the SDL is the formalization of work we were doing previously. Remember Blaster exploited a vulnerability in Windows Server 2003 -- a product that had been through a security push (it also affected Windows XP). When we did the post mortem on how the vulnerability happened, what we realized was that while there were huge improvements in the quality of our code between Windows 2000 and Windows Server 2003, there was still more work to do. In particular, we needed to have: 1) a documented, repeatable process, 2) internal education so that everyone involved in the product release process knew what to do, and 3) a checkpoint in the release process to make sure that this process was followed.
The key things about the SDL is that we basically have to update it every six months because the threat landscape changes, the scenarios we support grow and we learn more.
For Windows Vista, the key things that will make it great are a combination of the most rigorous execution of the SDL to date -- more training, newer tools, threat modeling, more comprehensive review of file parsers, review of code to identify and remove use of banned (risky) APIs and a whole lot of penetration testing.
As a part of this, a lot of work is also being done to change the default configuration to make it safer and more secure. We have done a lot of work to make the system work well for standard users (so that not everyone has to be an admin), but for users who still need or want to be logged on as an admin on their system we make it clear to them when they are about to do something that requires administrator privilege. The user can configure their system to either ask them if they want to escalate, or ask for a password when the system tries to elevate them. We have also gone through all of the system services in Vista to see which ones have admin privilege, verify which ones really need it, and for the ones that don't, remove it.
For Windows Vista we enhanced the engineering process with some new checkpoints in the engineering cycle. One such checkpoint requires that every team developing a system service in Vista go through the process of using a new Vista least-privilege operational model. A team of internal experts had to sign-off on the plan for each service, and in a significant number of cases, teams avoided creating a service altogether when an alternate approach was possible.
While quality is an important approach to improving security and safety, it's just one part of it. There are also some key features we have added to Windows Vista to make it safer and more secure. For example, we have taken the anti-spyware technology that we acquired from GIANT Company Software, improved it and integrated it into the operating system in something called Windows Defender. While the anti-malware technology will also be available to users who have licensed copies of Windows 2000 and Windows XP, for Vista the integration is pretty slick, which makes it much easier for customers to be protected. For Vista, we also improved the firewall built into the operating system. It's bi-directional and is designed to work well with IPSec.
Given the changing landscape on the Internet, and the continued focus on the Windows platform, sadly I know there will be vulnerabilities and exploits that target Windows Vista. Invariably, as we make it much harder for people to find and exploit vulnerabilities in Windows Vista, I am certain of two things: 1) the number and severity of both vulnerabilities and exploits on Windows Vista will be reduced, making the switch to Vista compelling if ONLY for security reasons, and 2) we will continue to focus on security even after we ship Windows Vista so that the work that comes after Vista will be even better.
(2)
Security/user friendly tradeoff
by qwijibo
Is there a general policy within Microsoft to help product teams make consistent security decisions? There are frequently issues where the decision has to be made between being more secure or more user friendly.
For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.
Nash: This is an old issue that we have made quite a bit of progress on. At Microsoft we had a long history of turning things on by default in the spirit of making user's lives easier and showing off our key features. I have to admit, that in my past I have actually been part of the problem. As the director of product management back in 1995, I was part of the team that drove the decision to turn our web server, Internet Information Server (IIS), on by default in Windows NT Server 4.0.
What the events of the last 5-10 years have taught us (or at least taught me) is that the more you have turned on, the more attack surface area the system has and therefore the more vulnerable it is. If you assume near perfect quality or that there is no one out there trying to attack you, it might even be an ok decision. But since you can't, we need to be more selective about what things we turn on by default.
Consider the case of Code Red. That worm attacked a vulnerability in the ISAPI filter of the index server of IIS. Let's assume for a minute that you don't know or care what the ISAPI filter of the Index Server of IIS is. Even in that case it turns out that if you turned off the Index Server in Windows Server 2000 SP3, that ISAPI filter was still installed. So while you might have thought that shutting down the index service makes you less vulnerable, it turned out that you were not.
So coming out of the whole Code Red experience, we created the Trustworthy Computing Initiative (TwC). One of the key principles of TwC that drives the Security Development Lifecycle is the principle of Secure by Design, Secure by Default and Secure in Deployment (or what we call SD3).
The principle of Secure by Default says that unless most users are using a feature, it should be turned off by default. What we have also learned along the way (and my Code Red example shows this) is that you can't just look at the user visible features, but also need to look at the underlying services. So if the customer feature is off by default (or turned off by the user) then the underlying components that support them should also be turned off when the high level feature isn't using the service.
But you make a great point about complexity. If we turn more things off by default, we need to make it easier for users to turn things on when they want to use them. For example, in Windows Server 2003 SP1, we added something called the Security Configuration Wizard that is designed to help users configure their systems with as much turned off as necessary. The benefit of turning things off by default is two fold: 1) it protects the individual system from being attacked if a vulnerability exists in the feature because the feature is turned off by default, and 2) it also protects the populations of systems because the worm or virus can't assume that the feature is on and therefore the systems aren't broadly exploitable through the vulnerability.
I should note that while we usually think about what features to turn off, Secure by Default is also about what features to turn on. A great example of this is the firewall in Windows XP. Back when we first shipped Windows XP in 2001, we included a firewall, but turned it off by default. Why? Because many of the influential users we spoke to said that they had a firewall and didn't want ours turned on. They also said that they had too many apps that would be negatively affected by having a firewall on by default. That was a good answer for the small percentage of users who had their own firewall, but for most customers it was a mistake. In hindsight, consider that if we had the firewall turned on between October 2001 and August 2004 (when we shipped Windows XP SP2 with the firewall on by default) that Slammer and Blaster might not have been an issue for Windows XP customers to the extent it was. And with Zotob, this was also the case. By the way, for customers who have a third party firewall, or for OEMs that install a third party firewall, they can always turn ours off.
The Windows Security Center, first introduced in Windows XP SP2, is designed to make it easy for end-users to verify that the right security features are turned on and configured properly. We're going to make it even better in Windows Vista.
This is as much about culture (reminding people of the goal of safety and security being job #1) as it is about process (making sure that the default state of the feature is considered in the context of what most people need).
(3)
Top priority for security in 2006
by Anonymous Coward
Given that security is a major topic on IT manager's minds these days with security flaws and patches practically making front page news of some publications, What do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?
Nash: The answer for me and for Microsoft is simple. The main focus for security in 2006 is nailing the security quality and features for Windows Vista and Windows Longhorn Server. Don't get me wrong, this doesn't mean that we don't care about the security of older products or products besides Windows, but given that Windows Vista and Windows Longhorn Server are going to be the most significant releases of Windows in the last five years or so, we know that they are going to be used broadly by a large set of users for sometime--so getting it right is critical.
As I noted above, we have the opportunity to apply the best practices in secure design, threat models, code quality, default configuration and penetration testing and more rigor than we have ever had in the past. We have also added some new features like a bi-directional firewall and Windows Defender to make the system safer and more secure. As the project becomes feature complete, we must verify that the system is secure and addresses the issues that are raised in testing.
There is also real work here for the industry as well. Some of this has to do with making sure that applications and security products work with Windows Vista. New applications need to work well for users who have standard (non-admin) user accounts. At the same time, we need to make sure that security products work well on Windows Vista. For example, no one is going to move to Windows Vista unless they have great anti-virus software that works well on it.
My other goal for the industry is that third party applications and internally developed applications adopt our Security Development Lifecycle. Here's why: As we improve the quality of Windows, we're making it harder for people to find vulnerabilities and therefore harder to write exploits. As a result, there will be a natural tendency for security researchers and exploit writers to move up stack. We are already seeing this. As we have learned, the only approach that scales here starts with a well defined process, taught through broad education and verified prior to shipping to drive accountability. The good news here is that we have documented our process pretty clearly and made it easy to learn. Checkout http://msdn.microsoft.com/security to learn more about it.
For customers, the top priority has to be defining and executing their security plan. I spend a ton of time with customers, many of whom have done a threat analysis of their environment and built a security plan. I am still surprised by the number of customers who have a plan but have not had a chance to execute it. The good news is that most have executed their security plan -- so the top goal for them is to reassess their environment and make sure that they are responding to new threats. We've also created a great set of tools to help customers (Developers, IT Administrators and End-Users) be more secure on our platform.
While we want customers to be evaluating Windows Vista, it's super important that business customers in particular, who have NOT yet deployed Windows XP SP2, think seriously about deploying it. While a large number of enterprise customers have deployed Windows XP SP2, many still haven't. While I get that not every desktop will get upgraded to Windows XP SP2 between now and Windows Vista, I think it's critical that laptops and Internet facing desktops move to SP2.
(4)
Outside influences on security
by kalpol
Has open-source software such as Linux influenced the way you think about security in Windows, and if so, how?
Nash: The open source approach has influenced the way I think about security, but I am not sure it's in the way you would have expected. The theory that more eyes makes software more secure is a premise that drove some anti-Microsoft PR back in late 2002, which caused my team and I to respond. My first step was to dig in and try to understand the open source process to see what I was missing.
I learned a few things. The first thing I learned was that while having lots of people look at code sometimes found issues, none of this mattered if there wasn't a good process to close issues. I spent some time reading Linux websites that contained reviews of Linux code. I was surprised by two things: 1) the lack of consistency in the way that software was reviewed, and 2) the lack of accountability to verify that things that were found actually got resolved. Then Blaster hit 10 months later in 2003 and I realized that like Linux we could also suffer from a lack of closure. So we invented the Secure Development Lifecycle, of which the key feature was that it drove consistency and accountability. Here is the background story . . . .
After Blaster happened, I wanted to find out who was responsible for the buffer overflow that was exploited and hold the individual accountable. But once we looked into it, we realized that there was not a documented a process that the developer was supposed to follow that would have prevented the mistake, nor did we have a set of procedures for our developers to verify that a secure development process was utilized. The Security Development Lifecycle is basically the institutionalization of these very things: a documented repeatable process, clear education and accountability. What I learned here was that because we have the ability to establish processes and reinforce them at every level of management that we had an opportunity to make our software do something that the open source approach couldn't replicate.
The second thing I learned about security from the open source approach was about serviceability. One of the things that proponents of the open source approach always talk about is the fact that with open source you don't have to wait for an official patch, since you can download the code, recompile it and create your own fix. I can't imagine this working at scale, since most users could never do this. For the customers who can manage to knit their own patches, the problem is that some distributions sometime update a component with new fixes but they don't always include some of the fixes that more sophisticated users may have done on their own. This effectively undoes the home built patch.
The key learning for me was four-fold. First, it is super important that we have our updates available on all supported versions and all supported languages at the same time. Second, we need to do whatever we can to make sure that our updates are available when vulnerabilities are publicly disclosed. Responsible disclosure helps us a lot since people can confidentially report things to us in return for acknowledgement when we do issue the update. Third, we must have great quality when we do issue the updates. If our updates break things, then people won't trust them. In my mind, the definition of our products is the product that we ship PLUS the latest service pack PLUS any security updates we shipped after the latest service pack. If we don't test our security updates in a broad set of scenarios, then we are likely to break something.
Finally (fourth), it's important that we have tools to simplify the process of deploying updates since it reduces the barriers to deploying the updates and increasing the likelihood that customers are up to date. That is why we have invested in tools to make patch deployment much more straightforward like Windows Update, Microsoft Update, Windows Server Update Services and Systems Management Server.
(5)
What is the basic approach to Microsoft security?
by kickabear
Does Microsoft lean more towards rigidly enforced coding standards as a way to prevent exploitable bugs, or does the company focus more on brute-force bug detection during testing?
I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?
Nash: My short answer is actually a third choice, which is better design. This starts with really understanding the security threat that a feature might introduce to the system and making sure that the design of the feature or component is designed to reduce the risk. Then we go to implementation which, as you note, is partially about better standards which must be taught through education, but must be reinforced with tools to verify code quality wherever possible.
We also do spend a lot of time using a combination of ethical penetration and interface testing. While bug detection is critical, it really is a last resort -- in some sense the guard rails on the road to safe driving on the road of software engineering. Just like driving your car on a windy road, safety starts with better driver (in this case developer) education.
All of that said, if there is one thing I have learned in the last four years in this job is that there are no silver bullets in security. Instead we make progress through a combination of investments.
(6)
Why add DRM? Also, why not decouple IE?
by Bob_Villa
Why are you adding in DRM controls to Vista that regular users are not going to want? It may come in handy for corporations wanting to control their documents, but I can't see how regular users would knowingly want a product that restricts their access to their documents or files.
Also, I think you could dramatically improve security by decoupling Internet Explorer from Windows. Have it be a separate program similar to Opera, FireFox, Safari, etc... Is there really a valid reason that Windows Explorer has to be driven by Internet
Nash: First, a point of clarification. I assume in this case, you are talking about the Rights Management Services (RMS) client that is now integrated into Windows Vista and not the DRM technology that is used to protect media content that has been built into Windows for some time. In the case of RMS, you are right that corporations see value in protecting their information and controlling the usage of that information. A key piece of feedback we got from customers using the current version of RMS was that setting it up was hard, so we integrated the RMS client into Windows Vista. That said, some customers may not use it. You would only use it if an RMS-enabled application such as Office was installed and a user opted in to use that feature in Office.
We also believe that over time, that regular users will also want to protect their own information. For example in the future, home users may want to protect and control the usage of information such as lists of their friends, photos, banking account information and other personal data.
In terms of your question around Internet Explorer, there are two real aspects of this: 1) the platform implications of having IE in Windows, and 2) the user experiences that are possible with having IE in Windows.
From a platform point of view, decoupling IE would break a lot of things. There are many applications that depend on IE for rendering HTML and for accessing the Internet. Think about email applications, Internet-aware clients like the AOL Explorer or even Microsoft Money that use IE to render HTML in the application. Not only would this break a lot of applications, but it would also put a huge burden on developers who would now have to write their own HTML rendering capability.
From an experience point of view, a key goal for Windows has been to integrate the local experience and the remote (Internet) experience from a user interface perspective. Integrating the web browser into the operating system was a key part of delivering that experience for customers. The area where we can do much better is making sure that the kinds of things that can be done by a remote site is less than what can be done locally--this is especially true for sites that you don't know or don't trust. A key enhancement to the browser for Windows Vista is something called Protected Mode IE. The browser starts with minimal access to system and user resources. For example, when a remote site is accessed, the site will not have privileges to install software, copy files to the user's Startup folder, or hijack the settings for the browser's homepage or search provider. Of course users always can choose to use other browsers and even have other browsers be set as the default on the machine.
I do believe that the progress we are making with IE in Windows Vista will address many of the concerns people have with IE security today.
(7)
Do you ever spend time with "average users"?
by Caspian
Time and again, I've seen average end-users-- grandmothers, "soccer mom" types, businessmen-- whose computers are positively clogged to the gills with spyware, viruses, and other sorts of malware, the overwhelming majority of which they were infected with via the exploitation of security flaws in Microsoft software. I'm often tasked with disinfecting their computers.
How often do you (and the members of your team) spend time with average end-users-- not just in large corporate settings but in small businesses and (just as importantly) in real-world home settings? I believe that if you would spend time with Joe Average and see just how badly his computer's performance (not to mention his personal privacy and the integrity of his data) is suffering from the exploitation of certain bugs and design decisions (e.g. the fact that most end-users run with Administrator privileges) in Microsoft software, it would cause a significant shift in Microsoft's security strategy.
No matter how often $LATEST_WINDOWS_VERSION is touted as more secure than its predecessors, I still keep getting called to average homes to remove countless items of spyware which infected Windows systems via holes (and/or poor design decisions, e.g. the handling of ActiveX controls and the abilities they can have to alter files on the system) in Internet Explorer, and to this day (despite the wide use of antivirus software) most end-user systems I examine do contain at least a few viruses (which entered the system via Microsoft Outlook).
What are you doing to secure Joe Average's PC? Do you have any interaction with average end-users? And if not, why not?
Nash: I personally spend a ton of time with end-users -- often friends and family, but also people that I meet through my job at Microsoft. I have a wife, three brothers, a sister, five sisters-in-law, three brothers-in-law, two parents, one mother-in-law, a father-in-law, one uncle, two aunts, one living grandmother, three kids (although they are all too young to use a PC), five nephews and seven nieces, so I get a lot of calls from family members asking for tech support. It's actually amazing how much their feedback has driven decisions in our security strategy. I will give you two examples:
Right after Blaster happened, my uncle Ken called me to see how I was doing with everything going on with the event. My uncle is a little strange (although he is my only uncle, so I really don't have anything to compare him to) and he sometimes calls me "nephew." He said, "Nephew, what should I do about this latest Blaster thing?" I told him that he should turn on Automatic Updates and turn on his firewall. When he asked me how to do it, I talked him through the dialog boxes and we got him setup. In this process, I learned two important things. The first was that that the process of making these changes was a pain in the neck. The second was that when we really should have changed the default configuration for Windows Update.
When we shipped Windows XP Gold in 2001, we introduced Windows Update for the first time. At the time there were two options that the user had to choose from when they installed Windows: 1) tell me when updates are available, or 2) download the updates and tell me that they are ready to install (the default). When we shipped Windows XP SP1 about a year later, we added a third option which was to download the updates and install them. The problem was that when we added this third option (the best choice for most people), we left the second option (download and tell me) as the default. I am not sure why we did this, but my guess is that no one thought it through. So what did my experience with uncle Ken influence? A few things. First, we created a webpage at www.microsoft.com/pypc that included a little program that turned on your firewall, and helped you turn on the third option for Automatic Updates. We also changed the default setting for Automatic Updates in Windows XP SP2.
My second story is about my grandmother, Estelle (I am 42 years old and not too proud to tell you that I call her Nanny). Nanny got her first PC in 1992 soon after I came to Microsoft. In 1995 she got her second PC -- I was excited about Windows 95 and so was she. In late 2001, I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine.
In February of 2004 I was down visiting Nanny in Florida. I was on my way home from a business trip, so I was only there for about a day. When I got to her house she fed me breakfast, looked at the latest pictures of her great-grandsons and then said to me that she needed some help with her PC. When I powered the thing on, it was clear that something was wrong. The machine was very slow and you could see the icons on her desk being drawn pixel by pixel.
It turns out that her machine was massively infected by spyware. She had gotten some mail offering her $10 to take an online survey which she had taken seven times. Without realizing it, each time she completed the survey and tried to claim her $10, she had agreed to the terms of a software license and downloaded spyware on her machine. She had effectively sold her $900 PC for 70 bucks. It took me about three hours to get her machine running again. I went back about a month later and installed Windows XP SP2 (beta at the time) on her machine, but what I realized was that we had a much bigger problem with spyware.
With that visit came the vision for Microsoft's anti-spyware strategy and our focus on delivering an anti-spyware solution.
Today, I travel a bit more prepared for situations like the one I encountered at Nanny's house. I have 512MB memory stick with me in my briefcase that includes a copy of Service Pack 2 for Windows XP, the latest beta of Windows AntiSpyware and the current month's release of the Malicious Software Removal Tool.
(8)
Windows updates to unregistered machines?
by Spy der Mann
Dear Microsoft Security VP:
I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When He called me for tech support, I told him to download the Microsoft Anti-Spyware from Windows update, but his answer was that it required a registered copy.
My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)
What do you plan to do about this?
Nash: This is a great question and one that we struggled with as we established the policy. First, I should clarity one thing. While the Windows AntiSpyware offering is only available to users of licensed copies of Windows, we do make our high priority security updates available to unlicensed users of Windows, primarily in order to prevent unlicensed Windows systems from posing a threat to the Internet if they get infected. Although, we do remind unlicensed users of Windows to get genuine.
At the end of the day, Microsoft's first commitment is to protect our paying customers. We made a decision last January to make Windows AntiSpyware technology available to licensed Windows customers at no charge. When we first acquired GIANT Company Software, the plan was to make scanning for spyware a free service on Microsoft.com, but charge for the technology that blocks spyware. The theory was that frequent scanning was a good substitute for people who didn't want to pay for the blocking capabilities. Within a few weeks of running the beta of the anti-spyware technology we realized that this premise wasn't valid since while it's easy to detect and remove the primary spyware infection, spyware often brings with it more spyware and detecting and removing the secondary and tertiary infections was much harder. So we made the decision to include this blocking capability in all licensed copies of Windows.
So the question is, why not protect non-licensed users from spyware? The short answer is that spyware primarily affects the machine that has the infection. Part of the value of owning a licensed copy of Windows is that you are protected from spyware. If you don't pay for your copy of Windows, you aren't protected.
It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected. They are using stolen software. I have heard the arguments that Microsoft has lots of money and shouldn't care if people are using our software illegally. I don't buy it (no pun intended). You could make this argument in many other cases, but we don't tolerate people eating a meal at a restaurant and then not paying, or stealing a candy bar from a convenience store or taking a TV from an electronics store. In this case, your acquaintance wants the free meal, but can't understand why we don't throw in dessert.
If your acquaintance installed their own pirated copy of Windows, I recommend that they get a valid copy and install it. If they got their pirated copy of Windows preinstalled on a PC, then they should report the company that sold them their PC and we will use the information to get the vendor to make things right, and will get your acquaintance a valid license in return for the information.
(9)
MSFT employee here
by Anonymous Coward
Hi, Mike,
I have just one question for you. Why do we STILL ship products with KNOWN security issues?
I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that flaw will affect a ton of customers and cost Microsoft significant litigation. Some of very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what DFD is and how to put one together.
This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in a couple of hours they've allocated for this. You can barely glance through this much code in this much time, 90% of security issues remain unnoticed during this "code review".
After all is said and done, product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional saying that product is now Fort Knox secure.
If you ask me, that's abomination, not a proper security process. Are there any plans to change it?
Nash: Wow this is a great, yet difficult question. First, I should say that there is a great process for security quality called the Security Development Lifecycle (SDL) that is designed to make sure that we act consistently as a company. This means having a well documented, repeatable process, great education that teaches people how to follow the process and the accountability to make sure that process is being followed consistently. A part of this accountability is something called the final security review (FSR) that my team executes on behalf the company to make sure that the process is actually being followed. At the end of the day, the product group that ships the product is accountable to make sure that the process is followed.
I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time.
One of the key things that will make this work is consistent execution across the company. I won't say that we have or should have the same level of rigor across all of our products (Windows deserves more scrutiny than say, a game), but we must apply the process appropriately. Generally speaking, Microsoft product groups are following the process consistently. That said, Microsoft has over 60,000 employees, so it's not a huge surprise that we have some people who just don't get it. While it's not a huge surprise, it's also not acceptable. If we have a group that is not aware of the process, then we have an education issue. If we have a group that is knowingly ignoring the SDL or deprioritizing it, at best we have an accountability problem and at worst an HR problem. The only way that I can help is to know about it so I can have it addressed appropriately. While I see that you posted this question anonymously, I encourage you to contact me directly through email and we can meet to discuss this. I assure you that I will protect your identity. If you are not comfortable with this, call my direct line at Microsoft (using an outside line--so that caller ID is blocked or from a conference room) and I promise not to ask your name.
As I have said many times, the Trustworthy Computing Initiative is a journey that we started in 2002 with measurable improvements along the way. In this case we clearly have a problem that needs to be fixed so that we can improve.
(10)
Why no AES in SSL yet?
by jonathan_lampe
Why hasn't Microsoft added AES to its SSL stack yet? As a Microsoft developer, it's annoying to get beaten over the head when facing competing solutions that can use the AES (128-,192- and 256-bit) encryption algorithm in their SSL implementations.
(OpenSSL - including the Mozilla browsers - and Java SSL have all had AES support for a while. Most SSH implementations have also had it for a while.)
Nash: This is a great question. The AES was approved as a FIPS algorithm after Windows XP was released in 2001. Adding it to Windows XP RTM was basically not possible. Our approach for cryptography was and is to support a pluggable model and enable replacement in our platform in a broad sense. IE and IIS depend on the platform (OS) cryptography capabilities, so adding this capability was an operating system change vs. a change in the browser, as was the case with Mozilla.
While it's fair to say that we could have just dropped AES support into the platform, the approach for pluggable crypto enables a lot more flexibility for customers. For Windows Vista, we added support for pluggable cryptography, which we refer to as CAPI next generation or CNG. With CNG we not only add support for AES, but also add support for Elliptical Curve (ECC) Cryptography and the Sha-2 family of hash algorithms.
We are currently looking at the feasibility and benefits of making this capability available down-level. I should also note that in contrast to the existing AES implementations that have not been through an evaluation, we plan to get our implementation evaluated to meet FIPS guidelines and requirements.
(11)
VISTA users must still be administrators?
by arminw
In current Windows systems, many programs will only work correctly if the user is granted administrator rights. Will MS lean on developers to write their software such, that a normal user status is sufficient? Much malware today silently installs itself without so much as a warning to the user. Will VISTA incorporate some sort of warning and ask for a password before ANY executable file can run for the first time or install itself deep in the system? Will users be told NOT to type password unless they are SURE the file comes from a trusted source?
Nash: One of the key enhancements in Windows Vista is something called User Account Control, which in my mind is a fancy name for standard user that works. There are really two parts of User Account Control. The first is a significant set of changes to Windows Vista so that the system doesn't require admin rights in places that shouldn't, while still protecting the system in cases that should require admin. I will give you a simple example that illustrates what I mean. In Windows XP today, you need to be an administrator to run the clock applet in the control panel, but as it turns out there are cases where the user shouldn't need to be an admin to run this applet. For example, a standard user should be able to LOOK at the clock. In addition, while changing the time on the system should require admin privilege (to maintain the integrity of system logs, etc.), when I travel from Seattle to Boston, I should be able to change the time zone of the system so that I know the local time and show up for meetings on time, etc.
So in Vista we separated these functions so that standard users can do the things that standard users need to do, but still require admin for the things that need protection.
The other thing added is something we call protected admin. This is a mode that administrators run in by default. If someone is configured as an admin, their basic execution happens as a standard user. When they try to do something that requires the administrator privilege, the system prompts them to see if they want to elevate to admin to complete the task, and if they consent, just that task is elevated (this is more secure that SUPERUSR ON in Unix that elevates the entire session). When the task completes, the high privileged process is torn down. The system can also be configured to require a password on elevation.
As you note, this also has a lot of implications around application compatibility and a ton of work is being done to help ISVs building solutions for Vista to make sure that their applications run as standard user if appropriate.
For existing (legacy applications) we find that most applications break into one of four categories: 1) applications that already run well as standard user, 2) applications that really do require admin privilege (system utilities for example), 3) applications that check for admin privilege, but don't really need it, and 4) applications that require admin privilege for a some portion of their functionality.
For applications that run as standard user, we are set. Similarly, applications that really should require admin privilege run as they should. If a standard user encounters such an application, in the home (e.g., non domain joined scenario) the standard user is prompted to have someone who has admin privilege type in a password to elevate the system to run the application as appropriate. We call this the "over the shoulder" elevation case.
For applications that check for admin, but don't really need it, the situation is usually that the developer of the application didn't want to take the time to test the application in both the standard and admin user modes, so they put a check in at initialization. We have a pretty good list of these applications, so for the ones we know about, we put a little compatibility shim in the software so that when one of these known applications check to see if the user is running at admin level, the system will report back that they are even though they are a standard user. This preserves application compatibility, but provides no risk on unauthorized escalation since the user really is just a standard user.
For applications that require admin for some part of their execution, we are providing guidance to the ISVs on how to re-factor their applications so that the components that the end sees don't need the privilege and the ones that do need to can be isolated and componentized so that most users don't encounter the escalation.
(12)
OpenBSD
by hahiss
How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?
Nash: First, I should say that OpenBSD includes a relatively small subset of the functionality that is included in Windows. You could argue that Microsoft should follow the same model for Windows that the OpenBSD Org follows for their OS. The problem is that users really want an OS that includes support for rich media content and for hardware devices, etc. So while OpenBSD has done a good job of hardening their kernel, they don't seem to also audit important software that are used commonly by customers, such as PHP, Perl, etc. for security vulnerabilities. At Microsoft we're focusing on the entire software stack, from the Hardware Abstraction Layer in Windows, all the way through the memory manager, network stack, file systems, UI and shell, Internet Explorer, Internet Information Services, compilers (C/C++, .NET), Microsoft Exchange, Microsoft Office, Microsoft SQL Server and much, much more. If a software company's goal is to secure customers, you have to secure the entire stack. Simply hardening one component, regardless of how important it is, does not solve real customer problems.
Second, it is not completely accurate to say that OpenBSD is more secure. If you compare vulnerability counts just from the last 3 months, OpenBSD had 79 for November, December and January compared to 11 for Microsoft (and that includes one each for Office and Exchange - so really 9 for all versions of Windows). I encourage you to look at the numbers reported at the OpenBSD site to verify that this is true.
("Bonus" question added by Mike Nash)
Differences Between Windows & Other Employers?
by eldavojohn
Mr. Nash, what are the greatest differences and similarities between Microsoft Corp. and Data General Corp., your two most recent employers? Most importantly, how drastic were the changes you saw (not necessarily changes due to job function but changes in general)? What do you like the most and what do you hate the most?
Nash: Great question. First, its been a while since I worked at DG (I left DG for business school in 1989). That said, I would say that the biggest difference between the two companies is that while DG was fundamentally a hardware company, Microsoft is first and foremost a software company. DG was primarily focused on driving a business based on selling hardware and software was a necessary component of that business, but not something that was valued on its own. In contrast, Microsoft's basic premise is that the hardest problems can be best solved with software and as a part of that the power of hardware can be realized best through great software.
The second biggest difference is while DG always measured itself in terms of other companies (Digital was the big deal back when I was at Data General), Microsoft is a company that is constantly trying to reinvent itself. As a result, Microsoft is much more self critical, but at the same time willing to make long term investments to address both new opportunities and short comings. The Trustworthy Computing Initiative is a great example. Soon after Blaster happened, a lot of people I spoke to (inside and outside Microsoft) asked me if Blaster was evidence that the Trustworthy Computing Initiative was a failure. My response was just the opposite. I was super glad that we had taken the time to focus on and improve our security. If we hadn't things would have been much worse. At the same time, Blaster did provide some pretty clear guidance on some changes we had to make around Trustworthy Computing (TwC). More than that, it reminded us all that we would have to continue make some major changes in TwC as we continued to learn, so we should just plan for it. That approach is mostly a matter of culture and frankly if the leadership of DG had had a similar point of view, their might be a DG today. For sure it's why there is great change and innovation at Microsoft more than 30 years in. And yeah, it's hard work.
What has changed?
by suso
Besides the same old PR scripted answers that corporations like to give in order to obscure or downplay what is really going on. What assurance can you give us that Microsoft is more focused on security and that Vista is going to be any different from the previous incarnations of Windows? What proof can you give us? Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" are helpful pieces of information to answer this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?
Nash: We have been thinking about security at Microsoft for some time. I would say it started back when we decided to do Windows NT back in the early 90s. There has been a big change in the way we approach security from a quality point of view that started in much more depth when Bill wrote the Trustworthy Computing Memo back in 2002.
What happened then was that we decided we were going to get much more focused on security since it was such a huge issue for customers. Remember, we were right on the heels of Code Red and Nimda and we had to do something. For the .NET Framework 1.0, Visual Studio 2002, ASP .NET and for Windows Server 2003, it started with a security push where we took the teams offline relatively late in the product cycle, taught the teams what it meant to write secure code, had them do threat models and code reviews, etc.
What is interesting is how much of this had to do with educating our engineers on what it means to write secure code and changing the culture. I will give you examples of both.
Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could over run a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated.
Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization.
A key thing that came out of our experience with Blaster in 2003 was something called the Security Development Lifecycle (SDL). Really the SDL is the formalization of work we were doing previously. Remember Blaster exploited a vulnerability in Windows Server 2003 -- a product that had been through a security push (it also affected Windows XP). When we did the post mortem on how the vulnerability happened, what we realized was that while there were huge improvements in the quality of our code between Windows 2000 and Windows Server 2003, there was still more work to do. In particular, we needed to have: 1) a documented, repeatable process, 2) internal education so that everyone involved in the product release process knew what to do, and 3) a checkpoint in the release process to make sure that this process was followed.
The key things about the SDL is that we basically have to update it every six months because the threat landscape changes, the scenarios we support grow and we learn more.
For Windows Vista, the key things that will make it great are a combination of the most rigorous execution of the SDL to date -- more training, newer tools, threat modeling, more comprehensive review of file parsers, review of code to identify and remove use of banned (risky) APIs and a whole lot of penetration testing.
As a part of this, a lot of work is also being done to change the default configuration to make it safer and more secure. We have done a lot of work to make the system work well for standard users (so that not everyone has to be an admin), but for users who still need or want to be logged on as an admin on their system we make it clear to them when they are about to do something that requires administrator privilege. The user can configure their system to either ask them if they want to escalate, or ask for a password when the system tries to elevate them. We have also gone through all of the system services in Vista to see which ones have admin privilege, verify which ones really need it, and for the ones that don't, remove it.
For Windows Vista we enhanced the engineering process with some new checkpoints in the engineering cycle. One such checkpoint requires that every team developing a system service in Vista go through the process of using a new Vista least-privilege operational model. A team of internal experts had to sign-off on the plan for each service, and in a significant number of cases, teams avoided creating a service altogether when an alternate approach was possible.
While quality is an important approach to improving security and safety, it's just one part of it. There are also some key features we have added to Windows Vista to make it safer and more secure. For example, we have taken the anti-spyware technology that we acquired from GIANT Company Software, improved it and integrated it into the operating system in something called Windows Defender. While the anti-malware technology will also be available to users who have licensed copies of Windows 2000 and Windows XP, for Vista the integration is pretty slick, which makes it much easier for customers to be protected. For Vista, we also improved the firewall built into the operating system. It's bi-directional and is designed to work well with IPSec.
Given the changing landscape on the Internet, and the continued focus on the Windows platform, sadly I know there will be vulnerabilities and exploits that target Windows Vista. Invariably, as we make it much harder for people to find and exploit vulnerabilities in Windows Vista, I am certain of two things: 1) the number and severity of both vulnerabilities and exploits on Windows Vista will be reduced, making the switch to Vista compelling if ONLY for security reasons, and 2) we will continue to focus on security even after we ship Windows Vista so that the work that comes after Vista will be even better.
(2)
Security/user friendly tradeoff
by qwijibo
Is there a general policy within Microsoft to help product teams make consistent security decisions? There are frequently issues where the decision has to be made between being more secure or more user friendly.
For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.
Nash: This is an old issue that we have made quite a bit of progress on. At Microsoft we had a long history of turning things on by default in the spirit of making user's lives easier and showing off our key features. I have to admit, that in my past I have actually been part of the problem. As the director of product management back in 1995, I was part of the team that drove the decision to turn our web server, Internet Information Server (IIS), on by default in Windows NT Server 4.0.
What the events of the last 5-10 years have taught us (or at least taught me) is that the more you have turned on, the more attack surface area the system has and therefore the more vulnerable it is. If you assume near perfect quality or that there is no one out there trying to attack you, it might even be an ok decision. But since you can't, we need to be more selective about what things we turn on by default.
Consider the case of Code Red. That worm attacked a vulnerability in the ISAPI filter of the index server of IIS. Let's assume for a minute that you don't know or care what the ISAPI filter of the Index Server of IIS is. Even in that case it turns out that if you turned off the Index Server in Windows Server 2000 SP3, that ISAPI filter was still installed. So while you might have thought that shutting down the index service makes you less vulnerable, it turned out that you were not.
So coming out of the whole Code Red experience, we created the Trustworthy Computing Initiative (TwC). One of the key principles of TwC that drives the Security Development Lifecycle is the principle of Secure by Design, Secure by Default and Secure in Deployment (or what we call SD3).
The principle of Secure by Default says that unless most users are using a feature, it should be turned off by default. What we have also learned along the way (and my Code Red example shows this) is that you can't just look at the user visible features, but also need to look at the underlying services. So if the customer feature is off by default (or turned off by the user) then the underlying components that support them should also be turned off when the high level feature isn't using the service.
But you make a great point about complexity. If we turn more things off by default, we need to make it easier for users to turn things on when they want to use them. For example, in Windows Server 2003 SP1, we added something called the Security Configuration Wizard that is designed to help users configure their systems with as much turned off as necessary. The benefit of turning things off by default is two fold: 1) it protects the individual system from being attacked if a vulnerability exists in the feature because the feature is turned off by default, and 2) it also protects the populations of systems because the worm or virus can't assume that the feature is on and therefore the systems aren't broadly exploitable through the vulnerability.
I should note that while we usually think about what features to turn off, Secure by Default is also about what features to turn on. A great example of this is the firewall in Windows XP. Back when we first shipped Windows XP in 2001, we included a firewall, but turned it off by default. Why? Because many of the influential users we spoke to said that they had a firewall and didn't want ours turned on. They also said that they had too many apps that would be negatively affected by having a firewall on by default. That was a good answer for the small percentage of users who had their own firewall, but for most customers it was a mistake. In hindsight, consider that if we had the firewall turned on between October 2001 and August 2004 (when we shipped Windows XP SP2 with the firewall on by default) that Slammer and Blaster might not have been an issue for Windows XP customers to the extent it was. And with Zotob, this was also the case. By the way, for customers who have a third party firewall, or for OEMs that install a third party firewall, they can always turn ours off.
The Windows Security Center, first introduced in Windows XP SP2, is designed to make it easy for end-users to verify that the right security features are turned on and configured properly. We're going to make it even better in Windows Vista.
This is as much about culture (reminding people of the goal of safety and security being job #1) as it is about process (making sure that the default state of the feature is considered in the context of what most people need).
(3)
Top priority for security in 2006
by Anonymous Coward
Given that security is a major topic on IT manager's minds these days with security flaws and patches practically making front page news of some publications, What do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?
Nash: The answer for me and for Microsoft is simple. The main focus for security in 2006 is nailing the security quality and features for Windows Vista and Windows Longhorn Server. Don't get me wrong, this doesn't mean that we don't care about the security of older products or products besides Windows, but given that Windows Vista and Windows Longhorn Server are going to be the most significant releases of Windows in the last five years or so, we know that they are going to be used broadly by a large set of users for sometime--so getting it right is critical.
As I noted above, we have the opportunity to apply the best practices in secure design, threat models, code quality, default configuration and penetration testing and more rigor than we have ever had in the past. We have also added some new features like a bi-directional firewall and Windows Defender to make the system safer and more secure. As the project becomes feature complete, we must verify that the system is secure and addresses the issues that are raised in testing.
There is also real work here for the industry as well. Some of this has to do with making sure that applications and security products work with Windows Vista. New applications need to work well for users who have standard (non-admin) user accounts. At the same time, we need to make sure that security products work well on Windows Vista. For example, no one is going to move to Windows Vista unless they have great anti-virus software that works well on it.
My other goal for the industry is that third party applications and internally developed applications adopt our Security Development Lifecycle. Here's why: As we improve the quality of Windows, we're making it harder for people to find vulnerabilities and therefore harder to write exploits. As a result, there will be a natural tendency for security researchers and exploit writers to move up stack. We are already seeing this. As we have learned, the only approach that scales here starts with a well defined process, taught through broad education and verified prior to shipping to drive accountability. The good news here is that we have documented our process pretty clearly and made it easy to learn. Checkout http://msdn.microsoft.com/security to learn more about it.
For customers, the top priority has to be defining and executing their security plan. I spend a ton of time with customers, many of whom have done a threat analysis of their environment and built a security plan. I am still surprised by the number of customers who have a plan but have not had a chance to execute it. The good news is that most have executed their security plan -- so the top goal for them is to reassess their environment and make sure that they are responding to new threats. We've also created a great set of tools to help customers (Developers, IT Administrators and End-Users) be more secure on our platform.
While we want customers to be evaluating Windows Vista, it's super important that business customers in particular, who have NOT yet deployed Windows XP SP2, think seriously about deploying it. While a large number of enterprise customers have deployed Windows XP SP2, many still haven't. While I get that not every desktop will get upgraded to Windows XP SP2 between now and Windows Vista, I think it's critical that laptops and Internet facing desktops move to SP2.
(4)
Outside influences on security
by kalpol
Has open-source software such as Linux influenced the way you think about security in Windows, and if so, how?
Nash: The open source approach has influenced the way I think about security, but I am not sure it's in the way you would have expected. The theory that more eyes makes software more secure is a premise that drove some anti-Microsoft PR back in late 2002, which caused my team and I to respond. My first step was to dig in and try to understand the open source process to see what I was missing.
I learned a few things. The first thing I learned was that while having lots of people look at code sometimes found issues, none of this mattered if there wasn't a good process to close issues. I spent some time reading Linux websites that contained reviews of Linux code. I was surprised by two things: 1) the lack of consistency in the way that software was reviewed, and 2) the lack of accountability to verify that things that were found actually got resolved. Then Blaster hit 10 months later in 2003 and I realized that like Linux we could also suffer from a lack of closure. So we invented the Secure Development Lifecycle, of which the key feature was that it drove consistency and accountability. Here is the background story . . . .
After Blaster happened, I wanted to find out who was responsible for the buffer overflow that was exploited and hold the individual accountable. But once we looked into it, we realized that there was not a documented a process that the developer was supposed to follow that would have prevented the mistake, nor did we have a set of procedures for our developers to verify that a secure development process was utilized. The Security Development Lifecycle is basically the institutionalization of these very things: a documented repeatable process, clear education and accountability. What I learned here was that because we have the ability to establish processes and reinforce them at every level of management that we had an opportunity to make our software do something that the open source approach couldn't replicate.
The second thing I learned about security from the open source approach was about serviceability. One of the things that proponents of the open source approach always talk about is the fact that with open source you don't have to wait for an official patch, since you can download the code, recompile it and create your own fix. I can't imagine this working at scale, since most users could never do this. For the customers who can manage to knit their own patches, the problem is that some distributions sometime update a component with new fixes but they don't always include some of the fixes that more sophisticated users may have done on their own. This effectively undoes the home built patch.
The key learning for me was four-fold. First, it is super important that we have our updates available on all supported versions and all supported languages at the same time. Second, we need to do whatever we can to make sure that our updates are available when vulnerabilities are publicly disclosed. Responsible disclosure helps us a lot since people can confidentially report things to us in return for acknowledgement when we do issue the update. Third, we must have great quality when we do issue the updates. If our updates break things, then people won't trust them. In my mind, the definition of our products is the product that we ship PLUS the latest service pack PLUS any security updates we shipped after the latest service pack. If we don't test our security updates in a broad set of scenarios, then we are likely to break something.
Finally (fourth), it's important that we have tools to simplify the process of deploying updates since it reduces the barriers to deploying the updates and increasing the likelihood that customers are up to date. That is why we have invested in tools to make patch deployment much more straightforward like Windows Update, Microsoft Update, Windows Server Update Services and Systems Management Server.
(5)
What is the basic approach to Microsoft security?
by kickabear
Does Microsoft lean more towards rigidly enforced coding standards as a way to prevent exploitable bugs, or does the company focus more on brute-force bug detection during testing?
I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?
Nash: My short answer is actually a third choice, which is better design. This starts with really understanding the security threat that a feature might introduce to the system and making sure that the design of the feature or component is designed to reduce the risk. Then we go to implementation which, as you note, is partially about better standards which must be taught through education, but must be reinforced with tools to verify code quality wherever possible.
We also do spend a lot of time using a combination of ethical penetration and interface testing. While bug detection is critical, it really is a last resort -- in some sense the guard rails on the road to safe driving on the road of software engineering. Just like driving your car on a windy road, safety starts with better driver (in this case developer) education.
All of that said, if there is one thing I have learned in the last four years in this job is that there are no silver bullets in security. Instead we make progress through a combination of investments.
(6)
Why add DRM? Also, why not decouple IE?
by Bob_Villa
Why are you adding in DRM controls to Vista that regular users are not going to want? It may come in handy for corporations wanting to control their documents, but I can't see how regular users would knowingly want a product that restricts their access to their documents or files.
Also, I think you could dramatically improve security by decoupling Internet Explorer from Windows. Have it be a separate program similar to Opera, FireFox, Safari, etc... Is there really a valid reason that Windows Explorer has to be driven by Internet
Nash: First, a point of clarification. I assume in this case, you are talking about the Rights Management Services (RMS) client that is now integrated into Windows Vista and not the DRM technology that is used to protect media content that has been built into Windows for some time. In the case of RMS, you are right that corporations see value in protecting their information and controlling the usage of that information. A key piece of feedback we got from customers using the current version of RMS was that setting it up was hard, so we integrated the RMS client into Windows Vista. That said, some customers may not use it. You would only use it if an RMS-enabled application such as Office was installed and a user opted in to use that feature in Office.
We also believe that over time, that regular users will also want to protect their own information. For example in the future, home users may want to protect and control the usage of information such as lists of their friends, photos, banking account information and other personal data.
In terms of your question around Internet Explorer, there are two real aspects of this: 1) the platform implications of having IE in Windows, and 2) the user experiences that are possible with having IE in Windows.
From a platform point of view, decoupling IE would break a lot of things. There are many applications that depend on IE for rendering HTML and for accessing the Internet. Think about email applications, Internet-aware clients like the AOL Explorer or even Microsoft Money that use IE to render HTML in the application. Not only would this break a lot of applications, but it would also put a huge burden on developers who would now have to write their own HTML rendering capability.
From an experience point of view, a key goal for Windows has been to integrate the local experience and the remote (Internet) experience from a user interface perspective. Integrating the web browser into the operating system was a key part of delivering that experience for customers. The area where we can do much better is making sure that the kinds of things that can be done by a remote site is less than what can be done locally--this is especially true for sites that you don't know or don't trust. A key enhancement to the browser for Windows Vista is something called Protected Mode IE. The browser starts with minimal access to system and user resources. For example, when a remote site is accessed, the site will not have privileges to install software, copy files to the user's Startup folder, or hijack the settings for the browser's homepage or search provider. Of course users always can choose to use other browsers and even have other browsers be set as the default on the machine.
I do believe that the progress we are making with IE in Windows Vista will address many of the concerns people have with IE security today.
(7)
Do you ever spend time with "average users"?
by Caspian
Time and again, I've seen average end-users-- grandmothers, "soccer mom" types, businessmen-- whose computers are positively clogged to the gills with spyware, viruses, and other sorts of malware, the overwhelming majority of which they were infected with via the exploitation of security flaws in Microsoft software. I'm often tasked with disinfecting their computers.
How often do you (and the members of your team) spend time with average end-users-- not just in large corporate settings but in small businesses and (just as importantly) in real-world home settings? I believe that if you would spend time with Joe Average and see just how badly his computer's performance (not to mention his personal privacy and the integrity of his data) is suffering from the exploitation of certain bugs and design decisions (e.g. the fact that most end-users run with Administrator privileges) in Microsoft software, it would cause a significant shift in Microsoft's security strategy.
No matter how often $LATEST_WINDOWS_VERSION is touted as more secure than its predecessors, I still keep getting called to average homes to remove countless items of spyware which infected Windows systems via holes (and/or poor design decisions, e.g. the handling of ActiveX controls and the abilities they can have to alter files on the system) in Internet Explorer, and to this day (despite the wide use of antivirus software) most end-user systems I examine do contain at least a few viruses (which entered the system via Microsoft Outlook).
What are you doing to secure Joe Average's PC? Do you have any interaction with average end-users? And if not, why not?
Nash: I personally spend a ton of time with end-users -- often friends and family, but also people that I meet through my job at Microsoft. I have a wife, three brothers, a sister, five sisters-in-law, three brothers-in-law, two parents, one mother-in-law, a father-in-law, one uncle, two aunts, one living grandmother, three kids (although they are all too young to use a PC), five nephews and seven nieces, so I get a lot of calls from family members asking for tech support. It's actually amazing how much their feedback has driven decisions in our security strategy. I will give you two examples:
Right after Blaster happened, my uncle Ken called me to see how I was doing with everything going on with the event. My uncle is a little strange (although he is my only uncle, so I really don't have anything to compare him to) and he sometimes calls me "nephew." He said, "Nephew, what should I do about this latest Blaster thing?" I told him that he should turn on Automatic Updates and turn on his firewall. When he asked me how to do it, I talked him through the dialog boxes and we got him setup. In this process, I learned two important things. The first was that that the process of making these changes was a pain in the neck. The second was that when we really should have changed the default configuration for Windows Update.
When we shipped Windows XP Gold in 2001, we introduced Windows Update for the first time. At the time there were two options that the user had to choose from when they installed Windows: 1) tell me when updates are available, or 2) download the updates and tell me that they are ready to install (the default). When we shipped Windows XP SP1 about a year later, we added a third option which was to download the updates and install them. The problem was that when we added this third option (the best choice for most people), we left the second option (download and tell me) as the default. I am not sure why we did this, but my guess is that no one thought it through. So what did my experience with uncle Ken influence? A few things. First, we created a webpage at www.microsoft.com/pypc that included a little program that turned on your firewall, and helped you turn on the third option for Automatic Updates. We also changed the default setting for Automatic Updates in Windows XP SP2.
My second story is about my grandmother, Estelle (I am 42 years old and not too proud to tell you that I call her Nanny). Nanny got her first PC in 1992 soon after I came to Microsoft. In 1995 she got her second PC -- I was excited about Windows 95 and so was she. In late 2001, I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine.
In February of 2004 I was down visiting Nanny in Florida. I was on my way home from a business trip, so I was only there for about a day. When I got to her house she fed me breakfast, looked at the latest pictures of her great-grandsons and then said to me that she needed some help with her PC. When I powered the thing on, it was clear that something was wrong. The machine was very slow and you could see the icons on her desk being drawn pixel by pixel.
It turns out that her machine was massively infected by spyware. She had gotten some mail offering her $10 to take an online survey which she had taken seven times. Without realizing it, each time she completed the survey and tried to claim her $10, she had agreed to the terms of a software license and downloaded spyware on her machine. She had effectively sold her $900 PC for 70 bucks. It took me about three hours to get her machine running again. I went back about a month later and installed Windows XP SP2 (beta at the time) on her machine, but what I realized was that we had a much bigger problem with spyware.
With that visit came the vision for Microsoft's anti-spyware strategy and our focus on delivering an anti-spyware solution.
Today, I travel a bit more prepared for situations like the one I encountered at Nanny's house. I have 512MB memory stick with me in my briefcase that includes a copy of Service Pack 2 for Windows XP, the latest beta of Windows AntiSpyware and the current month's release of the Malicious Software Removal Tool.
(8)
Windows updates to unregistered machines?
by Spy der Mann
Dear Microsoft Security VP:
I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When He called me for tech support, I told him to download the Microsoft Anti-Spyware from Windows update, but his answer was that it required a registered copy.
My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)
What do you plan to do about this?
Nash: This is a great question and one that we struggled with as we established the policy. First, I should clarity one thing. While the Windows AntiSpyware offering is only available to users of licensed copies of Windows, we do make our high priority security updates available to unlicensed users of Windows, primarily in order to prevent unlicensed Windows systems from posing a threat to the Internet if they get infected. Although, we do remind unlicensed users of Windows to get genuine.
At the end of the day, Microsoft's first commitment is to protect our paying customers. We made a decision last January to make Windows AntiSpyware technology available to licensed Windows customers at no charge. When we first acquired GIANT Company Software, the plan was to make scanning for spyware a free service on Microsoft.com, but charge for the technology that blocks spyware. The theory was that frequent scanning was a good substitute for people who didn't want to pay for the blocking capabilities. Within a few weeks of running the beta of the anti-spyware technology we realized that this premise wasn't valid since while it's easy to detect and remove the primary spyware infection, spyware often brings with it more spyware and detecting and removing the secondary and tertiary infections was much harder. So we made the decision to include this blocking capability in all licensed copies of Windows.
So the question is, why not protect non-licensed users from spyware? The short answer is that spyware primarily affects the machine that has the infection. Part of the value of owning a licensed copy of Windows is that you are protected from spyware. If you don't pay for your copy of Windows, you aren't protected.
It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected. They are using stolen software. I have heard the arguments that Microsoft has lots of money and shouldn't care if people are using our software illegally. I don't buy it (no pun intended). You could make this argument in many other cases, but we don't tolerate people eating a meal at a restaurant and then not paying, or stealing a candy bar from a convenience store or taking a TV from an electronics store. In this case, your acquaintance wants the free meal, but can't understand why we don't throw in dessert.
If your acquaintance installed their own pirated copy of Windows, I recommend that they get a valid copy and install it. If they got their pirated copy of Windows preinstalled on a PC, then they should report the company that sold them their PC and we will use the information to get the vendor to make things right, and will get your acquaintance a valid license in return for the information.
(9)
MSFT employee here
by Anonymous Coward
Hi, Mike,
I have just one question for you. Why do we STILL ship products with KNOWN security issues?
I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that flaw will affect a ton of customers and cost Microsoft significant litigation. Some of very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what DFD is and how to put one together.
This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in a couple of hours they've allocated for this. You can barely glance through this much code in this much time, 90% of security issues remain unnoticed during this "code review".
After all is said and done, product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional saying that product is now Fort Knox secure.
If you ask me, that's abomination, not a proper security process. Are there any plans to change it?
Nash: Wow this is a great, yet difficult question. First, I should say that there is a great process for security quality called the Security Development Lifecycle (SDL) that is designed to make sure that we act consistently as a company. This means having a well documented, repeatable process, great education that teaches people how to follow the process and the accountability to make sure that process is being followed consistently. A part of this accountability is something called the final security review (FSR) that my team executes on behalf the company to make sure that the process is actually being followed. At the end of the day, the product group that ships the product is accountable to make sure that the process is followed.
I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time.
One of the key things that will make this work is consistent execution across the company. I won't say that we have or should have the same level of rigor across all of our products (Windows deserves more scrutiny than say, a game), but we must apply the process appropriately. Generally speaking, Microsoft product groups are following the process consistently. That said, Microsoft has over 60,000 employees, so it's not a huge surprise that we have some people who just don't get it. While it's not a huge surprise, it's also not acceptable. If we have a group that is not aware of the process, then we have an education issue. If we have a group that is knowingly ignoring the SDL or deprioritizing it, at best we have an accountability problem and at worst an HR problem. The only way that I can help is to know about it so I can have it addressed appropriately. While I see that you posted this question anonymously, I encourage you to contact me directly through email and we can meet to discuss this. I assure you that I will protect your identity. If you are not comfortable with this, call my direct line at Microsoft (using an outside line--so that caller ID is blocked or from a conference room) and I promise not to ask your name.
As I have said many times, the Trustworthy Computing Initiative is a journey that we started in 2002 with measurable improvements along the way. In this case we clearly have a problem that needs to be fixed so that we can improve.
(10)
Why no AES in SSL yet?
by jonathan_lampe
Why hasn't Microsoft added AES to its SSL stack yet? As a Microsoft developer, it's annoying to get beaten over the head when facing competing solutions that can use the AES (128-,192- and 256-bit) encryption algorithm in their SSL implementations.
(OpenSSL - including the Mozilla browsers - and Java SSL have all had AES support for a while. Most SSH implementations have also had it for a while.)
Nash: This is a great question. The AES was approved as a FIPS algorithm after Windows XP was released in 2001. Adding it to Windows XP RTM was basically not possible. Our approach for cryptography was and is to support a pluggable model and enable replacement in our platform in a broad sense. IE and IIS depend on the platform (OS) cryptography capabilities, so adding this capability was an operating system change vs. a change in the browser, as was the case with Mozilla.
While it's fair to say that we could have just dropped AES support into the platform, the approach for pluggable crypto enables a lot more flexibility for customers. For Windows Vista, we added support for pluggable cryptography, which we refer to as CAPI next generation or CNG. With CNG we not only add support for AES, but also add support for Elliptical Curve (ECC) Cryptography and the Sha-2 family of hash algorithms.
We are currently looking at the feasibility and benefits of making this capability available down-level. I should also note that in contrast to the existing AES implementations that have not been through an evaluation, we plan to get our implementation evaluated to meet FIPS guidelines and requirements.
(11)
VISTA users must still be administrators?
by arminw
In current Windows systems, many programs will only work correctly if the user is granted administrator rights. Will MS lean on developers to write their software such, that a normal user status is sufficient? Much malware today silently installs itself without so much as a warning to the user. Will VISTA incorporate some sort of warning and ask for a password before ANY executable file can run for the first time or install itself deep in the system? Will users be told NOT to type password unless they are SURE the file comes from a trusted source?
Nash: One of the key enhancements in Windows Vista is something called User Account Control, which in my mind is a fancy name for standard user that works. There are really two parts of User Account Control. The first is a significant set of changes to Windows Vista so that the system doesn't require admin rights in places that shouldn't, while still protecting the system in cases that should require admin. I will give you a simple example that illustrates what I mean. In Windows XP today, you need to be an administrator to run the clock applet in the control panel, but as it turns out there are cases where the user shouldn't need to be an admin to run this applet. For example, a standard user should be able to LOOK at the clock. In addition, while changing the time on the system should require admin privilege (to maintain the integrity of system logs, etc.), when I travel from Seattle to Boston, I should be able to change the time zone of the system so that I know the local time and show up for meetings on time, etc.
So in Vista we separated these functions so that standard users can do the things that standard users need to do, but still require admin for the things that need protection.
The other thing added is something we call protected admin. This is a mode that administrators run in by default. If someone is configured as an admin, their basic execution happens as a standard user. When they try to do something that requires the administrator privilege, the system prompts them to see if they want to elevate to admin to complete the task, and if they consent, just that task is elevated (this is more secure that SUPERUSR ON in Unix that elevates the entire session). When the task completes, the high privileged process is torn down. The system can also be configured to require a password on elevation.
As you note, this also has a lot of implications around application compatibility and a ton of work is being done to help ISVs building solutions for Vista to make sure that their applications run as standard user if appropriate.
For existing (legacy applications) we find that most applications break into one of four categories: 1) applications that already run well as standard user, 2) applications that really do require admin privilege (system utilities for example), 3) applications that check for admin privilege, but don't really need it, and 4) applications that require admin privilege for a some portion of their functionality.
For applications that run as standard user, we are set. Similarly, applications that really should require admin privilege run as they should. If a standard user encounters such an application, in the home (e.g., non domain joined scenario) the standard user is prompted to have someone who has admin privilege type in a password to elevate the system to run the application as appropriate. We call this the "over the shoulder" elevation case.
For applications that check for admin, but don't really need it, the situation is usually that the developer of the application didn't want to take the time to test the application in both the standard and admin user modes, so they put a check in at initialization. We have a pretty good list of these applications, so for the ones we know about, we put a little compatibility shim in the software so that when one of these known applications check to see if the user is running at admin level, the system will report back that they are even though they are a standard user. This preserves application compatibility, but provides no risk on unauthorized escalation since the user really is just a standard user.
For applications that require admin for some part of their execution, we are providing guidance to the ISVs on how to re-factor their applications so that the components that the end sees don't need the privilege and the ones that do need to can be isolated and componentized so that most users don't encounter the escalation.
(12)
OpenBSD
by hahiss
How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?
Nash: First, I should say that OpenBSD includes a relatively small subset of the functionality that is included in Windows. You could argue that Microsoft should follow the same model for Windows that the OpenBSD Org follows for their OS. The problem is that users really want an OS that includes support for rich media content and for hardware devices, etc. So while OpenBSD has done a good job of hardening their kernel, they don't seem to also audit important software that are used commonly by customers, such as PHP, Perl, etc. for security vulnerabilities. At Microsoft we're focusing on the entire software stack, from the Hardware Abstraction Layer in Windows, all the way through the memory manager, network stack, file systems, UI and shell, Internet Explorer, Internet Information Services, compilers (C/C++, .NET), Microsoft Exchange, Microsoft Office, Microsoft SQL Server and much, much more. If a software company's goal is to secure customers, you have to secure the entire stack. Simply hardening one component, regardless of how important it is, does not solve real customer problems.
Second, it is not completely accurate to say that OpenBSD is more secure. If you compare vulnerability counts just from the last 3 months, OpenBSD had 79 for November, December and January compared to 11 for Microsoft (and that includes one each for Office and Exchange - so really 9 for all versions of Windows). I encourage you to look at the numbers reported at the OpenBSD site to verify that this is true.
("Bonus" question added by Mike Nash)
Differences Between Windows & Other Employers?
by eldavojohn
Mr. Nash, what are the greatest differences and similarities between Microsoft Corp. and Data General Corp., your two most recent employers? Most importantly, how drastic were the changes you saw (not necessarily changes due to job function but changes in general)? What do you like the most and what do you hate the most?
Nash: Great question. First, its been a while since I worked at DG (I left DG for business school in 1989). That said, I would say that the biggest difference between the two companies is that while DG was fundamentally a hardware company, Microsoft is first and foremost a software company. DG was primarily focused on driving a business based on selling hardware and software was a necessary component of that business, but not something that was valued on its own. In contrast, Microsoft's basic premise is that the hardest problems can be best solved with software and as a part of that the power of hardware can be realized best through great software.
The second biggest difference is while DG always measured itself in terms of other companies (Digital was the big deal back when I was at Data General), Microsoft is a company that is constantly trying to reinvent itself. As a result, Microsoft is much more self critical, but at the same time willing to make long term investments to address both new opportunities and short comings. The Trustworthy Computing Initiative is a great example. Soon after Blaster happened, a lot of people I spoke to (inside and outside Microsoft) asked me if Blaster was evidence that the Trustworthy Computing Initiative was a failure. My response was just the opposite. I was super glad that we had taken the time to focus on and improve our security. If we hadn't things would have been much worse. At the same time, Blaster did provide some pretty clear guidance on some changes we had to make around Trustworthy Computing (TwC). More than that, it reminded us all that we would have to continue make some major changes in TwC as we continued to learn, so we should just plan for it. That approach is mostly a matter of culture and frankly if the leadership of DG had had a similar point of view, their might be a DG today. For sure it's why there is great change and innovation at Microsoft more than 30 years in. And yeah, it's hard work.
The responses only serve to indicate that MS still doesn't get it. The underlying tone demonstrates the same hubris that has always been the hallmark of MS, sorry.
It's nice they have all this process in plce. But I hve noticed that just about every "security update" that microsoft has produced thanks someone outside Microsoft for finding the issue. This is commendable for sure, but it's also a sign that Microsoft internally isn't finding these issues.
.. from personal experience i can tell you there are other major companies that don't even acknowledge help.
On Microsoft giving credit to third parties I'd definitely say that is commendible
It is now RMS (Rights Management Services).
By changing the name they made it less evil. Yea Microsoft!
Auron may be different, Cally, but on Earth it is considered ill-mannered to kill your friends while committing suicide.
That was a shockingly good interview. Kudos Slashdot. Thats the kind of quality we had around here five years ago. Real solid questions, excellent answers. Keep up the good work.
;-)
(And they'll be just as good when posted again this afternoon, Zonk)
I just checked eEye's upcoming vulnerabilities page .. and it looks like Microsoft has at least 3 serious unpatched vulnerabilties. Including one that they have know about for over 206 days.
h tml
http://www.eeye.com/html/research/upcoming/index.
What's that about.
Funny, I bet I heard about RMS before, just dosnt sound right for some reason in this context...
http://www.intellipool.se/ - Intellipool Network Monitor
A guy asks why not decouple IE from the OS -- an obvious security problem, given that users typically run as Admin (aka root), so any buffer overflow becomes a flaw that threatens the entire box.
Mac OS, Linux and the BSDs manage to decouple the browser. I'm assuming with Mac OS, it is somehow possible to share the browser's code. Microsoft has a technolgy called (originally) OLE. The point is, one app can embed another app in it. The apps don't have to run with root rights: folks couple together Word and Excel when both run as user, and they do it all the time. Here's the answer the Microsoft guy gave:
"In terms of your question around Internet Explorer, there are two real aspects of this: 1) the platform implications of having IE in Windows, and 2) the user experiences that are possible with having IE in Windows.
From a platform point of view, decoupling IE would break a lot of things. There are many applications that depend on IE for rendering HTML and for accessing the Internet. Think about email applications, Internet-aware clients like the AOL Explorer or even Microsoft Money that use IE to render HTML in the application. Not only would this break a lot of applications, but it would also put a huge burden on developers who would now have to write their own HTML rendering capability."
That seems to imply that the OLE-like features require the stuff to be part of the OS, but that just isn't true (in my experience). Perhaps there are some extra features that come from having the browser in the OS, but in general, that just isn't necessary -- and given the security problems, just isn't worth it.
At that point, it is hard to believe the guy -- either he's trying to tell a lie, or he's not informed, or he is informed, but the story is very complicated and he doesn't manage to tell it.
Of course, others have said Microsoft put the browser into the OS in order to kill Netscape.
http://www.thebricktestament.com/the_law/when_to_
I find his answer to question 8 (Windows updates to unregistered machines?) frustrating. He basically comes to the conclusion that "If they didn't buy it, they shouldn't get updates." This is fine in a happy play world, but people with illegal copies are effectively attacking everyone else by becoming infected with worms and other malware. Their policy to only offer updates to registered copies doesn't really help them sell more copies... it just hurts everyone else even linux users, because the worm/virus traffic eats up everyone's bandwidth to some extent, at the least.
Today, I travel a bit more prepared for situations like the one I encountered at Nanny's house. I have 512MB memory stick with me in my briefcase that includes a copy of Service Pack 2 for Windows XP, the latest beta of Windows AntiSpyware and the current month's release of the Malicious Software Removal Tool.
Sounds like a good recommendation - how about shipping Vista with a flash drive with the latest security software on it, with a short guide on how to use it and how to disinfect your PC?
Interesting (possibly useless) mentions from questions & answers:
'Firewall' mentioned 13 times
'Blaster' mentioned 10 times
'Focus/ed' mentioned 14 times
'Trust/worthy' mentioned 10 times
'Key' mentioned 15 times
'XP' mentioned 17 times
'Explorer' mentioned 6 times
'Vista' mentioned 35 times
He who knows best knows how little he knows. - Thomas Jefferson
Shame on YOU!
A first post has to be witty, smart and entertaining.
And all this without being off topic.
I understand that in the heat of the moment, after refreshing the slashdot page for the 5th time in a few minutes, the urge to quickly make a first post is overwhelming. A bit more flare next time please.
Things you could have said:
- Yes, but does he run Linux?
- In Soviet Russia, security specialist interviews YOU!
- My eyes, the goggles... combined with a tldr
- Request if said security expert has mr. Ballmers pass, and if so, does it have the words: Bill, Gates or chair in them.
Endless possibilities there.
Now as a followup I'd REALLY like to see the same interview (possibly even the same questions) put to the guy in charge of security at Apple.
That would really put things in perspective
If these responses are genuine then it's clear to see that MS is taking security more seriously. However, their methodology leaves a lot to be desired. The Security Development Lifecycle can't be a seperate function but needs to be an integrated part of the normal Software Development Lifecycle (notice they're both SDL). It starts at the level of the code jockey; I get the sense that they don't really know the competence level of the people they have writing code and they certainly haven't drummed the idea of secure code-writing into their heads. If that's true, all the rest of it doesn't matter. Security review has to start at the code writing level and work its way up slowly; given the market pressure, I don't see that happening.
GetOuttaMySpace - The Anti-Social Network
All those talented (?) professionals, and all those plans and schemes and "... documented, repeatable processes & checkpoints in the release process to make sure that this process was followed"...and it all comes down to Uncle Kenny. The building is full to the rafters with brains, yet one simple conversation with a user and the entire project meets an otherwise delayed milestone. Un-be-lieveable...
Uncle Ken, if you're reading this, give Nephew a swirley if he doesn't cut you a fat bonus, 'cause your instincts are top notch. Except, of course, that you run Windows, but I'm sure the 'XP family pack' gets a workout, so at least the price is right.
If so, I hope the employee who asked the question above succeeds in maintaining his anonymity.
My work here is dung.
If you notice the entire list of answers, there are a few buzz words being thrown around. Unfortunately, memos and discussion of security since NT hasn't resulted in anything more than lip service. Yet, when a genuine MSFT employ jumped in, Mr. Nash sticks to his buzz words and fails to provide any substantive response.
Listen, Mr. Nash, having a process is great but the key is foster an environment where those processes can be followed. Furthermore, there must be accountability on a per department basis. If X product consistantly comes out with security problems then those departments must be punished with tighter oversight and/or restructuring. Until Microsoft can show to the world that it values security by taking action against those departments that fail to provide secure applications, no one is going to take you seriously. Trust me, when your job could be on the line for putting out crappy software, people will change.
In late 2001, I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine.
So M$ even forces close family to upgrade! Win2K wasn't that out of date in late 2001.
init 11 - for when you need that edge.
With spending like this, exactly what are "conservatives" conserving?
A good interview for the most part, but I have to take issue with this bit:
How about feeling bad for everybody that gets spammed by people using these machines as zombies? It's not just the person using an illegal copy that is negatively affected by their infection.
Bogtha Bogtha Bogtha
But I hve noticed that just about every "security update" that microsoft has produced thanks someone outside Microsoft for finding the issue. This is commendable for sure, but it's also a sign that Microsoft internally isn't finding these issues.
This is in no way unique to Microsoft or technology companies in general. There is a corporate mentality at most companies that lets you question and doubt but only to a small extent. That is why outside consultants exist. What Microsoft has to do is embrace these third party groups who are basically doing the work for them for free.
It reminds me of the article about Lego in the latest Wired. They went out and grabbed 4 of the biggest Mindstorm geeks and made them intimidately involved in the design of the new version while paying them with Lego.
It really is what we have always said is Linux and open-source's greatest advantage. Lots of eyes outside of the original coders looking and tearing apart.
[...] but given that Windows Vista and Windows Longhorn Server are going to be the most significant releases of Windows in the last five years or so [...]
By the time they are released, the will have been the only releases of Windows in the last five years.
I think this is pretty insightful. Too bad I don't have mod points
In late 2001, I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine.
He's a VP at Microsoft, and treats his family like the BOFH! I would think that if I didn't want to be in a "forced upgrade" situation, that having this guy in my family would be perfect. No such luck. He must be really popular at family reunions.
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
He certainly was candid about the whole thing. The one question I never got to ask was, "if Gates or Ballmer offered you the top 100-200 engineers and a large budget, would you reimplement Windows from scratch using all of your preferred security methods?"
God knows they have the resources!
I understand their compulsions. They have gone the whole hog in reviewing code, SDL SD3 etc etc. And then it comes down to this. Each software release is going to take longer and longer and longer and longer. But what they still fail to understand is Grandpa's and Grandma's :-) When they visit a website and they are prompted to click okay 10 times... They will still do so.. When they are prompted to enter their password they will still do so :-(. How many people bother reading those messages anyway.
First, thanks for answering my question.
Believe me - I noticed the lack of FIPS validation too. In fact, my company (Standard Networks - http://www.standardnetworks.com/ was more or less forced to develop an FIPS 140-2 validated AES implementation ("MOVEit Crypto" - http://www.standardnetworks.com/uploads/media/MOVE it-Crypto-FIPS-140-2-Overview.PDF) for Windows (and later, Linux) to get around this Microsoft limitation. If a FIPS-approved AES algorithm HAD been part of the base Microsoft OS, it would have saved us a lot of extra work and money.
He is a VP afterall. I am glad that he took the time out to answer questions and it appears that his answers have been thought out and written well, but he just sems to be missing the point.
The decoupling of IE from Windows question pretty much sealed it for me. I do not care how much money you make being a VP, if you have ANY clue at all about programming and/or security, embedding the browser into the OS is a bad idea. And the excuse that the email client needs it is just a joke.
MS does not care about security if they did they would get someone who actually understood the real problem to do the work.
Is this guy really the MS security VP? I find some of his answers amazing. About his uncle he says "I told him that he should turn on Automatic Updates and turn on his firewall. When he asked me how to do it, I talked him through the dialog boxes and we got him setup. In this process, I learned two important things. The first was that that the process of making these changes was a pain in the neck. The second was that when we really should have changed the default configuration for Windows Update."
It seems pretty amazing to me that the VP for Security for one of the biggest IT companies in the world should have to have this type of learning experience.
If Microsoft is serious about security, they need to treat it like they treated reliability. Eventually about 50% of their resources were spent on testing. (One tester for each developer.) I'm sure that this was a battle, but eventually the developers saw the benefit and bought into it. Hopefully Microsoft will eventually devote developers exclusively to security, and in nontrivial numbers.
Asking developers to do a security review at the end of the development cycle is about as effective as asking them to do some testing at the end.
He doesn't come to that conclusion - MS still allow illegal users to install "high priority security updates".
In any case, even if they did allow illegal users to manually run updates via the Windows Update site and install the MS AntiSpyware tool (instead of any of the free, non-MS options out there), they can't guarantee that the illegal user will do that. Just as they can't guarantee that normal users will do that. So there could well be only a relatively-insignificant drop in worm/virus traffic.
It's interesting how he doesn't address the fact that MS is putting the Internet community at a higher risk because of their own philosophy that you shouldn't pirate. :-p Definitely a stance of "taking care of our company's profits are more important than helping against profit losses caused by problems from our community in general".
It's also, from having used Windows, interesting that he doesn't say that critical security updates still are sent despite Windows copies not having been activated. Isn't this just about non-critical (non security) Windows Update services?
I have a feeling I'm wrong though as a VP should know better, especially to find arguments to make him look better, but I'm pretty sure I'm seeing regularly autodownloading security updates on XP copies using invalid keys, still on SP2.
Beware: In C++, your friends can see your privates!
Actually, to be fair, he answered my question better than I expected. Of course I had low expectations to begin with. But I can see that he was trying and gave some examples of things that are changing internally like SDL. Still, to say that Microsoft has been focused on security since Windows NT wasn't a good way to start out his answer. :-(
"We know our old stuff is filled with security holes but that's because we didn't really care before.
The new stuff will rock! GO BUY IT NOW!
Oh yeah... open source sucks too!"
The guy even blew off valid questions from MS Developers.
That's talent... this guy should run for President.
Hmmm witty sig or funny sig? Maybe elitest techy sig!
The other thing added is something we call protected admin. This is a mode that administrators run in by default. If someone is configured as an admin, their basic execution happens as a standard user. When they try to do something that requires the administrator privilege, the system prompts them to see if they want to elevate to admin to complete the task, and if they consent, just that task is elevated (this is more secure that SUPERUSR ON in Unix that elevates the entire session). When the task completes, the high privileged process is torn down. The system can also be configured to require a password on elevation.
Is it just me, or is this exactly what sudo has been doing for over 25 years? Good Unix admins don't run sessions as root. They run regular user accounts and execute their admin commands using sudo to elevate just that process. In fact, at least Fedora is set up to automatically prompt for root credentials when a regular user tries to run a command that requires root privileges..
Congratulations on the fine innovation you call "protected admin," guys!
According to Google, no one has ever said "SUPERUSR ON" before this guy.
I mean, I know it's his job to use MS stuff, but hasn't he tried the competition enough ot know that the command in question is called "su" and that most people just use "sudo" to do superuser commands one at a time? I mean, I know I'm being picky by calling out his semantics, but this is pretty basic stuff for anyone who has ever used a *nix, and as a security guru it seems like he should have at least dabbled until he got the gist of using OpenBSD, or whatever.
"In late 2001, I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine."
Wow. A Microsoft Employee forced his own grandmother to upgrade...
...but given that Windows Vista and Windows Longhorn Server are going to be the most significant releases of Windows in the last five years or so...
I have heard this BS every fucking time MS released a new update (latest SP2 for XP)... why should we belive this after 20 years of lies ? (well, ok, maybe not lies... just promises)
"OpenBSD had 79 for November, December and January"
/dev/fd.
"I encourage you to look at the numbers reported at the OpenBSD site to verify that this is true."
Am I missing something?
http://openbsd.org/security.html
I count 2:
- Jan 5, 2006: Do not allow users to trick suid programs into re-opening files via
- Jan 5, 2006: A buffer overflow has been found in the Perl interpreter with the sprintf function which may be exploitable under certain conditions.
Neither of these are remote vulnerabilities, either.
In late 2001, I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine.
In February of 2004 I was down visiting Nanny in Florida. I was on my way home from a business trip, so I was only there for about a day. When I got to her house she fed me breakfast, looked at the latest pictures of her great-grandsons and then said to me that she needed some help with her PC. When I powered the thing on, it was clear that something was wrong. The machine was very slow and you could see the icons on her desk being drawn pixel by pixel.
all my windows customers that call and say, "there's something wrong with my computer, it's really slow," get a short sales pitch on switching to ubuntu. to date 100% have switched, and i have had 0 complaints. it's the best way to upgrade any windows installation.
When you recognize love in another and realize how precious it is, everything else seems so insignificant.
Perhaps we should start a petition so that no researched with be shared with M$
I have no idea how he came up with his numbers for OpenBSD security issues. There may be a lot of security issues with third party packages, but where the heck does he get his information from?
"I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine."
dude wtf?...... that's cold!!
Although it is clear from the response, Microsoft is serious about improving their security their methodology is seriously flawed. Creating a product by rigorous design is good but inserting a seperate security check at some later time is tantimount to writing software that is "hopefully secure". If security is a feature you design as a feature from the start. Anything else you will get somthing less than desirable. Simply put: If you wait till some later stage to check if the system is secure, chances are it won't be or if it is has some exotic side effects that are undesirable.
Very few features that are not designed end up working correctly. It is too costly to write software by hoping features show up out of the blue. This is why you try to design things. If I read this right, Mike Nash believes that one can write software and then apply a "security process" at some later date which seems to fly in the face of everything I've learned about software design.
Wow, so much for 'only 1 remote hole in 8 years'. OpenBSD really sucks!! Hmm ... wait, I go to their website and I count ... hmm .. 2 security patches, and they are halfway through their release cycle.
... 79 ... maybe he just miscounted? While he is generally correct that Windows has (many) more projects and code lumped with their OS than OpenBSD, if he had *any* idea what OpenBSD was, he'd realize they did much more than 'just harden their kernel'.
Did Mr. Nash even go to the website of the right project? Hmm, let see 2
I can only conclude, Mr. Nash does not know what he is talking about. Thus, with OpenBSD sitting at the 'top of the heap' in the list of secure operating systems, it looks like he hasn't even investigated their process for lessons he could have applied to Windows Vista. How could he when, apparently, he doesn't even know who they are!!
This apparent ignorance does not inspire confidence. Sadly, I have to predict, that security in Windows Vista will only be 'better than the last version of Windows'. It could have been much more if Microsoft had only looked around to see who was doing it right, and how. I fully expect hackers will eat Vista alive shortly after it is released...
That is a very nice idea. Can we, can we, can we??? Pleeeaaassse!
How about not generating an organizational culture of fear? Anyone who has taken an introductory psychology/behavioral theory course knows that while the threat of punishment works as a deterrent to deviant behavior (like letting bugs slip through the cracks out of laziness/apathy) some of the time, the promise of a reward for doing things right is much more effective.
If I were a Microsoft executive charged with the task of elevating security standards, I would institute some kind of incentive system for secure code. None of your team's applications required a Tuesday patch this month? Here's a check. You found a vulnerability of which we were previously unaware? Here's a bigger check. Keep up the good work, valued one!
He didn't seem to answer the actual Microsoftie in the trenches who was saying that the processes that are in place are not working. His comments about repeatable processes reminds me of the production line school of thought, that if you can work out how to do something right once, you need only document it and the factory worker can do it over and over again like a robot.
This has been applied to software development for a long time, and certainly not only by Microsoft. Sadly software developerment isn't a factory job; it is creative, and so you must treat it differently. Quality Assurance isn't something you test in at the end, it has to be a consequence of the entire process. When you are designing something new you have to think from the very start about the security model.
I don't believe code review will help security - as in my experience code review will only deal with issues of syntax and adherance to coding standards. One way to do it is not to use a language which permits so many potential issues such as buffer overruns that can result in a system being owned.
Dr Phil talks about setting yourself up for success, and I don't think Microsoft has learned this yet. They are still coding the same way as always, only added on some 'processes', rather than giving the developers the ability to deal with security as a priority higher than shipping.
"great" mentioned 18 times.
You can just hear the managerspeak twang.
"for users who still need or want to be logged on as an admin on their system we make it clear to them when they are about to do something that requires administrator privilege. The user can configure their system to either ask them if they want to escalate, or ask for a password when the system tries to elevate them. We have also gone through all of the system services in Vista to see which ones have admin privilege, verify which ones really need it, and for the ones that don't, remove it. "
Why does this take 5 years? I mean, it's obviously the largest problem with Windows (unless maybe IE-integration), and it took 5 years? I mean, OS X has had this for like 4 years or something, and Linux has Sudo (or something) that does the same thing. Why is it boring and useless when someone else does it, but critical and innovative when MS steals it 5 years later?
he actualy mentions this in one of his awnsers, in exchange for other people finding problems and telling microsoft before they tell the whole world they get credit for finding the problem. if microsoft found the problem before they released they probably fixed it before release
Try to show some minimal reading comprehension. His claim is that OpenBSD is only one part of the "stack", and the other parts that Theo doesn't care about have all the common issues.
Think about email applications, Internet-aware clients like the AOL Explorer or even Microsoft Money that use IE to render HTML in the application.
G GGGGGGGGGGGGHHHH. This is a NEW feature???????????????? Why the hell does a website EVER need any of these capabilities?
Am I the only one who doesn't want my financial package rendering HTML from the internet?
For example, when a remote site is accessed, the site will not have privileges to install software, copy files to the user's Startup folder, or hijack the settings for the browser's homepage or search provider.
AAAAAAAAAAAAAAAAAAAAAAAAAAARRRRRRRRRRRRRRRRRRGGGG
The other thing added is something we call protected admin. This is a mode that administrators run in by default. If someone is configured as an admin, their basic execution happens as a standard user. When they try to do something that requires the administrator privilege, the system prompts them to see if they want to elevate to admin to complete the task, and if they consent, just that task is elevated (this is more secure that SUPERUSR ON in Unix that elevates the entire session). When the task completes, the high privileged process is torn down. The system can also be configured to require a password on elevation.
Well, at least they finally figured out how to use sudo.
Enigma
That's when XP came out. Obviously everyone cool had it by 9:15 am, and even the old grandmas should have had it by noon.
Am I the only one who finds it hilarious that Microsoft uses RMS to mean Rights Management Services? (DRM)
640YB ought to be enough for anybody.
Please find for me where, on the OpenBSD site, there are 79 vulnerabilities. He still makes that statement. Show me it's true.
And it isn't too bad.
.NET (Developer tools are laughable in Open Source), etc. I'm not saying any of those products are even close to perfect... but they are currently the best. The instructor was convinced that Exchange can't support how many emails that companies need yet, I just came off a build of Exchange that supports 19,000 users across thousands of geographic sites, all managed from a single location. Is it sheer hatred, or is it totally just idiocy on the part of those guys? I'm not trying to stereotype... I'm trying to understand. I would say 90% of the problems that the Unix/Linux guys laughed about with Microsoft, I could have fixed easily because it was an error on THEIR part, not Microsoft's.
I'll give them credit where it's due... I think XP is a great piece of software, and *knock on wood*, I haven't had any real problems with it. I think the worst of Microsoft's reputation comes from the Grannies and Grandpas who don't know how to use a PC properly -- and their problem is really twofold -- they have the largest operating system in the world, and they have also got the biggest percentage of neophytes who use it. It's really just breeding ground for virii, spyware, and the like. For a reasonably seasoned computer professional, Windows XP works flawlessly.
I will however, complain on a number of points. First, I had a friend who was a developer for the new version of SQL Server. I say *was*, because he quit. There is a *lot* of bureaucracy in Microsoft, and my friend hated it. Every time work was done, there was a meeting on the 'milestone' or whatever... and people would take turns ratting each other out to say that "So and so didn't do this" or whatever -- it was an extremely competitive, hostile environment. He now works for Yahoo, where he says the attitude is much more lax and people are encouraged to take it easy and work together. I think this attitude is also why Google has amongst the happiest employees and most production coming from its offices in the shortest amount of time. The layers of bureaucracy aren't as thick as they are at Microsoft, because Management and Employees aren't so clearly defined as they are in MS. There's a definite separation of powers there, and it causes a lot of friction and causes a lot less to get done.
As I mentioned yes, I've drank the Kool Aid. I think however, I can still keep an open mind. I recently attended a Red Hat systems administration class. I think I was the only "windows only" user there -- most of the people were Unix admins of some sort. I managed throughout to keep my mouth shut, because some of the distinct hatred of Microsoft was so reminiscent of Ballmer throwing chairs. I felt out of place at a very snobby party, because every few moments the instructor was there critisizing Microsoft and its products and I always was tempted to ask -- "So what does Open Source have to offer that can compete with Microsoft's products?" This is true in a lot of areas -- Exchange, BizTalk,
I know I've said enough already to get modded troll -- supporting Microsoft -- the horror! But look folks, I'm a Windows administrator with great admiration for Linux and Open Source. I run Ubuntu at home, my web site is served off of Red Hat Enterprise 4, and Firefox is the default browser on all my machines, Windows or not. But I know where Linux has strong points, and I know where it has weak points. After taking the class, and passing the test... I can honestly say that in any network *I* set up, I'd never use Linux as a domain controller. I'd use it for web serving, databasing, maybe a handful of other things. But it's not that Microsoft's solution is necessarily the best in itself.. it is the best in CONJUNCTION with other products. Those products, not suprisingly, are also Microsoft products. So I can create my Windows domain, set up users, set up a file server, set up shadow copies, and then all administrative tasks become idiot proof. My users can restore prior copies of files automatically that they delete or simply screw up.
The price is always right if someone else is paying.
Notice the word "default". You can be sure that when you install BSD on your pc, and connect it to the net, it will be running without problems for a long long time. Try that with a windows install. Instead, he just uses the infamous 'count vulnerabilities' argument, which just doesn't hold because you cannot compare a vulnerability that requires already an account on the system with one that gives root permissions from just any externel connection.
Furthermore my last OpenBSD install supported all my media hardware, and I could use xmms, mplayer, my tv card etc etc without problems. I would actually say that OpenBSD could be a very good candidate for people that just want to use their pc for multimedia without going through much pain.
molmod.com - computing tips from a molecular modeling
The question from the employee described a situation I've seen all too often, the "Emperor has no clothes" syndrome.
Management on high sets a policy and directs lower level management to develop a process, and perhaps the process gets developed and perhaps it is even a good one, but the implementation of the process properly requires more resources and less management pressures to get other priorities met (like a ship date).
The interactions between levels of manangement then almost invariably leads to the situation where the people at the bottom learn that people above them don't want to hear bad news, no matter whose fault it is, and soon learn that telling the truth leads to whacks on the head while telling half-truths, or putting a spin on the truth results in "atta-boy"s.
Multiply that by two three or four layers of management and you get this guy's response. He doesn't even realize after hearing the question that his policy is considered a joke by the lowest layers.
The funny part is, there are smart people in the lower layers and they can compare the corporate public communications of each layer of management and see how things get distorted; since they already know the lowest layer, it is ironic that they get one of the best views of the company!
I think the reason for most of these issues to be found externaly is the sheer number of external users vs internal testers and the unique scenerios they deal with on a daily basis. Even if you were to take the entire MS workforce of about 60,000 people and have them do nothing but search for issues, that number would still be dwarfed by the number of people externaly using/inspecting/trying to break their software (I'm assuming here, though I beleive its a pretty reasonable assumption). Also, the way people use their systems internal to MS (even in testing scenerios) is going to be at least slightly different than in companys A, B and C. While I agree that MS should continue looking for issues internaly, it's impossible to expect the limited number of employees who are dedicated to security testing to find every issue in every posisble scenerio with varying permutation of systems, users, and knowledge. Given infinite time, a thousand monkeys with a copy of Windows will find an issue ;)
The message from Microsoft: Never visit your grandma without your 512MB flash stick full of patches and antispyware progs.
From the answers it's obvious things are moving in the right direction, but there's also a lot of "I'm making it sound as if security is important, but it's really just everyone trying to save their ass".
You can't expect any company to be honest and just say "ok what the heck: yes we're not superhumans, the code base is huge, lots of bad decisions in the past, & we have lots of smart coders, but some less smart ones, and trying to improve on this whole bunch of stuff while remaining compatible is HELLA hard. But we're trying".
Non-technical users would assume MS is just being monopolistically-lazy about it.
I wish I still had some mod points. I was going to post the exact same thing. Somebody give this guy a +1, Insightful!
There are only 10 kinds of people in this world... those who understand binary and those who don't
So while OpenBSD has done a good job of hardening their kernel, they don't seem to also audit important software that are used commonly by customers, such as PHP, Perl, etc. for security vulnerabilities. At Microsoft we're focusing on the entire software stack, from the Hardware Abstraction Layer in Windows, all the way through the memory manager, network stack, file systems, UI and shell, Internet Explorer, Internet Information Services, compilers (C/C++, .NET), Microsoft Exchange, Microsoft Office, Microsoft SQL Server and much, much more
I think he needs to be very careful with that statement, I'm by no means a Windows expert nor can I even program Windows applications in any way shape or form (once a nux user always a nux user :))
I'm not too sure about memory protection with MS but from what I can gather they dont have a non-executable stack region. Also, from the look of the Windows exploits that I've seen they remind me of linux type nop slide style exploits that hit the net 5 years ago. The only way to nab OpenBSD is creating heap based injections and again I havent kept on top of OpenBSD all that much either so that itself could even be outdated, therefore improved.
Where the failing with the MS model lays (which it has always been) is that they rely on the programmer to handle architectual issues (sort of like the HT inefficeny discussion that was being spoken about on /. a few months ago) while when dealing with *nix its different because they deal in proper abstraction of hardware and always have.
Now they are saying when Vista comes out (which mind you is just the os and not the compiler) its supposed to implement all this new abstraction now all of a sudden? What happened there? its taken a 200B+ dallor business 5 years to actually obtain compentent programmers that can write this? while the guys at Berkley have had it for nearly a decade?
It seems to me that they cant just go off and do this and expect legacy apps to just suddenly work after all these rapid system changes. Especially when dealing with memory management? or will it? again i'm not a Windows programmer so I cant really say. So maybe others who know better could comment.
Worse to that I could futher pull apart that comment by the way hes stating that "Microsoft cares about what applications people use" how the hell does that work? Last time I checked Microsoft wont audit anything that isnt Microsoft (which up to this point has been a bit of global embarressment for them) but what hes crapping on about are application sets that are not directly associated with the OpenBSD project any way shape or form?
Also hes saying that they audit c/c++ how ambigous is that? and how the hell is that going to work? is MS implementing idiot proof automated security checking in their compilers? I dare say that would be a mission and a half to complete.
My overall sum of that comment sort of reminds me of a politican who promises all these wonderful things before the election just to get votes....
Automatic Updates once installed an update and restarted a PC in my lab without asking for permission to restart. It interrupted a long term test of a digital system, and required me to redo two days worth of testing. Take your Automatic Updates and stick it.
Reading between the lines, Microsoft has only been really serious about security for about 4 years now. I suspect that all Windows installations will be reasonably secure by 2020 or so. You don't get a huge company like Microsoft to change overnight and you don't get all their users to change overnight either. Even if Vista is the most secure system on the planet, a lot of users will resist upgrading to it for years.
I'm not convinced that their security process allows them to assign responsibility as much as they think it does. In my experience, developers in this industry don't stay on the same project for very long and bounce around to other companies a lot. By the time bugs start getting found in IE7, the developers responsible for them may have already left the company. And how does their process deal with outsourced work?
Something bothered me about having tiger teams do security audits on code, too. While programmers familiar with the issues that can cause security breaches are indeed hard to find, his answer seems to assume that the team just looks at the code and moves on. In a more comprehensive audit process, regression tests would be written against every function reviewed. Sure it'd take time but you'd end up with a complete set of regression tests too, and then you only have to look at new code to make sure you don't have to write a new test for it. That's how they did it at Data General when I worked there.
I'm not buying his idea that DRM allows the average user to protect their information. DRM won't allow the user to prevent his name or email address from being sold around the globe. It might protect information they created with their computer, but only by refusing to speak to untrusted systems, further cementing Microsoft's stranglehold on the market. It'll also make it a lot more difficult to release those incriminating memos and make whistleblowing more difficult. Which I'm sure are on the corporate agenda.
As for his answer about decoupling IE, a simple solution to the problems he thinks up would be to simply document the interface a DLL must export to provide that functionality. Then if you want to use Mozilla's HTML renderer instead of IE's, you can just drop in the correct DLL. And if you don't want system-level HTML rendering, you could just drop in a dummy DLL or delete it entirely. Requring developers to check for this and deal gracefully with it would also be a good idea.
Question 8 was a fun one. He seems to assume that every PC on the planet must come with a licensed copy of Windows. While it might be true that the average user would have difficulty getting around the Microsoft tax, we all know how to do it -- build your own computer from scratch. However, like Nash I have no sympathy for the Windows-pirating user. My reasons are different though. There's plenty of free software around that you can use to be productive with your computer. Whining that none of the rest of your (probably pirated) software will run on a free OS will get you nowhere with me. You have no excuse for your piracy and you're just making things worse for the rest of us. Grow the up and take some responsbility for you actions.
I find it amusing that Microsoft happily bundles all bug reports for all distributions of Linux under the heading "Linux" but in question 12 he quickly disclaims that they had 11 vulnerability counts for Windows but oh one of those was for office and one for exchange so that's really only 9 for Windows itself. Can you say double-standard? I bet if you looked at just the OpenBSD kernel itself and not all the applications you can install on it, you'd come up with a number a lot smaller than 9, too.
All in all I think it was a great interview. Usually I can't read through one of these without getting queasy from all the PR crap. This guy seems to at least be trying to do the right thing even if his thinking is colored by where he works. I think it will
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Hmmm...it looks like Microsoft coughed up FIPS AES into Win2K3sp1, thought it still isn't in SSL. (http://csrc.nist.gov/cryptval/aes/aesval.html - #290)
I suggest they make it PROMPT you before rebooting, and if you don't click "stop" within a specified time it reboots. If you are going to be using a system as a QA box, you should configure it as such (disable automatic updates).
SDL sounds nice, bit it misses the point. Bugs are going to happen. When are OS designers going to recognize this and provide decent protection? One of the main purposes of an OS is to protect applications from each other, but I don't really see this happening. Why should running code inside IE allow the attacker to do anything other than acess the internet or view the users cache and cookies? Why should running code in WMF be able to do anything other than drawing?
After he even gave you pudding.. sheesh.
He took the questions and answered them. Were you people expecting him to come pleading for the mercy of the wise and all seeing linux gods or something? Were you expecting him to say "Oh well.. we know linux is better.."
If so, please just give it up now, change your sig to reflect which complete bias you currently support so we can more easily filter things around here.
I work in a very security oriented company, we design software used by I believe all the fortune 5 and 95% of the 500 at the last count. He made one really valid point in my eyes. As much as OpenBSD can harp about how secure they are can they harp about how they include all the usability functions and features that XP does in the default install?
I'm a fiscal conservative, it's a pity we don't have a political party anymore
Without saying 'everything' what are the actual ranked or prioritized security issues at MS for Windows?
DRM?
Spyware?
Integrating tools that already exist into the MS sphere?
Patch management?
Time -to -fix cycles?
Better security architecture?
Other?
I get a creepy feeling that Mr. Nash gave either "Everything is important to us" or "You don't understand how much less complexity everyone else has to deal with" as a template answer. Which is unfortunate because it's a little self serving. openBSD based Mac OS has the same suite of features and complexity that MS Windows does, for example. Most Linux/Unix on the SERVER side has as much complexity as Windows to deal with.
I just don't follow how not only is MS's own feature creep and out of control change management/version control problems a virtue but apparently it's my cross to patiently bear.
All we're really looking for Mr. Nash is MS's competant management of OUR expectations. What are YOUR priorities and how do you plan to address them.
I like how he made his own relatives upgrade before he would help them. Strongarming HIS OWN RELATIVES before he will help them with problems in HIS COMPANIES' OWN SOFTWARE THEY PAID FOR. It takes a special kind of arrogance not just to do this, but then TO ADMIT IT!
This guy BLEEDS microsoft Teal. Or whatever color they are.
We get it that embedding a good HTML rendering engine adds user value. Apple also got that, and implemented WebKit right into the system. HOWEVER, on the OS X side of the fence, the Finder doesn't rely on it, and it's not hinged with Safari. Software Update (the Windows Update counterpart) is a solitary app with a table for a list of updates, a rich text field for the description and another rich text field for license agreements in a secondary dialog.
Microsoft, if you can hear me, a standards-compliant IE engine embedded into Windows *would* be good (for the purposes of a short post, I'm leaving the but-IE7-will-not-be-standards-compliant, lock-in and monopoly issues as an exercise for the reader here) but it does NOT mean that it's fucking neat to build it into all of your apps - or in extreme cases build apps on top of it or in it where it's not at all needed. It also doesn't make for a good time when the next vulnerability in your rendering engine comes along.
Seriously, knock it off.
Sure. I'll email/call and ask. Anyone have direct contact info? Email me - roblimo at slashdot org - if you do, please.
- Robin
"Part of the value of owning a licensed copy of Windows is that you are protected from spyware. If you don't pay for your copy of Windows, you aren't protected."
The bulk of people who get spyware or viruses are licensed Windows users. Even if you are a valid licensed user, it's no guarantee you are protected.
"It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected."
Ok - Mr Nash, in that case, can you sell me a Windows 98 licence for my libretto 110 it's only a P75, with 32mb of ram.
Or how about a NT4 Server licence for my P200, 256mb.
Or how about an Office 97 licence, as I really don't neeed or use all the new features of the new versions of Office.
The intervew is interesting and informative, but it's too long, so I took the freedom to shorten it a bit for those who don't have the time:
(1) What has changed, but cut the bullshit this time.
Nash: Sorry, can't cut the bullshit.
(2) How do you manage the secure/user friendly defaults ratio?
Nash: Well, we want it to be secure by default and so on, but marketing says "we want features" and we comply...
(3) Top priority for security in 2006?
Nash: Praying like hell we nail it with Vista.
(4) Did OSS influence the way you think about security in Windows?
Nash: Yea.
(5) What is the basic approach to Microsoft security?
Nash: Too complex to really say, so, I'll instead distract you with some vague statements.
(6) Why add DRM? Also, why not decouple IE?
Nash: We don't have DRM, we have RMS. Which is entirely different. Name that is. As for IE: too late now :P
(7) Do you ever spend time with "average users"? They are all infested with trojans!
Nash: Yea I know, so is my uncle and my grandma.
(8) What about Windows updates to unregistered machines?
Nash: Well, we thought about it long, long time. And basically: if it has nice GUI, then you gotta pay (like AntiSpyware), but if it's just patches, we don't really care, so there.
(9) MSFT employee here. I'm so drunk right now, and I wanna bash MS so much right now, OMG!
Nash: We have your IP dude!
(10) Why no AES in SSL yet?
Nash: Could we add AES in XP like an update? Sure. But then we thought: naaah. But it'll be in Vista so stay tuned.
(11) VISTA users must still be administrators?
Nash: If you wanna run most of the existing software, ya. But we shuffled around some things. Admins now will get nag screens to fill their login info, but on the other hand we made it so user account can now LOOK at the clock!
(12) How is it that OpenBSD is able to be so secure by design?
Nash: Cuz it sucks!
(13) Differences Between Windows & Other Employers?
Nash: They were hardware, we are software. Also at MS we have big budget to reinvent our marketing campaigns, where at DG we didn't.
Disclaimer: I don't claim this to be too accurate or in fact accurate at all, so take it for what is is..
I think being "intimidately" involved in things will be my new goal. It sound very mobsteresq.
The Security Design Lifecycle is part of the daily process of work on software development at Microsoft. It has a fancy name because you do different things at different parts of the cycle, and it has specific signoff points, but it's not like it's something you do all at once at the very end. Threat models are done before code is written. Code reviews include checks for certain known badness. Tools are run at check-in time to look for things like buffer overruns. Tools are run post-build to look for other types of errors.
The whole point of documenting the security part of the lifecycle was specifically so we can be educated on how to apply security thinking to our daily development process. In fact, I remember when they put little advertisements on all the tables in all the cafeterias about this very point.
It's a whole process that is integrated into the daily development cycle.
Neil
What a super interview!
He didn't answer _my_ question. *snort*
But otherwise, here you have it folks, straight from the proverbial horse's mouth:
1. Ummm, Vista will fix that.
2. Bad security -- the user did it!
3. Ummm, Vista will fix that.
4. Windows updates!
5. Design better users...
6. Ummm, Vista will fix that.
7. Design better users...
8.
Everything in the Universe sucks: It's the law!
I'd say my reading comprehension was just fine. Sure, the OS is 'part of the stack' ... a vague and incomplete truth ... hardly insightful. OpenBSD doesn't audit 3rd party software that is not part of the base system. Microsoft doesn't audit all the software on you average Windows PC either. Plus I doubt a Microsoft code audit will equal an OpenBSD code audit any time soon ... especially if they are not doing everything they can to build on the lessons learned by others.
...through PR agents. Thats mainly because he is a VP and has to do PR all on his own.
I have to admit, the answers were very slick. He has doubletalk capabilities that far surpass that of any politician. I was looking forward to the responses, as most of the questions that were picked were the ones I wanted to see anwers to.
In the end, it sounds like inconsequential rhetoric. As the very first comment says, Microsoft still doesn't get it.
I'm god, but it's a bit of a drag really...
Microsoft doesn't publish security flaws found internally unless they pose an extreme risk of discovery or exploitability. Very few (if any) people or companies do. Hell, go look back through old branches of OpenBSD and you'll see a litany of flaws silently patched over the years.
Grrrr. I have three licenses for Windows XP for my two desktop machines, neither of which even run Windows XP as their primary operating system. So my copies of Windows are licensed and up-to-date.
It ticks me off that Microsoft won't help unregistered users of Windows. As a direct result of Microsoft not offering antispyware, etc. etc., I suffer the consequences. My computers are hit by spam. My computers are hit by viruses. But my computers are fully licensed!
Microsoft seems to be missing the point. By providing full updates, antivirus, and antispyware even to unregistered users, they would be directly benefitting registered, licensed customers.
Oceania has always been at war with Eastasia.
Ah, but Explorer is not the only shell for Windows, there's Litestep, Blackbox for Windows (and its offspring), and for the truly hardcore, progman.exe :-) (it still runs on W2K last I tried, although you do have to create all the groups yourself, and no system tray too)
The only way he could get 79 vulnerabilities for OpenBSD would be to count the applications in the ports tree. And that's not "counting the whole stack", that's more like counting all the 3rd-party software available for installation.
So let's do that for Windows: every application that can be installed. All the thousands of them. And with the glory that is cygwin, that will pretty much include everything in the OpenBSD ports tree too!
No, this doesn't make sense.
Let's use another criteria: effort to secure, *before* deploying any apps.
So I follow NSA/NIST/CIS/CERT/MS guidelines and proceedures for installing a Windows server that I intend to expose to the Internet. I install, patch, configure, etc. This takes hours of actual effort.
For OpenBSD I install it and plug it in. If there are any relevant errata I may patch it. This takes wall time, but about 5 minutes effort time.
And when I'm done both, which one do I have a hope of actually being able to trust? With which one am I pretty sure I didn't miss anything?
There's spin and there's outright lying. This fellow is crossing over into the lying.
As the highly computer literate relative, I have had to put my foot down as well. My time isn't limitless. More than half of my family run drastically outdated software on even more outdated hardware, and the phone rings a lot. I tell most of them there's nothing I can do. New software and new hardware.
Sounds heartless, but my family would suck every last minute out of my life if they could.
It's funny. I have contractor cousins. I would never dream of saying, "Shingle my house for free. Here are some old shingles."
I would never charge family for the help. The flip side is that excepting for very specific circumstances, I often won't help at all.
This hardly seems fair, if Microsoft's established SDL identifies and fixes a vulnerability in the development process, then it's not going to have a patch released for it to begin with. Before eEye gets there hands on this product, it's already been run through the MS ringer. Who knows how many thousands of things MS has fixed before that point.
... what do you expect? We're dealing with thousands and thousands of developers and product lines here. Educating those developers, holding people accountable to a standard, and putting controls in place is all that really can be done. I guess that's all, on with the accusations of being a mindless MS zealot ;)
In a product as complicated as Windows, geared towards an audience as general, varied, and uneducated, there are going to be problems! This is an unavoidable fact of life, so what we can do is introduce controls to mitigate those problems. What we can do is design products that address issues in general, so that even if something does slip through the cracks, other items are in place to pick up the slack and minimize the input.
I have do disagree with the general statement that this was just a bunch of HR tripe, it couldn't be further from the truth. Ok, I can acknowledge that he touts the SDL as a panacea to all MS security woes, but he also makes some excellent points and mentions some changes that really will make a difference. Specifically, talking about minimizing the number of services, what those services do, and what context those service run under is HUGE. Further, creating an environment that is friendly towards people operating their system in a non privileged mode is also huge.
Further,
This interview shows some shocking stupidity from Microsoft. (Much more than I would have expected.) For example:
What the events of the last 5-10 years have taught us (or at least taught me) is that the more you have turned on, the more attack surface area the system has and therefore the more vulnerable it is. If you assume near perfect quality or that there is no one out there trying to attack you, it might even be an ok decision. But since you can't, we need to be more selective about what things we turn on by default.
It took them 5-10 years to realize that? And he indicates that he may be the only one who figured it out? The entire development community has been screaming this fact at them for at least 10 years!
The principle of Secure by Default says that unless most users are using a feature, it should be turned off by default.
Well duh! It also makes sense to turn off features most people don't use, as they suck up resources! Wouldn't users computers seem faster if all those unused resources were turned off?
What we have also learned along the way (and my Code Red example shows this) is that you can't just look at the user visible features, but also need to look at the underlying services. So if the customer feature is off by default (or turned off by the user) then the underlying components that support them should also be turned off when the high level feature isn't using the service.
Again, duh! How could a technology company possibly be this stupid?
But you make a great point about complexity. If we turn more things off by default, we need to make it easier for users to turn things on when they want to use them. ... The benefit of turning things off by default is two fold: 1) it protects the individual system from being attacked if a vulnerability exists in the feature because the feature is turned off by default, and 2) it also protects the populations of systems because the worm or virus can't assume that the feature is on and therefore the systems aren't broadly exploitable through the vulnerability.
Actually, it's 3-fold. 3) it also keeps users computers running better! But that's beside the point. Why wouldn't you strive to make all of your features as easy to use as possible? (And by easy, I don't mean having a dumbed-down interface or lots of dialogs that give users warnings they won't understand. I mean usable.) It can only decrease the amount of tech support calls you have to outsource.
All I can say is "Wow!" I never imagined that in 2006 Microsoft would still be this complacent about security. This is shockingly awful.
Mike Nash made a snide remark that "I should also note that in contrast to the existing AES implementations that have not been through an evaluation, we plan to get our implementation evaluated to meet FIPS guidelines and requirements." Might have been true when he said it, but it's no longer true. OpenSSL completed its FIPS 140-2 approval earlier this month. See http://www.linuxelectrons.com/article.php/20060122 164238268 for an article about it; the approval (certificate #626) should be posted at http://csrc.nist.gov/cryptval/140-1/1401val2006.ht m before too long.
Have you tried Eclipse? It blows the doors off of anything MS has done IMO and I've used Visual Studio for years.
I recently attended four night classes on Java. Eclipse was the development platform.
When building GUI's in swing, the components would often collapse into points when dropped on the screen. The only way to get them back was to close the project and reopen them
Spaces in XML files in areas that should have been ignored caused application builds to fail. These were very difficult to track down.
I would try a build twice, with some specific failure resulting, and I would be unable to find the problem. I'd close down Eclipse, reopen it, and it would work fine.
I don't know how much time we spent fighting the tool on insignificant little issues that should never come up. I do know that I wrote a letter to the institution explaining that i would never attend another course with them again. I said that the platform provided should be solid, otherwise they are wasting my time.
I also downloaded the software onto my system, and tried to retrace our steps at home, with exactly the same problems.
I never had any problems of this kind during my limited exposure to Visual Studio.
He hears someone has an unregistered copy of the operating sytem, and he feels sorry, because he calls that illegal. And he simply makes things up regarding OpenBSD's vulnerabilities.
Try reading Mr. Nash's responses and substitute the word "Reliability" or even "Quality" for "Security" and I think most of what he says will ring truer. By using the term "Security" MS buries the problems with MS software in the broader morass of security breakins, viruses, etc. And, if you think that what I am saying has a grain of truth in it but that MS does this as a political device well, this is the same message they give their developers.
When Vista ships it will have been more than five years since the last OS upgrade, Windows XP. Yet IE7 will not include CSS3 compliance or ECMAScript 2.0 and E4X. By Nash's definition these are platform components and not part of IE. Does that mean we will have to wait for the OS after Vista before we see these things in IE8?
Before you say "IE7 runs on XP", yes but that's only because Microsoft has decided to back-port the HTML rendering engine updates they are going to put in Vista. Make no mistake, IE7 is driven by Vista's needs and schedule. IE7 will stay in beta all during 2006 because there's no way they will nail it down until Vista is done.
You want to know what those OpenBSD bugs are? Visit http://openbsd.org/security.html#38
Note that there have only been 6 (!) bugs since V3.7 (almost a year old now; 3.9 Beta is already available), none are remote exploitable, and all have been fixed!
And Nash talks about the software stack? The ports for Apache and Sendmail have been audited and patched, the sendmail patches are sent up-stream and the Apache patches... well, I guess it's a fork at this point, but still secured.
Oh, well all know that MS has an affinity for BSD-licenced software -- is it any surprise that their attempt at "write xor execute" memory came after OpenBSD's did?
The answer to the AES question reads
... was basically not possible" in any way related to a "pluggable model"?
"The AES was approved as a FIPS algorithm after Windows XP was released in 2001. Adding it to Windows XP RTM was basically not possible. Our approach for cryptography was and is to support a pluggable model and enable replacement in our platform in a broad sense."
I don't get it. How is "adding it
I keep on hearing people bashing the interview, but did you expect him to come out and say, "We screwed up!". I think he made good points about the culture and how they are trying to change it form competition to security. I can understnad culture changes, my company only has 110 employees, but changing the culture is very difficult. Also, how many other companies have been able to develop a user friendly product that is as expansive as Windows and don't say Linux, most people can't even get past the installation.
Here's him responding to the MSFT techie:
I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time.
"We are still learning" ? Do they have mental midgets working at MSFT?
How many buffer-overflows have been found in MSFT code? After the first one or two, why hasn't anybody been fired for it?
How many problems have been found due to incorrect defaults?
Yeah! Let's do that:
http://openbsd.org/security.html and http://openbsd.org/errata.html
I count 2 security vulnerabilities, and 2 reliability vulnerabilities. That makes 4. For the entire period of November, December and Januari. This guy can't count. Apparently, he plucked the number 79 out of thin air.
The kernel does hardware steering on a monolithic unix kernel, you know? And don't tell me Windows has decent support for 'rich media' when it can't interpret half of the newer media formats out there.
The 2 security vuln's are not only for the OpenBSD kernel, but for the entire userland as well, which nicely includes Perl, the GCC compiler, a real mailserver (sendmail), a GUI (Xorg with FWWM), 3 different shells, a browser (Lynx) and tons of other functionality you can't find in a default Windows install.
You seem to be an expert on this; why not put it into practice, instead of outright lying to a half a million slashdot visitors.
What amazes me is the high level of uniformity to this particular behavior. In psychology, nearly the only rule is that there are exceptions to the exceptions to the exceptions (infinitely repeating). This seems different though -- I've been watching it carefully for a few years now, and I've virtually never seen anything that could even be counted as a partial exception (i.e. giving a partial answer to the question that was actually asked).
If you question the validity of this observation, I'd just like to say: "That's a great question!"
The universe is a figment of its own imagination.
given that Windows Vista and Windows Longhorn Server are going to be the most significant releases of Windows in the last five years or so, we know that they are going to be used broadly by a large set of users for sometime--so getting it right is critical.
At the rate they are going now, they will be the only releases of Windows in the last five years by the time they are ready.
If I don't put anything here, will anyone recognize me anymore?
I think Mr. Nash didn't understand the point i was trying to make.
An infected illegal copy of windows can infect LEGAL copies, and spread spyware, malware, etc. Very few people I know, are aware of the existance of Windows Antispyware. Heck, most people are not even aware of antispyware at all.
In other words, what Mr. Nash is saying is: If you come to us and are registered, we can protect you. But you better do it before someone with an unregistered copy of windows infects your machine.
I wouldn't give a cent if unregistered machines were the ONLY ones affected. But they also affect registered machines, and don't stop there: They affect DNS servers, e-mail servers, and web servers - whether they're using registered copies of windows or not. Botnets are NOT A MYTH. They are a reality, and I'm sick tired of getting SPAM spread by those.
Last week one of our webservers (it was a shared host, NOT owned by us) began spreading javascript viruses which exploited the Windows() vulnerability. Have you considered that this infection could have come from an unregistered machine? If that machine had automatically downloaded (yes, for free) Windows Antispyware, we wouldn't have to worry about viruses spreading to the office's network.
My point was being proactive, but apparently Microsoft is more interested in getting money than in providing a good product in the first place.
This sounds a lot like sudo to me...is it possible that the people at Microsoft actually believe this to be a novel idea? Apparently, they haven't really taken a look at how things are done on *nix...maybe that is why everything they make sucks...
>they just don't have the results to back it up
Two words: IIS 6.
In a few more words: are those many holes (too many) being found in old code or new code? If Microsoft's push is working we'd expect to see the newer code being the safer code and the worst problems happening on older code. And indeed, the latest horror (WMF) was in code that dates back to the Reagan Administration.
The results most users want are the ability to hook a computer up to the Internet and surf the web. XP Service Pack 2 can stay up on a raw Internet feed for more than a few minutes. That's real, if arguably pathetic, progress. It's still not safe for surfing but at least the design changes in Vista are close to what security specialists have been advocating all along.
You would've MS fanboy'd the same, regardless of how anyone responded, just as long as someone gave you the opportunity to redefine pap.
:)
Your unripe jibe assumes his answers could have come in any form, ranging from the use of sign language, to mumbled replies, wheezed through a trachael tube. All you've got going is a weak attempt to hang a label on your victim, simply because you missed out on first post. (I've had two in two days...that must really rile you)
Thanks for taking a run at me...better luck next time
I'll go along with the idea that DRM could provide some kind of protection from my kid or my neighbor or someone else of low risk from "stealing" my information.
But I also believe that's about where the benefit ends. I don't think the government will really be stopped by this, especially in the current "war on terror" domestic spying environment; there will always be embedded rights/keys for national security purposes.
I can also see that people we NEED to get stuff from (healthcare providers, banks, etc) will probably also demand the same kind of blanket access and sharing privileges that they make you sign onto right now.
AFAIC, conventional public-key encryption provides all the DRM I'll ever need and since the trust relationships are exclusively under my control, it's the only one you can really rely on.
OK, so I've noticed a big problem with your cars. You see, people regularly die in them. Pretty often. Probably at a rate of one or two a day. Maybe more, I'm not actually at all intelligent or willing to take the 30 seconds it might take to find the stats on google. Hey, I'm a slashdotter. Ignorance is, mostly, bliss. At any rate, I can't believe you haven't included a few basic ideas that might make your cars much safer.
First off, your cars could be much more sturdy. I've noticed that, for the most part you use sheet metal, some plastic and a lot of alluminum to fabricate your little death sleds. You should probably look into plate steel and titanium. The fact that you haven't already shows that you are obviously don't like your customers. Nevermind that these extra features would raise the price significantly, but we're talking saftey here. I also understand that these ideas would make cars much heavier, thus resulting in higher fuel consumption and slower vehicles, but in the interest of safety this should be a small trade off. And don't worry about design. People won't care how it looks just as long as it keeps them safe.
Secondly, I've noticed a bunch of huge holes in the safety of your cars and trucks. Sure, you like to give them nice, cute names like "doors" and "windows" but, really, they pose a huge risk! I mean, look at the typical window. Anything could come through that. The windsheild, too. Not to mention the big hole that's supposed to let people in and out greatly reduces the structural integrety of the entire vehicle. I shudder to think about all those four door, 8+ windowed harbingers of death and maiming that have been set loose on our nations highways. I think you should really think about replacing them with a series of hatches and slits, or, better yet, cameras. The average driver shouldn't mind getting in through a small trap door on the roof. Works for tank drivers and other professionals who have to rely on really secure vehicles in combat areas, so it should work for every driver everywhere.
In other areas, you could also improve. I mean, what's with your dealerships not performing repairs on stolen vehicles? I had a, um, friend who took a stolen Ford in for an oil change and your guys just wanted to call the cops on him. You call that customer service? He was going to pay and everything, you know. Why should you care if he stole it? At least he's driving a Ford. It's not like you can't make more. That dealer had a bunch before he took it, anyways. Not like he could afford one of your new models, so you didn't even loose out on a sale.
I'd also like to suggest that you remove the obviously ill-concieved link between the fuel tank and the engine. I mean, what happens if I put something bad in the tank? What's to stop it from going all the way into the engine? I guess that's kind of the point of connecting the two, but it should stop. I can't be trusted (and neither can your other customers!) to know where I should fill up and what I should put in.
Also, why won't all parts work in my car? I mean, I'm really ticked because the new Saab alternators are the bomb and they just don't fit in my car. I also understand that Ford parts don't fit in a Saab, but that's more your problem than theirs because, well, Saab is just better and they have a cooler president and neat features like a cool name and, among the people I hang out with, it's popular to drive one. Plus, not as many people die in Saabs. Must be because they're better cars.
Anyways, just a couple of ideas I have. Hope you take them into consideration. I mean, afterall, you're not trying to make a car for everyone, just the one that makes slashdot happy.
Sincerly,
Jester6641
Slashdot reader 909919 and expert on everything.
Jester
Warning: This sig may be legally binding in England.
In 2005, Microsoft released 55 security bulletins. Let's assume that all of them were found by external parties.
None of us has any idea how many security vulnerabilities were found and fixed internally by MSFT employees before their products shipped. I suspect it's quite a bit higher than 55 bugs.
It's simply asinie to conclude that MSFT can't find and fix security issues just because 55 of them got past Microsoft's developers.
I still don't understand why people obsessivly follow vulnerability COUNTS. They are, quite literally, useless. One can, like any statistic, twist it to whatever purpose one needs. Somone should be implementing a method of quantifying the IMPACT of vulnerabilities (which should be independent of OS popularity). After all, sure, oBSD had 77 vulnerabilities, but how many of those are vulnerabilities that can only be triggered in esoteric circumstances. XP may have had 11, but the WMF flaw (which, I will admit, was technically a design flaw), could be triggered by simply browsing the web with IE!
The processes are NOT a joke. They're right processes and they totally, 100% make sense. It's just that management is more accountable for shipping _something_ than for shipping _something_without_security_holes_, so they're unwilling to allocate the time necessary to find and fix majority of issues (you can't really fix them all in a reasonable timeframe). So security push gets confined to a few weeks of time instead of being a continuous process that starts before the code is even written. It's not like you're encouraged to ignore security the rest of the time, but the schedule is usually so tight there's no time to think about big picture.
Also, accountability problem does exist. People who check in atrocities often remain unidentified and unpunished. This is why the process doesn't work really. If all code was properly written to begin with and the only thing remaining would be to find all the issues at the seams between pieces, Microsoft security process would be sufficient. Trouble is, some folks who work there are incapable of writing quality code. The only skill they really need to remain employed, though, is they need to check in things on schedule, no matter the quality of the stuff they check in.
Another misconception I want to remove - security push is not the only measure Microsoft takes. You're supposed to outline the security considerations at the time when you design your feature, and there are other things you need to do. BUT, security push is strictly enforced, where design docs are hardly ever read by anyone except the dev him/herself.
wasn't that a big guy with a beard?
-- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)
Overall, I was rather impressed. (Kissing my karma goodbye for going against the prevailing sentiment...)
You've got to admire the way he ducked the issue of DRM-as-in-media on a technicality, though.
It's become all too clear in recent weeks that DRM-as-in-media technology is, by its nature, integrated rather deeply into a system. It's also become clear that when such a deeply-integrated technology has bugs, they can become major security flaws.
As the original question suggested, I doubt any average user really wants DRM technology supported by Microsoft and on their home PC. So you have an issue with Media Player supporting DRM, and potentially denying the ability to play content you've legitimately purchased if things go wrong. You also have the need to avoid third party software compromising a system a la Sony/XCP. That means there are at least two valid, DRM-as-in-media security concerns, which are completely independent of anything to do with secure documents and MS RMS (my new favourite abbreviation :-)).
The way he sidelined possibly the most damaging question in the entire interview like that was rather clever, IMHO. Blatant, not fooling anyone, and ultimately bad PR since he failed to tackle something that's going to be an increasingly important issue early, but still clever...
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Comment removed based on user account deletion
What isn't mentioned here is the real reason the IE integration happened in the first place: as an excuse to require bundling it with Windows during the antitrust proceedings regarding their browser. So, there is another aspect: 3) the legal arguments we could make by tightly coupling IE into the OS, allowing us to say that the OS needs IE to run.
But isn't this inconsistent with what he is saying about a security model of having the least functionality enabled by default? Now, any security issue within IE becomes a security issue with every application that uses it. One might argue that it would be less secure for each application to have its own HTML rendering engine because it would be that many more parts of an application to look at. But, really, do all these applications even need HTML presentation? Wouldn't designing for security preclude making some applications capable of HTML rendering? Why does Microsoft Money need HTML capabilities as part of its core functionality?
As an example of the sort of perfectly ethical flexible thinking that rigid security trips up, consider this: a computer that had XP and dial up access, but not the latest patches. (I assume it was a legit copy of XP-- it wasn't my machine, so no idea.) It couldn't download the patches. Cleaning off the malware so it could didn't work. Only took about 30 seconds of being connected before a worm hit-- not enough time to D/L the patches. So, thought I'd download all the latest patches onto my Linux box and burn them to CD. Then I ran into MS Genuine Advantage, which I tried to get around by seeing if I could find the Service Packs on file trading networks like BitTorrent. Would be a simple matter to verify the downloads with md5sum, sha1sum or similar, except MS doesn't post cryptographic hashes of their files. I think Service Packs on file trading networks do not violate copyright, but I suppose they do. MS shouldn't have that be a violation. MS is too reckless that way. They do something to stick it to the pirates, and step on a few legit uses. I expect clueless organizations like the RIAA to not understand the implications of their efforts. But for MS to do the same sort of dumb things doesn't speak well. Can we trust MS not to do incompetent stupid stuff like Genuine Advantage? Of course not. Maybe MS could at least give file trading networks an unambiguous green light for trading patches? I suppose not. But I wanted the questions asked anyway. Oh well.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
My guess is that Microsoft doesn't release hotfixes for undisclosed vulnerabilities, and rolls them into other security updates and service packs. They only issue security notices for publicly disclosed flaws (those found by third parties).
While you might argue that this is simply PR motivated, and you'd probably be right, there is also another issue. It's clear that attackers have been reverse engineering patches to figure out how they work, and then exploit the vulnerabilities on unpatched machines. If you don't disclose a vulnerability you found, and then silently patch it, it's highly unlikely anyone will reverse engineer it and use it to attack others.
It's a dillemma, for sure. And i'm not entirely certain either camp is right on the issue.
If you need web hosting, you could do worse than here
Microsoft bashing aside, I have to appreciate that he responded to these questions. I mean, come on - this is essentially the home of the enemy for him, and he's unlikely to get much out of it... so props to him for taking the time to respond anyway.
:)
Still a Mac user though.
The Mike Nash interview and other MS statements about security never mention reliability. I don't see how a system that continually hangs up and crashes can be secure.
It's helpful to translate Microsoft's Mike Nash words from the typical corporate-speak to plain English:
..." In saying this, he is revealing that whatever changes have happened
are very recent, and that the support from above was lukewarm.
... "
"It's now clear to us that security is a competitive and business priority."
This is after billions of dollars have been lost every year since 1998.
"Culture is a huge issue as well."
This seems right. Microsoft has a culture in which programmers are treated as badly as they can be convinced to accept. This internal culture is the same as Microsoft's external culture, in which customers are also carefully monitored, and are treated as badly as they can be convinced to accept.
If you analyze this part of this paragraph, it is possible to read between the lines and understand what is really happening:
"Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."
Even though Microsoft's Mike Nash is a "Vice-President", he actually has very little power. The people who have the power are treating him the same way programmers are treated. He says he gets "great support", but mentions the word "exceptions".
Probably the correct interpretation, in my opinion, is that Microsoft top managers have wanted Microsoft programmers to be sloppy because then people will buy more copies of Windows; people will then want fixes to problems, and, often, people will buy another computer when their present one become slow because of malware. For more discussion of Microsoft's sloppiness by me and others, see this Slashdot comment: Why no check of user code? Sociology.
He says,"It's now clear to us that security is a competitive and business priority." That's correct. Microsoft has taken advantage of the ignorance of customers for years, but now the customers are beginning to be less ignorant, and beginning to see that the security vulnerabilities they read about are Microsoft vulnerabilities, not Linux or Apple vulnerabilities. This is a much more serious threat than even the top managers at Microsoft realize. Microsoft has a bad name among computer professionals now, but the effects are still to be felt in the future. This is similar to the bad name that IBM made for itself in PCs. At one time, IBM had 100% of the PC market. That percentage dropped extremely rapidly when people had an alternative.
He says, "Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago,
He says, "For Windows Vista, the key things that will make it great..." This has always been the party line, the trick: "The next version of Windows will be a good one." But my opinion is that it won't. If Microsoft ever delivers a good operating system, most people will never switch again. Why would they? Many computers are used in business, where the usage is very limited. Microsoft top managers know this.
He says,
"For example, we have taken the anti-spyware technology that we acquired from GIANT Company Software, improved it and integrated it into the operating system in something called Windows Defender. While the anti-malware technology will also be available to users who have licensed copies of Windows 2000 and Windows XP,
The user interface of Microsoft's version of th
Well first let me say that I have NEVER used any OS other than Microsoft's until last night! I finally got fed up with their inferior shit and bit the bullet. I backed up all my data, exported my emails and address book to Thunderbird, backed it up and the wiped my main computer and installed Ubuntu "Breezy Badger" 5.10. I have attempted numerous times with numerous flavors of linux to find a replacement and none of them came even remotely close to Windows "User-Friendlyness". That has changed. Mark Shuttleworth you are my hero!
Now with that said, I came here today and read the remarks from the VP and am someone suprised. I was reading and thinking damn, Vista is gonna be better. Maybe I shouldn't have switched to linux after all. Then BAM like a 10 ton elephant landing on my head, there it was a MICROSOFT EMPLOYEE (and likely a program from his comments) telling the world that all the hype and focus on security is BULL SHIT!
There is one thing however that really did impress me about the VP and his comments. He made it very very clear that if the ANONYMOUS COWARD that works at MICROSOFT wanted to help IMPROVE THE PROCESS (i am paraphrasing here) that he could contact the VP in numerous ways and he would NOT BE IN JEOPARDY over his COMMENTS.
That definitely signals to me that there is a change going on in the thinking at Microsoft. Granted it may not be working, yet....but they are FINALLY trying!
Hopefully by the time "Vienna" hits gold they will have their stuff together and it will have been built from the ground up by security conscious programmers and not put thru a security review after development is finished.
For me, an important issue is that it is difficult (but not impossible, see the Mozilla Control project) to substitute a different rendering engine in place of IE's. Microsoft's real "crime" was making it relatively simple to include their browser engine in other applications, and making it relatively difficult to have a different engine be included in it's place.
I was developing an Windows application that required an embedded web control. I looked at the Mozilla Control but the control is tied in to specific versions of Firefox/Mozilla. Every time a user downloaded an updated copy of Firefox/Mozilla, my app would "break" until a matching copy of the control was released. A "test" version of the control for Firefox 1.5 was released on 12/15/05, no "release" version is out yet. For commercial applications to implement a Gecko-based ActiveX plugin instead of IE's - Mozilla needs to include a plug-in as part of its release when it puts out browsers. Otherwise, IE isn't going to go away (in its executable or ActiveX incarnations)
Question one: "The key things about the SDL is that we basically have to update it every six months because the threat landscape changes..."
This is bad. You are still chasing vulnerabilities. As Marcus Ranum says:
10 check for vulnerabilities
20 if vulnerable patch
30 goto 10
This is a vicious circle that you will never escape, and you will always be behind. Think DEFAULT DENY.
"The user can configure their system to either ask them if they want to escalate, or ask for a password when the system tries to elevate them."
This is sudo. Good idea. But does it really always prompt before escalating? Does application code have the ability to use Administrator privileges without calling the 'caniescalate.askme' call?
"We have also gone through all of the system services in Vista to see which ones have admin privilege, verify which ones really need it, and for the ones that don't, remove it."
Why do services have to run as admin? Can't they fork or run an unpriveleged thread, that communicates with the privileged portion to do its important functions? What about jails? These things are all old ideas in Unix.
"...we have taken the anti-spyware technology that we acquired from GIANT Company Software, improved it and integrated it into the operating system in something called Windows Defender."
If your code was written securely there would be no such thing. Period.
Life is too short to look at the other questions, moving on...
When the first unchecked buffer flaw is discovered in Vista you'll know M$ is still blowing smoke about being serious on security.
> You could argue that Microsoft should follow the same model for Windows that the OpenBSD Org follows for their OS.
.NET), Microsoft Exchange, Microsoft Office, Microsoft SQL Server and much, much more.
Yeah, right...
> So while OpenBSD has done a good job of hardening their kernel, they don't seem to also audit important software that are used commonly by customers, such as PHP, Perl, etc. for security vulnerabilities. At Microsoft we're focusing on the entire software stack, from the Hardware Abstraction Layer in Windows, all the way through the memory manager, network stack, file systems, UI and shell, Internet Explorer, Internet Information Services, compilers (C/C++,
He really doesn't know what he is talking about, does he? The OpenBSD project does not "harden" only their kernel, but their complete operating system. And what's more, quite some third-party non-OpenBSD packages are being patched by the OpenBSD team to make them more secure. The included Apache server is one such example, as are the numerous applications available via the ports system.
What Nash calles "the entire software stack" are just their very own products. Well, obviously you care to secure the products you yourself develop.
So, while it looks quite impressive, Nash's argument is just plain rubbish.
> Second, it is not completely accurate to say that OpenBSD is more secure. If you compare vulnerability counts just from the last 3 months, OpenBSD had 79 for November, December and January compared to 11 for Microsoft (and that includes one each for Office and Exchange - so really 9 for all versions of Windows).
Oh, please! When are people (especially "security people" like Nash) going realise that the number of vulnerabilities is not the only thing that count. The severity of the vulnerabilities count just as well, if not more. And let us all agree that the vulnerabilities of Windows are far more severe than those of OpenBSD.
Is Microsoft looking to buy software such as coverity? Symantec uses it in house and they are a massive security/storage shop. What automated tools does MS have to scan its code?
Further comments indicate that MS is following a very heavy SDL process. This may work, but it adds a lot of inflexibility in the design process (think specs, reviews, control gates, more reviews, product delays, etc.). A heavy SDL may work for US DOD environments or high-availability products (like NASA missions), but is it really necessary for all of MS's code? Does it hinder innovation or encourage it? Are other processes better or faster such as agile methods where one is designing for test but without a heavy SDL (CMM-style) process. The internal MSFT chap had some interesting comments about the heavy "process" and how it was window-dressing(C)2006 Microsoft.
The comments about IE further show that MS is not reducing the coupling between components. The tighter the interfaces, the tighter the coupling, the more complexity, and hence the harder to test and secure the beast.
For more info see some of Bruce Schneier's writings:
http://www.itconversations.com/transcripts/119/tr
Also see the 2003 report on MS and threat to US National Security:
http://www.networkworld.com/weblogs/security/0035
Ummm, yeah... It's funny how that one follows the DREAD+VR score question. These are *advisories* too, as in published ones. I wonder how many internal, unpublished vulnerabilities we're counting? And why those last three months?
Lastly, it says NOTHING about the severity of them. The WMF hole was just earlier this month. There were a good, solid couple weeks where there was NO Microsoft patch available and your computer could be pwn3d from a damn WMF file renamed to be an "image" and displayed in IE. There was *one* website counter out there, mentioned on isc.sans.org, that counted something like a MILLION hits, presumably all or mostly all of them being infections. The OpenBSD ones are usually incredibly theoretical race conditions that might elevate a local user's access. Holes, yes, but not the "OMG we're screwed if we look at the internet" type holes...
A fully patched IE had something on the order of a few weeks where it WASN'T vulnerable to a known hole. And by "vulnerable" I mean that someone could take full control of your computer.
It's not even unique! They just put up a flaw for MS Agent, whereby those stupid, annoying Clippy-type characters can walk over windows and disguise them, tricking unsavvy users into allowing things they ought not.
No offense to Mike, but you KNOW that stupid statistic only impresses stupid marketing types. The problem being that there are too many of those. You CANNOT compare the two with a simplistic counting scheme.
Many admins, including myself, are currently supporting third-party software they know to be designed incorrectly in this aspect, and have had no luck applying the little political leverage they have to the ISV to get it fixed.
In my example the people who coded the application in question did not know about the difference between HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, or between %TEMP% and Program Files. There have been several major version upgrades since we first noticed this, none of which have addressed the problem.
How can we help Microsoft help the ISV help us?
It doesn't matter that he was way off, the correction will never get printed prominently if at all. The sound bite "79 Vulnerabilities" will echo for weeks or months.
Or just upgrade that crappy old Wintel to Ubuntu, or another distro provided you can trick it out for her. Get everything set up and neither of you will have to worry.
Then you can spend you visits being with your Grandma rather than with her computer. Odds are she only wants a computer to check/send e-mail, maybe write and print a letter, trade digital photos and listen to music. None of that requires MS Windows and all of is far easier to do on OS X (you know it is, just admit it) or even on a highly tuned desktop like Ubuntu (you know that, too). She won't love you any less when her computer no longer needs fixing. You'll get more good will drinking coffee (or harder) with her than from an age of MS Windows repairs.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Tell me exactly HOW your Windows servers are 'piles of doodoo' as you so eloquently put it. My machines get a LOT of usage (19,000 users that span every state and a few continents), and they all sit and hum along just fine.
If you don't know how to administer or set up the machine, don't blame the software. Blame your stupidity or lack of willingness to learn. I have not had any real big issues with any version of MS's server products. I have more problems with XP machines and that too, is user error and sometimes bad drivers/software.
The price is always right if someone else is paying.
I use visual studio .net, myself and another developer
here have had problems where ( vb.net, winforms app )
something goes wrong with a control that we have written,
the IDE removes parts of the definition of the control
from the container it is in. It basically leaves the
definition of the class type, and all the "wiring" that
the controls needs to visually present are removed. So,
the app still compiles, but the control is now missing.
Spent a lot of time trying to fix it, I got my project
working by looking at all the properties and _load stuff,
and making *sure* that nothing could throw at design time.
That fixed my project. The other guy here took my advice,
but did not manage to fix his problem with it. Microsoft's
advice was to put the control into another project ( or,
preferably, into another solution ). That fixed his problem,
but it should *not* be nessesary.
And the whole thing sucks, because removing the control the
way it does is not much different from your compiler deciding
to remove lines of code that dont compile.
VS 2005 appears to fix my coworker's problem, but it is too
new to move too just yet ( they are trying to release ).
Another issue I have had with this gen of tools is that after
"a while" of running the IDE( days, not hours ) it will
occasionally start giving error messages on stuff that has
not changed in forever. Get out of the IDE, restart, recompile,
everything is fine. Medium sized project.
The previous gen of tools, I was doing ASP.net stuff at a place,
after "a while" of running the IDE, I would start to see "panic"
messages from the compiler ( they would contain the text 'EMIT'
near the beginning, then advice ( in some cases ) about how I
should make my project smaller ).
Dont get me started on having to declare a variable as
"decimal( 19, 8 )" rather than just "decimal" in SQL ( 2000 ),
because "decimal" has zero ( 0 ) decimal points to the right
( so it is no different from "int" ).
Point?
Microsoft products are not without their flaws. I am sure that
you had the experience you related, but, if you do enough MSIDE
work, you will likely run into "fighting the tool on insignificant
issues..." type problems there also. Especially if you ( as I have,
many times ) try to use the tools in ways the developers did not
envision or "care" about. Microsoft != "great software",
more like Microsoft == "Ok software, gets better with time, plenty
of flaws, they usually push out the really bad ones with time".
OSS != "sucks", more like "developed by developers, going to have
a few rough edges and bugs, but by and large works pretty well at
what the developers want it to do".
emt 377 emt 4
Have you actually read any of these "reports"? Here's the description for both of the critical vulns:
A vulnerability in default installations of the affected software that allows malicious code to be remotely executed and could lead to arbitrary commands being executed.
Oh, THAT's terribly descriptive. It could be anything! What software? Where's the proof? For all we know, they could be just saying that. Then they pick some random patch in the future and claim they knew about it all along. Do you think such a post to (say) the Debian security mailing lists would be taken seriously? What a load of crap.
Tech support people aren't supposed to be slaves to their family any more than anyone else. It's a masive pain in the ass to support older OSes, espically really old ones like Windows 95. Expecting a family member to spend hours and hours fix your PC, no matter how old or broke, for nothing is like expecting a family member who's a dentist to come over to your house and bursh your kid's teeth for him because he doesn't want ot learn.
Like anyone else, the time we support people have is finite. After you remove the manditory stuff from my day (sleep, work, commuting, eating, housework, etc) I have maybe 4 hours of time that I can designate as I please. This man has a family, so I imagine his is much less than that. Well, if you are family, and have a computer problem, I'd be happy to spend an hour or two of that occasionally helping you. I will not spend all of it every day for a week reworking some old peice of crap because you refuse to get something newer.
I have the same courtesy for my family in return. This year I had to do a real 1040 for the first time, I've been able to get away with an EZ in years past, but my finances are quite a bit more complex now. Well it looked rather daunting, so I called my father, who's a businessman and quite a financial wiz, to ask what I should do. He said "Get Turbotax", which I did. I expect that he will provide me assistance and answer my questions for free (as I do the same with his computer questions). I do not expect him to spend hours holding my hand for every line on the 1040 form when there's a product I can buy that will do that.
Most of windows vulnerabilities so-called came from things like 'blaster' worm. Blaster worm attacks a certain port. Now, in windows XP the port is closed. Period.
Wow. I wonder who wrote that Wikipedia article on OpenBSD? Whoever it was, he seems amazingly knowledgeable.
There are many things I don't know. Now I do, thanks.
"Nash: First, I should say that OpenBSD includes a relatively small subset of the functionality that is included in Windows."
Easy there little fella. A default install of OpenBSD leaves me able to run multiple servers as well as including many applications (albeit console based) that I can use to be productive right away. There is more to OS functionality than Notepad and Minesweeper.
Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
So I follow NSA/NIST/CIS/CERT/MS guidelines and proceedures for installing a Windows server that I intend to expose to the Internet. I install, patch, configure, etc. This takes hours of actual effort.
Okay, your Windows server comes with IIS, FTP server, file sharing, domain controller, etc., etc. Not to mention Internet Explorer. And if it's not a true "server", you've also got Windows Media Player and a whole bunch of other stuff.
For OpenBSD I install it and plug it in. If there are any relevant errata I may patch it. This takes wall time, but about 5 minutes effort time.
Are you counting your patches for Apache, and Perl or PHP or whatever other CGI, and so forth? Are those considered part of OpenBSD?
By the way, part of the reason OpenBSD is more secure is that when there's a patch they can patch it. Microsoft has no way to update the versions of its CDs in stores daily. If OpenBSD were sold as the release version from three years ago, it wouldn't be as secure as it is now.
It took Mike Nash 5-10 years to learn common sense? Sheesh, I picked up on this when I first looked at the Services list in NT. "What are all these things? Why do I need them? Why not shut some of them down? Why are there dependencies on this service that force me to keep it running despite the fact that I'll never use 99% of its functionality?"
Evasion'd. Regarding the decoy acronym, I only recognize two definitions for it: Root Mean Square and Richard M. Stallman.
Unacceptable. During the antitrust hearings in the Judge Penfield Jackson era, didn't someone demonstrate completely removing IE from Windows 98? Admittedly 9x is dead and NT server has advanced two generations since then, but still, why does my NT server have to have IE on it? Why does it have to have Portable Media Serial Number Service? Why does it have to have DCOM if I'm not going to use it? DirectX? ClearType?
It all comes back to my first paragraph, about "reducing the surface area", a.k.a. the "bottom-up" apporach to building a server. It's fiendishly difficult with what Microsoft provides. Then again, they're not pushing for that market at all, but still, Nash is making it sound like bottom-up is what they care about when there are obviously indications of the opposite situation elsewhere in the company's portfolio.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
You have to remember just what IE actually IS.
Firstly, IE is the MSHTML rendering engine which many applications use to render HTML (including HTML Help and MSDN Library, just to name 2)
Secondly, it is the SHDOCVW activex control which is a wrapper around MSHTML and can be embedded in any application to give it HTML rendering
Thirdly, it is a set of internet dlls (like WININET.DLL and others) that provide internet functionality (such as http and https data transfers and other things) which are used by MSHTML and also by other apps that dont use MSHTML.
Forthly, it is the iexplore.exe program which is basicly a wrapper around the SHDOCVW control to provide an actual browser.
And Fifthly, it is the shell services (IE and shell/explorer are linked together and would be difficult to seperate)
As for the shell/IE integration, there are reasons why it is there. For example, try to access a ftp:// url with IE, it will open in an explorer window.
"They have it backward and this is why their competitors who have it the right way are doing so well. And IMHO, it is unremediable at this point."
You mean like Apple, that can't be bothered to patch known 10 year old exploits?
Vote for Pedro
"t is now RMS (Rights Management Services).
By changing the name they made it less evil. Yea Microsoft!"
So is PGP evil too?
Vote for Pedro
I still dont understand why people (and companies) are reluctant to install XP SP2...
I run XP SP2 on my home machine and the only things I found that needed to be upgraded were Norton Anti-Virus (updates that are part of the normal update cycle anyway), NuMega SoftIce (considering the low-level stuff SoftIce does thats hardly surprising) and possibly Nero Burning Rom.
I dont use the XP firewall (my WiFi broadband router will block anything trying to come in).
Any corporation that hasnt A.Recieved a definitive notice from specifically stating that is incompatible with XP SP2 or B.set up a test system, installed all the apps they use on it and found that there is something they use that is incompatible with XP SP2 and doesnt have a compatible upgrade they can use (or afford) or C.Rolled out XP SP2 to everyone
is not a very good company.
Not rolling out XP SP2 because "some of the apps we use might break" is not good enough IMO, they should test these apps and find out that they dont work before saying no to XP SP2. (obviously this applies to large corporations with dedicated IT staff and not small shops)
Unfortunately, my comment on these is negative.
LONG ANSWER:
What is it that I have learned from these Q and A from the MS VP? That the future hold more of the same, unfortunately. Once again the main focus, that I have percieved, is the age old MS push to purchase the new product. Nowhere did I find anything related to current products widely in use throughout the world.
There are huge amounts of win98,nt,2000 OS machines still in use, and sadly, the advice is simply upgrade. How will the (MS) SDL improve security for these older OS machines? Why is it that the issues of the OS in use RIGHT NOW are attended to by the word "upgrade" and "buy". This stance by MS will of course sit well in monetary and buisiness terms, but aggravates many users. Why is it that MS has not made an OS than can be upgraded without the "purchase" of a new version. We all know the answer. We all know the story.
So my take on this is simply more of the same, the rest is simply "blah blah blah we have a new SDL blah blah blah I have family too blah blah blah explorer will still be intergrated blah blah blah".
SHORT ANSWER:
Upgrade Upgrade Upgrade.
And as for this statement:
" 1) the number and severity of both vulnerabilities and exploits on Windows Vista will be reduced, making the switch to Vista compelling if ONLY for security reasons,"
Have I heard this before?
We are watching!!!!!!
Here endith the whinge.
It strikes me that it's not coincidence that most of the questions posed to him were about security. My perception is that users are thinking more about security. Even the Microsoft coder who posted anonymously bashed him for their security (admittedly, posting anonymously means that we can't really speak to his veracity either).
I think Nash was for the most part playing the game of saying that they're making great strides in security so much that he hopes we'll all come to believe it.
It just reminds me too much of Charlie Brown kicking the football. I've spent too much time fighting the poor design and security of Windows to believe it just because he says it. They can hang whatever catchy name they want on their security initiatives, they haven't worked as yet. Color me skeptical.
Hot Damn! It's the Soggy Bottom Boys!
Hell, go look back through old branches of OpenBSD and you'll see a litany of flaws silently patched over the years.
Flaws? Bugs? Not all bugs are capable of causing a DoS or remote exploit.
OpenBSD users are warned of IMPORTANT errata. However users can always upgrade to -stable at any point and as often as they wish.
They are not "silently patched" when you consider every single patch is commited to an open CVS.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
His claim is that OpenBSD is only one part of the "stack", and the other parts that Theo doesn't care about have all the common issues.
/bsd, it is the whole system which is installed by default. This includes the install media images, installer, filesystem layout and permissions, mount options, defaults in configuration files, all the installed userspace utilities, some 3rd party applications like Perl, Apache and Sendmail and good documentation helps retain security for people who are willing to read, etc.
I think you need to show some minimal reading comprehension because he did NOT say that. He refered to OpenBSD as securing only one part of the stack and refered to that stack as being the kernel.
Well this is just completely wrong. Maybe he is trying to perform a subtle attack on OpenBSD as he would on Linux ("Linux is a kernel"). However OpenBSD is not just
Now lets see, OpenBSD audits and takes care of their own Apache tree. So he is WRONG on that for the installed by default www server in OpenBSD. They audit the version of Sendmail which they provide. So he is WRONG on that for the installed by default mail server in OpenBSD. They audit the version of Perl which they provide in a default install. Se he is WRONG yet again. Same deal for all the userspace stuff installed by default which is NOT the kernel.
Mike Nash is either a very stupid ignorant man, or a deceitful liar.
I expect nothing less than SCUM from Microsoft though.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Are you counting your patches for Apache, and Perl or PHP or whatever other CGI, and so forth? Are those considered part of OpenBSD?
Apache and Perl are considered a part of OpenBSD and they are maintained in-project seperately from the official Apache and Perl.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Same with tcpdump, because they don't trust the official developers.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
I'm very sensitive to the quality of writing in anything I read. I was surprised that the quality of the OpenBSD entry in Wikipedia was so good. Mostly good writers are good at writing about social things, or good about writing about technical things, but not both. But OpenBSD is a social and technical story, and the writing puts both together in an informative and interesting way.
Yeah, NicM did a great job of editing it, he wrote big wads of it after he and I did the initial information collection. I've still got some stuff that was cut out of it to put into new articles.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
Its sad to see such bigotry, but then what can one expect when the site itself promotes it.
There are many responses that claim my *** OS has no problems hence it must be secure. An OS in minority will not be targeted by active hackers. That does not mean that the OS is secure, only undiscovered. If Linux was in the majority, even dominate, then it would constantly be being hacked, infected, compromised, etc. Same argument applies to every OS ever used or thought of.
I just hope those using the argument that "no bad things" == "all good things" are not developing mission critical hardware or software. If they are, please let me know, so I can avoid those products and stay alive and healthy.
Every software and OS has its good and bad points. The dominant ones will always be targets of attacks (both verbal and otherwise).
Mike Nash has made excellent points, of which not one person here has specifically illustrated being done better by any other OS. (I expect more rhetoric in response to this, but my argument still stands.) There is not one single OSS software or OS that is putting into practice secure software development practices that Nash has so well illustrated. It cannot be done, because the OSS model is contrary to such practices. One has to have almost dictatorial rule to ensure security-minded development is enforced, and this would go against the grain of OSS developers. Hence, OSS software will never be as secure as commercial software or OS's.
Please don't waste space by more rhetorical responses, but actual specific, intelligent examples and logical presentations. This last request is just a dream as their are still bigots without a single logic bone in their body.
Here is an excerpt from a question in the Slashdot story from someone who claims to be a Microsoft employee and sounds like he is. His complaint exactly fits my understanding of how Microsoft is managed. Notice that Microsoft VP Mike Nash pretends to answer the question, but doesn't answer it. That fits with my assessment, in my parent post, about the real role of Mike Nash.
Hi, Mike,
I have just one question for you. Why do we STILL ship products with KNOWN security issues?
I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that flaw will affect a ton of customers and cost Microsoft significant litigation. Some of very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what DFD is and how to put one together.
This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in a couple of hours they've allocated for this. You can barely glance through this much code in this much time, 90% of security issues remain unnoticed during this "code review".
After all is said and done, product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional saying that product is now Fort Knox secure.
If you ask me, that's abomination, not a proper security process. Are there any plans to change it?
Something to add to my parent comment -- Facts about Microsoft's interest in security: 206 Days Overdue.
You're not being picky, you're just showing your lack of intelligence and deductive reasoning. As if an executive at MS would have had experience working with "*nix". And another free clue, not all "security gurus" focus on bits/bites. The ones who focus on strategy and business risk management aren't wasting their brain cycles over the "*nix" usage of the term sudo and they're counting a lot more money in their pockets than you are.
Look like they are going to implement sudo in vista. Can Sudo author sue them for taking his idea,he is unemployed last time i visited his site.
I think it would be nice if microsoft could discover problems such as spyware before Mr Nash's nanny became a victim. In the question concerning regular users, Mr Nash references his family and how changes have been made based on interactions with them, perhaps interacting with a few more of the millions of users might help out...
Alright, I have to admit ignorance here with regards to Vista but I would like like to know what sort of awful big brotherish things MS is implementing into Vista.
/apologies for the newbish ignorace.
Will I be able to keep my precious collection of mp3s, pr0n, divx/xvid movies, etc on a Vista machine without fear of Vista's new "features" deleting them or changing their properites in some way? Can someone in the "know" answer this rather than postulating/guesses. Thanks!
> At one time, IBM had 100% of the PC market
No, IBM never had 100% of the PC market. In 1984 when the first Mac shipped, Apple and IBM each had about 50% of the PC market.
No, he's just a smart guy. For all its flaws, he knows that he's got a better chance of them being safe with XP than some random, older version (after users have added all the software to make it work with everything on the net today). He also knows he'll have less work to do this way-- why should he have to spend his whole life supporting old stuff?
I'm not a MS-fan, but I was fairly impressed with this guy. I find your argument silly. If it was supposed to be funny, your delivery was off.
So your the one that had everything turned on, on NT4. Gee thanks you made me a ton of money fixing things during the Nimda worm. Fixing peoples web servers that didn't know they were even running a web server.
Really what good engineer would turn on everything by default? Do you leave your house in the morning with all the doors and windows open? If you did you wouldn't need to carry your keys with you. You would never lose that key. Also by leaving the door wide open when you get home you will not have to open the door just walk right in. "Ease of use!" Right?
Most of you comments were quite straight forward and not much marketspeak, thank you, BUT your answer to my biggest problem with your broken OS is the set up of users and Administrators and allowing your software partners such as Intuit to write software that ONLY runs under Admin rights is filled with BS.
What is the deal that anything and everything can write to the %systemroot% folder? Where you the one that opened that up too? It din't used to be that way. On 3.51 and NT4 you could lock down the systemroot to read and execute only for users. Why would a user EVER need to write to the system files? Right here is the cure for about 80% of the worms and virsuses out there. Where you you find them? In the system32 folder where else! If the user didn't have write access they could NOT get in there. What is it are these fixes so simple that you can't see them???? Why is a UNIX type OS more secure? Users can ONLY write to where they can do no harm. You MUST enter a password to write or change any system files. Yea this isn't ease of use BUT it is secure with no frills or bells. It just works. Yes it is a hassle to put in the password to make a change but it a bigger hassle cleaning shitware from a machine and having my personal information broadcasted to the world through the shitware that as infected my machine in order to have the "ease of use" to not have to put in the password.
Your right just fancy phrases for something that was right in the begining. For one thing if you fix this, this isn't an enhancement it is a FIX!. Your user rights management is BROKEN! So call it what it is a patch, a fix, whatever but it isn't an enhancement.
You see I am old enough and been around long enough to remember that NT3.51 through NT4 the user set up did not set up every user as an Administrator. When you set up a new account on a server they where just a "user". You had to go in and give this right if needed. This is the way things are suppose to work. Who's grand idea was it to change that in the first place?
Yes I have been a Windows Engineer since 1992 and used to swear by your products. Now I only work on Windows I don't use it personally or in business. I only come out and fix your broken Windows network when it breaks for a lot of money that you shouldn't have to be spending. 29 servers that were running W2K are now happily running RedHat. Our maintiance costs have dropped 60%. (yea right "Get the Facts") I didn't really want to switch but watching things with MS server get worse especially when it comes to security instead of getting better and to cover your tracks with MarketSpeak. Well sorry maybe you can bullshit the comsumer you can't bullshit me. I did the permament Windows fix. Disk 1 of Fedora
Let me educate you on your lack of knowledge about Linux. The "sudo" command does exactly what you say your enhancement of the user account does. It will run a command under root (There really isn't a SUPERUSR account) for just that command. During the excuition of the command you will need to give your password in order for the command to run. After the command has run it drops you out of root. During the runtime it is ONLY this process running as root. All other processes are running under the normal user account. You don't have to login under root to change things and you don't need to do a "su" command and "Switch User" to root to make changes. The s