Microsoft a Weak Link In Possible Cyber War

climenole writes 'Microsoft has vast resources, literally billions of dollars in cash, or liquid assets reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods,' says former White House advisor Richard Clarke in a recent book. Microsoft makes the list of risks because so many people have installed its software for critical systems.

He said what?

[siloko]

Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods.

If he really said that I bet Microsoft execs are spewing their cornflakes as we speak!

Re:He said what?

[StuartHankins]

If Microsoft execs aren't already aware of that, they should be fired. Part of managing a company is knowing your weaknesses.

Re:He said what?

[siloko]

Part of managing a company is knowing your weaknesses.

Knowing your weaknesses is not the same as having them advertised to the world by a White House advisor!

Re:He said what?

[gstoddart]

If Microsoft execs aren't already aware of that, they should be fired. Part of managing a company is knowing your weaknesses.

I think by the time you get to the C-level execs, it's more about leveraging your synergies and maximizing your returns.

They don't likely know much about the technology, and believing in the company and drinking the Kool-Aid is mandatory.

In their mind, they produce high quality goods. The best there is.

Re:He said what?

[Foofoobar]

Oh give me a break! If the entire tech community doesn't realize that Microsoft's security is a wet paper sack and a sign that says 'do not lean against' then they've been in a coma since before Robin Williams was funny.

Re:He said what?

[causality]

No, there's a big difference. If he was a current government official, then the statement would represent a government policy.

"This company dominated the market with low-quality products" is not a policy. It is an observation. It's true or it's false no matter who says it or how "official" they are. Try thinking for yourself and being less impressed with authority.

Re:He said what?

[erroneus]

Could it be that someone "out of office" is the only one with the freedom to say such things in public? Anyone in office would fear for his job. It would be my guess that this statement was desired and even requested by people in office. Who better than someone who once held the seat (read: an expert on the topic) and someone who has nothing to lose (read: already out of office).

Microsoft Weak Link ...

[gstoddart]

Film at 11.

I mean, seriously, it's the most widely used OS on the planet. It's also the most likely target.

Re:Microsoft Weak Link ...

False.

It may be the most widely used desktop OS, but once you include servers and small devices, Linux beats it easily.

Re:Microsoft Weak Link ...

[UnknowingFool]

And Apache is the most widely used Web Server but its security record is far better than IIS. So what does that say. Also Unix/Linux far outnumber Windows Server in terms of presence on the Internet; however, they are more on the yet their track record is far better than Windows server.

Re:Microsoft Weak Link ...

[1s44c]

Film at 11.

I mean, seriously, it's the most widely used OS on the planet. It's also the most likely target.

That's a flawed argument. It isn't bad because lots of people use it, it's bad because it's bad.

Microsoft's Business

[HeX314]

One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.

On a related note, if they were in business to make a quality operating system, they would have a tough time selling "upgrades."

Re:Microsoft's Business

[Lunix+Nutcase]

One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.

What a stupid statement that is complete tautology. The entire point of starting a business is to make money. Otherwise the business *ahem* goes out of business.

Re:Microsoft's Business

[Em+Emalb]

The entire point of starting a business is to make money.

This is false. While a company needs to make money to be successful, this is not the only reason for a company to exist. And I thought I was jaded.

Re:Microsoft's Business

[Lunix+Nutcase]

The entire point of a business is to provide goods and services for money. Otherwise you're running an NPO.

Re:Microsoft's Business

[snowraver1]

One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.
On a related note, if they were in business to make a quality operating system, they would have a tough time selling "upgrades."

That's horseshit. When someone makes a better OS than MS, I'll start believing these stories. The level of complexity between Windows and OSX is incomparable. OSX works on like 5 hardware configurations, while windows will run on pretty much any hardware. OSX doesn't have enterprise level support/management, and it's arguable that the only reason that OSX is more "secure" is simply because they are less of a target.

Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark. Sure windows had bugs, but many of those aren't MS's fault, but rather venders that write crap drivers.

P.S. MS is having problems selling upgrades. Why do you think ~90% of businesses are still on XP? Because it was/is a useable, relatively stable OS that did what people wanted. You can say what you want about MS, but the fact is, they are the best OS for Businesses, and most consumers. When OSX works for more than a handfull of hardware configs, I'll take it seriously. When Linux is usable by joe user, I'll take it seriously. Until then, we have MS.

Re:Microsoft's Business

[lymond01]

This is all true. Microsoft is learning, painfully slowly, how to construct a better network operating system. I think Windows 7 (or maybe Vista...sort of skipped that one) is their first OS that requires an initial password to proceed with installation. Something as basic as requiring a password for your administrator account...and it was left out for over a decade, despite security issues in the news again and again.

With the latest Windows 7, Microsoft may finally be getting security right, at least from a basic viewpoint. How innately hackable their system is even with a strong password I'm not certain. But at least you can't just wander into anyone's box anymore.

As far as usability in terms of day-to-day as well as configuration both mundane and advanced, Windows blows away any OS out there. Well...MacOS is pretty good as a user OS. It's a ridiculous choice for enterprise use because of its weak management tools. Apple does have some tools, but they aren't nearly as good as what MS puts out. I haven't seen any of the Linux Enterprise management tools. We just use Puppet.

Re:Microsoft's Business

[Narpak]

This is false. While a company needs to make money to be successful, this is not the only reason for a company to exist.

Agreed. Though a more important question, as far as I am concerned, is whether or not something as important, and voluntarily, as computer/network/internet infrastructure should be run for profit (specifically government/utility system software/hardware). One could argue that there is a financial incentive for companies to make a good product, but time and time again it seems that companies are happy sacrificing the long term for short term profit. Even when that means taking short cuts that risk creating significant problems down the road. Thankfully my country, Norway, has decided to start shifting all software used by the state over to Open Standard alternatives.

Re: Microsoft's Business

[Black+Parrot]

Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

The same can be said of Windows. People ask me for help with their Windows computers all the time, but I can rarely help because I don't often use anything besides Linux, and contrary to what you'd like to believe, there's nothing inherently intuitive about the way Windows works.

Re:Microsoft's Business

[TheRaven64]

The level of complexity between Windows and OSX is incomparable. OSX works on like 5 hardware configurations, while windows will run on pretty much any hardware

Yup, OS X only runs on three hardware platforms; ARM, PowerPC, and x86. Five if you count the 64-bit variants of PPC and x86 as different. Windows runs on x86, x86-64, and PowerPC (XBox). It used to run on MIPS and Alpha as well, but hasn't since NT 4.

Or are you talking about device drivers? Because I hope that you realise that most of these are provided by the hardware manufacturers, rather than by Microsoft. So, your argument for Windows' superiority is that more third parties support it? That's certainly a valid reason for using it, but not really an indication of its intrinsic quality.

Re:Microsoft's Business

[Captain+Splendid]

The entire point of a business is to provide goods and services for money. Otherwise you're running an NPO.

No, the real world's not binary like that. Plenty of people running businesses not just (or not at all) for the money. Yes, the balance sheet at the end of every month needs to be right, but there's a huge difference between lots of profit, and enough to get by.

Re:Microsoft's Business

[Captain+Splendid]

I'm saying that supporting millions of different hardware configurations does

And a large portion of that hardware is nominally standards-compliant. Not saying you're wrong, but it's a monitor lizard, not Godzilla.

Re:Microsoft's Business

[tepples]

You praise Microsoft for "running on any hardware" while that is the vendors' drivers responsibility (and open standards such as SATA, PCI, USB).

The praise directed at Microsoft is for managing to convince hardware vendors to put a Windows driver on the included CD and not include a Linux driver.

Re:Microsoft's Business

[Bert64]

There is only financial incentive to make a good product if you are in a highly competitive market and your product needs to be better than the competitors...
Otherwise, the financial incentive is to actually make a poor product so that you can sell upgrades more easily.

In the case of MS, lock-in ensures that competition is kept at bay enabling them to produce extremely poor quality products. Keeping customers locked in is also far more profitable for them than offering an open product and then having to face competition. This situation *ONLY* benefits MS, and is to the absolute detriment of everyone else, and so considering the importance of computers in todays society something should most definitely be done about it.

Re:Microsoft's Business

[burnin1965]

Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money

I see you are getting hammered with comments that I believe misunderstand your professor's statement. Of course businesses are in business to make money, what people don't seem to get is that Microsoft's core competency, main objective, mission statement, sole purpose, etc. is to make money.

I could be wrong but I don't believe that Microsoft developers intentionally make bad products with the intention of getting customers hooked and then forced to upgrade. I believe this is just the end result of a business strategy that permeates virtually all of business management in the United States today. I would describe the U.S. business models as, greed is good slash and burn, hookers and extortion profit margin goals, end times are near hoarding and investment(or lack there of), and disaster focused management.

Greed is good slash and burn: There is an entire generation, perhaps more, of MBAs who watched Wallstreet and fell for Gekko's speech about greed as a driving factor for all human pursuits but either failed to watch the entire movie or did not make the connection to the plot where greed did not result excellence in business pursuits but instead led to cheating, destruction of other people's livelihoods to transfer wealth from a group of people to an individual, and out right criminal activity. And we don't need a movie to tell us that greed is not good, we have real life events that occur over and over and over that show us how greed left unchecked simply leads to crime not excellence.

Hookers and extortion profit margin goals: Profit margins are important for the viability of a business and its ability to expand and invest into future business opportunities, however, the greed mentality has created a deranged market concept that becomes detached from the real market and real viability of a product. I have seen this mentality at work at a hardware manufacturer during management and engineering meetings where Part B had a lower profit margin than Part A and it was repeatedly suggested that Part B should no longer be manufactured and Part A should be ramped up using the manufacturing capacity of Part B. Unfortunately the MBAs and engineers refused to listen to sanity, the bulk of the market wanted to buy Part B not Part A and the final products that used Part A also required Part B. Without the low margin Part B there was no market for Part A! Once logic failed I gave in to the greedy profit margin goal and suggested we replace all the engineers and manufacturing employees with hookers and thugs as the profit margin in the Hookers and Extortion business was probably better than making parts. As an engineer I would not be needed so I left.

End times are near hoarding and investment(or lack there of): Again driven by greed, rather than having long term multiple year future plans many U.S. corporations are more concerned with 3 month business plans as if there will be no future for the planet or business beyond the next 3 months. If your engineering project does not have an acceptable ROI within 3 months then it stays on the back burner. Even after presenting the same 3 year plan after 3 years on an annual basis and explaining that 3 years ago if it had been implemented the benefits would have been rolling in the project is perpetually placed on the back burner while the funds that could have financed the project are hoarded until upper management bonus time rolls around.

Disaster focused management: And as a result of the previous management techniques the focus of U.S. business management becomes continually locked in disaster recovery mode. With everything focused on greed the little things like safety, sustainability, future capability, etc. are all left to the way side until they becom

Re:Microsoft's Business

Then it wouldn't be a business Einstein...what an idiot....let me guess...you typed your comment while wearing a Che shirt on an iPad while sipping a latte at starbucks...your Prius parked out front....Obama 08 sticker proudly on display on the rear bumper.

Spare us your idiotic notion of business and economics.

Summary misdirected

[ATestR]

For once, I RTFA. The summary seemed interesting. However, the FA was even more interesting, although it had little to do with all the money that Microsoft had in its back pocket, and how it's market dominance was based on low cost products.

The main thrust of the FA, for those of you who don't want to click the link, is that because the Windows OS is so prevalent in civilian and corporate usage, a Cyberattack could devastate the economy (and western civilization).

Re:Summary misdirected

[vcgodinich]

Implying the Microsoft products are prevalent because they are "low cost" is absurd.

Granted, OSX in use is a bit pricier, but not -that- much, and Unix/Linux is as close to free as you can get.

Microsoft isn't low cost at all, if anything, it is high cost in a great many areas.

I disagree

[2names]

I am not a Microsoft fan, but I believe the weak link has much more to do with the meat sitting in front of the computer than the software on the computer.

Re:It is simple Darwinism

[betterunixthanunix]

There is more to it than that. A very carefully managed Windows system can certainly withstand a number of attacks, just like a carefully managed *nix system. The problem is that most Windows systems are not carefully managed, and a carelessly managed Windows system is much more vulnerable than a carelessly managed *nix system. Windows started out as a single user OS, and even though the NT kernel has everything necessary to support multiuser setups, it is very difficult for Microsoft to push better security as the default in Windows -- there are just too many people who have a habit of doing everything as "Administrator," and too much software the relies on that sort of behavior. Things have started to change, but Windows XP is still widely deployed.

Really, if Microsoft wanted to, they could start marketing an OS designed for security sensitive environments (perhaps with a compatibility mode that allows Windows software to run in some kind of VM), and leave Windows as a "home PC" operating system. The fact that they are not doing anything like that, despite the fact that MSR developed such an OS, speaks volumes about Microsoft's priorities.

Microsoft created this problem

[bugs2squash]

But then, to a large extent they helped popularize the PC which became ubiquitous and hence became worthy of attack. The PC also became a reasonably standard platform upon which Linux etc. could be developed and cheap enough that we can all afford to own one and join in the fun. It is by no means certain that this would have happened otherwise because I don't believe security is the enemy of profit, in fact I think we'll see a future where security tightens to the point where hardware will be locked to only run a certain OS - where will Linux be then ?

Interesting

[DaMattster]

All of the money spent on lobbying the government against using Linux would have been much better spent on developing a reliable, secure operating system. The shortsightedness of large corporation never ceases to amaze me. Since they spent all of this money on lobbying, which ultimately was unsuccessful, they had to spend money on securing Windows anyway. So, Microsoft spent a large sum of money in total, when they could have just made a better product to being with.

Re:one sided

Why do you people always say this? Windows is the Single-User system botched into a multi-user environment, not Unix.

Weak links

[DaMattster]

I might argue that many operating systems would be wink links in the cyber warfare scheme. The most noteable exception would be OpenBSD. If I were in a decision-making capacity, I would reach out to Theo de Raadt, apologize for the way we previously treated him, and get him started immediately in developing a secure network. He and his team seem to have the understanding of security from the lowest level possible. The current en-vogue trend, end-point security, is useless if your web application leaks memory. Ostensibly, you would need a hole in the end-point to reach the application and that gets exploited opening the network wide open.

Re:It is simple Darwinism

[TheCarp]

I would submit that most non-windows systems are also poorly managed.

The difference is monoculture vs diversity. Look at windows users, and you will find lots of people using the same tools. Outlook, as soon as a company installs exchange you can be sure that the vast majority will be using outlook to connect to it. You find a vulnerability in outlook, or word, or a system service, and you can suddenly hit huge swaths of machines.

Now, Unix? You have multiple hardware architectures, distributions of even similar systems like Redhat and Debian Linux have made different choices for default daemons for various services. A hole in pine or mutt may not effect evolution users, or thunderbird users.

So in addition to a smaller audience, you get a smaller percentage of that audience.

to put it in business terms, the ROI of windows vulnerability exploits is just higher. That is, unless you are targeting a specific system, in which case, well, I know that where I work, many more windows servers exist than the entire unix environment, but, the Unix environment has a higher percentage of the mission critical (or more to the point, patient care critical) servers.

So thats not to say there isn't definite ROI on such attacks, it can even be higher. However, I don't think that such attacks realy factor into this discussion since specific attacks on specific machines for their content is the exception rather than the rule for most systems/users.

-Steve

The weak link is old Software

[Toreo+asesino]

There's nothing wrong with the newer rounds of MS software; the problem is the older stuff, which as time goes further back, tends to get less & less secure (all the way to Win98/95 which actually had no security at all).

Even now I occasionally run into boxen running thoroughly rooted Windows.....98. That's your problem.

Microsoft is the market leader.

[miffo.swe]

As such you would expect them to excel at security nowadays since it seems a very big concern amongst most users. Still their security efforts are pretty laid back and half assed. Microsoft dont take security seriously, its a pr problem for them at the most.

As a market leader one would expect Windows spanking Linux, BSD and Apples behinds but in reality Windows security sucks. Not because its more prevalent but because its a sitting duck. At Microsoft, features and ease of development has always stood higher than security on the priority lists. The only thing that can change that is monetary pressure like demand for accountability of their products. Until then, Microsoft security is a game of statistics, lies and damn statistics.

Windows is widely used where it matters

[tepples]

[Windows] may be the most widely used desktop OS, but once you include servers and small devices, Linux beats it easily.

Compared to home desktop PCs, servers are more likely to be administered by someone with a clue about locking down and updating the system. Small mobile devices have only a sporadic connection to the Internet, much like home PCs in the dial-up era, and many use an executable whitelist managed by the device maker. So barring a security hole in something like a home router appliance, desktop PCs running Windows are likely the juiciest targets for establishing a botnet.

Re:Windows is widely used where it matters

[causality]

Compared to home desktop PCs, servers are more likely to be administered by someone with a clue about locking down and updating the system.

Most of whom choose a non-Windows OS. When people with a clue avoid something and people who don't know better flock to something, it says a lot about that something.

To put it another way, I have never met a person who was highly competent with using Windows and also highly competent with using a Unix-like OS (Linux, *BSD, etc) who still preferred Windows. I'm sure someone will pipe up now that I've posted this but the point remains, such people are quite rare. Your preference for one thing is meaningless if you are not at least as familiar with an alternative.

So barring a security hole in something like a home router appliance, desktop PCs running Windows are likely the juiciest targets for establishing a botnet.

Actually a beefy *nix server with extremely high bandwidth, multiple CPUs, and multiple gigs of ram is the juiciest target to be a member of a botnet. It's also a lot more difficult to compromise. Windows PCs are not the juiciest targets. They are the low-hanging fruit that can be harvested in large numbers with automated tools, making it not worthwhile for the botnet owners to spend too much effort taking over any one target no matter how tempting it is.

Re:Windows is widely used where it matters

[Amouth]

Actually a beefy *nix server with extremely high bandwidth, multiple CPUs, and multiple gigs of ram is the juiciest target to be a member of a botnet. It's also a lot more difficult to compromise. Windows PCs are not the juiciest targets. They are the low-hanging fruit that can be harvested in large numbers with automated tools, making it not worthwhile for the botnet owners to spend too much effort taking over any one target no matter how tempting it is.

I'd tend to disagree with that comment - look what bot nets are used for?? very rarely are they used for mass processing power or for anything more than a spamming and dos'ing..

- A personal computer on a basic always on connection which tend to keep a dynamic ip for several days then move (some providers it is longer) VS a server that doesn't..

- a Home computer with a user none the wiser that doesn't even bother to see what is running VS a server that would have an Admin responsible for it and regulatory checking up on thing

- a home computer on a dynamic ip block owned by a large telcom who doesn't give a shit about crap on that part of the network that won't cut it off or relay infection details or won't respond to your calls VS a server on a company owned block that will checkup on reports and will respond.

In my experience when we are getting spam or bot attacks - if the source is coming from a private company's network or anyones owned IP block (not blocks for residential service) they always respond to inquiry and normally say thank you. I've NEVER had one blow me off - Now when it's coming from some dynamic block I've been blown off so many times that i don't even bother calling them.

Take it how you will but i think you are confusing what you personally would want to have with what is sufficient and functional for bot nets.

Re:Windows is widely used where it matters

[eth1]

To put it another way, I have never met a person who was highly competent with using Windows and also highly competent with using a Unix-like OS (Linux, *BSD, etc) who still preferred Windows. I'm sure someone will pipe up now that I've posted this but the point remains, such people are quite rare. Your preference for one thing is meaningless if you are not at least as familiar with an alternative.

OK, I'll bite :)

Most people that are competent couldn't answer the question "Do you prefer Linux (etc.) or Windows?" (unless the answer is "both"). It begs the question, prefer it for *what* exactly? At work, I have both Windows 7 and Ubuntu systems at my desk running Synergy. I use whichever one happens to be best suited for my current task. Same at home, except that the Linux box has been decapitated and shoved in a closet. I prefer windows (7) on the computer I sit at at home, because in my experience, I spend far less time screwing with it trying to get stuff to work (Mac might be an option, if it wasn't for games).

Apologist much?

[HiggsBison]

That's horseshit. When someone makes a better OS than MS, I'll start believing these stories. ... while windows will run on pretty much any hardware.

Set the koolade down and step back. Microsoft Windows works on a much wider range of hardware than OSX, but it's still quite limited. I will concede that only Microsoft Windows excels at making use of a proprietary piece of crap like a Win-modem or a Win-printer.

Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

My experience is that the average XP user is more baffled by Windows 7 than by Ubuntu. And don't even think of suggesting that Ubuntu can't be set up by someone knowledgeable.

Sure windows had bugs, but many of those aren't MS's fault, but rather vendors that write crap drivers.

Microsoft provides an ever-changing foundation of thick muck. And like you, they are quick to blame others for any problems.

Re:The weak link is old^H^H^H NEW Software

[petes_PoV]

The other weak link is new software that is rushed to market without being tested properly Adobe Since the market pressures require as short a development time (and preferably no testing - since yo might find bugs that have to be fixed: more delays) in order to keep the cash-flow flowing.

Only government agencies can afford to spend a year designing a bullet-proof system, then another year writing the software and a year or two more making sure that no-one can ever break in to it. Are yo prepared to slow down software development by a factor of 8, from 6-monthly release cycles to a new version every 4 years? It would be commercial suicide and far too expensive.

Re:Windows, vs. LINUX, vs. MacOS X (security vulns

[oakgrove]

Linux 2.6x KERNEL SECURITY VULNERABILITIES

It doesn't make sense to compare a line of kernels dating back to 2003 to an operating system that came out last year. The 7 kernel is just a derivative of the Vista kernel, for example. And in '03, XP was still going strong. Furthermore, 2.6 or whatever is just a name. I am running 2.6.32. How does the NT 6.1 you are presumably running compare to that?

Do you have any support facts?

And Apache is the most widely used Web Server but its security record is far better than IIS. So what does that say. Also Unix/Linux far outnumber Windows Server in terms of presence on the Internet; however, they are more on the yet their track record is far better than Windows server.

I often see this wives tale but have yet to see any supporting data.