Microsoft Talks Back To Google's Security Claims

Kilrah_il writes "Yesterday there was a piece about Google ditching Windows for internal use because of security concerns. Now Microsoft is fighting back, claiming its products are the most secure — more than Google's and Apple's. 'When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else. And it's not just the hackers; third-party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others.'"

Some Helpful Advise

[eldavojohn]

When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else.

Hint: Your worst nightmares do not have open jovial dialogues with you. And if they did communicate with you or offer you a score card or report, they would want you to feel as though you are completely safe -- totally unaware and unprepared for what you may face.

You've come a long way, Microsoft, but you have much much further to go. If you measure security by percentage increase in security then the evolution from Windows 95 to Windows 7 is nigh impassable. But that in no way means you're number one in the security scores. Run your marketing campaign with setting the "facts" straight but people like me know. With what little (journalistic) evidence you presented, there's no way I can build a conclusion that backs up your statement. And there's no way around that. It would better prepare you to look into the several thousand anecdotes found daily revealing the issues with Windows and Internet Explorer.

Re:Some Helpful Advise

[h4rr4r]

Server rooms around the world disagree. As do smartphones, netbooks and all manner of embedded devices.

Re:Some Helpful Advise

[dAzED1]

tired response is tired.

The money is on UNIX systems. That's where the large banks are running their transactions, where stock is being traded, where the military is running it's services, where engineering designs are stored, etc. omgponies you hacked grandpa's 10 year old computer, and added it to your botnet...just what did that get you, really? For just a few $k a month I could build an ec2 cluster that would destroy any botnet in sheer computing power...mostly because I wouldn't have to deal with crazy queing mechanisms, or nicing the tasks down enough to not be noticed by the user.

The reality is, more than anything this tired "people hack windows boxes because they can win more" response pretends to suggest, that UNIX is phenominally more secure on a basic, fundamental, architectural level than Windows. Out of the box, I can trust an app on a RHEL os. Out of the box, I can't even plug a windows machine in to a network without being behind a firewall. I've literally seen, with my own eyes, windows machines get compromised in less than 20 minutes of being online. Sure sure, sample sizes and all that...except, I've also managed hundreds of unix machines at a time without any concerns on them.

Re:Some Helpful Advise

[man_of_mr_e]

What a ridiculous line of reasoning. The money is in lots of different systems. Unix, Windows, but largely IBM Mainframes running OS's like MVS.

But what OS is used is irrelevant, because those systems are well protected by more than just the OS itself. Further, those systems have the power of the FBI, CIA, NSA and others behind them to track down anyone who might be capable of penetrating the impressive outer security to get to the OS itself. No (sane) hacker wants that reign of hurt to come down on them.

Then, even if you get access.. then what? You have to figure out how to get the money out. That's not an easy thing to do, since there are tons of safeguards in place to prevent money from just evaporating.

It's *MUCH* easier to compromise low-security desktop machines and take over someones checking account, transfering a few hundred or thousand dollars using the users own credentials to someplace offshore. Or, it's even easier if you get the user to do it themselves (ala fake anti-virus).

Your "reality" is not any kind of real "reality".

Wow, you hook a 10 year old operating system up to the internet without any kind of security, and it gets compromised in 20 minutes. Great. I guarantee you a 10 year old copy of Linux could get compromised just as easily if someone had merely had the motivation to write the code to do it.

And trust me, a 10 year old unpatched copy of Linux probably has 10,000 or more vulnerabilities that could be exploited to do so... if anyone cared to.

Re:Some Helpful Advise

[Bert64]

That's entirely the point, on paper windows has a very impressive set of security features, but once you get down to trying to use them the cracks show...

The password hashing is trivially weak compared to what other systems have...
The authentication system is tied in to the hashing algorithm so it cant easily be changed without breaking things...
The authentication system is designed such that you never need to send the plain text password over the network, but you don't need the plain text password - you can just use the hash (google for hash spraying or the windows auth model is broken)...
Many of the group policy restrictions are implemented in userland applications and are easily bypassed...
Windows and its associated network protocols are extremely complex (greater complexity leads to greater chance of bugs) and in those network protocols there is often no clear demarcation between what functions can be accessed pre-auth and whats available post-auth... RDP for instance establishes a full gui session *before* you log in meaning any of those gui functions are open to attack by unauthenticated attackers...
File extensions are used to differentiate between types of file and wether a file can be executed or not, although windows does implement execute permissions through acls they usually allow execute by default. a remote web/ftp/whatever server can control the filename but not the permissions...
The complexity of the windows security system means that very few people try to use it fully, and those who do need to expend significant effort to get things working with it. Because so few people harden their systems in this way, very few applications are designed to run in such an environment and many simply don't.
Windows is generally not modular, so removing things you don't need is far more difficult than it should be, win2k8 has gone some way in this regard but its still a long way from the package managed modularity of linux.
Windows has a very messy filesystem layout, files are randomly lumped together in the windows and system32 dirs, unix has a far more sensible design which lets you do things like keep core parts of the system on read-only media.

Windows is an unholy over complicated mess, consisting of parts of a relatively well designed OS (NT), merged with parts of an extremely poorly designed OS (win9x) and various poorly designed subsystems on top...

Unix on the other hand keeps it simple, its easy to know exactly whats going on with a unix system, and the more you understand about a system the better you can monitor and harden it.

Security?

[WahCheng]

Security is NOT about patching holes, a system must be designed from the ground up to be secure. Doze and it's predecessors were NEVER designed this way. Mind you, it's created one hell of an industry patching holes.

Re:Security?

[MrEricSir]

They've added a lot of security. For example, when I debug an application on Windows 7, I have to click four dialog boxes instead of just one. If that isn't real security, I don't know what is.

Re:Security?

[hedwards]

A shill's a shill. UAC in vista was more or less completely worthless because it was so intrusive that nearly everybody turned it off. Patch Tuesday is not the definition of prompt security updates. The permission system they use has gotten a lot better over the years, but it's absolutely inexcusable that Windows XP was allowed to ship without a proper security model. Yes, that's kind of an old OS, but it is still heavily used in the Windows world and it did ship at a time when proper security models dating back decades before indicated that running everything as admin was bad. Technically you didn't have to, it's just to get any work done at all you had to be.

Some of these things MS has fixed, but most of it is just whitewash. The internet was never something they planned for. And it took them a really long time to even consider stopping to just fix things properly. Sure they may spend more time and money on security than the competition, but is it being productive. The actual effect is what's important, not the amount of resources.

Re:Security?

[nmb3000]

Security is NOT about patching holes, a system must be designed from the ground up to be secure. Doze and it's predecessors were NEVER designed this way.

Is that why Ubuntu 8.04 prompts me to install some hundred or more security updates after installing it? No software is perfect and anyone who thinks that the only secure system is on that is "designed from the ground up to be secure" either A) has never worked on a large software project and/or B) doesn't have a clue what they're talking about.

What is so fundamentally more secure from a design perspective about the Linux kernel compared with the WinNT kernel? How about a distribution like Ubuntu compared with Windows XP/Vista/7? Since one was "designed from the ground up to be secure" I sure hope you can point out a few design choices specifically.

Since all software (even the Linux kernel and its ilk) have security holes, the ability and speed at which you discover the exploits and issue fixes for them is at least as important as the initial design and coding of the program. It's naive and obtuse to think any complex system will be perfect from the get-go.

Focus and Investment

[Weaselmancer]

Nice zero content marketingspeak there:

"...third-party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others."

Focus and investment. Notice "results" aren't on that list.

As a side note, I'd also like to add that lately BP has had a huge focus and investment on cleaning up oil spills. More so than any other oil company. But still - nobody loves them this week. Wonder why?

Keep saying it and one day it might stick

[kaptink]

All I know is that for more than ten years I made good money removing malware from Windows boxes. In all fairness tho Windows 7 is a much better effort at a secure OS but saying that 'hackers' are making such comments is just not all that believable. Any serious geek will tell you the long sorded history of windows and all its memorable virii, malware and hacks is nothing to be proud of but I guess if you start telling people what you want them to think and keep at it one day it will stick. I think a few statistics should set the record straight.

Re:Keep saying it and one day it might stick

[Dynedain]

Where are the equivalent virii in 2010? I remember Code Red and Slammer and the really malicious code that was raping any system stupid enough to expose 135/137 and 445 to the world. I don't remember any malware of that league in recent memory.

That's because modern spyware is more focused on hijacking your machine to be part of distributed botnets. That means you don't want the user to realize the machine is compromised. As such, vandalism is less prominent in favor of the lucrative enterprise of selling access to the botnets.

Vista reinstall

[NetNed]

I did a reinstall on a Vista machine recently for a friend. 100+ windows critical updates later and it was done! Really, the install itself took a fraction of the time that all the updates took. I guess if security is measured in security updates, you win Microsoft. Now claim your paper hat that says "We Won!"

Re:Cisco

[ThePhilips]

That resonates with my own reading of the quote: all companies who are on the receiving end of M$' security investments praise the investor.

And obviously anti-virus companies would tell that Windows is better: without the swiss cheese OS they would be out of job.

Focus and investment != results

[Todd+Knarr]

Certainly Microsoft's focus and investment surpasses everyone else's. That's because it needs to simply to tread water. The problem is that most of Microsoft's security problems aren't bugs, they're design features of their system.

There's a quote from a boss: "I don't want the industrious guy who'll keep busy doing things over and over. I want the lazy guy who'll do it once, right, so he doesn't need to keep doing it over."

Re:Both have problems

[hedwards]

Hmm, I must've missed MS beating out OpenBSD for security.

Re:Both have problems

[Runaway1956]

No, now that you mention it - I know about 3000 kids using Windows, and one kid using OpenBSD. And, now that I think about it, at least 2500 WIndows users have nuked and reinstalled multiple times. That nerdy little BSD kid just keeps on going, and going, and going, and going. I think maybe she's getting some of the Energizer Bunny.