Microsoft No Longer a 'Laughingstock' of Security?
Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"
I sometimes have to wonder how, when security is considered so important, Microsoft has been allowed to take so long. It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.
It kind of reminds me of the cell phone industry and their "high" standard where they get away with advertising braggadocio like "the provider with the fewest dropped calls". It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "less dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.
(Case in point... if you'd ever owned the amazing Harmony remote controls before they were bought by Logitech, they were wonderful devices -- rock solid, great feel to them... now, they're sexied up with cheap buttons, lousy feel, and questionable reliability. And get ready, Logitech just bought Slimline devices. Thought the Squeezebox was a great gadget? Better get the remaining quality ones before profit-think forges it into a cheap crappy imitation of its former self.)
And, to save you all a little time.... mod(self, -1, offtopic);
I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Now we just snicker and giggle!
Great minds think alike; fools seldom differ.
He keeps saying those words... I do not think they mean what he thinks they mean...
Inasmuch as this constitutes any sort of admission that Microsoft products were not always exemplars of good security, it should not be forgotten that Microsoft has always insisted that they were.
So really, they are not saying anything different than they have always said. "Back then" when their products were insecure, they insisted that their products were secure. Now, they are admitting that "back then" their products were not secure, and are continuing to insist that their products are secure.
Why should we believe them? Once bitten, twice shy, and with good reason.
I concede that MS is not the laughingstock that it once was, but they are a ways from the respect that some of their competitors of similar scale (cough*IBM*cough) have long since earned. Eliminating the repeat vulnerabilities such as the recent ANI vuln might be a good place to start.
I'm thinking (in part to stroke Theo's ego a bit) set OpenBSD as the security standard out there. Every OS, compare it security-wise to OpenBSD. Put a "percentage" for how secure, then we can see hard numbers for how securely an OS is out of the box.
Karma Whoring for Fun and Profit.
...now if you'll excuse me, I have to go delete the spam that was sent from a botnet of computers that are running a series of a particular OS that shall remain nameless...
So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!
I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx.
There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.
I'm just surprised that the various governments of the world have let so many state secrets get locked up in Microshaft's closed, insecure standards. If Microshaft ever folds, the only people that will be able to access those old documents that tell you how to turn off that automated attack system of yestercentury are the Chinese hackers.
Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
There's no question that Microsoft is responsible for some of the most powerful computing initiatives in the world today.
Redmond's other bots will want to set the record straight.
Rich And Stupid is not so bad as Working For Rich And Stupid.
Shift-Right-Click -> Run-As -> The-Following-User?
I do it all the time...
Yeah, you can. Right-click and choose "Run as..." or pull up a command prompt and use the "Runas" command specifying a separate user and pointing to "C:\Program Files\Internet Explorer\iexplore.exe"
It may not be exactly like that in Vista but it works perfectly in XP even if explorer has been blocked for alternate users.
It's not funny any more.
Was it ever?
Help stamp out iliturcy.
Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
No longer a laughing stock?
Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues it no longer brings the same attention it used to; it's expected.
If Microsoft do want to correct their security issue, they need to start at the bottom and work their way up; they need to go through their product, they need to document, clean up, remove parts that are security risks, replace parts which are added because they're nice rather than needed. They need to stop the lie that 'computers are easy to use' when in reality, they're complex machines that actually might require a bit of book reading and learning (to the screams of the ignorant out there).
They also start needing to stop re-inventing the wheel and start working in groups; yes, groups are inefficient but like any brain storming, issues are raised which the original author might not have thought about - when you're an organisation all thinking along the same line, you can't adequately scrutinise the specification for every possible scenario - that is why standardisation is desirable. Issues of compatibility and security can be raised, and addressed. Microsoft on the other hand thinks because it has the cash and are a big organisation, it can address all the concerns internally.
I had asked Microsoft's Security VP, Mike Nash, about the problem of infected pirated machines. And what did he say?
"It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected. They are using stolen software."
In other words, we ALL are suffering spam, viruses and worms because Mike Nash got picky about not providing security to "stolen software".
It $hould be clear now that Micro$oft got their prioritie$ $traight. Right?
...but I'm still laughing. :-)
StarTrekPhase2 - The Five Year Mission Continues!
I'm exaggerating of course, but I hope you get the point, asking an uneducated user is not a security measure. And you still can't run IE under a separate user account. I think you're wrong on that point, there's no reason runas wouldn't work.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Unfortunately, Microsoft's security problems are masked, not fixed. Seriously, software firewalls should not need to exist. All software firewalls do is cripple other code running on the OS (drivers, services, programs, etc). Fix the underlying code and don't default to running services that home users will never need and, presto, no need for a firewall...
Someone at M$: "XP with IE is full of 'critical' security holes."
Someone's manager: "Let's write a firewall and we can get away with calling those security holes 'important' and not fix them."
Windows 3.1x calc: 3.11 - 3.10 = 0.00
hahahahaahahahahah! *falls over* hahaha haa lmao lol hahahahahahahahahahahahahahahahahaahahahahahaahaha ha... *breath* haha... ha ahhhhhhhh Nope, still works.
I'm exaggerating of course, but I hope you get the point, asking an uneducated user is not a security measure.
You are severely exaggerating this. I get the message a lot, only because I do a lot of configuration. But overall, the average user will only get questioned on things that are really important. If you are saying the average user cannot even be trusted to do this, then you may as well have Microsoft hold the administrator account, and you need to call them to install anything (at a small fee).
Overall I hate Vista with a passion. See my prior comment in the history for evidence of this. However, I believe they have made great strides in the security realm.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Poor security makes money for Microsoft because Corrupted PC's Find New Home in the Dumpster.
So, we are supposed to trust a group INSIDE Microsoft, who comment on Microsoft products?
Sorry, tits or GTFO.
Microsoft Security in its software has never been funny to its victims. From my perspective; Scott Charney's observations are like observing a battered wife rationalize the need to live using wires, and tubes.
I have to say I have used many OS's and really have never had a security problem with any of them. That includes Windows in most iterations. Most of the security stories I have heard have been from other people on the net. The odd time I have attended to a friend or relative's machine, it has almost always been because of something they themselves have done. I still maintain that the main source of computer (including security) problems is with the users themselves. Not saying the others are liars but if the expectation is that you can protect users from themselves, then that is an unrealistic expectation.
Windows is still a disaster, and I think I know why people don't care. It is the "Big target" rationale nonsense.
Microsoft has been successful in seeding in people's minds that "all computers are insecure and the only reason why Windows *LOOKS* so bad is that they are so many of them, and if [apple][linux][foo] were as popular, there would be just as many security holes."
It is a plausible argument when one is ignorant, as most are, of the basics of security. Unfortunately, the argument is getting traction and letting them off the hook.
They're still funny. We just needed to catch our breath and rest our aching sides.
In line with microsoft's pronouncement,
I want to recognize how much respect and admiration everyone at Slashdot now has for all my posts.
---
Cool-- did that change anything? No. The fact is, that compared to the AS/400, microsoft operating systems are festering mounds of viruses that crash without warning at 10 times the rate. Compared to linux, microsoft O/S are boxers with glass jaws.
Instead of adding all of these new features in Vista (which sucked a ton of performance) they needed to shut down all the buffer overflow exposures (which have been avoided because they cause a 1-3% performance hit).
When we stop getting major Trojans, worms, email viruses, IM viruses, etc. then microsoft will get the respect they are proclaiming unilaterally they are getting.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
All modern operating systems are still struggling to catch up to the Atari 800.
Even now it sits impenetrable with layer one security from both the Internet and power grid in my closet!
This sig is alpha and shouldn't be viewed on production machines
"we were the laughing stock of security" - so it was like that. So then, you were serving faulty, lacking products to customers ?
Read radical news here
The biggest problem is, of course, the HTML control.
Until Microsoft abandons the entire "security zone" model and makes the HTML control default to a secure or "closed" state completely under the management of the calling application Windows security will never be anything but a joke. The recent hole in Yahoo Instant Messenger, for example, is primarily Microsoft's fault... because the "security zones" should not be able to "fail open". Blaming Yahoo for not 'sanitizing' the input is nuts.
No other HTML rendering library works this way. The two leading alternatives... Mozilla's Gecko and KDE's KHTML (and thus Apple's Webcore)... both implement a closed sandbox. If an application wants the page to have more capability, it must explicitly install hooks to grant it that capability. This way when an application renders a page using Gecko or KHTML there's no possibility of there being prepared holes to attack. In addition, when they DO install a controlled hole in the sandbox, they know that they're the only agency doing so... there's no concerns about some insecure ActiveX control in the system becoming an avenue of attack.
Until Microsoft completely changes the API for the HTML control they won't solve their image problem, and they shouldn't expect to... because until they do this, they have a problem and the image only reflects that.
ActiveX use in the HTML control, of course, is completely insane. Given all the layers of bandaids and patches and dialogs and settings and security levels wrapped around them, it's actually less effort to explicitly install a plugin than to open IE up to the point where you can use a "trusted" ActiveX control. They need to deprecate and eventually eliminate this.
There are other problems, too. Applications have to parse command lines completely, using their own code to break them up into arguments and perform wildcard expansion. Both OS X and Linux use the UNIX "exec" call, which doesn't require the application to add this additional evaluation step. Many of the "URI" related holes found in applications on Windows... including several recent ones involving IE, Firefox, and Second Life... are due to this flaw in Microsoft's APIs.
There's a second flaw in their URI handlers, and that is the inability to separate internal handlers that may expose more powerful capabilities than a sandboxed object should have access to with the ones that are designed for use by untrusted documents. The 'patch' to fix this is to try and sanitise the list of URI handlers that each application will use. This, like any other "sanitization-based" approach, is inherently flawed. They need to create a second registry that only supposedly secure applications will use... and then they won't need to worry about web pages containing links to ".CHM" files.
(Apple, by the way, has copied this flaw from Microsoft. But at least they don't share the rest of the burden)
The lack of a standard mechanism to bind network services to specific interfaces is a third problem. In UNIX most network services have traditionally been run from inetd, so if you replace inetd with something like xinetd or tcp wrappers you can prevent services from listening to anything but the local interface "localhost". This means that a firewall on UNIX is an extra defense, where on Windows it's the only way to keep insecure protocols from accepting connections from external sources.
For Microsoft to get the same reputation for security that UNIX based systems have earned, it will have to correct these flaws. The easiest way, perhaps, would be for it to BECOME a UNIX-based system. It wouldn't take much, so much of the API is already inherited from Microsoft's one-time infatuation with UNIX, and they ship a subset of the UNIX API with Windows in the POSIX subsystem.
Or, though it would be less desirable from the point of view of people who have to write portable code, they could implement their own secure APIs and make the existing ones a deprecated and eventually optional add-in.
But so long as they keep the current API unchanged in all details, though, they can not solve these problems they're faced with.
You are considering becoming complacent and answering yes to all security pop-ups. Accept or Deny?
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
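The two URI-handler points made in the comment above (one handler table for untrusted documents, and passing the URI as an argv element instead of splicing it into a command-line string) can be written down as code. This is an added example, not code from any poster or from Microsoft; the handler paths and the scheme table are constructed, and nothing is launched unless `dry_run=False` is passed.

```python
"""Dispatching a URI that arrived in an untrusted document.

Added example illustrating two design points from the comment above; it
is not code from any of the posters or from Microsoft.  Handler paths
and scheme names are constructed for the example.

1. Handlers that untrusted content may trigger live in a separate, small
   table (the "second registry" idea) instead of being picked out of the
   full handler registry by sanitising it.
2. The handler receives the URI as one element of an argv list, so the
   callee never has to re-tokenise a command-line string.
"""
import shlex
import subprocess
from urllib.parse import urlsplit

# Every handler the system knows about (constructed sample).
ALL_HANDLERS = {
    "http":   ["/usr/bin/browser"],
    "https":  ["/usr/bin/browser"],
    "mailto": ["/usr/bin/mailer"],
    "file":   ["/usr/bin/fileviewer"],   # local capability; never for web content
}

# The only schemes a document from the network may invoke.
UNTRUSTED_CONTENT_SCHEMES = frozenset({"http", "https", "mailto"})


class UntrustedSchemeError(ValueError):
    """Raised when a URI may not be dispatched in the current trust context."""


def scheme_of(uri: str) -> str:
    """Lower-cased scheme of `uri`; a URI without one is rejected."""
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        raise UntrustedSchemeError("URI has no scheme: %r" % uri)
    return scheme


def build_argv(uri: str, from_untrusted_document: bool = True) -> list:
    """Return the argv list that launches the handler for `uri`.

    The URI is a single argv element whatever characters it contains;
    exec-style APIs pass the list through unchanged.
    """
    scheme = scheme_of(uri)
    if from_untrusted_document and scheme not in UNTRUSTED_CONTENT_SCHEMES:
        raise UntrustedSchemeError(
            "scheme %r is not available to untrusted content" % scheme)
    if scheme not in ALL_HANDLERS:
        raise UntrustedSchemeError("no handler registered for %r" % scheme)
    return ALL_HANDLERS[scheme] + [uri]


def argv_as_seen_via_command_string(uri: str) -> list:
    """What a handler sees when the URI is spliced into one command line
    that the callee splits itself (the model criticised above).  shlex
    stands in for the callee's tokeniser: the argument count now depends
    on the URI's contents."""
    command_line = ALL_HANDLERS["http"][0] + " " + uri
    return shlex.split(command_line)


def launch(uri: str, from_untrusted_document: bool = True, dry_run: bool = True):
    """Dispatch `uri`; with dry_run the argv is returned instead of run."""
    argv = build_argv(uri, from_untrusted_document)
    if dry_run:
        return argv
    return subprocess.run(argv, check=False)


if __name__ == "__main__":
    sample = "http://example.com/page one two"   # constructed: contains spaces
    print("argv list   :", build_argv(sample))                       # 2 elements
    print("string split:", argv_as_seen_via_command_string(sample))  # 4 elements
    for uri in ("file:///etc/hosts", "mailto:someone@example.com"):
        try:
            print("ok   :", launch(uri))
        except UntrustedSchemeError as exc:
            print("block:", exc)
```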
I love this comment. It's such an interesting insight into the mind of a Microsoft guy:
Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.
I don't know anyone who thinks a major bridge in major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.
AccountKiller
Ha ha.
Ha ha ha.
Ha ha ha ha ha ha.
Ha ha ha ha ha ha ha ha ha ha ha.
Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha.
Nope, you're still the laughing stock.
6F 9E A9 1E 96 9F 74 27 ED B8 81 6D 0C 4E 1E 78
My other Sig is a 229.
they will tell you.
"stop laughing, please. We're secure, really, why are you laughing harder, stop that."
I guess they just need to say it 9 more times for it to stick
cause saying means more than doing.
Ass-immo-lated...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
They aren't a laughing stock because it just isn't funny anymore.
No Nyarlathotep, No Chaos
Know Nyarlathotep, Know Chaos
M$ are saying they are no longer the laughing stock of security.
This must mean that M$ admits that they used to be (that's a big jump for them).
Furthermore why should we believe them as anyone who cares about security (well almost everyone) has jumped ship and uses something else (linux/mac/BSD/solaris/whatever). No one is likely to be tempted back because we know vista already has more holes than other OSes and M$ is now the laughing stock of DRM.
is that MS is no longer a laughingstock. The bad news is, now we're crying instead.
It is not for you to determine when you are, or are not, a laughing stock.
;)
The subject of a joke does not get to determine whether or not it is funny.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
I was once inside of Microsoft and called for tech support 2 times. Both times I was directed to a support person in India on the other side of the world from HP. They asked me to do an application sharing session with NetMeeting and both times ASKED ME TO CHECK AUTOMATICALLY ACCEPT REMOTE CONNECTIONS. I can't imagine how many people actually did this, but I refused. HAS MICROSOFT'S SECURITY BEEN REDUCED TO ONE CHECKBOX?
Really?
I use netfilter on my laptop running Debian Linux for various things, and it seems to do the job acceptably.
Of course, I don't run any day-to-day programs as a user (read: root) who can actually use iptables to change my rules either.
Oh well.
Peace sells, but who's buying?
Yes, they had.
But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.
With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.
And the simple way to do that is to not have ANY open ports by default.
Security is a process. You are arguing about the high end, theoretical levels
The reason is that you get the Windows idiots here who claim that viruses etc. attack Windows BECAUSE there are so many, even with the virus writers saying that they attack Windows because of the ease of doing it. But if Windows becomes more secure than Linux and OSX, then they will retarget weaker systems. The good news for /. is that finally we can put to rest that piece of FUD.
I prefer the "u" in honour as it seems to be missing these days.
Do you remember that guy in 6th grade who farted in all-school assembly? I sure do. That has been a long time. You don't forget it when somebody--a person or an organization--does something really stupid. We won't forget about Microsoft's security screw ups for decades.
I'm sure GWB's aspirational goal was to turn Iraq into a secular democracy...
Up for it.
I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal.
That's not what they're being asked for. What they're being asked for is for systematic holes to be eliminated, so they don't have to keep being patched over and over again. I've listed some of the systematic holes in the design that they keep getting bit by in the message I posted just before yours.
The thing that really bothers me is that people are accepting the argument that holes Microsoft created are not Microsoft's fault. People are blaming applications that didn't sanitize untrusted content before passing it to insecure APIs, rather than blaming Microsoft for not providing a secure API they could use instead.
They integrate everything in the core operating system. This tends to result in more bugs because it's more difficult to keep the code clear and understandable. This translates into longer and more difficult development cycles, unexpected side effects when implementing or fixing something and bloated packages.
The end result is that Microsoft needs more and better coders to understand the pile of spaghetti windows must be by now.
Is that where they've set their bar? "Let's not be the laughing stock?" I can relate to that actually. Given how complex software & its design process has become it certainly is a realistic goal to get software out the door that just "doesn't suck." However, I'd prefer if my server OS vendor aimed a little higher.
If we're past the laughing phase then it's only because we're moving to the silent shunning phase.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
My girlfriend recently called me because the wireless internet connection on her laptop stopped working. After screwing around with it for awhile, updating the drivers, etc, I noticed a small notation on the latest driver that it would only work if the actual firmware on your card was greater than version XX. After updating the firmware, the wireless worked again.
The apparent cause of the problem? Windows update happily auto-updated the wireless driver, neglecting to check that the firmware was compatible, and neglecting to also offer a firmware update. MS Security might have improved, but I don't think their reliability has. Many big corps tread carefully with update patches for this very reason.
why do we blast Microsoft for its desire to see these machines taken offline?
The problem is that Microsoft does NOT desire to see these machines taken offline. If that was the case, they could have set a virus that would disable network connectivity on infected machines, as a "security measure". I would vote for this measure! We'd get rid of thousands of botnets in one pass.
Instead, They keep these machines ONLINE, unpatched, and vulnerable to botnet infection.
Most computer users are so accustomed to Microsoft's products being insecure, that they don't really notice the insecurity any more.
If Microsoft product security has improved so much, they why do we still have all those Windows zombies spamming us each day?
.. and it becomes true. MS has been engaging in this kind of 'talk it up' behavior for years. "Okay, we admit we weren't that secure before.. but NOW, /now/ is a much different story." The sad part is, it works. If they repeat it often enough, loudly enough, and with enough different voices, the people responsible for making purchases will believe it's true. A prime example of this is the Linux v Windows TCO "debate" -- which didn't exist until MS spent millions of dollars to /make/ it exist.
Really. It wasn't until I used Windows and scanned a few machines that I realised just why personal firewalls appeared at all. Didn't occur to me that there would be so much exposed.
Here's what it is. The desktop icon for IE's right click brings up IE properties, not IE the process properties. But, if I do the icon for IE's shortcut on the taskbar, then yeah, I can run as another user. Not too shabby MS.
This is my sig.
You know, the little things, like always remembering your </i>, and never forgetting to preview your work.
Glass houses.
Projectile stones.
Whatever.
Somebody please explain to Mr. Charney that his Jedi mind tricks may work on the general public but we're not falling for that!
An onion pretty much describes the MS security model. Take a core, wrap some layers around it, then add more annoying layers to protect the existing layers. And not every layer has to be from the same kind of onion.
Coding practices can only get security so far... MS needs to revamp their security design.
Apache-httpd is not known to have ever done this; MS have done "silent fixes". It would be significantly harder for Apache-httpd to do this, given that they have an open SCM ... all you get for MS are binary diffs on released blobs. MS also have a much worse reputation for downplaying known vulnerabilities; again Apache-httpd has never said "this can't be exploited" unless it can't ... I think they've said no known exploit once or twice when one was later found (the weird BSD memmove() bug comes to mind).
So, yes, you'd be flamed for saying that about Apache-httpd ... but you wouldn't be flamed for saying that about say wu-ftpd, for the same reasons you won't be flamed for saying it about IIS.
ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux". While I certainly wouldn't say that the three have perfect security (and certainly not WRT dumb admin/user mistakes), I can say with confidence that they can rightfully be claimed as being among the most secure out there. Windows cannot, nor has it ever been, able to credibly claim that. Whether it can do so in the future remains to be seen.
How long, Nimbus, will you abuse our patience?
Firewalls *are* a good thing, but only if they're implemented properly (see Linux/*BSD). A firewall should be an extra line of defense, not the only security on the system. The Microsoft way: "All services run with full privileges and listen on all interfaces. Wow, look at all these ports open, every single one of them is a huge security hole. Just put a firewall on it so no one can access them." The problem with this approach... firewalls (especially software firewalls running in Windows) can be breached (in Windows' case, pretty easily). The *nix approach: "Don't open any unnecessary ports. Only have services listening on interfaces where they're needed. Don't run services as root or give them unnecessary privileges. There, now there's nothing exploitable exposed, so no one can break in. Now put a firewall on top of it." If I really wanted to, I could completely take the firewall down on my Linux server and not really be any less secure. Ideally, the actual security is in the OS itself. The firewall is just there as the furthest line of defense. In Windows there is NO security whatsoever and the firewall is the only defense. Bad design.
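The argument in the comment above, and in the earlier comment about inetd/xinetd binding services to localhost, is that a firewall only hides ports that should not be reachable in the first place. As an added example (not from any poster), here is a small Python audit that classifies the listeners reported by Linux `ss -ltn` into "loopback only" and "firewall is the only protection"; the `ss` output embedded below is constructed.

```python
"""Classify listening TCP sockets by what they are bound to.

Added example (not from any of the posts): it shows which ports only the
firewall protects versus which are bound to loopback and stay unreachable
from other hosts even with the firewall down.  Input is the text that
`ss -ltn` prints on Linux; the sample below is constructed.
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample of `ss -ltn` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128          127.0.0.1:631          0.0.0.0:*
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       80           127.0.0.1:3306         0.0.0.0:*
LISTEN  0       511                  *:80                 *:*
LISTEN  0       128              [::1]:25              [::]:*
LISTEN  0       128               [::]:111             [::]:*
"""


@dataclass(frozen=True)
class Listener:
    address: str   # as printed by ss, brackets removed; "*" means any address
    port: int

    @property
    def exposure(self) -> str:
        """'loopback', 'all-interfaces' or 'specific-interface'."""
        if self.address == "*":
            return "all-interfaces"
        ip = ipaddress.ip_address(self.address)
        if ip.is_loopback:
            return "loopback"
        if ip.is_unspecified:          # 0.0.0.0 or ::
            return "all-interfaces"
        return "specific-interface"


def parse_ss_output(text: str) -> List[Listener]:
    """Parse `ss -ltn` output into Listener records (non-LISTEN lines skipped)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # port follows the last colon
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def firewall_only_ports(listeners: List[Listener]) -> List[int]:
    """Ports reachable from other hosts: the firewall is their only protection."""
    return sorted({l.port for l in listeners if l.exposure != "loopback"})


def loopback_only_ports(listeners: List[Listener]) -> List[int]:
    """Ports that stay unreachable from the network even with no firewall."""
    return sorted({l.port for l in listeners if l.exposure == "loopback"})


def current_listeners() -> List[Listener]:
    """Run ss on the local machine (Linux with iproute2 installed)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return parse_ss_output(out.stdout)


if __name__ == "__main__":
    ls = parse_ss_output(SAMPLE_SS_OUTPUT)
    for l in ls:
        print("%-20s %-6d %s" % (l.address, l.port, l.exposure))
    print("firewall is the only defence for ports:", firewall_only_ports(ls))
    print("safe regardless of firewall:          ", loopback_only_ports(ls))
```

Replace `SAMPLE_SS_OUTPUT` with `current_listeners()` to audit a real host; anything in the first list that the host does not need to serve externally should be rebound to loopback rather than merely filtered.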
He sort of reminds me of the Black Knight from Monty Python's Holy Grail.
Have gnu, will travel.
What's really funny is that 20 years ago, wired long distance carriers were waging advertising battles over who had the clearest call. Sprint's "Pin Drop" ads probably set the bar in this respect.
So, while you take the wired phone service for granted, it hasn't been that long since call quality was a very important part of a consumer's purchasing decision.
Go back another 20 years to the '60s and you still had a significant portion of the phone network that was manually switched by human operators.
"One of the things I talk about often is my mom, because she is 78 and she's found e-mail .. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources and not following links and all of that"
..
...
No, all you have to do is build a Desktop System that can't be compromised by opening an e-mail attachment or clicking on a URL
"more people are like, 'Microsoft got its act together, and others should follow their lead,' technologists say, 'OK, our job is done -- what next?'"
"What I explain to people is that this isn't actually a technology problem we are solving; it's a crime problem"
Self serving imaginary made up quotes and a nonsensical opinion expressed. Making it a twenty year felony crime for hacking Windows isn't going to make Windows any more secure
davecb5620@gmail.com
Tell that the the controllers of the botnets, they seem to be laughing.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
Stop splitting hairs. The message was clear. If one were to use that command often enough then presumably one would add it to the path, which makes it technically correct too.
And Aaron Margosis' blog explains how to make it more useful (PrivBar).
Maybe they think this because we've been doing all the laughing behind their backs?
Clearly, we need to laugh in their face more often. You know, perhaps we could have a good laugh over the Windows Media Player/IE vulnerabilities that still affect people whose default browser is Firefox?
Or we could laugh at them over playing the blame game when those URL handler vulnerabilities were found. Mozilla fixed their end of it, I don't remember that Microsoft ever did...
Long ago I found it was secure enough for me to use on my own main PC, provided I was the only user, and it was behind a router. I'd still call them the laughing stock of the security industry though, but with a little tweaking I could lock down anything I needed to.
...but I would still take every precaution I did before, with the exception of a 24/7 software firewall, which I don't run simply because my router is doing such a good job of filtering, and the last virus/trojan I had was in the 1990s.
Now... I'd say they aren't the worst, but I don't know who is... They're certainly moving up even if slowly, and I wouldn't call them a laughing stock anymore...
"It was our aspirational goal that the SDL will get rid of every bug. But let's get realistic for a minute: It's not a realistic goal."
If you articulate a goal that you don't believe is realistic, and all the people working for you know that you don't believe it's realistic, it can't actually serve to measure or motivate progress and is not a real goal.
If you can articulate a goal that is measurable, so that you can tell whether or not it's been met ("get rid of every bug,") but everybody knows it's not the real goal, and the real goal isn't measurable, then there is no goal at all.
To the extent that I understand what he's saying, he's saying that there was no goal at all. (Or he's not telling us what it was, lest it be obvious that it was not met).
If people aren't laughing at Microsoft security as much nowadays, it's merely because the joke has grown stale.
You weren't around for the days when port 139 ICMP/Nukes were around?
:)
Every idiot under the sun used to ask (on IRC no less) Win 95/98 users "what's UR IP, yo."
'Course, running Red Hat 5.2 at the time was a good laugh... hard to have your system rebooted when the service to receive said malformed packet wasn't present in the first place, and neither was the OS vulnerability. (Having spent hours coming up with a good ipchains ruleset helped keep the rest of the gaming rigs actually RUNNING Windows 95/98 safe behind the firewall.)
Agree. The fact that Microsoft says something doesn't make it so, but people don't know that.
Earlier this month, Microsoft said that Google could not have done without them, and now they're saying that Microsoft products are no longer the butt of jokes.
They can say that just because they are a big company and people listen to them. Whether we choose to believe Microsoft is a different matter.
I remember wearing my first business suit, complete with starched shirt and necktie, early in my university years. People would take me seriously because I was dressed in business attire, no matter what I said. It was fun! Once I stood at the entrance foyer to the city concert hall with my sloppily dressed friends, and people would come up to me and ask for directions and generally assume that I was not part of that group of friends in T-shirts and jeans. I'd tell them some ridiculous thing with a straight face (like there were free concert tickets upstairs if they could show a McDonalds hamburger wrapper) and people would believe me. Another time I asked to see a high school friend of mine who was in the middle of some all-day meeting, just to socialize (I knew the event was boring), and they just assumed I was a university teacher.
The pranks got boring after the first few times, but it made me realize how easily we accord credibility and respect to certain people for reasons that have nothing to do with the content of their message or their position.
It takes a huge effort to constantly critically evaluate whether to believe something, whether to believe that silver-haired "doctor" on the TV commercials who says your male organ will grow by 50%, or that typical mom-looking woman in the magazine ad (cuddling her baby, no less) who says that XX works on her cold symptoms, or that bespectacled politician who says that illegal immigrants are the cause of failure to curb crime, or your friend at the bar who says, "The Linux kernel is insecure. Trust me; I write web pages for a living." (Yeah, so you know all about the Linux kernel, right?)
So, we end up picking and choosing what we evaluate critically. When we're alert and fresh, we think critically; but after a long hard day at work, or when you feel like just flaking out with a beer in one hand and the TV remote in the other, we let our guard down. That's when the TV commercials hit us, when the Bill O'Reillys and the Wolf Blitzers insinuate their messages. Similarly, Microsoft gets its message splashed across any media space available, and people will listen. It's we geeks who are best able to peel away the facade, to say, "Hey, Microsoft, [[citation needed!]]"
For all I care, next week Microsoft can go say that Microsoft has produced the best Linux for PalmPilots since George Washington invented the Internet.
Secunia lists only one open vulnerability for Vista, which has to be executed by a local user.
http://secunia.com/product/13223/?task=advisories
Wait a sec. Don't project your own values onto a group that may not share them, nor assume a causal relationship where no data has been shown to indicate one.
So the claim is that it's no longer a laughing stock in the realm of security. All right then. Let's pretend for a moment that claim is true. The next question is why?
There are at least two possible answers:
We can see from the systems affected by vulnerabilities that the former has not happened, no redesign. Maybe it's the latter, better PR.
Sort of has the feel of detergent companies when they started saying "no longer with trisodium phosphate. phosphate free. doesn't clean worth a crap, but new and improved"
which is great if you're a fish....
So we laud Microsoft: you are now a level 2 product. Welcome to being the "Toilet Paper of IT".
and secretly, we know the success is from declining penetration of MS products. Norton, Mozilla, and leveraged code buyouts have all helped make possible increases in security for your products =)
Now if you excuse me, I need to take a dump. Where's my VistaPaper?
What? It isn't true? But only last week someone swore it was so.
One of the issues with Windows is LCD (Lowest Common Denominator). If you don't spell it out almost exactly (which I, too, am guilty of) most Windows users will type the command exactly as you said and when it doesn't work most Windows users will assume that you were wrong and not research the mistake. Most Windows users think that the PATH has something to do with religion. :)
In other words, I was just trying to help. I apologize for offending you, Malc.
Well, the reason being that it's hard to laugh in between all the security pop-ups. It breaks the rhythm.
is.....HA! HA!
The only fallacy here is your straw man. The claim you quote is something that you made up yourself. It is clearly very deliberately not present in the original post.
I'll spell it out, for the hard of thinking: saying that "Your evidence is flawed and can equally explain the opposite conclusion" (my post) is not the same thing as saying "The opposite conclusion is true" (your misquote).
their Windows Defender product is no longer in the top spyware detectors, and their AV stuff is near the bottom in detection?
Is this why "Patch Tuesday" remains?
Another bunch of fucking LIES from Microsoft.
Why bother to read anything that comes out of Redmond?
They have advanced in their strategy to control all bad security. Moving on from laughing stock, they should soon have complete mastery of the entire laughing lock, stock, and barrel categories.
When you are the world's leading software company, with billions of dollars to spend on R&D, no longer being a laughing stock isn't something you should be bragging about. Vista took five years, and who knows how much money and how many programmer errors, to make. With that many resources, it should be as close to unbreakable as an operating system can be.
Now, there is some reason to believe that the argument that Linux has less malware than Windows is just because it isn't popular enough to be targeted. But there is also, presumably, much less money for paid researchers to go through the Linux code and search for bugs. If the OSDL had a one billion dollar a year budget (which would be pocket change to Redmond), there is no doubt in my mind that Linux security could go from solid to virtually invincible.
It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock.
This is classic Microsoft MO: as soon as a Windows version has been released for a few months, start badmouthing the previous versions. They did the same with XP to 2K/ME, ME to 98, NT4 to NT 3.5, etc.
Just Vista marketing. Nothing to see here, move along.
Microsoft can't fix Windows properly (by redesigning all its obviously flawed subsystems and conventions) because most people value backward compatibility with existing devices, drivers, and applications over anything else.
If Microsoft introduced a version of Windows that had been re-written from the ground up in a robust, efficient, sensible way, nobody would buy it (because there wouldn't be any device drivers and applications for it), device manufacturers wouldn't write drivers for it (because the customer base for the OS was so minuscule), and application developers wouldn't port all their software to it (again, because the customer base for the OS was minuscule).
Look at the modest architectural changes Microsoft took a risk and made with Vista. That broke driver compatibility, and messed with app compatibility in some fringe cases, so now you've got millions of complaints from people bitching that their existing hardware and programs won't work on Vista. It's a major reason that Vista hasn't been well received. Now imagine how Microsoft would have fared if the device and app compatibility had been 100% broken.
People who claim Microsoft should take the OS X route (new clean OS design, providing backward compatibility by running other OSes in virtual machines) are again forgetting the drivers issue. A new OS architecture cannot generally use drivers from some other OS, and without drivers for your host OS, you're again stuck.
Microsoft is in a tough position -- damned if they do, damned if they don't. But I just wish they would be transparent and honest about the position they are in. They haven't solved the security issues, and should just admit that they never will be able to as long as they don't control the hardware the way Apple does and customers keep valuing backward compatibility.
Microsoft is no longer insecure, says Microsoft. Yup. It's true because they said it's true.
I think today I shall declare that I am a seven foot tall baby chicken who can slam dunk a basketball. It's true because I say it's true.
This will be news when someone who isn't employed or funded by MS makes this statement. Until then, it's just more marketing crap that doesn't really belong on /.
I mean really, this story is almost troll-worthy. What did they expect when they post this up here? "OMG he's right. Now we no longer need *nix to feel secure. The war is over!"
phbt!
Er, pulling out the "everything is relative" card doesn't really add anything to the discussion, now does it?
Allow me to reiterate: I asked for concrete evidence that there exist serious flaws in IIS 6. If there are, I shall kindly shut up and contribute no further. Show me the proof I demand. Surely if it is as terrible as everyone is implying it is, you can provide this sort of proof, right? Leave the hand-waving and faith-based arguments at the door. They have no place in a discussion of computer security.
You're kidding, right? Microsoft is notorious for shipping buggy crap that gets fixed (sometimes) on the next iteration, provided you pay for the update. It's been that way since 1986, at least, and MS C V4. If somebody in charge is promising to submit MS stuff to QC with teeth, bravo. The short sharp exhalations are me not holding my breath.
SgtChaireBourne, off topic: You asked to tell you what Domain Name Registrar I chose. I chose NameCheap.
Not surprising really. The rise of the ADSL modem that is also a NAT router and firewall is putting these Windows machines on the net under adult supervision. Antivirus software has also taken on extra roles (and much of it now consumes incredible amounts of CPU time and memory as a tradeoff). Third place has to go to Microsoft adding in some decent improvements like the firewall and frequent bug patches; the company has a different attitude now than in the past. They managed to turn NT into a home computer operating system good for not much other than playing games, but now many of the mistakes are being fixed. I think in a few years we will forget Vista (as with ME) and their updated server version of NT will be sold with a desktop version as well.
The problem with Windows is the users. As long as people insist on remaining ignorant when it comes to "complicated" computers, whichever OS is most popular will be plagued with malware and viruses.
If more people on Linux and Mac liked reading "eCards" from strangers, their reputations would be just as bad.
That being said, fuck Windows.
Maybe not
Putting aside that you put OSX into that list (which is at least 5 years behind the security curve), Vista is honestly on par with a hardened Linux (i.e. grsec/pax/etc.) and OpenBSD. Over the past few years MS has actually made huge leaps towards better security, and the security of Vista shows it. You state that the security of Windows is yet to be seen, but you neglect that Vista has been out for about a year now, without a single critical flaw found to date, nor a single reliably exploitable heap overflow, and so on. Really, anyone who refuses to see the about-face that MS has taken is guilty of just being blindly zealoted.
All UAC has succeeded in doing is increasing my anxiety over the day when I finally click "Deny" only to be met with:
You failed to turn on the light and have been eaten by a grue.
Now back to my regular pseudo-scientific reading.
We're the laughingstock for continually buying the OS despite numerous security problems. Let's not talk about the 'secret hidden update' that MS did a few short weeks ago. In the end, Mr. Enduser is the laughingstock for buying the OS knowing damn well all the problems that come with it.
Maybe I am confused, but how do you explain this?
Because only 2% of UK companies are able to say that they are still a laughing stock.
"Yes. Now look at the CVS logs from between forking the project from NetBSD and the first OpenBSD release, as I said. You will see hundreds of security fixes as a result of that first complete audit"
Could you do me the favor of finding them?
What do the CVS logs from the same time period say of Windows?
What correlation is there between CVS logs and the number of actual breaches?
It's just authentication.. aww geez being a grammar nazi is no fun when someone asks politely.
When I started at my current job a little over a year ago, I was neutral on the subject of MS security. Read: *not* a zealot. I was originally brought on board as the lead programmer/analyst, but since it's a small company I now wear quite a few hats, including administering several servers. During THIS last year (not 10 years ago, not 5 years ago, but NOW), my opinion of Microsoft Windows as a server OS (whether 2000 or 2003) has completely tanked.
I'll give you one case in point: one of the Win 2003 servers which was infected by a root kit. It turned out that neither the latest service packs, the monthly "malicious software utility", a strong Windows password, nor current Symantec Anti-Virus were enough to keep the root kit out. I had to download and use "Ice Sword" just to deal with the RK. After checking all of the above, I tightened up the firewall. Eventually I found the RK's log files and traced the problem back to Microsoft SQL Server. The root kit system had compromised the SA account of SQL Server, and was then able to manipulate SQL Server (a mere RDBMS, mind you) to install itself on the machine and circumvent the kernel. I couldn't even see the RK using Windows Explorer; I could only see it with Ice Sword. That is just poor design, and that was with a current patched MS Server product.
I also found and resolved problems with other Windows servers, and it didn't take long for me to realize that NONE of the *nix servers had any issues. Zip. Zero. Nada.
So I don't laugh at Microsoft security, but I sure as hell don't trust it. I have concluded that MS has *earned* their horrid security reputation for many YEARS through SEVERAL generations of products (including the current MS Windows 2003). Yet for YEARS they continually touted their improved security. Ever hear of the boy that cried wolf?
In THIS last year I've also concluded that Solaris and Linux work beautifully, thank you. Not only have they proven themselves more secure, but they're more reliable *and* less expensive to purchase and maintain.
Security on open source and non-MS OSes isn't what makes them great, it's the tools for detecting and fixing machines...
Hardly a month goes by without my ISP's DNS server managing to get hacked long enough for it to try to access known vulnerabilities on certain ports (not probing for, but trying to connect and upload vulnerabilities; my firewall only logs the connection attempts).
But the problem never lasts for more than a few hours before my ISP has managed to get their servers unhacked. Windows is still a bear to get unhacked without elaborate third party software. So, really, it's the turnaround time from detection to cleaning the system that really matters.
Reminds me of when I ran a webserver and 50% of my traffic was exploited Windows machines trying to exploit my server...
And I have had open source PCs compromised, usually because I was running optional software that I really didn't need... but I've had far more Windows machines that I've had to deal with virus and trojan removal on than open source problems...