Slashdot Mirror
Microsoft No Longer a 'Laughingstock' of Security?
Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"
I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx.
There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same inital time period. It is amazing how far IIS has come since that nightmare that was IIS 4.
ÕÕ
It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.?
Do you mean how low the bar is set? It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock. It reminds me of Chris Rock's bit about people who brag, "I've never been to jail!" What do you want, a cookie?
Anyway, I guess it's true that Microsoft has gotten more secure and therefore isn't as much of a security laughing stock. There's still something to make fun of in how annoying UAC is, but I guess it's better than what they had before. So... yeah, I guess I'll give it to him. Microsoft is no longer a security laughingstock. They're just a marketing laughingstock for producing the disaster that is Windows Vista.
Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
No longer a laughing stock?
Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues it no longer brings the same attention it used to; its expected.
If Microsoft do want to correct their security issue, they need to start at the bottom and work their way up; they need to go through their product, they need to document, clean up, remove parts that are security risks, replace parts which are added because they're nice rather than needed. They need to stop the lie that 'computers are easy to use' when in reality, they're complex machines that actually might require a bit of book reading and learning (to the screams of the ignorant out there).
They also start needing to stop re-inventing the wheel and start working in groups; yes, groups are inefficient but like any brain storming, issues are raised which the original author might not have thought about - when you're an organisation all thinking along the same line, you can't adequately scrutinise the specification for every possible scenario - that is why standardisation is desirable. Issues of compatibility and security can be raised, and addressed. Microsoft on the other hand thinks because it has the cash and are a big organisation, it can address all the concerns internally.
I'm exagerating of course, but I hope you get the point, asking an uneducated user is not a security measure. And you still can't run IE under a separate user account. I think you're wrong on that point, there's no reason runas wouldn't work.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Unfortunately, Microsoft's security problems are masked, not fixed. Seriously, software firewalls should not need to exist. All software firewalls do is cripple other code running on the OS (drivers, services, programs, etc). Fix the underlying code and don't default to running services that home users will never need and, presto, no need for a firewall...
Someone at M$: "XP with IE is full of 'critical' security holes."
Someone's manager: "Let's write a firewall and we can get away with calling those security holes 'important' and not fix them."
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Not all botnets are spread with a browser toolbar. Most of them infect unpatched machines via insecure open ports. Linux is safe from these, while Windows is not. My specific concern is pirated machines which CANNOT be patched due to Microsoft's policies (see my nearby post).
I love this comment. It's such an interesting insight into the mind of a Microsoft guy:
Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.
I don't know anyone who thinks a major bridge in major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.
AccountKiller
...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux". Don't get cocky.
Yes, it is the fault of the OS. No, linux isn't any better in this regard. They all essentially use the multi-user (on a single box), non-networked security models devised in the late 60s and early 70s.
Why should downloaded (i.e. tainted / potentially unsafe) code have any rights at all except to its own files by default? Should it be able to read your documents, open a network connection and send them out? Should it be able to format your disk? Hell, why even have a globally accessible file system at all?
We can't improve the users much, so we're going to have to improve the OS. Actually, some of the early security models were much better than the ones we use now, but carried too much overhead for the machines of the day.
There also seems to be a disconnect here-- if pirated Windows machines are presenting a problem that everyone has to face, why do we blast Microsoft for its desire to see these machines taken offline? Moreover, why are we putting "stolen software" in quotes when we're talking about people who're actually willfully using unlicensed software?
Is the idea here that pirates are "good" because they're not playing the "evil" Microsoft's game? Is Microsoft still more "evil" because they aren't improving the security of machines that are already well out of the bounds of their support model?
Yes, they had.
But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.
With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.
And the simple way to do that is to not have ANY open ports by default.
Security is a process. You are arguing about the high end, theoretical levels
MS's improvements have followed a progression, just like everything they do. There isn't all that much difference between Windows and any other OS, aside from age. Comparing Windows to BSD is kind of insane, given how old BSD is and how long they have had to find the security holes.
Now teh Lunix and OSX are another story- their "reputations" for security are based exclusively on spin and obscurity, in a "OMG, look at the other guy!!!" effort to say that, since someone else's product may (or, as in reality, may not) be worse than theirs, that somehow means they are "secure". Teh Lunix and Apple have relied too long on MS-bashing as their method of "improving" their product... but ever since the release of Windows Server 2003, there has been a huge shift. They are now forced to compete on the merits of their software and code... and are being found lacking.
Rather than improving their products, they engaged in MS bashing. Now that the market has become more security conscious, Apple and Lunix are being hoisted by their own petards.
It's kind of interesting how computer software is about the only real case where a market-driven system actually works. But the true irony is how the market losers (Apple, Lunix, Open Office and IBM, Mozilla, Real Networks, etc) are the ones driving governments to interfere in that market dynamic. I guess we can just chalk it up to hypocrisy being the only core value of conservatives.
I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal.
That's not what they're being asked for. What they're being asked for is for systematic holes to be eliminated, so they don't have to keep being patched over and over again. I've listed some of the systematic holes in the design that they keep getting bit by in the message I posted just before yours.
The thing that really bothers me is that people are accepting the argument that holes Microsoft created are not Microsoft's fault. People are blaming applications that didn't sanitize untrusted content before passing it to insecure APIs, rather than blaming Microsoft for not providing a secure API they could use instead.
My girlfriend recently called me because the wireless internet connection on her laptop stopped working. After screwing around with it for awhile, updating the drivers, etc, I noticed a small notation on the latest driver that it would only work if the actual firmware on your card was greater than version XX. After updating the firmware, the wireless worked again.
The apparent cause of the problem? Windows update happily auto-updated the wireless driver, neglecting to check that the firmware was compatible, and neglecting to also offer a firmware update. MS Security might have improved, but I don't think their reliability has. Many big corps tread carefully with update patches for this very reason.
You know, the little things, like always remembering your </i>, and never forgetting to preview your work.
Glass houses.
Projectile stones.
Whatever.
I don't think that Microsoft actually can solve this problem so long as piracy exists. As I'm not actually anti-pirate, I'd suggest that a community response would likely be necessary to resolve this issue on pirated machines...Pirate-spun patches, etc, would be helpful. I don't like the virus idea for the same reasons other benevolent viruses are generally a bad thing...They frequently have unintended consequences.
"One of the things I talk about often is my mom, because she is 78 and she's found e-mail .. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources and not following links and all of that"
..
...
No, all you have to do is build a Desktop System that can't be compromised by opening an e-mail attachment or clicking on a URL
"more people are like, 'Microsoft got its act together, and others should follow their lead,' technologists say, 'OK, our job is done -- what next?'"
"What I explain to people is that this isn't actually a technology problem we are solving; it's a crime problem"
Self serving imaginary made up quotes and a nonsensical opinion expressed. Making it a twenty year felony crime for hacking Windows isn't going to make Windows any more secure
davecb5620@gmail.com
Wait a sec. Don't project your own values onto a group that may not share them, nor assume a causal relationship where no data has been shown to indicate one.
So the claim is that it's no longer a laughing stock in the realm of security. All right then. Let's pretend for a moment that claim is true. The next question is why?
There are at least two possible answers:
We can see from the systems affected by vulnerabilities that the former has not happened, no redesign. Maybe it's the latter, better PR.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock.
This is classic Microsoft MO: as soon as a Windows version has been released for a few months, start badmouthing the previous versions. They did the same with XP to 2K/ME, ME to 98, NT4 to NT 3.5, etc.
Just Vista marketing. Nothing to see here, move along.