Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft No Longer a 'Laughingstock' of Security?

Posted by ryuzaki0 on from the set-the-bar-high-guys dept.

Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"

15 of 282 comments (clear)

  1. Says who? by A+beautiful+mind · · Score: 3, Insightful

    I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  2. Botnets by Megane · · Score: 3, Insightful

    So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  3. A good example - IIS by duplicate-nickname · · Score: 5, Insightful

    I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx.

    There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same inital time period. It is amazing how far IIS has come since that nightmare that was IIS 4.

    --

    ÕÕ

    1. Re:A good example - IIS by I'm+Don+Giovanni · · Score: 3, Insightful

      IIS 6 Vulnerability Report since 2003:
      Three vunlerabilies, none classified as "highly" or "extremely" critical, all patched.

      Apache 2.x Vulnerability Report since 2003
      33 vunlerabilies, 3% classified as "highly" critical, 9% unpatched, 3% only partially patched.

      Sorry, I know if offends the delicate sensibilites of slashdotters, but IIS6 has a virtually perfect record since its release.
      You spouted a lot of speculation that IIS6 has tons of undisclosed flaws, but you've provided zero evidence. If there are so many flaws, why have they not manifested themselves? Microsoft is better on security than they were in the past, whether you like it or not. Deal with it.

      --
      -- "I never gave these stories much credence." - HAL 9000
  4. MIcrosoft guy says MS's security is ok? by jcr · · Score: 3, Insightful

    Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  5. Re:my opinion of MS security by BUL2294 · · Score: 5, Insightful

    Unfortunately, Microsoft's security problems are masked, not fixed. Seriously, software firewalls should not need to exist. All software firewalls do is cripple other code running on the OS (drivers, services, programs, etc). Fix the underlying code and don't default to running services that home users will never need and, presto, no need for a firewall...

    Someone at M$: "XP with IE is full of 'critical' security holes."
    Someone's manager: "Let's write a firewall and we can get away with calling those security holes 'important' and not fix them."

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  6. Bridges not falling down is unrealistic? by Vellmont · · Score: 3, Insightful

    I love this comment. It's such an interesting insight into the mind of a Microsoft guy:

    Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.

    I don't know anyone who thinks a major bridge in major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.

    --
    AccountKiller
  7. Re:Of COURSE they're not the laughing stock... by mattpalmer1086 · · Score: 4, Insightful

    Yes, it is the fault of the OS. No, linux isn't any better in this regard. They all essentially use the multi-user (on a single box), non-networked security models devised in the late 60s and early 70s.

    Why should downloaded (i.e. tainted / potentially unsafe) code have any rights at all except to its own files by default? Should it be able to read your documents, open a network connection and send them out? Should it be able to format your disk? Hell, why even have a globally accessible file system at all?

    We can't improve the users much, so we're going to have to improve the OS. Actually, some of the early security models were much better than the ones we use now, but carried too much overhead for the machines of the day.

  8. They left the port open. by khasim · · Score: 3, Insightful

    Slammer was embarassing, but that one was hardly Microsoft's fault (although they do share some blame). They had released a patch for that vulnerability six months before the attack occurred.

    Yes, they had.

    But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.

    With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.

    And the simple way to do that is to not have ANY open ports by default.

    Security isn't just something you can pin on the software vendor and expect them to solve all your problems. It takes good system admins to keep the systems up-to-date with security patches and have them on a network that is designed for security.

    Security is a process. You are arguing about the high end, theoretical levels ... meanwhile Microsoft systems are still at the very lowest end and every day more zombies are added.
  9. Yeah, 'cause clean code is soooo easy to write. by mosel-saar-ruwer · · Score: 4, Insightful


    You know, the little things, like always remembering your </i>, and never forgetting to preview your work.





    Glass houses.

    Projectile stones.

    Whatever.

  10. Re:May we be... by Penguinisto · · Score: 3, Insightful

    ...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux".

    ...except that in Linux, OSX, and *BSD's case, it has been (at various points in time) demonstrably true.

    While I certainly wouldn't say that the three have perfect security (and certainly not WRT dumb admin/user mistakes), I can say with confidence that they can rightfully be claimed as being among the most secure out there. Windows cannot, not has ever been, able to credibly claim that. Whether it can do so in the future remains to be seen.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  11. Scotts mom and Internet security .. by rs232 · · Score: 3, Insightful

    "One of the things I talk about often is my mom, because she is 78 and she's found e-mail .. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources and not following links and all of that"

    No, all you have to do is build a Desktop System that can't be compromised by opening an e-mail attachment or clicking on a URL ..

    "more people are like, 'Microsoft got its act together, and others should follow their lead,' technologists say, 'OK, our job is done -- what next?'"

    "What I explain to people is that this isn't actually a technology problem we are solving; it's a crime problem"

    Self serving imaginary made up quotes and a nonsensical opinion expressed. Making it a twenty year felony crime for hacking Windows isn't going to make Windows any more secure ...

    --
    davecb5620@gmail.com
  12. but has it improved? by SgtChaireBourne · · Score: 3, Insightful

    Anyway, I guess it's true that Microsoft has gotten more secure and therefore isn't as much of a security laughing stock.

    Wait a sec. Don't project your own values onto a group that may not share them, nor assume a causal relationship where no data has been shown to indicate one.

    So the claim is that it's no longer a laughing stock in the realm of security. All right then. Let's pretend for a moment that claim is true. The next question is why?

    There are at least two possible answers:

    • the design of the software has been changed (security == design)
    • the public relations and marketing activities have been better at quashing unfavorable press and burying complaints

    We can see from the systems affected by vulnerabilities that the former has not happened, no redesign. Maybe it's the latter, better PR.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  13. Re:rear-view mirror by darkonc · · Score: 3, Insightful
    In other words, the headline really should be:

    Microsoft Finally Admits Lying About Security
    Admits that security is still bad, but claims to be no longer 'laughing stock' bad.
    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  14. Re: Straight from the MS playbook... by CommandNotFound · · Score: 3, Insightful

    It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock.

    This is classic Microsoft MO: as soon as a Windows version has been released for a few months, start badmouthing the previous versions. They did the same with XP to 2K/ME, ME to 98, NT4 to NT 3.5, etc.

    Just Vista marketing. Nothing to see here, move along.