Microsoft Says "War on Terror" is Overblown

SlinkySausage writes "The endless security measures imposed on society as a result of the "war on terror" have become overblown and intrusive, according to Microsoft Redmond senior security analyst Steve Riley. He made the comments in a talk at day one of Tech.Ed Australia about software security. Riley also fessed up that Microsoft cocked up XP from a security perspective. "We let you down with XP," he said. Microsoft also showed a very interesting new desktop virtualisation technology called SoftGrid, which allows applications to be virtualised individually, rather than a whole OS. Think Virtual PC or VMware, but instead of virtualising an OS, just a single application is virtualised."

Karma gets even with MS!

[ArcherB]

I'm kinda glad that MS gets to feel the pain of "overblown and intrusive" security. Maybe they will understand that it is better to make things secure from the beginning, rather than overacting after the fact.
From TFA:

Steve's approach to security spans all horizons, not just information technology. He elaborated on this theory in an afternoon session today at Microsoft Tech.Ed entitled "Making the Tradeoff: Be Secure or Get Work Done". You are trying to get work done. Allow or Deny?

Re:Karma gets even with MS!

From TFA:

"It's measured against the current cost of leaving things as they are - if a couple of machines go down every week because of security vulnerabilities, that is a cost which can be measured and taken into consideration. However, if the cost is actually less than the cost of removing the problem , bizarre as it may sound, it might not actually be worth it."

Hmmmm.... Maybe Microsoft really does understand why I refuse to intsall Vista on my network.

Re:Karma gets even with MS!

[utopianfiat]

Agreed.

Moreover, if one machine goes down due to security vulnerabilities, and it has my social security number on it...

Re:Karma gets even with MS!

[StingRay02]

Maybe I missed it, but is no one else struck by the hypocrisy of Microsoft criticizing someone else's security measures. Right or wrong, how does their track record of horrendous failures in security qualify them to tell someone else how to do it right? Since when did failure become a path to success?

Oh, wait.

It's Microsoft.

Question answered.

Re:Karma gets even with MS!

[radl33t]

Since when did failure become a path to success?

Ever since scientific thinking birthed our enlightenment.

Re:Karma gets even with MS!

[cmacb]

Not to mention...

As Microsoft always does, now that the NEW version is out, they have suddenly become aware and willing to talk openly about how miserable a failure the OLD version was.

Microsoft continues to go to the bank on the basis of "You CAN fool MOST of the people ALL of the time."

How much longer will this formula work for them?

Re:Karma gets even with MS!

[Gr8Apes]

Well, even if they don't know how to properly secure something, I giuess they at least know improper security when they see it. They've certainly seen a lot of different ways to do it badly!

Re:Karma gets even with MS!

[nugneant]

Ten years ago, this would be a really exciting development. Too bad that now, when MS talks about "security", they mean "DRM"... I don't care if I was "let down" with XP, I'm sticking with it into the forseeable future, because at least I know that XP isn't wasting CPU cycles to cripple my content on my computer.

Fuck Vista.

Re:Karma gets even with MS!

[EdBear69]

As Microsoft always does, now that the NEW version is out, they have suddenly become aware and willing to talk openly about how miserable a failure the OLD version was. This is Vista marketing at its finest. And in the fine tradition of Microsoft Marketing, it's a FUD attack against the product with the largest market share, in this case WinXP. Never mind that the product in question is put out by the same company.

Re:Karma gets even with MS!

[moosesocks]

Microsoft's problems have largely lied in their management for the past 10 years or so.

Whenever the management makes one big push, as was done with Vista, things get screwed up horribly. You'd better believe that Microsoft has some very smart people working for them that know a thing or two about security.

The underpinnings of Windows that kept it compatible with old software have made it inherently insecure, and every tiny bug can result in a system-wide breach thanks to the fact that until recently, it was the standard procedure to run every process with unlimited credentials (and most software was written with this assumption in mind)

On my Linux box, Apache runs under its own account that has the permission to serve web pages in /var/www, and is restricted from doing *anything else* at a very low level in the operating system. Windows apps tend to be able to do whatever the hell they want.

The decision to maintain backward compatibility was most definitely made by upper-management, and the security repercussions were almost definitely brought to their attention at some point. It's not at all surprising that there are factions in Microsoft that disagree with this decision

Re:Karma gets even with MS!

[ozmanjusri]

Maybe I missed it, but is no one else struck by the hypocrisy of Microsoft criticizing someone else's security measures.

It's becoming very clear the current US administration is unlikely to win the next election.

Microsoft needs the US government to protect it from standards, open document formats, antitrust prosecutions and any other similar inconveniences.

Expect Microsoft to continue distancing itself from the Bush administration. They need plausible deniability so they can cosy back up with Bush's successors.

Riley is smart, and VERY entertaining.

[Jeremiah+Cornelius]

Too bad you have to read him - not see him in person.

Oh, and a pity he makes the fron page at Slashdot for stating the obvious!

Our way of life is not under threat!

[Ckwop]

In the United Kingdom we lost fifty or so people in the carnage of bombings last-year, in the United States you lost four or so thousand.

I don't for a second want to say that the loss of these lives through an unspeakable act of senseless violence is a trivial matter, but we need to put these figures in perspective. In the United Kingdom, more are killed in road traffic accidents in a couple of weeks than were in the July 7th bombings. In the United States roughly three times as many people are killed in gun accidents per year than 9/11.

Somebody even said to me that more people were killed putting their socks on in the United Kingdom than by terrorists last-year. It's probably true. This stuff is right in the noise level of the threats we encounter each day. It's dramatic when we see some idiots attempt to blow a car up at Glasgow airport but in terms of actual risk, these people are up there with being struck by lightning or having a bad reaction to asprin.

So why is there talk about trading liberty for security? Even though the security vs liberty argument is as flawed as the mythical man month, the point still remains - why do I need this extra security anyway? It's expensive, it costs me my rights and it's ineffective.

It feels like that we've forgotten what it is really like to be a nation threatend with annihilation. In the 1940s our country nearly didn't make it and we have the United States to thank for that as much as our own heroic airmen. That was a time where the agressors really could have destroyed our way of life. Yet we did not yield in the face our adversity. We held our resolve!

And we should hold our resolve now. In comparison to the Nazis these modern day terrorists are like flies trying to stare down a tank. I don't know whether to laugh or cry why we even take them so seriously. We should not give a shred of our liberty to these people - they are pathetic and worthless; you only need to look at the Glasgow "terrorist" attack to see this for yourselves.

Simon

Re:Our way of life is not under threat!

[rossifer]

In the United States roughly three times as many people are killed in gun accidents per year than 9/11.

Not to disagree with your overall argument, but this statistic is wrong. Three times 9/11 would be about 9000 accidental firearm deaths per year. According to the CDC, there are actually about 750 accidental deaths attributed to guns each year in the US (CDC Mortality Statistics - select "after 1999", then "intent -> unintentional" and "cause -> firearm"). Which is about 25% of 9/11.

I would suggest using automobile accidents in the US as well, since it only takes about three-four weeks of US automobile fatalities (~45,000/year) to equal one 9/11.

So why is there talk about trading liberty for security? Even though the security vs liberty argument is as flawed as the mythical man month, the point still remains - why do I need this extra security anyway? It's expensive, it costs me my rights and it's ineffective.

Hear! Hear!

Regards,
Ross

Re:Our way of life is not under threat!

[Xehn]

I saw a chart on digg a while back that your comment reminded me of. Here is the link. It isn't 100% accurate, but it does a great job of illustrating the point.

http://stpeteforpeace.org/real.threat.html

I just wish people would listen to reason when it comes to all of this.

Re:Our way of life is not under threat!

[Kjella]

Our way of life is not under threat!

I agree it's not under threat by terrorism. But, there are several issues that should be of concern which have far greater support among muslims, including but not limited to:

* Freedom of speech
* Women's rights
* Homophobia
* Religious law
* Forced marriage
* Repressed view of nudity and sexuality
* Female sex mutilation
* Honor killings

I know some of these are not tied directly to islam, but they occur mainly in islamic communities and islamic leaders are not doing enough to stop, or are even encouraging these practises. In general, I have the impression that many muslims are far more intolerant towards our way of life and hold values which I quite frankly find unacceptable. I'm not pretending Europe has had too many of these notions too long, 100 years ago women couldn't vote, 50 years ago people were being put on trial for erotic novels and 35 years ago being gay was a crime here in Norway. But in my opinion we have made great strides in recent years ensuring equality for all and that everyone is free to pursue their own happiness. The muslims are on the whole a very reactionary group that in my opinion is threatening to undo much of the progress we have made. What bugs me the most is the complete lack of symmetry - if we go to Saudi Arabia, they want us to respect their culture (or face Sharia). If they come here, respect for our culuture is slim to none.

Re:Our way of life is not under threat!

[n+dot+l]

You've got a point there, but it doesn't justify the idiotic overreaction we've seen.

Some guys with box cutters hijack some planes and smash them into buildings, killing thousands. Terrible tragedy, I agree, very much unlike random highway accidents. But that doesn't mean that the proper reaction to this is a direct attack on what's left of the values that made this a great culture instead of, say, securing the cockpit with a sturdy, lockable door.

From that perspective it makes sense to compare it to accidents. We usually react sanely to accidents by simply developing better safety mechanisms that directly address the actual things we've seen go wrong. That's quite unlike having some central authority prevent us from ever doing (or thinking or speaking speaking about) anything that might be unsafe (like, say, existing) ever again just because someone slipped on an icy sidewalk and died.

And you could argue that I don't know what I'm talking about because we're moving towards an overly safety-obsessed culture anyway, but that's the result of being a society that sues too much. If you and your buddies want to go out and do dangerous things in the middle of a field where you can't hurt anyone but yourselves, the police aren't going to rush over to stop you. Not at all the same as being constantly spied on and arrested if the watchers see something they don't like, and then being denied due process.

XP isn't that bad ...

[b0s0z0ku]

It's mainly the tight integration of the browser with the OS that is/was an issue. Don't use IE and don't run executables from unknown sources and 95% of the security issues go away. SP2 is actually a pretty decent OS.

-b.

WINE, Anyone?

[ArcherB]

Microsoft also showed a very interesting new desktop virtualisation technology called SoftGrid, which allows applications to be virtualised individually, rather than a whole OS. Think Virtual PC or VMware, but instead of virtualising an OS, just a single application is virtualised." I remember when it was called WINE!

Re:WINE, Anyone?

[_xeno_]

First, ignore all the comments pointing out that WINE stands for WINE Is Not an Emulator. You're using "emulate" in a different sense than the WINE acronym is. By "WINE Is Not an Emulator" it means exactly your point: WINE does not emulate a physical machine - or, in other words, virtualize the process. WINE implements a compatible version of the Windows API, but it does not create a virtual machine. It's best called a compatibility layer or something like that.

Cygwin does something similar under Windows for UNIX. It emulates a UNIX environment under Windows, mapping standard UNIX calls to Windows equivalents. WINE does the same in reverse - it maps standard Windows calls to UNIX equivalents. (Pedantic note: I know I'm misusing the term UNIX. Someone else can come up with better terms.)

In any case, WINE is not a virtualization approach. A Windows program run through WINE is executed directly by the hardware the OS is running on. WINE simply provides a loader that can load and execute EXE and DLL programs, along with compatible implementations of Windows API.

Short answer: you're right. WINE is not virtualization.

Should fix the article headline

[the+computer+guy+nex]

Microsoft didn't issue a press release, one guy voiced his opinion.

Let you down with XP

[chatgris]

They say this now, when there is Vista to buy. It's just part of Microsofts standard strategy... Release new operating system, try and make the old one look bad.

Re:Let you down with XP

[Farmer+Tim]

Release new operating system, try and make the old one look bad.

Not a lot of work involved there.

Re:Virtualizing Applications

[TheRaven64]

Or think 'operating system.' That's what an operating system does. It virtualises the computer's resources and multiplexes them for applications. It multiplexes memory and gives each process its own address space. It multiplexes disk and gives each process its own virtual disks (files). It (or a userspace delegate) multiplexes video and gives each process its own virtual screen (a window or virtual terminal). It multiplexes the speakers and gives each application its own sound device (a virtual channel). It multiplexes input devices and switches them between apps.

Everything old is new again.

Ironic

[ArcadeX]

I'd rather deal with airport security than install programs on my girlfriend's vista laptop...

Re:Ironic

[Jeff+DeMaagd]

Installing Windows makes airport security look efficient. The TSA makes Microsoft look thoughroughly efficient and competent.

SoftGrid isn't new

SoftGrid isn't new, nor is it a particularly close relative of WINE as some Linux enthusiasts suggest. It was a Microsoft acquisition, the former product name being Softricity. It's not just virtualization, it's packaging, so a single file, streamed from a server as needed, encompasses the program and all of its settings, creating a layer over the regular file system, registry, etc. with copy on write functionality; if the program tries to change the host OS in any way, it just adds to the shell of program specific settings within the single packaging file. Extremely handy for network admins who need to distribute programs, and want the performance of local apps (once the whole package is streamed, it runs locally, with the streaming order prioritized based on what the user is doing), but want the simplified administration of centralized programs with standardized configuration.

Choose "cry".

[khasim]

I don't know whether to laugh or cry why we even take them so seriously.

Consider what we COULD be doing with the money spent on this.

The Cold War ended. The world was as close to Peace as it has ever been. We could have been investing in so many things to help the human race as a whole.

Instead we're spending trillions of dollars "fighting" a few thousand nutcases who can't do any more damage to the world than we do to ourselves, every year, in traffic accidents.

Re:Choose "cry".

[Xtravar]

The Cold War ended. The world was as close to Peace as it has ever been. We could have been investing in so many things to help the human race as a whole. Hey man, the defense industry needs to eat, too! What, you expect them to go out of business in times of peace?

And this is the problem with militarily-funded businesses. They have incentive to not have peace.

Re:Choose "cry".

[MightyMartian]

The worst part about all of this is the lack of recognition that other parts of the world have been suffering under this very same breed of Jihadist for a lot longer than the US. Both China and Russia have been dealing with this religious nutcases for years prior to 9-11. Heck, part of the reason they're so widespread in the Muslim world is because Saudi Arabia has been exporting its maniacs so that they cease to be its problem.

The West now only concerns itself because suddenly we're the direct targets of their actions. Those actions are wildly successful because they're so visible. The fact that automobile accidents are far more deadly, or that more people die due to choking than the terrorists could ever hope to kill is besides the point. Those aren't sexy, top-of-the-hour, bonechilling, fingernail-biting, paranoia-inducing stories.

I have pointed out to people who think that Jihadists are getting ready to blow up their supermarket that the people of Leningrad and London put up with attacks of such intensity, such lethal effectiveness and such destruction that it makes a hole in the Pentagon and two downed office towers look like a joke.

Re:Choose "cry".

[Entropius]

Grandparent wasn't saying that the world would have been at absolute peace without the US invading Iraq.

But the world was doing pretty well -- sure, the Middle East was trying to kill itself, but it's *always* doing that. The people with the *serious* militaries, however, were at peace. We had a golden opportunity to *not* spend our national wealth on the military; for the first time there were really no serious military threats to Western democracy. We could have done something useful... ... and instead, we go start a dumbshit war that's wasted more American blood and money.

Re:Choose "cry".

[wild_berry]

Peace was not disrupted by the United States

But the intervention across the globe by Western governments since the end of WWII is that disruption of peace which makes enemies of those we and our governments have screwed over.

Re:Choose "cry".

[Hijacked+Public]

That is a popular idea, and true to an extent, but it isn't the whole picture.

Many political entities throughout the Middle East and Africa are making war to consolidate power in their own country and use the West as a convenient scapegoat. This isn't much different from what the neo-cons, to use a contemporary example, have done in reverse in the West. Invent some boogeyman, convince your people you can protect them from him, and they will support you.

On a conceptual level Sayeed Kotb's ideas aren't all that different from Leo Strauss'.

Sure many Western governments have encouraged conflicts. Directed them to their benefit. Provided the raw materials. But the total absence of all Western influence wouldn't bring peace, a great many people can still be killed with machetes.

Re:Choose "cry".

[Pragmatix]

I always wonder what we could have done with the hundreds of billions of dollars we have spent fighting in Iraq, if instead we spent it on alternative energy research. It always seemed like a better long term strategy to me.

Re:It's not terrorism that threatens it

[telbij]

Okay, I can't speak for Britain, but come on man, have some faith in your own culture. The only thing preventing first-generation immigrants is nostalgia, if they're old enough. However the younger generation will easily be indoctrinated into the culture quite rapidly. Especially western culture which has already proven powerful enough to invade the whole world. You know, previous generations of immigrants did not magically integrate. It takes time, but it's inevitable. Sure the old culture is subtly changed over time by this influx, but it's a good thing. Do you really want to inbreed yourselves until your eyes are all half an inch apart and your culture is as flavorless as the food you eat?

What's the big security problem with XP?

[xxxJonBoyxxx]

Riley also fessed up that Microsoft cocked up XP from a security perspective. "We let you down with XP," he said.

What's the big security problem with XP? It installed by default with a firewall that denied inbound connections. It allowed people to easily give the kids and the wife non-admin access to a shared system. It automatically tells me when new security patches are available from Microsoft, and it always installs them without incident. It even complains (through a tray icon) when my virus-checker's images were getting out of date. I've been running the same XP system on my laptop now for about three years; I haven't had any spyware, viruses or worms yet, and the system still boots as fast as the day I got it. So...what's the beef with security?

Re:What's the big security problem with XP?

[twitter]

Vista is not selling, so XP must be killed. They do this with every OS, so you might as well imagine that it's 2011 and Win9 is out and they let you down with Vista.

Re:Virtualizing Applications

[Paracelcus]

WINE?
Uhh, I thought we were already virtualizing applications with "http://www.winehq.org/"

Security or Convenience

[twitter]

I love that false choice. If you have to chose between the two, you don't have either.

Re:Security or Convenience

[lymond01]

Sorry, but did you just say you can have something be both secure and convenient? I'd love to see an implementation like that because it's never been done in the history of all things.

Not so fast. When was the last time you locked the bathroom door?

"We let you down with XP"

[Chris+Mattern]

But now we have something *new* that fixes all those problems! Really! So hand us more money, now!

Chris Mattern

Re:I'm still curious...

[Dystopian+Rebel]

Now, understand - there is always someone inconvenienced. I'm not talking about a perfect system. I'm literally asking, does the average American (or Brit, etc.) really feel that they've lost something specific?

Sir, I suspect that one of the reasons why you don't hear an answer is that some of your interlocutors are frozen in disbelief.

Although the USA may try valiantly, not everyone who displeases the government can be incarcerated. People think Guantanamo is bad; the US prison system is a systemic Guantanamo fit to burst with the highest percentage of incarceration in the world.

Do all the people who are not incarcerated have any reason to be concerned? If the government is above the law and there is no law to protect them, the only protection they have is their sleepy ignorance of their vulnerability.

You would call their sleepy ignorance proof that they have no cause for worry. Coincidentally, there's a group of men in the White House who agree with you.

The terrorists have already won ...

[seyyah]

because I just found myself agreeing with Microsoft ...

Tiny Sliver of Hope

[rossz]

People might get the wrong impression that I think all Muslims are murdering terrorists. Not so. There a lots of them who find the actions of the extremists repugnant. The problem is we rarely, if ever, here from them. Print a comic "insulting Mohammad" and there is rioting in the streets. An Islamic extremist murders a bunch of children and the silence is deafening. This MUST change.

Re:What's smart about a false choice?

[Thrip]

With real user and process separation Also available on Windows. I cry bullshit on that. I used to hear for a long time "So many people say Windows is insecure, but they run as Administrator all the time. They should run as an unprivileged user." And that sounded reasonable, so I pretty much believed it. So the next time I had to use Windows, I made an unprivileged account, and discovered that the restrictions placed on unprivileged users are so arbitrary and absurd that it's essentially impossible to work that way. You can't even change your own file associations. I had to keep logging in and out of my user and admin accounts all day to get anything done.

Maybe things have improved in Vista, but the user separation on Windows XP seems to be designed to drive you insane.

Just perfect

[HangingChad]

The endless security measures imposed on society as a result of the "war on terror" have become overblown and intrusive, according to Microsoft Redmond senior security analyst Steve Riley.

I agree with Microsoft on something. Great, just perfect. Now I have to get ready for the 4 horsemen, a rain of fire and the end of time.

On the plus side that means I won't have to mow this week.

No, OP is correct

[brunes69]

"Run As" is no solution at all. It is the Windows version of sudo, which is fine for things that SHOULD REQUIRE admin access.

But why should I require admin access to change file associations? Or to install a print driver?

"Run As" is just a crutch around poor design.

Re:No, OP is correct

[Grishnakh]

I call BS on this.

First, print drivers have no reason to be kernel-mode. None whatsoever. Printers are either connected through ethernet (the proper way), or USB (the cheap way). Either way, there's no reason for kernel-mode drivers; user-mode drivers can do all the work of formatting the data to be sent to the device. Notice that in Linux, all printer drivers are user-mode, and are usually actually called "filters", since they're just changing the data, not directly interacting with low-level hardware. Usually, all that needs to be done is convert the file to Postscript or PCL or some other printer control language.

However, the norm on Linux systems is that root sets up printers and printer drivers, because it's easier that way and makes more sense: the printer is a system-connected device, not one which each user should have to set up himself. So root sets up the printer with CUPS, and then users just have to select it and print to it.

As for file associations, there's no reason for this to be inaccessible by users. If I want to open .jpg images with "mirage" instead of "kview" by default, why should I not be able to set that? This is an issue purely about user preferences, just like what I want my screen saver and desktop background to be. How would "security vulnerabilities" have anything to do with this?

Re:It's not terrorism that threatens it

[Grishnakh]

I disagree.

It used to be this way with immigrants from Europe, etc. However, it is not this way with Islamic immigrants.

A recent poll in Britain found that most second-generation immigrants want Sharia Law to be instituted there. This isn't the first-generation immigrants from Pakistan and elsewhere; this is their kids, who grew up in Britain. The first-generation immigrants don't seem to be causing any problems; they just want a decent life and job. Their kids are embracing the ways of radical Islam. The same thing is happening in France.

There was a movie about this a while ago, called "My Son the Fanatic". Check it out.

SoftGrid? Wha?

[bussdriver]

Virtual machines per application?
So next they will want to save RAM and speed things up with pass-thru hooks like what is already done with the virtual network interfaces but taken to the next level... It seems like a bad progression towards an actually working OS... How about we get the OS to WORK with the memory protection and better manage abstracted hardware??

Am I the only one who sees virtual machines as a solution to problems that mostly shouldn't exist or at least not to the severity that one would seriously consider that a solution?