Microsoft No Longer a 'Laughingstock' of Security?
Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"
I have to sometimes wonder how, when security is considered so important, how Microsoft has been allowed to take so long. It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.
It kind of reminds me of the cell phone industry and their "high" standard where they get away with advertising braggadocio like "the provider with the fewest dropped calls". It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "less dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.
(Case in point... if you'd ever owned the amazing Harmony() remote controls before they were bought by Logitech, they were wonderful devices -- rock solid, great feel to them... now, they're sexied up with cheap buttons, lousy feel, and questionable reliability. And get ready, Logitech just bought Slimline devices. Thought the Squeezebox was a great gadget? Better get the remaining quality ones before profit-think forges it into a cheap crappy imitation of its former self.)
And, to save you all a little time.... mod(self, -1, offtopic);
I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Now we just snicker and giggle!
Great minds think alike; fools seldom differ.
As a $1000 per hour Foundstone security consultant (you'd know my name, I'm extremely famous - ok I'll give you a hint, my name rhymes with Fan Darmer), I am inclined to agree. MS products are now completely secure. I know, because *I* can't hack them.
He keeps saying those words... I do not think they mean what he thinks they mean...
Now, Microsoft has Windows and IE asking so many security messages, that the users automatically say yes, once again, reducing all of their efforts to ashes. And you still can't run IE under a separate user account.
This is my sig.
Inasmuch as this constitutes any sort of admission that Microsoft products were not always exemplars of good security, it should not be forgotten that Microsoft has always insisted that they were.
So really, they are not saying anything different than they have always said. "Back then" when their products were insecure, they insisted that their products were secure. Now, they are admitting that "back then" their products were not secure, and are continuing to insist that their products are secure.
Why should we believe them? Once bitten, twice shy, and with good reason.
I concede that MS is not the laughingstock that it once was, but they are a ways from the respect that some of their competitors of similar scale (cough*IBM*cough) have long since earned. Eliminating the repeat vulnerabilities such as the recent ANI vuln might be a good place to start.
I'm thinking (in part to stroke Theo's ego a bit) set OpenBSD as the security standard out there. Every OS, compare it security-wise to OpenBSD. Put a "percentage" for how secure, then we can see hard numbers for how securely an OS is out of the box.
Karma Whoring for Fun and Profit.
...now if you'll excuse me, I have to go delete the spam that was sent from a botnet of computers that are running a series of a particular OS that shall remain nameless...
So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!
I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx.
There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.
I'm just surprised that the various governments of the world have let so many state secrets get locked up in Microshaft's closed, insecure standards. If Microshaft ever folds, the only people that will be able to access those old documents that tell you how to turn off that automated attack system of yestercentury are the Chinese hackers.
Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
They should really set their goals a little higher... You could as least aspire to fix everything, even though you probably won't.
There's no question that Microsoft is responsible for some of the most powerful computing initiatives in the world today.
Redmond's other bots will want to set the record straight.
Rich And Stupid is not so bad as Working For Rich And Stupid.
Yeah, you can. Right-click and choose "Run as..." or pull up a command prompt and use the "Runas" command specifying a separate user and pointing to "C:\Program Files\Internet Explorer\iexplore.exe"
It may not be exactly like that in Vista but it works perfectly in XP even if explorer has been blocked for alternate users.
Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
It's not funny any more.
Was it ever?
Help stamp out iliturcy.
Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
No longer a laughing stock?
Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues it no longer brings the same attention it used to; it's expected.
If Microsoft do want to correct their security issue, they need to start at the bottom and work their way up; they need to go through their product, they need to document, clean up, remove parts that are security risks, replace parts which are added because they're nice rather than needed. They need to stop the lie that 'computers are easy to use' when in reality, they're complex machines that actually might require a bit of book reading and learning (to the screams of the ignorant out there).
They also need to stop re-inventing the wheel and start working in groups; yes, groups are inefficient but like any brainstorming, issues are raised which the original author might not have thought about - when you're an organisation all thinking along the same line, you can't adequately scrutinise the specification for every possible scenario - that is why standardisation is desirable. Issues of compatibility and security can be raised, and addressed. Microsoft on the other hand thinks because it has the cash and is a big organisation, it can address all the concerns internally.
I think they'll be a laughing stock until they find a way to make all those funny videos of Steve Ballmer go away. Jeez, that guy cracks me up!
I had asked Microsoft's Security VP, Mike Nash, about the problem of infected pirated machines. And what did he say?
"It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected. They are using stolen software."
In other words, we ALL are suffering spam, viruses and worms because Mike Nash got picky about not providing security to "stolen software".
It $hould be clear now that Micro$oft got their prioritie$ $traight. Right?
...but I'm still laughing. :-)
StarTrekPhase2 - The Five Year Mission Continues!
hahahahaahahahahah! *falls over* hahaha haa lmao lol hahahahahahahahahahahahahahahahahaahahahahahaahaha ha... *breath* haha... ha ahhhhhhhh Nope, still works.
Poor security makes money for Microsoft because Corrupted PC's Find New Home in the Dumpster.
Still finding 'em.
Need I say more?
So, we are supposed to trust a group INSIDE Microsoft, who comment on Microsoft products?
Sorry, tits or GTFO.
Microsoft Security in its software has never been funny to its victims. From my perspective, Scott Charney's observations are like observing a battered wife rationalize the need to live using wires, and tubes.
I have to say I have used many OS's and really have never had a security problem with any of them. That includes Windows in most iterations. Most of the security stories I have heard have been from other people on the net. The odd time I have attended to a friend or relative's machine, it has almost always been because of something they themselves have done. I still maintain that the main source of computer (including security) problems is with the users themselves. Not saying the others are liars but if the expectation is that you can protect users from themselves, then that is an unrealistic expectation.
Windows is still a disaster, and I think I know why people don't care. It is the "Big target" rationale nonsense.
Microsoft has been successful in seeding in people's minds that "all computers are insecure and the only reason why Windows *LOOKS* so bad is that there are so many of them, and if [apple][linux][foo] were as popular, there would be just as many security holes."
It is a plausible argument when one is ignorant, as most are, of the basics of security. Unfortunately, the argument is getting traction and letting them off the hook.
They're still funny. We just needed to catch our breath and rest our aching sides.
In line with microsoft's pronouncement,
I want to recognize how much respect and admiration everyone at Slashdot now has for all my posts.
---
Cool-- did that change anything? No. The fact is, that compared to the AS/400, microsoft operating systems are festering mounds of viruses that crash without warning at 10 times the rate. Compared to linux, microsoft O/S are boxers with glass jaws.
Instead of adding all of these new features in Vista (which sucked a ton of performance) they needed to shut down all the buffer overflow exposures (which have been avoided because they cause a 1-3% performance hit).
When we stop getting major Trojans, worms, email viruses, IM viruses, etc. then microsoft will get the respect they are proclaiming unilaterally they are getting.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
All modern operating systems are still struggling to catch up to the Atari 800.
Even now it sits impenetrable with layer one security from both the Internet and power grid in my closet!
This sig is alpha and shouldn't be viewed on production machines
"we were the laughing stock of security" - so it was like that. So then, you were serving faulty, lacking products to customers ?
Read radical news here
The biggest problem is, of course, the HTML control.
Until Microsoft abandons the entire "security zone" model and makes the HTML control default to a secure or "closed" state completely under the management of the calling application Windows security will never be anything but a joke. The recent hole in Yahoo Instant Messenger, for example, is primarily Microsoft's fault... because the "security zones" should not be able to "fail open". Blaming Yahoo for not 'sanitizing' the input is nuts.
No other HTML rendering library works this way. The two leading alternatives... Mozilla's Gecko and KDE's KHTML (and thus Apple's Webcore)... both implement a closed sandbox. If an application wants the page to have more capability, it must explicitly install hooks to grant it that capability. This way when an application renders a page using Gecko or KHTML there's no possibility of there being prepared holes to attack. In addition, when they DO install a controlled hole in the sandbox, they know that they're the only agency doing so... there's no concerns about some insecure ActiveX control in the system becoming an avenue of attack.
Until Microsoft completely changes the API for the HTML control they won't solve their image problem, and they shouldn't expect to... because until they do this, they have a problem and the image only reflects that.
ActiveX use in the HTML control, of course, is completely insane. Given all the layers of bandaids and patches and dialogs and settings and security levels wrapped around them, it's actually less effort to explicitly install a plugin than to open IE up to the point where you can use a "trusted" ActiveX control. They need to deprecate and eventually eliminate this.
There are other problems, too. Applications have to parse command lines completely, using their own code to break them up into arguments and perform wildcard expansion. Both OS X and Linux use the UNIX "exec" call, which doesn't require the application to add this additional evaluation step. Many of the "URI" related holes found in applications on Windows... including several recent ones involving IE, Firefox, and Second Life... are due to this flaw in Microsoft's APIs.
There's a second flaw in their URI handlers, and that is the inability to separate internal handlers that may expose more powerful capabilities than a sandboxed object should have access to with the ones that are designed for use by untrusted documents. The 'patch' to fix this is to try and sanitise the list of URI handlers that each application will use. This, like any other "sanitization-based" approach, is inherently flawed. They need to create a second registry that only supposedly secure applications will use... and then they won't need to worry about web pages containing links to ".CHM" files.
(Apple, by the way, has copied this flaw from Microsoft. But at least they don't share the rest of the burden)
The lack of a standard mechanism to bind network services to specific interfaces is a third problem. In UNIX most network services have traditionally been run from inetd, so if you replace inetd with something like xinetd or tcp wrappers you can prevent services from listening to anything but the local interface "localhost". This means that a firewall on UNIX is an extra defense, where on Windows it's the only way to keep insecure protocols from accepting connections from external sources.
For Microsoft to get the same reputation for security that UNIX based systems have earned, it will have to correct these flaws. The easiest way, perhaps, would be for it to BECOME a UNIX-based system. It wouldn't take much, so much of the API is already inherited from Microsoft's one-time infatuation with UNIX, and they ship a subset of the UNIX API with Windows in the POSIX subsystem.
Or, though it would be less desirable from the point of view of people who have to write portable code, they could implement their own secure APIs and make the existing ones a deprecated and eventually optional add-in.
But so long as they keep the current API unchanged in all details, though, they can not solve these problems they're faced with.
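An added example, not code from the thread or from any vendor it discusses, modelling the contrast the comment above draws: a renderer sandbox that starts with no capabilities and only gains them through explicit grants from the host application, and a separate allow-list registry of URI schemes reachable from untrusted documents, placed beside the deny-list "sanitizer" approach that fails open on any scheme it has not heard of. The handler table, scheme names and sample links are all constructed for the illustration.

```python
"""Fail-closed rendering sandbox and a separate URI registry for untrusted content.

Added illustration, not code from the thread or from any vendor it names.
Everything below (handler names, schemes, sample links) is constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# System-wide handler table as an application might see it (constructed).
# Several entries launch local programs and should never be reachable
# from a web page.
SYSTEM_HANDLERS = {
    "http": "web browser",
    "https": "web browser",
    "mailto": "mail client",
    "file": "local file viewer",
    "chm": "help viewer (opens local content)",
    "telnet": "telnet client",
}

# Separate registry used only for untrusted documents: a short allow-list.
UNTRUSTED_HANDLERS = {
    "http": "web browser",
    "https": "web browser",
    "mailto": "mail client",
}

# Deny-list "sanitizer" of the kind criticised above. It only knows the
# schemes that have already caused trouble, so anything else gets through.
BLOCKED_SCHEMES = {"file", "chm"}


def scheme_of(uri: str) -> str:
    return urlsplit(uri).scheme.lower()


def sanitizer_allows(uri: str) -> bool:
    """Deny-list check: fails OPEN for every scheme not on the list."""
    return scheme_of(uri) not in BLOCKED_SCHEMES


def allowlist_handler(uri: str):
    """Allow-list lookup: returns the handler name, or None (refused)."""
    return UNTRUSTED_HANDLERS.get(scheme_of(uri))


@dataclass
class Sandbox:
    """Renderer context that starts with no capabilities at all."""
    granted: set = field(default_factory=set)

    def grant(self, capability: str) -> None:
        # The host application is the only party that can widen the sandbox.
        self.granted.add(capability)

    def open_link(self, uri: str):
        if "navigate" not in self.granted:
            return ("refused", "no navigate capability granted")
        handler = allowlist_handler(uri)
        if handler is None:
            return ("refused", f"scheme {scheme_of(uri)!r} not in untrusted registry")
        return ("dispatched", handler)

    def load_native_control(self, name: str):
        # Native controls need their own explicit grant; nothing is reachable
        # merely because it happens to be installed on the system.
        if "native-controls" not in self.granted:
            return ("refused", f"native control {name!r} not permitted")
        return ("loaded", name)


def compare(uris):
    """(uri, deny-list verdict, allow-list verdict) for each link."""
    return [(u, sanitizer_allows(u), allowlist_handler(u) is not None) for u in uris]


if __name__ == "__main__":
    links = ["https://example.test/", "chm://help.example/x", "telnet://host.example/"]
    for uri, by_denylist, by_allowlist in compare(links):
        print(f"{uri:32} deny-list allows: {by_denylist!s:5} allow-list allows: {by_allowlist}")
    box = Sandbox()
    print(box.open_link("https://example.test/"))   # refused: nothing granted yet
    box.grant("navigate")
    print(box.open_link("https://example.test/"))   # dispatched to the browser
    print(box.open_link("telnet://host.example/"))  # refused: not in the untrusted registry
```

The point of the comparison is the third link: the deny-list lets it through because nobody added that scheme to the block list, while the allow-list refuses it without anyone having to anticipate it.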
I love this comment. It's such an interesting insight into the mind of a Microsoft guy:
Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.
I don't know anyone who thinks a major bridge in a major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.
AccountKiller
Ha ha.
Ha ha ha.
Ha ha ha ha ha ha.
Ha ha ha ha ha ha ha ha ha ha ha.
Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha.
Nope, you're still the laughing stock.
6F 9E A9 1E 96 9F 74 27 ED B8 81 6D 0C 4E 1E 78
My other Sig is a 229.
Now *that* was funny!
they will tell you.
"stop laughing, please. We're secure, really, why are you laughing harder, stop that."
I guess they just need to say it 9 more times for it to stick
cause saying means more than doing.
Ass-immo-lated...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
I'll concede, in the last six years, some improvements were made. They did, it's true.
So they're trying. Therefore, they are not on the bottom rung anymore. Is this true? Can we think of anyone with a worse reputation?
They're fighting against "unrealistic expectations". I disagree: Had they applied forethought and design to their devices, they would have had less of a fight, and with them all of their users.
So, we jaded cynics all immediately noticed the crux here: this is a marketing offensive. "C'mon, we're not all bad".
This begs the question: Why now? What are they up to?
They aren't a laughing stock because it just isn't funny anymore.
No Nyarlathotep, No Chaos
Know Nyarlathotep, Know Chaos
M$ are saying they are no longer the laughing stock of security.
This must mean that M$ admits that they used to be (that's a big jump for them).
Furthermore, why should we believe them, as anyone who cares about security (well, almost everyone) has jumped ship and uses something else (linux/mac/BSD/solaris/whatever). No one is likely to be tempted back because we know vista already has more holes than other OSes and M$ is now the laughing stock of DRM.
A great writeup about the "boiling frog" problem we have. Don't miss the followup article either!
Security Absurdity: The Complete, Unquestionable,
And Total Failure of Information Security.
http://www.securityabsurdity.com/failure.php
Thank you for brightening my otherwise dreary Friday morning!
Microsoft not a laughingstock of security... (wipes tears of laughter from eyes)
And there aren't millions of zombies and botnets pumping out spam and phishing teasers to all us good little Windows users...
is that MS is no longer a laughingstock. The bad news is, now we're crying instead.
It is not for you to determine when you are, or are not, a laughing stock.
;)
The subject of a joke does not get to determine whether or not it is funny.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux". Don't get cocky.
I was once inside of Microsoft and called for tech support 2 times. Both times I was directed to a support person in India on the other side of the world from HP. They asked me to do an application sharing session with NetMeeting and both times ASKED ME TO CHECK AUTOMATICALLY ACCEPT REMOTE CONNECTIONS. I can't imagine how many people actually did this, but I refused. HAS MICROSOFT'S SECURITY BEEN REDUCED TO ONE CHECKBOX?
All I see is hand-waving "I bet there are tons of unpatched holes in IIS" sentiments in your post. I'd like to see proof that there exist unpatched IIS holes, not vacuous appeals to emotion.
You're perfectly aware if you'd said the same thing about Apache you'd be flamed to hell and back around here. I'm just keeping you intellectually honest.
Yes, they had.
But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.
With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.
And the simple way to do that is to not have ANY open ports by default.
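The localhost-binding point made earlier in the thread (services only listening on the loopback interface) and the "no open ports by default" point in this comment come down to the same audit: which listeners on the box are reachable from other hosts at all? An added example, not code from the thread, that parses netstat-style output (constructed sample lines below, with addresses from the documentation ranges) and reports every TCP listener or bound UDP socket whose local address is a wildcard or a non-loopback address.

```python
"""Report network listeners reachable from other hosts.

Added example, not from the thread. Parses netstat-style lines (constructed
below) and flags every listener bound to a wildcard or external address,
i.e. a service with nothing but a firewall between it and the outside world.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the usual `netstat -an` layout; addresses are from
# the documentation ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:8080         0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:6379                :::*                    LISTEN
tcp        0      0 192.0.2.10:51234        198.51.100.7:443        ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*
"""

# Bind addresses that mean "every interface" in the tools' various spellings.
WILDCARDS = {"*", "0.0.0.0", "::"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int


def split_endpoint(text: str):
    """Split 'host:port' where host may itself contain colons (IPv6)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def is_exposed(host: str) -> bool:
    """True when a bind address accepts connections from other hosts."""
    if host in WILDCARDS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # unrecognised form: report it rather than silently skip it
    return ip.is_unspecified or not ip.is_loopback


def parse_listeners(text: str):
    """Yield every TCP socket in LISTEN state and every bound UDP socket."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header line or something we do not understand
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # established or closing TCP connection, not a listener
        host, port = split_endpoint(local)
        yield Listener(proto, host, port)


def exposed_listeners(text: str):
    """Listeners that are reachable from beyond the loopback interface."""
    return [l for l in parse_listeners(text) if is_exposed(l.address)]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{l.proto:5} {l.address:>12}:{l.port:<5} reachable from other hosts")
```

On the constructed sample the report lists 445, 8080, 22 and UDP 137; the MySQL listener on 127.0.0.1 and the Redis listener on ::1 are left out because only local processes can reach them, which is the state the comment argues every non-essential service should be in by default.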
Security is a process. You are arguing about the high end, theoretical levels
The reason is that you get the Windows idiot here who claims that viruses etc. attack Windows BECAUSE there are so many, even with the virus writers saying that they attack Windows because of the ease of doing it. But if Windows becomes more secure than Linux and OSX, then they will retarget weaker systems. The good news for /. is that finally we can put to rest that piece of FUD.
I prefer the "u" in honour as it seems to be missing these days.
Do you remember that guy in 6th grade who farted in all-school assembly? I sure do. That has been a long time. You don't forget it when somebody--a person or an organization--does something really stupid. We won't forget about Microsoft's security screw ups for decades.
Read why: http://brandonlive.com/2007/01/31/vista-myths-users-will-just-click-ok/
MS's improvements have followed a progression, just like everything they do. There isn't all that much difference between Windows and any other OS, aside from age. Comparing Windows to BSD is kind of insane, given how old BSD is and how long they have had to find the security holes.
Now teh Lunix and OSX are another story- their "reputations" for security are based exclusively on spin and obscurity, in a "OMG, look at the other guy!!!" effort to say that, since someone else's product may (or, as in reality, may not) be worse than theirs, that somehow means they are "secure". Teh Lunix and Apple have relied too long on MS-bashing as their method of "improving" their product... but ever since the release of Windows Server 2003, there has been a huge shift. They are now forced to compete on the merits of their software and code... and are being found lacking.
Rather than improving their products, they engaged in MS bashing. Now that the market has become more security conscious, Apple and Lunix are being hoisted by their own petards.
It's kind of interesting how computer software is about the only real case where a market-driven system actually works. But the true irony is how the market losers (Apple, Lunix, Open Office and IBM, Mozilla, Real Networks, etc) are the ones driving governments to interfere in that market dynamic. I guess we can just chalk it up to hypocrisy being the only core value of conservatives.
I'm sure GWB's aspirational goal was to turn Iraq into a secular democracy...
Up for it.
They have used that excuse many, many times in the past. "Hey, look, we're not that bad. Other OSs have bugs too. Right?" Then they usually proceed to name the other OSs. I think I can make my point with one example/question. If MS security is so great, how come the zombie armies that phishers and spammers use to do their dirty work, are made up of almost exclusively MS machines? Don't give the tired old story about them being the predominant OS either. Don't blame the users either, because the average to low end user has always been MS's target market. In other words, they should have known better.
I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal.
That's not what they're being asked for. What they're being asked for is for systematic holes to be eliminated, so they don't have to keep being patched over and over again. I've listed some of the systematic holes in the design that they keep getting bit by in the message I posted just before yours.
The thing that really bothers me is that people are accepting the argument that holes Microsoft created are not Microsoft's fault. People are blaming applications that didn't sanitize untrusted content before passing it to insecure APIs, rather than blaming Microsoft for not providing a secure API they could use instead.
They integrate everything in the core operating system. This tends to result in more bugs because it's more difficult to keep the code clear and understandable. This translates into longer and more difficult development cycles, unexpected side effects when implementing or fixing something and bloated packages.
The end result is that Microsoft needs more and better coders to understand the pile of spaghetti windows must be by now.
Is that where they've set their bar? "Let's not be the laughing stock?" I can relate to that actually. Given how complex software & its design process has become it certainly is a realistic goal to get software out the door that just "doesn't suck." However, I'd prefer if my server OS vendor aimed a little higher.
If we're past the laughing phase then it's only because we're moving to the silent shunning phase.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
My girlfriend recently called me because the wireless internet connection on her laptop stopped working. After screwing around with it for awhile, updating the drivers, etc, I noticed a small notation on the latest driver that it would only work if the actual firmware on your card was greater than version XX. After updating the firmware, the wireless worked again.
The apparent cause of the problem? Windows update happily auto-updated the wireless driver, neglecting to check that the firmware was compatible, and neglecting to also offer a firmware update. MS Security might have improved, but I don't think their reliability has. Many big corps tread carefully with update patches for this very reason.
why do we blast Microsoft for its desire to see these machines taken offline?
The problem is that Microsoft does NOT desire to see these machines taken offline. If that was the case, they could have set a virus that would disable network connectivity on infected machines, as a "security measure". I would vote for this measure! We'd get rid of thousands of botnets in one pass.
Instead, They keep these machines ONLINE, unpatched, and vulnerable to botnet infection.
Most computer users are so accustomed to Microsoft's products being insecure, that they don't really notice the insecurity any more.
If Microsoft product security has improved so much, they why do we still have all those Windows zombies spamming us each day?
.. and it becomes true. MS has been engaging in this kind of 'talk it up' behavior for years. "Okay, we admit we weren't that secure before.. but NOW, /now/ is a much different story." The sad part is, it works. If they repeat it often enough, loudly enough, and with enough different voices, the people responsible for making purchases will believe it's true. A prime example of this is the Linux v Windows TCO "debate" -- which didn't exist until MS spent millions of dollars to /make/ it exist.
Really. It wasn't until I used Windows and scanned a few machines that I realised just why personal firewalls appeared at all. Didn't occur to me that there would be so much exposed.
Here's what it is. The desktop icon for IE's right click brings up IE properties, not the IE process's properties. But, if I do the icon for IE's shortcut on the taskbar, then yeah, I can run as another user. Not too shabby MS.
This is my sig.
You know, the little things, like always remembering your </i>, and never forgetting to preview your work.
Glass houses.
Projectile stones.
Whatever.
Somebody please explain to Mr. Charney that his Jedi mind tricks may work on the general public but we're not falling for that!
An onion pretty much describes the MS security model. Take a core, wrap some layers around it, then add more annoying layers to protect the existing layers. And not every layer has to be from the same kind of onion.
Coding practices can only get security so far... MS needs to revamp their security design.
He sort of reminds me of the Black Knight from Monty Python's Holy Grail.
Have gnu, will travel.
What's really funny is that 20 years ago, wired long distance carriers were waging advertising battles over who had the clearest call. Sprint's "Pin Drop" ads probably set the bar in this respect.
So, while you take the wired phone service for granted, it hasn't been that long since call quality was a very important part of a consumer's purchasing system.
Go back another 20 years to the '60s and you still had a significant portion of the phone network that was manually switched by human operators.
I'm very surprised by this discussion for two reasons.
First, nobody has seemed to point out that the man raised over $5,000, and thus his loss wasn't quite as bad as the full $7,500.
Next and much more importantly, though, the man is making an important statement that police officers do not have the right to invent laws. The entire democratic process is based on police officers and judges having to follow laws that have been established by representatives voted for by the people. To bypass this process and allow police officers to do whatever they want because "it's not that much trouble" only opens the door to abusive law officials. He's out $2,500, for something that is at its root a very worthy case (whether he should have just shown the receipt is a different issue, but I would argue that he is correct, he had no obligation to do so. If we as a society feel that he was obligated to do so, then we as a society should vocalize that we want a law stating this). Why are so many people being so judgemental?
"One of the things I talk about often is my mom, because she is 78 and she's found e-mail .. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources and not following links and all of that"
..
...
No, all you have to do is build a Desktop System that can't be compromised by opening an e-mail attachment or clicking on a URL
"more people are like, 'Microsoft got its act together, and others should follow their lead,' technologists say, 'OK, our job is done -- what next?'"
"What I explain to people is that this isn't actually a technology problem we are solving; it's a crime problem"
Self serving imaginary made up quotes and a nonsensical opinion expressed. Making it a twenty year felony crime for hacking Windows isn't going to make Windows any more secure
davecb5620@gmail.com
Tell that the the controllers of the botnets, they seem to be laughing.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
Maybe they think this because we've been doing all the laughing behind their backs?
Clearly, we need to laugh in their face more often. You know, perhaps we could have a good laugh over the Windows Media Player/IE vulnerabilities that still affect people whose default browser is Firefox?
Or we could laugh at them over playing the blame game when those URL handler vulnerabilities were found. Mozilla fixed their end of it, I don't remember that Microsoft ever did...
It's naive to think of security in terms of black and white. If you force everything into a false dichotomy of "secure" and "insecure", then nearly everything falls into the realm of "insecure". Maybe some information sealed in an iron ball and dropped into the deepest part of the ocean, *maybe* that's secure, *for now*.
Security is best reduced to resources: Attacker has X dollars and Y hours, and is free to use any nasty trick in the book. How much of any of your resources do you want to commit to stopping it?
For example, you could construct a car with bank-vault style locks on it. No car thief is going to try to steal it, because they'll look for easier targets. But, it probably cost you a small fortune to build the car. Most of us weigh the security risk and just buy car insurance and lock the (normal) doors. Is your car "secure" or "insecure"? In an absolute sense, it's insecure. A thief can pop the lock, hot-wire, and drive away. However, if you get beyond the false dichotomy: I leave my car parked on the street every day with locked doors; it's "secure enough".
So instead of thinking as Microsoft products as "secure" or "insecure", ask yourself, "Are they 'secure enough'?"
- Are you willing to let a competent linux geek use IE on your computer?
- Are you willing to let an incompetent family member use IE on your computer?
- Are you willing to let a child use IE on your computer?
- In an e-mail from a stranger, are you willing to follow a link from Outlook to open in IE on your computer?
- If you run a server and have experienced a DDoS attack from zombies running Windows, do you feel Microsoft products are 'secure enough'?
I left Microsoft for Linux a long time ago, because I didn't feel Microsoft was "secure enough". YMMV.
I wonder why the IT industry needs virus scanners, firewalls and tools to remove trojans...
"It was our aspirational goal that the SDL will get rid of every bug. But let's get realistic for a minute: It's not a realistic goal."
If you articulate a goal that you don't believe is realistic, and all the people working for you know that you don't believe it's realistic, it can't actually serve to measure or motivate progress and is not a real goal.
If you can articulate a goal that is measurable, so that you can tell whether or not it's been met ("get rid of every bug"), but everybody knows it's not the real goal, and the real goal isn't measurable, then there is no goal at all.
To the extent that I understand what he's saying, he's saying that there was no goal at all. (Or he's not telling us what it was, lest it be obvious that it was not met).
If people aren't laughing at Microsoft security as much nowadays, it's merely because the joke has grown stale.
You weren't around for the days when port 139 ICMP/Nukes were around?
:)
Every idiot under the sun used to ask (on IRC no less) Win 95/98 users "what's UR IP, yo."
'Course, running Red Hat 5.2 at the time was a good laugh... hard to have your system rebooted when the service to receive said malformed packet wasn't present in the first place, and neither was the OS vulnerability. (Having spent hours coming up with a good ipchains ruleset helped keep the rest of the gaming rigs actually RUNNING Windows 95/98 safe behind the firewall.)
All I can say is that several years ago when I went to Defcon some guy from Microsoft took us all out to dinner and paid for the whole group. How can I sit on my ass now and type something bad about MS when it would be so easy, and everyone else here seems to blindly follow the "I hate MS" crowd anyway?
... It's just not a fair comparison. Like it or not, darn near everyone runs Windows, so as a cracker why would I waste my time looking for problems in Apple or Linux when the return on my investment is so much more with Windows?
:) Vista's approach of running the browser in a VM sandbox is a real good idea to keep lusers from hurting themselves.
If you look at SQL Server, there have been no vulnerabilities found in their server software since the slapper incident. All other vendors, including/especially Oracle, release regular streams of vulnerability after vulnerability. Heck, one of my test systems even got rooted because I accidentally left an Oracle test server running.
On the Windows VS Linux and MAC
Apple market uptake and automated discovery tools are starting to chip away at Apple's only security advantage... "obscurity".
MS's security reputation will always be dragged through the mud due to the vast endless oceans of lusers that get tricked into installing all manner of crap on their computers. Linux users know better, until the lusers start using Linux.
I don't much care about what happened in the past. What I do care about is the offerings available today and how well they work. People bitching about the past and the fun they had in the dialup era with Windows guest accounts can bitch away, I guess, but I would rather address reality, today and the future, than the past that is over and done with.
Now it's time for me to bitch about all of the wrong directions software vendors are taking to make it appear as if they're serious about security when their changes contribute nothing.
Virus scanning as an answer?
When you are infected by a virus it's already game over/too late. Scanners are nice and useful for lusers that have already been owned, but have very little to do with security.
Firewalls are good?
Firewalls make people think they're safe, and this in turn directly promotes complacency. They also ignore certain realities, such as that luser-initiated compromise is the rule rather than the exception, and the prevalence/cost of insider sabotage.
UAC is good right?
Not really. First and foremost it's annoying, and secondly, while it may protect my operating system, it does nothing to protect *my data* accessible by me... which it seems to me most people care more about than a stupid OS that can be reinstalled at any time.
Banking sites and anti-phishing countermeasures.
This crap really needs to end right now, along with those secure GIF logos that make people think that since they see code words that only they know about, or see a keylock, their transactions are somehow more secure. BS!!!!!!!!!!!! The bank's cert is the only possible thing preventing active MITM, and by steering the typical user's attention away from the browser's SSL status window with a bunch of irrelevant crap you are just enhancing the possibility that a typical luser will get burned because these baseless countermeasures looked official.
Which brings up my last point, on my use of 'luser': I don't mean that to sound elitist or to make fun of people who don't understand the specifics of a technology. They shouldn't have to!! The point is technology is only good if people know how to use it correctly, and like the TSA/airport situation, so many companies are shifting their focus from the hard useful work and education to CYA so they don't get sued, and the *impression* of security that has no roots in reality.
Agree. The fact that Microsoft says something doesn't make it so --but people don't know that.
Earlier this month, Microsoft said that Google could not have done without them, and now they're saying that Microsoft products are no longer the butt of jokes.
They can say that just because they are a big company and people listen to them. Whether we choose to believe Microsoft is a different matter.
I remember wearing my first business suit, complete with starched shirt and necktie, early in my university years. People would take me seriously because I was dressed in business attire, no matter what I said. It was fun! Once I stood at the entrance foyer to the city concert hall with my sloppily dressed friends, and people would come up to me and ask for directions and generally assume that I was not part of that group of friends in T-shirts and jeans. I'd tell them some ridiculous thing with a straight face (like there were free concert tickets upstairs if they could show a McDonald's hamburger wrapper) and people would believe me. Another time I asked to see a high school friend of mine who was in the middle of some all-day meeting, just to socialize (I knew the event was boring), and they just assumed I was a university teacher.
The pranks got boring after the first few times, but it made me realize how easily we accord credibility and respect to certain people for reasons that have nothing to do with the content of their message or their position.
It takes a huge effort to constantly critically evaluate whether to believe something, whether to believe that silver-haired "doctor" on the TV commercials who says your male organ will grow by 50%, or that typical mom-looking woman in the magazine ad (cuddling her baby, no less) who says that XX works on her cold symptoms, or that bespectacled politician who says that illegal immigrants are the cause of failure to curb crime, or your friend at the bar who says, "The Linux kernel is insecure. Trust me --I write web pages for a living." (Yeah, so you know all about the Linux kernel, right?)
So, we end up picking and choosing what we evaluate critically. When we're alert and fresh, we think critically; but after a long hard day at work, or when you feel like just flaking out with a beer in one hand and the TV remote in the other, we let our guard down. That's when the TV commercials hit us, when the Bill O'Reillys and the Wolf Blitzers insinuate their messages. Similarly, Microsoft gets its message splashed across any media space available, and people will listen. It's we geeks who are best able to peel away the facade, to say, "Hey, Microsoft, [[citation needed!]]"
For all I care, next week Microsoft can go say that Microsoft has produced the best Linux for PalmPilots since George Washington invented the Internet.
Secunia lists only one open vulnerability for Vista, which has to be executed by a local user.
http://secunia.com/product/13223/?task=advisories
Wait a sec. Don't project your own values onto a group that may not share them, nor assume a causal relationship where no data has been shown to indicate one.
So the claim is that it's no longer a laughing stock in the realm of security. All right then. Let's pretend for a moment that claim is true. The next question is why?
There are at least two possible answers:
We can see from the systems affected by vulnerabilities that the former has not happened, no redesign. Maybe it's the latter, better PR.
Sort of has the feel of detergent companies when they started saying "no longer with trisodium phosphate. phosphate free. doesn't clean worth a crap, but new and improved"
which is great if you're a fish....
So we laud the microsoft, you are now a level 2 product. welcome to being the "Toilet Paper of IT"
and secretly, we know the success is from declining penetration of MS products. Norton, Mozilla, and leveraged code buyouts have all helped make possible increases in security for your products =)
Now if you excuse me, I need to take a dump. Where's my VistaPaper?
What? It isn't true? But only last week someone swore it was so.
Well, the reason being that its hard to laugh in between all the security pop-ups. It breaks the rhythm.
is.....HA! HA!
Microsoft : Phew! we're no longer the laughingstock of security.
Slashdot-crowd : Right, now you're the asstunnel of security AND resource-hoggage.
their Windows Defender product is no longer in the top spyware detectors, and their AV stuff is near the bottom in detection?
Is this why "Patch Tuesday" remains?
Another bunch of fucking LIES from Microsoft.
Why bother to read anything that comes out of Redmond?
They have advanced in their strategy to control all bad security. Moving on from laughing stock, they should soon have complete mastery of the entire laughing lock, stock, and barrel categories.
You know the worst thing about *****? They always want some credit for some s*** they're supposed to do... "I've never been in jail!" Whatcha want? A cookie?? You're not supposed to go to jail!"
When you are the world's leading software company, with billions of dollars to spend on R&D, no longer being a laughing stock isn't something you should be bragging about. Vista took five years, and who knows how much money and programmer errors to make. With that much resources, it should be as close to unbreakable as an Operating System could be.
Now, there is some reason to believe that the argument that Linux has less malware than Windows is just because it isn't popular enough to be targeted. But there is also, presumably, much less money for paid researchers to go through the Linux code and search for bugs. If the OSDL had a one billion dollar a year budget (which would be pocket change to Redmond), there is no doubt in my mind that Linux security could go from solid to virtually invincible.
SDL totally rocks! Cross-platform game development is insanely great! That Sam Lantinga is a fucking genius!
It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock.
This is classic Microsoft MO: as soon as a Windows version has been released for a few months, start badmouthing the previous versions. They did the same with XP to 2K/ME, ME to 98, NT4 to NT 3.5, etc.
Just Vista marketing. Nothing to see here, move along.
Bwahaha... typical! /. members (the "pro *nix" kind that is) can't come up with any better than a "down mod" instead of a score superior to the one that Windows Server 2003 user had on the multiplatform CIS tool security test.
(The "pro *nix" crowd here sure 'talks big', but when it comes to actual contests of skill & backing up their b.s.? Well, anyone can see the results here... ZERO, for the /.'ers!)
Microsoft can't fix Windows properly (by redesigning all its obviously flawed subsystems and conventions) because most people value backward compatibility with existing devices, drivers, and applications over anything else.
If Microsoft introduced a version of Windows that had been re-written from the ground up in a robust, efficient, sensible way, nobody would buy it (because there wouldn't be any device drivers and applications for it), device manufacturers wouldn't write drivers for it (because the customer base for the OS was so miniscule), and application developers wouldn't port all their software to it (again, because the customer base for the OS was miniscule).
Look at the modest architectural changes Microsoft took a risk and made with Vista. That broke driver compatibility, and messed with app compatibility in some fringe cases, so now you've got millions of complaints from people bitching that their existing hardware and programs won't work on Vista. It's a major reason that Vista hasn't been well received. Now imagine how Microsoft would have fared if the device and app compatibility had been 100% broken.
People who claim Microsoft should take the OS X route (new clean OS design, providing backward compatibility by running other OSes in virtual machines) are again forgetting the drivers issue. A new OS architecture cannot generally use drivers from some other OS, and without drivers for your host OS, you're again stuck.
Microsoft is in a tough position -- damned if they do, damned if they don't. But I just wish they would be transparent and honest about the position they are in. They haven't solved the security issues, and should just admit that they never will be able to as long as they don't control the hardware the way Apple does and customers keep valuing backward compatibility.
Microsoft is no longer insecure, says Microsoft. Yup. It's true because they said it's true.
I think today I shall declare that I am a seven foot tall baby chicken who can slam dunk a basketball. It's true because I say it's true.
This will be news when someone who isn't employed or funded by MS makes this statement. Until then, it's just more marketing crap that doesn't really belong on /.
I mean really, this story is almost troll-worthy. What did they expect when they post this up here? "OMG he's right. Now we no longer need *nix to feel secure. The war is over!"
phbt!
I think that you've kind of hit upon the truth. The real security problem with Windows is not the bugs. The problem is that one of the user's main enemies is the operating system producer. DRM is designed to stop the computer owner doing things they might want to do. WGA is designed to force users to register where they might want to keep their privacy. These are just the very well known examples, however; this goes through the whole of everything Microsoft does. The difference between different editions of Vista is that most of them are deliberately crippled to help MS make money by forcing heavy users to pay extra; the reason that ActiveX used to automatically install is to allow MS advantages over existing technologies, as everyone now knows, at the cost of the user's security. The reason Java isn't automatically and easily installed on Windows is because MS didn't want it to take over their market; this was a choice which damaged many companies' existing investment in Java technology. The cases can go on forever. The difference is that, where before we could call it incompetence, now we know that it actually is a form of malice.
The point is that security is mostly a matter of tradeoffs: my ability to back up my music against the record companies' ability to stop unlicensed copying. Your ability to control the software on your system against Microsoft's ability to automatically change it. Your competitor's ability to find ways to control your computers against your ability to do business. With most companies, the realisation comes that it's more important that customers trust them than that they take every last bit of advantage of their power. I don't think that stage has arrived with MS, and I don't see that their operating systems can ever be secure for their users, just because that means they will never be secure for MS.
You're kidding, right? Microsoft is notorious for shipping buggy crap that gets fixed (sometimes) on the next iteration, provided you pay for the update. It's been that way since 1986, at least, and MS C V4. If somebody in charge is promising to submit MS stuff to QC with teeth, bravo. The short sharp exhalations are me not holding my breath.
Not surprising really - the rise of the ADSL modem that is also a NAT router and firewall is putting these Windows machines on the net under adult supervision. Antivirus software has also taken on extra roles (and much of it now consumes incredible amounts of CPU time and memory as a tradeoff). Third place has to go to Microsoft adding in some decent improvements like the firewall and frequent bug patches - the company has a different attitude now than in the past. They managed to turn NT into a home computer operating system good for not much other than playing games, but now many of the mistakes are being fixed. I think in a few years we will forget Vista (as with ME) and their updated server version of NT will be sold with a desktop version as well.
> Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable.
Yep, today they've moved on to be the laughing stock of just about every other industry too. Respect!
by not using vista, it'll be the most secure OS out there?
too bad everyone beat you to that idea!
The problem with Windows is the users. As long as people insist on remaining ignorant when it comes to "complicated" computers, whichever OS is most popular will be plagued with malware and viruses.
If more people on Linux and Mac liked reading "eCards" from strangers, their reputations would be just as bad.
That being said, fuck Windows.
Maybe not
We're the laughingstock for continually buying the OS despite numerous security problems. Let's not talk about the 'secret hidden update' that MS did a few short weeks ago. In the end, Mr. Enduser is the laughingstock for buying the OS knowing damn well all the problems that comes with it.
Interestingly, there was an article over on the Internet Patrol about Windows security just this week in which they point out that if Windows was a car, there would be a forced government recall. With Microsoft announcing an average of two new security flaws a week, and with the huge spread of botnets as a result, the article says
"If this were any other industry, the government would be mandating recalls - maybe even launching an investigation for criminal negligence.
In no other industry - in no other time in memory - has a company been able to get away with putting so many unsafe products in the hands of so many people, for such a long time, and with the potential to wreak such widespread havoc."
Amazingly, half of the comments to that article are sticking up for Windows. The article is at
http://www.theinternetpatrol.com/microsoft-windows-unsafe-at-any-speed
Because only 2% of UK companies are able to say that they are still a laughing stock.
"Yes. Now look at the CVS logs from between forking the project from NetBSD and the first OpenBSD release, as I said. You will see hundreds of security fixes as a result of that first complete audit"
Could you do me the favor of finding them ?
What do the CVS logs from the same time period say of Windows ?
What correlation is there between CVS logs and the number of actual breaches?
was: Re:Microsoft guy says MS's security is ok?
"Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?" - by jcr (53032) on Friday September 21, @11:08AM (#20696607)
I see you say "Microsoft lies", well... what about you "Pro *NIX" Penguins & "bsd devils" here on slashdot?
It was hilarious in this thread also where others from the "Pro-*NIX" camp here @ /. tried to say "Apache is more secure than IIS" &, lo and behold, in the 2 URLs below:
----
APACHE UNPATCHED KNOWN VULNERABILITIES LIST (9%):
http://secunia.com/product/73/?task=statistics
IIS 6.x UNPATCHED KNOWN VULNERABILITIES LIST (0%):
http://secunia.com/product/1438/?task=statistics
----
Let's also move on & take a look @ SQLServer 2005 also, shall we??
SQLServer 2005 UNPATCHED KNOWN VULNERABILITIES LIST (0%):
http://secunia.com/product/6782/
----
Let's NOT stop there either... take a peek @ Microsoft Office 2007!
Microsoft Office 2007 UNPATCHED KNOWN VULNERABILITY LIST (0%):
http://secunia.com/product/13228/
----
Given all that data (& yes, IE sux, & IE7 even needs more work in terms of security, but that is what Opera & FireFox are for imo)? It amazes me the b.s. you people here @ /. often spout, like "Windoze blows" etc. when clearly, it is a fine set of products MS produces for the MOST part...
IE is really the LAST area/product from MS that needs some work, it seems/is all!
APK
P.S. => Also, see this URL where over 30++ /.'ers ran from a challenge regarding Windows vs. Linux security, in a thread post here on /., regarding "Hardening Linux" no less:
SLASHDOT POST ABOUT "HARDENING LINUX":
http://it.slashdot.org/comments.pl?sid=267599&threshold=-1&commentsort=0&mode=thread&cid=20203061
(That's where no *NIX person here on this site @ /., & other sites oriented around both LINUX &/or BSD, could not do a better job on a valid multi-platform test of security (based on best practices for each OS platform) than a Windows Server 2003 user could!)
The *NIX folks were challenged on this site, who stated things along the lines of:
"(Insert *NIX variant here) is more secure OR securable than Windows"
& that's when I simply challenged them to that test in CIS TOOL... not a single one exceeded my score on Windows Server 2003 fully custom hardened for security. See this image which backs my score:
http://img.techpowerup.org/070828/APK_AToutLeMonde_85.185CISToolScorePhotoProof.jpg
"CIS TOOL" (by the Center for Internet Security) has been noted as a tool to help secure yourself by BOTH Computerworld & SANS (sites often cited here on /. no less, regarding security data):
Here is the outline for achieving that 85.185 score on CIS TOOL, for Windows users:
http://forums.techpowerup.com/showthread.php?p=375355#post375355
It works & so much so, it tends to "silence the F.U.D." spreaders here on /. about Windows vs. Linux (even SeLinux &/or BSD variants as well) regarding securability of them all!
Again, for all their 'talk', not a single *NIX person here beat that score, failing to "put up, or shut up". Nobody from /. has exceeded that score a Windows Server 2003 user achieves on i
When I started at my current job a little over a year ago, I was neutral on the subject of MS security. Read: *not* a zealot. I was originally brought on board as the lead programmer/analyst, but since it's a small company I now wear quite a few hats, including administering several servers. During THIS last year (not 10 years ago, not 5 years ago, but NOW), my opinion of Microsoft Windows as a server OS (whether 2000 or 2003) has completely tanked.
I'll give you one case in point: one of the Win 2003 servers was infected by a rootkit. It turned out that neither the latest service packs, the monthly "malicious software removal tool", a strong Windows password, nor current Symantec Anti-Virus were enough to keep the rootkit out. I had to download and use "Ice Sword" just to deal with the RK. After checking all of the above, I tightened up the firewall. Eventually I found the RK's log files and traced the problem back to Microsoft SQL Server. The rootkit system had compromised the SA account of SQL Server, and was then able to manipulate SQL Server (a mere RDBMS, mind you) to install itself on the machine and circumvent the kernel. I couldn't even see the RK using Windows Explorer; I could only see it with Ice Sword. That is just poor design, and that was with a current, patched MS Server product.
I also found and resolved problems with other Windows servers, and it didn't take long for me to realize that NONE of the *nix servers had any issues. Zip. Zero. Nada.
So I don't laugh at Microsoft security, but I sure as hell don't trust it. I have concluded that MS has *earned* their horrid security reputation for many YEARS through SEVERAL generations of products (including the current MS Windows 2003). Yet for YEARS they continually touted their improved security. Ever hear of the boy that cried wolf?
In THIS last year I've also concluded that Solaris and Linux work beautifully, thank you. Not only have they proven themselves more secure, but they're more reliable *and* less expensive to purchase and maintain.