Microsoft a Weak Link In Possible Cyber War

climenole writes 'Microsoft has vast resources, literally billions of dollars in cash, or liquid assets reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods,' says former White House advisor Richard Clarke in a recent book. Microsoft makes the list of risks because so many people have installed its software for critical systems.

He said what?

[siloko]

Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods.

If he really said that I bet Microsoft execs are spewing their cornflakes as we speak!

Re:He said what?

[decipher_saint]

*in deep trailer-guy voice*

"In 2010; Chairs WILL be Thrown"

Re:He said what?

[StuartHankins]

If Microsoft execs aren't already aware of that, they should be fired. Part of managing a company is knowing your weaknesses.

Re:He said what?

[siloko]

Part of managing a company is knowing your weaknesses.

Knowing your weaknesses is not the same as having them advertised to the world by a White House advisor!

Re:He said what?

[StuartHankins]

It's not as if people didn't already know about Microsoft's abysmal security record. Just a simple query such as http://www.google.com/search?hl=en&safe=off&client=firefox-a&hs=kKP&rls=org.mozilla%3Aen-US%3Aofficial&q=site%3A*.gov+microsoft+advisory&aq=f&aqi=&aql=&oq=&gs_rfai= shows tens of thousands of hits. Maybe Microsoft will be shamed enough to take action and improve their products.

I guess the point of it is "Is Microsoft the weak link when it comes to security?" to which the only answer can be "Yes." Kudos to the White House team for telling it like it is!

Re:He said what?

[M.+Baranczak]

Clarke is not on the "White House team". He retired a few years ago. Come on, people, would it hurt you to at least read the summary?

Re:He said what?

[causality]

No, there's a big difference. If he was a current government official, then the statement would represent a government policy.

"This company dominated the market with low-quality products" is not a policy. It is an observation. It's true or it's false no matter who says it or how "official" they are. Try thinking for yourself and being less impressed with authority.

Re:He said what?

[erroneus]

Could it be that someone "out of office" is the only one with the freedom to say such things in public? Anyone in office would fear for his job. It would be my guess that this statement was desired and even requested by people in office. Who better than someone who once held the seat (read: an expert on the topic) and someone who has nothing to lose (read: already out of office).

Microsoft's Business

[HeX314]

One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.

On a related note, if they were in business to make a quality operating system, they would have a tough time selling "upgrades."

Re:Microsoft's Business

[Lunix+Nutcase]

One of my computer science professors once stated, quite succinctly, that Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money.

What a stupid statement that is complete tautology. The entire point of starting a business is to make money. Otherwise the business *ahem* goes out of business.

Re:Microsoft's Business

[Em+Emalb]

The entire point of starting a business is to make money.

This is false. While a company needs to make money to be successful, this is not the only reason for a company to exist. And I thought I was jaded.

Re:Microsoft's Business

[Lunix+Nutcase]

The entire point of a business is to provide goods and services for money. Otherwise you're running an NPO.

Re:Microsoft's Business

[Narpak]

This is false. While a company needs to make money to be successful, this is not the only reason for a company to exist.

Agreed. Though a more important question, as far as I am concerned, is whether or not something as important, and voluntarily, as computer/network/internet infrastructure should be run for profit (specifically government/utility system software/hardware). One could argue that there is a financial incentive for companies to make a good product, but time and time again it seems that companies are happy sacrificing the long term for short term profit. Even when that means taking short cuts that risk creating significant problems down the road. Thankfully my country, Norway, has decided to start shifting all software used by the state over to Open Standard alternatives.

Re: Microsoft's Business

[Black+Parrot]

Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

The same can be said of Windows. People ask me for help with their Windows computers all the time, but I can rarely help because I don't often use anything besides Linux, and contrary to what you'd like to believe, there's nothing inherently intuitive about the way Windows works.

Re:Microsoft's Business

[TheRaven64]

The level of complexity between Windows and OSX is incomparable. OSX works on like 5 hardware configurations, while windows will run on pretty much any hardware

Yup, OS X only runs on three hardware platforms; ARM, PowerPC, and x86. Five if you count the 64-bit variants of PPC and x86 as different. Windows runs on x86, x86-64, and PowerPC (XBox). It used to run on MIPS and Alpha as well, but hasn't since NT 4.

Or are you talking about device drivers? Because I hope that you realise that most of these are provided by the hardware manufacturers, rather than by Microsoft. So, your argument for Windows' superiority is that more third parties support it? That's certainly a valid reason for using it, but not really an indication of its intrinsic quality.

Re:Microsoft's Business

[Captain+Splendid]

The entire point of a business is to provide goods and services for money. Otherwise you're running an NPO.

No, the real world's not binary like that. Plenty of people running businesses not just (or not at all) for the money. Yes, the balance sheet at the end of every month needs to be right, but there's a huge difference between lots of profit, and enough to get by.

Re:Microsoft's Business

[tepples]

You praise Microsoft for "running on any hardware" while that is the vendors' drivers responsibility (and open standards such as SATA, PCI, USB).

The praise directed at Microsoft is for managing to convince hardware vendors to put a Windows driver on the included CD and not include a Linux driver.

Re:Microsoft's Business

[ArcherB]

That's horseshit. When someone makes a better OS than MS, I'll start believing these stories. The level of complexity between Windows and OSX is incomparable. OSX works on like 5 hardware configurations, while windows will run on pretty much any hardware.

Uh, no. Windows runs on one, and only one platform, the x86 (x86-64 is still x86). OSX used to only run on RISC (PowerPC) but recently made the switch to x86 as well. It should be noted that Apple did a pretty good job making the old stuff written for RISC run on x86 for a time in order to complete the transition. The core of OSX also runs on a few different mobile platforms as well for i-phone/pod/pad devices.

Linux will run on just about anything. Sure, you can't download the latest Ubuntu and install it on an Alpha based machine, but you can find Linux distro's designed for just about any platform.

Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

Linux is easier to set up or operate than either Windows or OSX. The problem is that 99% of all computers sold come with either Windows or MacOS installed, so it's what people learn. Once you learn a system, it is easy to you, even if it's some antiquated, console driven, remote accessible Unix app.

MS is having problems selling upgrades. Why do you think ~90% of businesses are still on XP? Because it was/is a useable, relatively stable OS that did what people wanted.

People are not upgrading because XP is good enough and it's cheaper to keep running XP than it is to upgrade. Even if the OS itself was free, you still have to pay your IT guys to create an image for every machine config in the office, install it, train your employees to use it, and pay for the downtime they experience backing up their old stuff and learning the new OS.

You can say what you want about MS, but the fact is, they are the best OS for Businesses, and most consumers

No. MS produces the OS used by most businesses and consumers, therefor, it is what most businesses and consumers choose when they upgrade. It's easier to make the upgrade from XP to 7 than it is to upgrade form XP to Ubuntu 10.4, just as it's easier to make the move from Ubuntu 9.10 to 10.04. When you upgrade to a newer version of your current OS, odds are that you lose nothing. If you switch OS's entirely, you have find replacements for every application you currently depend on and still convert all your files to the new format.

When Linux is usable by joe user, I'll take it seriously.

My three year old daughter runs Linux and she can't even read yet. Hopefully Joe User is more savvy than an illiterate three-year-old.

Re:Microsoft's Business

[burnin1965]

Microsoft was not in business to make a quality operating system (or quality product). They are in business to make money

I see you are getting hammered with comments that I believe misunderstand your professor's statement. Of course businesses are in business to make money, what people don't seem to get is that Microsoft's core competency, main objective, mission statement, sole purpose, etc. is to make money.

I could be wrong but I don't believe that Microsoft developers intentionally make bad products with the intention of getting customers hooked and then forced to upgrade. I believe this is just the end result of a business strategy that permeates virtually all of business management in the United States today. I would describe the U.S. business models as, greed is good slash and burn, hookers and extortion profit margin goals, end times are near hoarding and investment(or lack there of), and disaster focused management.

Greed is good slash and burn: There is an entire generation, perhaps more, of MBAs who watched Wallstreet and fell for Gekko's speech about greed as a driving factor for all human pursuits but either failed to watch the entire movie or did not make the connection to the plot where greed did not result excellence in business pursuits but instead led to cheating, destruction of other people's livelihoods to transfer wealth from a group of people to an individual, and out right criminal activity. And we don't need a movie to tell us that greed is not good, we have real life events that occur over and over and over that show us how greed left unchecked simply leads to crime not excellence.

Hookers and extortion profit margin goals: Profit margins are important for the viability of a business and its ability to expand and invest into future business opportunities, however, the greed mentality has created a deranged market concept that becomes detached from the real market and real viability of a product. I have seen this mentality at work at a hardware manufacturer during management and engineering meetings where Part B had a lower profit margin than Part A and it was repeatedly suggested that Part B should no longer be manufactured and Part A should be ramped up using the manufacturing capacity of Part B. Unfortunately the MBAs and engineers refused to listen to sanity, the bulk of the market wanted to buy Part B not Part A and the final products that used Part A also required Part B. Without the low margin Part B there was no market for Part A! Once logic failed I gave in to the greedy profit margin goal and suggested we replace all the engineers and manufacturing employees with hookers and thugs as the profit margin in the Hookers and Extortion business was probably better than making parts. As an engineer I would not be needed so I left.

End times are near hoarding and investment(or lack there of): Again driven by greed, rather than having long term multiple year future plans many U.S. corporations are more concerned with 3 month business plans as if there will be no future for the planet or business beyond the next 3 months. If your engineering project does not have an acceptable ROI within 3 months then it stays on the back burner. Even after presenting the same 3 year plan after 3 years on an annual basis and explaining that 3 years ago if it had been implemented the benefits would have been rolling in the project is perpetually placed on the back burner while the funds that could have financed the project are hoarded until upper management bonus time rolls around.

Disaster focused management: And as a result of the previous management techniques the focus of U.S. business management becomes continually locked in disaster recovery mode. With everything focused on greed the little things like safety, sustainability, future capability, etc. are all left to the way side until they becom

It is simple Darwinism

[filesiteguy]

If you look at any ecosystem, you'll find that there are pests trying to gain a foothold into that system by exploiting a weakness. If there is only one type of organism, the pests will adapt and exploit the weakness of that organism. This is why you need ever more powerful pesticides when cultivatign monoculture crops such as corn, wheat or even soybeans.

Same goes for ecosystems of comptuers. Given 90% are running Wintendo, you find that the pests (virus and other exploit authors) take adavantage of that monoculture. The weaknesses are then exploited and have to be "patched" in order to ensure survival of data and/or systems.

Given an ecosystem with multiple operating systems - Windows, Linux, Unix/OSX, zOS - you'll find a greater ability to defend against continual threats.

Re:It is simple Darwinism

[betterunixthanunix]

There is more to it than that. A very carefully managed Windows system can certainly withstand a number of attacks, just like a carefully managed *nix system. The problem is that most Windows systems are not carefully managed, and a carelessly managed Windows system is much more vulnerable than a carelessly managed *nix system. Windows started out as a single user OS, and even though the NT kernel has everything necessary to support multiuser setups, it is very difficult for Microsoft to push better security as the default in Windows -- there are just too many people who have a habit of doing everything as "Administrator," and too much software the relies on that sort of behavior. Things have started to change, but Windows XP is still widely deployed.

Really, if Microsoft wanted to, they could start marketing an OS designed for security sensitive environments (perhaps with a compatibility mode that allows Windows software to run in some kind of VM), and leave Windows as a "home PC" operating system. The fact that they are not doing anything like that, despite the fact that MSR developed such an OS, speaks volumes about Microsoft's priorities.

Re:It is simple Darwinism

[vcgodinich]

The fact that at the recent history of security conferences, widows did just as well out of the box as *nix did, and OSX was breached with ease speaks volumes as well.

No matter WHAT MS does, it isn't going to be able to secure home PCs against "cyber warfare" from China. end of story. MS's security isn't bad at all, in fact it's years ahead of it's nearest competitor (OSX).

Re:It is simple Darwinism

[TheCarp]

I would submit that most non-windows systems are also poorly managed.

The difference is monoculture vs diversity. Look at windows users, and you will find lots of people using the same tools. Outlook, as soon as a company installs exchange you can be sure that the vast majority will be using outlook to connect to it. You find a vulnerability in outlook, or word, or a system service, and you can suddenly hit huge swaths of machines.

Now, Unix? You have multiple hardware architectures, distributions of even similar systems like Redhat and Debian Linux have made different choices for default daemons for various services. A hole in pine or mutt may not effect evolution users, or thunderbird users.

So in addition to a smaller audience, you get a smaller percentage of that audience.

to put it in business terms, the ROI of windows vulnerability exploits is just higher. That is, unless you are targeting a specific system, in which case, well, I know that where I work, many more windows servers exist than the entire unix environment, but, the Unix environment has a higher percentage of the mission critical (or more to the point, patient care critical) servers.

So thats not to say there isn't definite ROI on such attacks, it can even be higher. However, I don't think that such attacks realy factor into this discussion since specific attacks on specific machines for their content is the exception rather than the rule for most systems/users.

-Steve

Summary misdirected

[ATestR]

For once, I RTFA. The summary seemed interesting. However, the FA was even more interesting, although it had little to do with all the money that Microsoft had in its back pocket, and how it's market dominance was based on low cost products.

The main thrust of the FA, for those of you who don't want to click the link, is that because the Windows OS is so prevalent in civilian and corporate usage, a Cyberattack could devastate the economy (and western civilization).

Re:Summary misdirected

[Bert64]

While true, by the time MS became an expensive option it no longer mattered - millions of people were already locked in.

Back in the days, MS (and the cheap hardware they ran on) were a cheap option compared to Novell, Sun, DEC, SGI, IBM, Apple and all the other highend vendors... MS and x86 were massively inferior to everything else on the market, but with such a huge price differential they were able to make it up on volume...

Ford cars are clearly inferior to Rolls Royce or Ferrari, however you see a lot more Fords on the roads for the same reason. However, cars are standardised enough that its impossible to lock someone in, thus ensuring there is a healthy level of competition in the industry.

I disagree

[2names]

I am not a Microsoft fan, but I believe the weak link has much more to do with the meat sitting in front of the computer than the software on the computer.

Clark is all right

[Rogerborg]

Remember, he was the guy who warned Rice and President Cheney about an imminent Al Qaeda attack. Or depending how you view it, failed to convince them of it. Still, as ass covering goes, his was iron clad.

Microsoft created this problem

[bugs2squash]

But then, to a large extent they helped popularize the PC which became ubiquitous and hence became worthy of attack. The PC also became a reasonably standard platform upon which Linux etc. could be developed and cheap enough that we can all afford to own one and join in the fun. It is by no means certain that this would have happened otherwise because I don't believe security is the enemy of profit, in fact I think we'll see a future where security tightens to the point where hardware will be locked to only run a certain OS - where will Linux be then ?

Interesting

[DaMattster]

All of the money spent on lobbying the government against using Linux would have been much better spent on developing a reliable, secure operating system. The shortsightedness of large corporation never ceases to amaze me. Since they spent all of this money on lobbying, which ultimately was unsuccessful, they had to spend money on securing Windows anyway. So, Microsoft spent a large sum of money in total, when they could have just made a better product to being with.

Re:one sided

Why do you people always say this? Windows is the Single-User system botched into a multi-user environment, not Unix.

The weak link is old Software

[Toreo+asesino]

There's nothing wrong with the newer rounds of MS software; the problem is the older stuff, which as time goes further back, tends to get less & less secure (all the way to Win98/95 which actually had no security at all).

Even now I occasionally run into boxen running thoroughly rooted Windows.....98. That's your problem.

Microsoft is the market leader.

[miffo.swe]

As such you would expect them to excel at security nowadays since it seems a very big concern amongst most users. Still their security efforts are pretty laid back and half assed. Microsoft dont take security seriously, its a pr problem for them at the most.

As a market leader one would expect Windows spanking Linux, BSD and Apples behinds but in reality Windows security sucks. Not because its more prevalent but because its a sitting duck. At Microsoft, features and ease of development has always stood higher than security on the priority lists. The only thing that can change that is monetary pressure like demand for accountability of their products. Until then, Microsoft security is a game of statistics, lies and damn statistics.

Windows is widely used where it matters

[tepples]

[Windows] may be the most widely used desktop OS, but once you include servers and small devices, Linux beats it easily.

Compared to home desktop PCs, servers are more likely to be administered by someone with a clue about locking down and updating the system. Small mobile devices have only a sporadic connection to the Internet, much like home PCs in the dial-up era, and many use an executable whitelist managed by the device maker. So barring a security hole in something like a home router appliance, desktop PCs running Windows are likely the juiciest targets for establishing a botnet.

Re:Windows is widely used where it matters

[causality]

Compared to home desktop PCs, servers are more likely to be administered by someone with a clue about locking down and updating the system.

Most of whom choose a non-Windows OS. When people with a clue avoid something and people who don't know better flock to something, it says a lot about that something.

To put it another way, I have never met a person who was highly competent with using Windows and also highly competent with using a Unix-like OS (Linux, *BSD, etc) who still preferred Windows. I'm sure someone will pipe up now that I've posted this but the point remains, such people are quite rare. Your preference for one thing is meaningless if you are not at least as familiar with an alternative.

So barring a security hole in something like a home router appliance, desktop PCs running Windows are likely the juiciest targets for establishing a botnet.

Actually a beefy *nix server with extremely high bandwidth, multiple CPUs, and multiple gigs of ram is the juiciest target to be a member of a botnet. It's also a lot more difficult to compromise. Windows PCs are not the juiciest targets. They are the low-hanging fruit that can be harvested in large numbers with automated tools, making it not worthwhile for the botnet owners to spend too much effort taking over any one target no matter how tempting it is.

Re:Windows is widely used where it matters

[Amouth]

Actually a beefy *nix server with extremely high bandwidth, multiple CPUs, and multiple gigs of ram is the juiciest target to be a member of a botnet. It's also a lot more difficult to compromise. Windows PCs are not the juiciest targets. They are the low-hanging fruit that can be harvested in large numbers with automated tools, making it not worthwhile for the botnet owners to spend too much effort taking over any one target no matter how tempting it is.

I'd tend to disagree with that comment - look what bot nets are used for?? very rarely are they used for mass processing power or for anything more than a spamming and dos'ing..

- A personal computer on a basic always on connection which tend to keep a dynamic ip for several days then move (some providers it is longer) VS a server that doesn't..

- a Home computer with a user none the wiser that doesn't even bother to see what is running VS a server that would have an Admin responsible for it and regulatory checking up on thing

- a home computer on a dynamic ip block owned by a large telcom who doesn't give a shit about crap on that part of the network that won't cut it off or relay infection details or won't respond to your calls VS a server on a company owned block that will checkup on reports and will respond.

In my experience when we are getting spam or bot attacks - if the source is coming from a private company's network or anyones owned IP block (not blocks for residential service) they always respond to inquiry and normally say thank you. I've NEVER had one blow me off - Now when it's coming from some dynamic block I've been blown off so many times that i don't even bother calling them.

Take it how you will but i think you are confusing what you personally would want to have with what is sufficient and functional for bot nets.

Re:Windows is widely used where it matters

[eth1]

To put it another way, I have never met a person who was highly competent with using Windows and also highly competent with using a Unix-like OS (Linux, *BSD, etc) who still preferred Windows. I'm sure someone will pipe up now that I've posted this but the point remains, such people are quite rare. Your preference for one thing is meaningless if you are not at least as familiar with an alternative.

OK, I'll bite :)

Most people that are competent couldn't answer the question "Do you prefer Linux (etc.) or Windows?" (unless the answer is "both"). It begs the question, prefer it for *what* exactly? At work, I have both Windows 7 and Ubuntu systems at my desk running Synergy. I use whichever one happens to be best suited for my current task. Same at home, except that the Linux box has been decapitated and shoved in a closet. I prefer windows (7) on the computer I sit at at home, because in my experience, I spend far less time screwing with it trying to get stuff to work (Mac might be an option, if it wasn't for games).

You can't have secure AND popular

[petes_PoV]

For software to be used by "everyone" it must put as few complications as possible between its users and their objectives. Since most people's objectives are focussed on results, not security, if you try to make an operating system or application suite secure, people will find a simpler, more direct way of achieving their goals. One where their perceived balance of speediness and security (i.e. as fast as possible and damn the consequences) is met.

Once you get away from using popular applications and O/S's, the price rises incredibly quickly. Instead of spreading (say) a billion dollar development costs across 100 million product sales, you have maybe 10,000 customers who can be persuaded to pay for a product. This immediately means no-one will buy it unless forced to by law, or unless they can in turn, pass on the costs to their customers. The smaller market also means there will be fewer suppliers - probably just one. Which in turn will drive up costs due to lack of competition and decrease any incentives to fix problems or develop new wares in a timely fashion.

We know what a secure operating system for the year 2010 will look like. It will look like VMS from 1995, for all the reasons discussed above. Now, which are we prepared to pay for: Microsoft products on every store shelf, running the country or critical systems with the security, features, lack of connectivity from the mid-90s?

Re:Microsoft Weak Link ...

[1s44c]

Film at 11.

I mean, seriously, it's the most widely used OS on the planet. It's also the most likely target.

That's a flawed argument. It isn't bad because lots of people use it, it's bad because it's bad.

Apologist much?

[HiggsBison]

That's horseshit. When someone makes a better OS than MS, I'll start believing these stories. ... while windows will run on pretty much any hardware.

Set the koolade down and step back. Microsoft Windows works on a much wider range of hardware than OSX, but it's still quite limited. I will concede that only Microsoft Windows excels at making use of a proprietary piece of crap like a Win-modem or a Win-printer.

Linux may have some technical merit, but is a mess where people without advanced computer skills are left in the dark.

My experience is that the average XP user is more baffled by Windows 7 than by Ubuntu. And don't even think of suggesting that Ubuntu can't be set up by someone knowledgeable.

Sure windows had bugs, but many of those aren't MS's fault, but rather vendors that write crap drivers.

Microsoft provides an ever-changing foundation of thick muck. And like you, they are quick to blame others for any problems.

Re:The weak link is old^H^H^H NEW Software

[petes_PoV]

The other weak link is new software that is rushed to market without being tested properly Adobe Since the market pressures require as short a development time (and preferably no testing - since yo might find bugs that have to be fixed: more delays) in order to keep the cash-flow flowing.

Only government agencies can afford to spend a year designing a bullet-proof system, then another year writing the software and a year or two more making sure that no-one can ever break in to it. Are yo prepared to slow down software development by a factor of 8, from 6-monthly release cycles to a new version every 4 years? It would be commercial suicide and far too expensive.

Re:Windows, vs. LINUX, vs. MacOS X (security vulns

[oakgrove]

Linux 2.6x KERNEL SECURITY VULNERABILITIES

It doesn't make sense to compare a line of kernels dating back to 2003 to an operating system that came out last year. The 7 kernel is just a derivative of the Vista kernel, for example. And in '03, XP was still going strong. Furthermore, 2.6 or whatever is just a name. I am running 2.6.32. How does the NT 6.1 you are presumably running compare to that?

Re:Windows, vs. LINUX, vs. MacOS X (security vulns

[erroneus]

It's a frequently used troll post. It has been completely debunked in the past several times. All of the critical bugs listed for the Linux kernel, for example, were local exploits only -- NONE were remote. In contrast, Microsoft's exploitable bugs are famously remote exploits meaning they can be done over a network connection. Mac OS X is another bag of worms... but thankfully, Apple controls and limits its users such that it will never be big or ubiquitous enough for large scale general use like Windows and will never likely get used in critical government or business operations.