Slashdot Mirror


Microsoft's Security Development Process Under CC License

An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"

164 comments

  1. Oh boy... by Anonymous Coward · · Score: 2, Insightful

    Cue a multitude of Slashbot posts pointing out that Microsoft could never do "secure software development".

    1. Re:Oh boy... by somersault · · Score: 3, Funny

      Yeah, this is kind of like the church releasing its guidelines for picking up hookers under Creative Commons.

      --
      which is totally what she said
    2. Re:Oh boy... by DJRumpy · · Score: 5, Insightful

      Yes and no. The MS OS is actually written with a lot of safeguards in place to make the OS more secure. Years of being attacked tends to make one a bit defensive and certainly more technically adept.

      I think their problems are on multiple fronts:

      Overly complex code
      Lax permission requirements,
      Too many admins (still default on workstation installs)
      Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

      MS could take a hard line, and force apps to comply with OS guidelines, but they'd be shooting their compatibility in the foot. Although I see them nudging folks in that direction, with more functions locked out by default, they have a long way to go. Instead, they bend over backwards to try to work around compatibility issues and legacy support, and as a result, leave tons of loopholes. I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

    3. Re:Oh boy... by bill_mcgonigle · · Score: 1, Funny

      I think their problems are on multiple fronts:

      Or "they're not done re-inventing UNIX yet."

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:Oh boy... by sznupi · · Score: 0

      So, still, the release (if it's very accurate in its description) could also act as a guideline of what not to do? ;p

      --
      One that hath name thou can not otter
    5. Re:Oh boy... by jimicus · · Score: 4, Interesting

      I think it's simpler than that.

      Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot.

      But far too many third party developers seem to actively go out of their way to break any security - they seem to have some sort of mental block understanding that the assumptions you make when you're designing an application which will run on a system which you can more or less guarantee will only ever have one person using it (and that person has no realistic hope of screwing it up badly simply because there's so little to screw up) simply do not work on a modern multi-user, multi-tasking networked operating system.

      I've lost count of the number of applications - and these aren't crappy things you find on download.com, they're expensive commercial products that are intended to have multiple users - that explicitly expect the end-user to have local admin rights and their first support response is "Does the user have admin rights? No? Go away and come back when they do. I don't care if you can explicitly prove that this isn't the issue here...".

    6. Re:Oh boy... by Anonymous Coward · · Score: 0

      www.bilisimforum.org

    7. Re:Oh boy... by sznupi · · Score: 1

      Yeah, this is kind of like the church releasing its guidelines for picking up hookers under Creative Commons.

      Don't you mean "guidelines for running kindergartens"?

      --
      One that hath name thou can not otter
    8. Re:Oh boy... by frist · · Score: 0, Flamebait

      Pretty sure you have no idea about Unix internals vs NT internals. UNIX doesn't have ACL security.

    9. Re:Oh boy... by lgw · · Score: 3, Insightful

      Or "they're not done re-inventing UNIX yet."

      Now, now, they've been reinventing VMS, not Unix, as anyone should know.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    10. Re:Oh boy... by bill_mcgonigle · · Score: 4, Informative

      UNIX doesn't have ACL security.

      Take your pick: SELinux, GRSecurity, classic or new Solaris ACLs. Use a supporting filesystem with NFSv4.

      You can even go MAC with SELinux if you're at a TLA or similar.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    11. Re:Oh boy... by Anonymous Coward · · Score: 0

      Unix has had ACLs for donkey's years ("Posix ACLS", though IIRC the spec was never formally rubberstamped by POSIX). Even the free unix and unix-alikes have them (linux etc.).

      Nowadays, NFSv4 also has ACLs in-standard, that are more like the windows ones than the traditional unix ones. Pretty sure you learnt your unix internals from some early 80s textbook or something.

    12. Re:Oh boy... by gilesjuk · · Score: 1

      As Bill Gates once put it, they create software that adds new features. They don't think about bug fixes, people don't buy software for bug fixes.

      So it's the same at 3rd party software companies. They add new features so people buy their software, fixing the software security model isn't something many end users would care about unless you explained what benefits that would provide.

    13. Re:Oh boy... by Anonymous Coward · · Score: 3, Interesting

      Pretty sure you have no idea about Unix internals vs NT internals. UNIX doesn't have ACL security.

      So, the "Unix internals vs NT internals" is resumed as UNIX not having ACL security?

      Pfffff.. Yeah, looks like you know a lot more on the subject.

      WRONG. Unlike windows, which only supports ONE ACL scheme which is builtin, the most variety of UNIXes out there supports complex ACL mechanisms through a modular design or patches. Windows ACLs are also very basic compared to the full access control provided by SELinux.

      Keywords: SELinux, GRSecurity, FS extended attributes, PAM, ...

      Now go back under the rock you came from.

    14. Re:Oh boy... by sam0vi · · Score: 1

      Ouch?

      --
      When my Karma level reaches 0 I feel in piece with the Universe
    15. Re:Oh boy... by bill_mcgonigle · · Score: 1

      Fair point. I could have used BOOT.INI;(n-1) more than once in the day.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    16. Re:Oh boy... by RobertM1968 · · Score: 2, Informative

      ...I think their problems are on multiple fronts:

      Overly complex code
      Lax permission requirements,
      Too many admins (still default on workstation installs)
      Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

      You forgot a few very very important ones:

      - Way too much legacy code that was not written with network security in mind

      - Way too many technologies, that by their design and the functions they provide, can never be made secure (ActiveX, .NET Click Once and more)

      - NO interest in removing "core components" that compromise the security of Windows systems (.NET and ActiveX) as (1) too many of their clients use it and (2) (the really important one) those technologies are Microsoft's bread and butter in the server marketplace and the only thing that differentiates them from other implementations. With the ease of use of .NET and ActiveX, it allows a larger IT entry point and provides a support model that xAMP does not have (and while that does not make the choice better, we all know there are numerous "admins" and "developers" who do not deserve their titles - but the Microsoft products and "technologies" give them an entry point into those fields that other technologies (PHP for instance) do not - all with Microsoft's support behind them).

      I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

      C'mon, you really didn't, did you? I don't know anyone in the IT or support industry who thought that or even had any real hopes for that to happen. The day they bought Connectix, we in the OS/2 world knew that the OS/2 version would be killed, followed by the MacOSX version (I even made such posts on the OS/2 World Forum when the announcement of the acquisition was made public), followed by any version Microsoft deemed as detrimental to their server and high end client OS sales. Of course, their promises of the exact opposite behavior notwithstanding, that is exactly what happened. Maybe because we're part of the OS/2 Community and have seen it happen to a far greater extent, it made it easier to see the writing on the wall. So, I can't blame anyone for that. I suspect that MacOSX users may have seen that writing as well, especially after the broken promises on fully feature compatible versions of Office, updated versions of IE and so on.

      Fact is, as some of us speculated, due to issues they've had and never fully resolved with backwards compatibility, we were quite sure that Microsoft's biggest intent was to grab the Connectix stuff to use it as a compatibility layer, while at the same time, preventing people from using other operating systems as the host OS. And thus, the current (Vista onwards) WoW implementation was born. This too was finally admitted to by Microsoft when they touted the better backwards compatibility Vista would provide due to their acquisition.

      I'm not saying that's a bad thing... I'm saying I don't know any IT Professional who thought of any of those situations differently or didn't understand the reasoning behind it, or what the outcome would be. I suspect that you too saw where things would go. I guess the only difference is you decided to hope, while my colleagues and I knew it wasn't worth hoping.

    17. Re:Oh boy... by ysth · · Score: 1

      xAMP? x stands for Linux or GNU/Linux depending on which side of the fight you are on?

    18. Re:Oh boy... by nmb3000 · · Score: 2, Informative

      ...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it

      A user without administrative access cannot install a rootkit.

      Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

      It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly. Do you have any examples or sources to back up that claim?

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    19. Re:Oh boy... by RobertM1968 · · Score: 1

      As I wrote it, xAMP was to stand for "(anything)AMP" (where x is any operating system, such as Linux, AIX, OS/2, eComStation, and (ugh) Windows and so on).

      Coulda just written AMP I guess, but figured people would understand xAMP with less brain effort than they would simply AMP - and it was easier than writing "LAMP/WAMP/OAMP (or WAMP or AMP2)", etc.

    20. Re:Oh boy... by RobertM1968 · · Score: 1, Informative

      ...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it

      A user without administrative access cannot install a rootkit.

      Incorrect (at least as I was discussing). The *user* doesn't have to install it, the escalated malware (via .NET or other methods) does. There are a bunch of escalation exploits available via .NET and especially its ClickOnce crapnology. But they've been fixed!!! For almost TEN years, that promise has been made repeatedly. The June announcement went way too far in claiming that all such issues were permanently and properly fixed - as opposed to the more truthful statement that they should have used indicating that a patch for the specific exploit was released (and leaving it at that).

      Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

      It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly.

      No... those are sometimes patched quickly, sometimes not (like the .NET exploit noted in June that took months to improperly patch).

      If you are referring to the hotfixes they release that hope to mitigate the circumstance until a real (though usually not fully fixed - at least in the case of .NET) patch is released, well, I don't count those, since, as I noted, they generally don't really fix the hole.

      Do you have any examples or sources to back up that claim?

      Yeah, as I indicated, it's called "Windows Updates" - check it out sometime! You can go right into your (XP) "Add/Remove Programs" or (Vista upwards) "Programs and Features" and enable viewing of all updates, and check the last few weeks - then check the associated Microsoft pages which will tell you exactly what I posted in Microsoft's own words.

      Use Google if you really want to learn more. In the meantime, with your lack of knowledge, and lack of interest/willingness to do the very simple check on a Windows machine that's up to date to verify my claims, don't assume/claim they are wrong.

      But to give you a head start, here's ONE of the various CRITICAL updates (this one from this month):
      We Never Really Fixed the .NET issue

      This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario.

      This security update is rated Critical for all affected releases of Microsoft .NET Framework for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; Microsoft Silverlight 2; and Microsoft Silverlight 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

      Even users with "fe

    21. Re:Oh boy... by LordLimecat · · Score: 2, Informative

      A user without administrative access cannot install a rootkit.

      That's inaccurate. A non-admin can very easily get infected with a userland rootkit with no exploits necessary. Google "n00bkit".

    22. Re:Oh boy... by nmb3000 · · Score: 4, Insightful

      Yeah, as I indicated, it's called "Windows Updates" - check it out sometime!

      Perhaps now you see what I am talking about... if not, check your hotfixes/ Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.

      So the answer is... No, you don't have any real sources. The generic description that comes with a Windows Update is just that -- generic. They all sound pretty much the same. Even the MS security bulletins like you linked to are usually pretty scant on details because they're designed to give an overview, not the nitty-gritty exploit information found elsewhere. I did look around Google for references to privilege escalation issues with .NET and didn't find anything.

      If multiple updates which all say "This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight." has you convinced they've been trying to patch the same vulnerability for 10 years, then you have other issues.

      As it stands, the specific vulnerability you point out doesn't even mention privilege escalation! It's also blazingly obvious what "Users whose accounts are configured to have fewer user rights on the system could be less impacted" means. If you don't have admin rights the worst thing the malware can do is put some entries in your startup folder/registry. If you're a full-on admin then we're talking kernel-mode drivers, raw disk access, machine-wide registry changes, the whole shebang. Big difference between the two.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    23. Re:Oh boy... by RobertM1968 · · Score: 1, Interesting

      Wow, not just did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you? Gee, adding things to the startup folder/registry means it might take what... two boots? to fully infect a machine with a piece of malware that has then gained full privileges? I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges. All it took, on a locked down machine, was a couple reboots. So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.

    24. Re:Oh boy... by nmb3000 · · Score: 1

      That's inaccurate. A non-admin can very easily get infected with a userland rootkit with no exploits necessary.

      It depends on your definition of "rootkit", I suppose. The term has been watered down drastically over the last few years with people using it to describe malware in general. If we take Wikipedia's word then:

      A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. [...] Once a rootkit is installed, it allows an attacker to mask his intrusion while gaining root or privileged access to the computer.

      If the installing user does not have administrative rights then it's not possible for a rootkit to gain those rights (failing the requirement of gaining privileged access). A standard user might somehow get a user-mode "rootkit" on the machine, but it will only have access to their files and other users will be generally unaffected (barring some other kind of exploit [such as the recent DLL loading issue]). This means that an administrator who logs onto the system will easily be able to see and remove the compromised user's "rootkit", thereby failing the other requirement of remaining hidden.

      Google "n00bkit".

      It appears to be a user-mode rootkit. If an administrator installs it, then I suppose it would qualify as a full-blown rootkit on the machine. However, if installed by a standard user it would just fall under "tricky malware". Only machines can be "rooted", not users.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    25. Re:Oh boy... by bertok · · Score: 1

      Your comment about ActiveX is valid, but .NET is about as safe as Java. Other than implementation bugs, it's a secure virtual machine that can run applications in sandboxes, just like Java applets.

      Not everything Microsoft does is insecure.

    26. Re:Oh boy... by nmb3000 · · Score: 5, Informative

      Wow, okay, let's take this slowly, piece by piece.

      Wow, not just did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you?

      I did read it, and I do understand.

      Gee, adding things to the startup folder/registry means it might take what... two boots?

      A standard user can only write to HKEY_CURRENT_USER. This key controls only their profile. So yes, malware run as a standard user can be set to run when that specific user logs in. Not upon machine startup.

      to fully infect a machine with a piece of malware that has then gained full privileges?

      Only if that user has administrative rights. If it was a standard user, then no, the malware did not magically gain more rights than the installing user had. That's why I asked about privilege escalation -- an exploit like that makes the situation much, much worse.

      I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges.

      Yes, it's common for malware to use existing system services to run. There are several methods from DLL injection, App_Init DLLs, remote thread creation, etc. However, ALL of these require administrative access. A process cannot play with system services unless it has rights to. A standard user cannot inject DLLs, write to shared memory, or do anything else to processes running with SYSTEM access unless the user itself has admin rights.

      All it took, on a locked down machine, was a couple reboots.

      There's nothing magic about rebooting Windows. Some registry keys aren't processed except at boot-time, but there are MANY ways to infect a machine with malware without rebooting the computer. Of course, these ALL require administrative rights.

      So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.

      No, they aren't. The results for malware infection via standard user and that via an administrator are drastically different, with the latter being terribly worse. A standard user's infection can be cleaned up in 5-10 minutes with ease. Simply deleting their user profile and creating a new one is the easiest method. Anyone can do it.

      A machine that's been infected by somebody with administrative rights may as well be infinitely worse. Without taking the system offline and analyzing the hard drive in a separate computer (or maybe by booting to a different OS), you will never, ever know if the system is clean. Even offline analyzing isn't guaranteed to work unless you know of and can check every single infection vector, a very challenging task. You're almost always better off reinstalling the machine.

      Hopefully that helps clear things up.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    27. Re:Oh boy... by RobertM1968 · · Score: 1, Redundant

      No, it does not. A standard user infection that utilizes privilege escalation (exploits), then becomes the same as one installed when an admin was logged in. There have been numerous.

      Here's an example of one escalation - and NOT a big (or prominent) one, that was only partially fixed.

      http://en.wikipedia.org/wiki/Shatter_attack

      There are bigger and worse ones. Now perhaps my statements make more sense.

    28. Re:Oh boy... by RobertM1968 · · Score: 1

      That's odd. I thought there were hundreds of fixes (and near a dozen large patches) for the .NET framework due to a plethora of vulnerabilities. Well, I know that's the case. The list is daunting. I thought that the most recent one was just this month (3 fixes for exploit vectors).

      And I thought that Java implementations could not escalate privileges on a fully secured machine that a user was not using as an admin without explicit permission(s) being given. And I know that various .NET "technologies" allow bypassing that stuff, such as ClickOnce (or "DontEvenNeedToClick,JustVisit_aBadSite" as it should really be named).

    29. Re:Oh boy... by Anonymous Coward · · Score: 3, Informative

      For anyone not willing to follow the progress of this thread, here's the summary:
      --
      RobertM: Malware is taking advantage of .NET escalation exploits.
      nmb: Which escalation exploits?
      RobertM: The .NET escalation exploits that haven't been fixed in 10 years. <Offers patch details for a fixed .NET vulnerability that allowed code execution on the compromised user account.>
      nmb: That wasn't an escalation exploit.
      RobertM: You don't need an escalation exploit. The Windows operating system allows any process to automatically elevate itself through the registry and startup folders.
      nmb: Wrong.
      RobertM: OK I was wrong. You do need an escalation exploit. <Adds reference to a long-since fixed escalation vulnerability.>

      ---
      Escalations affect all operating systems rather equally, are the absolute worst kind of vulnerabilities, are very uncommon compared to other holes, and have the shortest time-to-fix delay. It's really fucking big news whenever one is announced because they tend to be extremely valuable. Historically very few viruses have successfully taken advantage of one. If your customers are affected by system level malware, they (A) clicked yes on something they shouldn't have, (B) disabled UAC, (C) disabled updates, or (D) did all of the above (most likely it was D).

    30. Re:Oh boy... by echnaton192 · · Score: 1

      YMMD. And you are right, this about sums it up.

    31. Re:Oh boy... by RobertM1968 · · Score: 1

      Nice try... I never said an escalation exploit is needed or not needed. My premise was IF it was needed, it could still happen.

      Point is, they just fixed one that they think may bypass privileges. Point was, it wasn't the first time. Point is, they have claimed more than once to fix this - and then another piece of malware proves them wrong, and a new patch is released and they claim "ooh, really, we fixed it this time" and another piece of malware comes out.

      Explain why .NET ClickOnce and other .NET exploits still infect machines that are locked down (up until Aug 10th supposedly). And then tell me you think that this time, the issue is really fixed.

      Or perhaps, the malware authors will simply choose one of the other numerous attack vectors created by .NET's security holes. As has happened for almost the last 10 years with .NET and ActiveX.

      So, if a rootkit drops a piece of malware (hmmm, maybe named svchost or smss?) into a "secure" folder (hmmm... maybe in the System Volume Information folder?) and registers it as a service under the System account, does it matter that the account of the next person who logs in is a limited user account? Somehow I don't think so. BTW, without going into technical details, this exploit and piece of malware I describe is real, and very recent. Infection vector? .NET. Mitigated? Supposedly in a recent security update. Similar to others in the past? Yes. Similar to some recent ones that are making headway? Sadly.

      Which one? Look it up. It's a beast to remove for those who don't know what they are doing. For instance, killing the fake svchost or smss services will cause Windows to reboot because it thinks they are vital system services. Removing them does nothing (they will reappear at next boot - or sooner if other pieces of the malware are still present).

    32. Re:Oh boy... by Anonymous Coward · · Score: 0

      If there is a rootkit on your machine then you've already lost. No OS can defend against that.

      As for the rootkit getting there, all you've done is claim that some holes have existed in various technologies as well as claimed that these holes permit privilege escalation to the level permitting installation of a rootkit, but instead of providing information you're simply pandering to this notion that it's obvious that tons of these holes still exist unpatched and that they completely defeat all of the security mechanisms within the OS. But you've yet to demonstrate, well, a damned thing, except some severe contempt and a lot of surprise that you're being called to actually prove your rhetoric beyond the rambling rant of someone who believes so hard in their bias that, to you, it's long since stopped requiring any form of evidence. Sorry, we're not so gullible. Put up, or shut up.

    33. Re:Oh boy... by echnaton192 · · Score: 1

      You just mentioned a real threat. Don't let us dig it up. So there is a malware that meets all of these requirements:

      a) Infects a system by simply visiting a webpage and clicking harmless looking buttons and links in a recent browser
      b) Circumvents the user's restricted rights and gains administrative / system rights
      c) Infects the machine without any user interaction
      d) is not detected by AV software

      Yes? No? Which threat is it, I'd like to know, please provide a link. Or maybe... you are a little bit blinded by your hatred against everything Microsoft?

    34. Re:Oh boy... by nmb3000 · · Score: 2, Informative

      This will be my last post in the thread because you clearly don't know what you're talking about and refuse to realize that.

      Point is, they just fixed one that they think may bypass privileges.

      Citation please.

      Explain why .NET ClickOnce and other .NET exploits still infect machines that are locked down (up until Aug 10th supposedly).

      Citation please.

      Or perhaps, the malware authors will simply choose one of the other numerous attack vectors created by .NET's security holes. As has happened for almost the last 10 years with .NET and ActiveX.

      They might. And maybe you could give a citation of a currently unpatched privilege escalation attack vector.

      So, if a rootkit drops a piece of malware (hmmm, maybe named svchost or smss?) into a "secure" folder

      If a standard user has write access to a "secure folder" it isn't very secure, is it? Oh, and the name of the file doesn't really matter.

      maybe in the System Volume Information folder?

      Administrator and/or SYSTEM rights are required to even read from that folder, let alone write to it.

      does it matter that the account of the next person who logs in is a limited user account? Somehow I don't think so.

      A user must have administrative rights to compromise a "secure folder". Administrators can (obviously) impact all users on the machine.

      BTW, without going into technical details

      Oh, please do. I'd love to see a single technical detail.

      For instance, killing the fake svchost or smss services will cause Windows to reboot because it thinks they are vital system services

      Just plain wrong. You can even kill legitimate svchost processes (they just host services) without rebooting. There are only a few processes which cause a reboot. You can't kill these without admin rights.

      You seem set on the idea that multiple security patches for ".NET" means they're fixing the same thing over and over. Here's a tip: .NET is a big product. Multiple patches just might mean multiple security issues.

      Take some classes or read some books or something. You really need to either educate yourself about Windows security or stop posting such incorrect FUD.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    35. Re:Oh boy... by Phopojijo · · Score: 1

      Yes they can install a rootkit.

      The user and the programs they run have limited permissions -- they do not have the permissions to install Rootkits... but they can call APIs with root permissions.

      If those libraries (such as, for instance, networking APIs) accept data... it will place the data in the memory space of the API's code. If there's a flaw in the way data is written to the memory... the API might accidentally overwrite some executable code in its memory space.

      What happens the next time the executable code is called? It's not there anymore... the data is there because the API accidentally overwrote itself with the data

      What if the person who sent the data KNEW that API had a problem with specific sized data under specific conditions? What if they ALSO knew exactly how far from the start of the data the start of the executable code was in the program's memory space?

      Get them to open that data under those conditions... and blam... a limited user passes data to a limited program which passes data to a high-privileged API which runs the malware blindly.

      What permissions level will it have? The API's... because that's where the overwritten executable code is... the processor and OS simply sees executable code from a high-privileged API and runs it (Unless it has DEP properly configured -- in which case it says "Huh... this code is tagged as data HOLY CRAP ABORT!" and your program or whole damn computer crashes gloriously to prevent the data from executing.)

      This is an inherent problem with computers. Somewhere... someone... needs to be root privileged. If that root privileged code accepts data... you can have a security flaw. And errors like that are something that you could review dozens of times and never see anything wrong with it.

      XKCD explains it well -- http://xkcd.com/327/

    36. Re:Oh boy... by RobertM1968 · · Score: 1

      This will be my last post in the thread because *I* clearly don't know what you're talking about and refuse to realize that.

      Point is, they just fixed one that they think may bypass privileges.

      Citation please.

      Since Vista's release (again, remember I didn't mention ones being in existence at this moment) - Some recent, some not:
      http://www.scmagazineus.com/hot-or-not-local-privilege-escalation-vulnerabilities/article/34794/
      http://digg.com/news/technology/Vista_Exploit_Surfaces_on_Russian_Hacker_Site
      http://xforce.iss.net/xforce/xfdb/60679
      http://www.neowin.net/news/microsoft-warns-of-critical-unpatched-windows-shell-vulnerability
      - (Sophos, even though MS downplayed it, claims "that the flaw bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run. In a blog posting, Sophos researchers demonstrate the flaw on Windows 7, which becomes infected with a rootkit as a result." - wow, seems I mentioned something like this in an earlier post).

      http://mspatchwatch.com/microsoft/microsoft-windows-sfnlogonnotify-local-privilege-escalation-vulnerability-ms10-048/

      http://www.iss.net/security_center/reference/vuln/win-ms10kb2160329-update.htm
      - I wonder what "specially-crafted application" means... maybe a "specially-crafted" .NET "application"?

      I could go on for days.

      Explain why .NET ClickOnce and other .NET exploits still infect machines that are locked down (up until Aug 10th supposedly).

      Citation please.

      Or perhaps, the malware authors will simply choose one of the other numerous attack vectors created by .NET's security holes. As has happened for almost the last 10 years with .NET and ActiveX.

      They might. And maybe you could give a citation of a currently unpatched privilege escalation attack vector.

      I never said there was a current one. I said, we were promised that all such vulnerabilities were fixed with the patch this summer (the one in response to the hell they got for the .NET plugin surreptitiously being installed in Firefox). I said that such a claim was ridiculous, since they've never managed to fix ALL vulnerabilities in the past. I said such a claim was more ridiculous considering the slew of .NET patches SINCE THEN to fix vulnerabilities, that by their statement, shouldn't exist.

      So, if a rootkit drops a piece of malware (hmmm, maybe named svchost or smss?) into a "secure" folder

      If a standard user has write access to a "secure folder" it isn't very secure, is it? Oh, and the name of the file doesn't really matter.

      You don't understand the difference between a rootkit and a standard user? Really?

      You don't realize that PRE-BOOT things (just like "non-disk-boot" things) don't care about system privileges or such?

      As for the "non-disk-boot" things (trying to keep it simple for you), I refer to things like a Windows Bootable Environment such as BartPE or WinPE, which CAN read such files. I only bring it up because you seem to think that the operating system's protection of those folders is some magical thing, when in reality, things like BartPE, or a pre-boot process, can in fact access those folders. Heck, there are tools designed specifically for that purpose, that run on reboot and clear those folders of unwanted things before the OS enables its "security" of them.

      maybe in the System Volume Information folder?

      Administrator and/or SYSTEM rights are required to even read from that folder, let alone write to it.

      See above.

      does it matter that the account of the next per

    37. Re:Oh boy... by RightSaidFred99 · · Score: 1, Flamebait

      Good luck interoperating with those, dipshit. And good luck getting them to work over NFS(*). And if you're not one of the 1% of environments out there using Kerberos for NFS, it's funny to me that you break the oldest rule of security - don't trust the client.

      Give me root on one of your Linux machines and I'll copy any piece of NFS data I want unless you're one of the very few organizations using secured NFS.

    38. Re:Oh boy... by perlchild · · Score: 1

      Their problems mostly are that whatever they do, on the OS level, if it's not a "third party developers don't have to do anything", they seem to have to rollback/dilute whatever "Good" was in the offering.

      Partly because of the basic multi-user design, partly because of the pre-written unix-based apps, partly because as meaningless as unix 97 and posix are, they do kinda provide enough of a formal api os basis that third parties do not expect to be able to write just anything, has probably more to do with how much each individual unix variant deals with security than the kernel or the basic system.

      You'll notice the MacOS X system (arguably the most popular unix system out there for workstations), has the most vulnerabilities, and most of them in the userland space (I'm looking at adobe and quicktime stuff especially)

      Just anecdotally it seems to indicate the way to deal with this is to force everyone to work in multi-user mode all the time.

      I'll believe microsoft is close to that when you can launch multiple msi installs, one through a remote desktop session, and see them queue themselves and just work.

      In the meantime, yes they have a lot of work to do. How much of that is in how they develop software?

      Not that much

      How they think their OS from the bare metal onwards?

      Almost all of it

    39. Re:Oh boy... by RobertM1968 · · Score: 1

      You just mentioned a real threat. Don't let us dig it up. So there is a malware that meets all of these requirements:

      a) Infects a system by simply visiting a webpage and clicking harmless looking buttons and links in a recent browser

      I mentioned past real threats. Some recent, some within a year, some a few years ago. There is a list in my post right after this one, and it is far from all inclusive.

      b) Circumvents the user's restricted rights and gains administrative / system rights

      See list in post below - and then you can dig for more if you are still interested.

      c) Infects the machine without any user interaction

      I never made such a point. There were ones where all a user had to do was surf to the wrong choice of websites though. That is a form of user interaction. But there was no further interaction needed (such as click a prompt to OK an install, "OK" a UAC box, etc)

      d) is not detected by AV software

      Whistler wasn't until a month+ of it being out. It's happened in other cases, and it will happen again. Maybe since I do this for a living, I see a bunch of these beasties early. After the first Whistler infection came in, it was 17 days before an AV software (list below) recognized parts of it. It was over a month before any recognized all of it. Maybe our customer had some weird, never seen before variant. Regardless, it took that long. Which AV and removal tools am I talking about? Let's see: AVG (Full and Free and Rootkit scan), Sophos, MS Security Essentials, NOD32, SuperAntiSpyware, MalwareBytes, Spyware Terminator, ClamAV, GMR, ComboFix (and related tools), Norton Internet Security, McAfee Internet Security. There may have been more, but those are the ones we ran. First times? Nothing found. A few days later, ONE part found. *17* days later before the more serious parts were found, over a month before all were found (including the rootkit infection that came along in the malware package).

      Yes? No? Which threat is it, I'd like to know, please provide a link. Or maybe... you are a little bit blinded by your hatred against everything Microsoft?

      No, I don't hate MS - I get a lot of business thanks to them. Partially because of the security holes that take a while to fix. Partially because, even the "should be less dangerous ones" generate a TON of work because most people log in as admins, partially because the ease of use of their OS and software (regardless of the other issues) has caused the PC market to grow to the point where virtually everyone has a PC. What I hate is when they make erroneous statements about Windows security or about magical patches that protect people "regardless of the attack vector". (MS09-054). What I hate is when, by choice, I ensure that I do not have any .NET or WPF stuff running in Firefox, and they sneak in a plugin in a NEEDED, CRITICAL fix for .NET, and finally, I hate it when, with such an abysmal track record, and exploits having existed and having been used in the past, people don't believe that it will happen again. I heard that from Microsoft apologists on the day that Vista came out "It's impossible, because of all these neat security features!" - they were wrong. And wrong again with each new patch that came out to fix new vulnerabilities that were found.

      Software is NOT perfect, and I understand that. Windows is complex, and I understand that. There are bound to be flaws in it, and I understand that. But when people, very vocally, love to claim that there are none, or "this time, they all really are fixed" (REPEATEDLY, EACH TIME A NEW FIX COMES OUT), that annoys the hell out of me. It's been THREE years of watching an exploit and a fix and then "OH, it's secure now! You just hate Microsoft! It's all fixed now!!!" and then watching it be repeated AGAIN AND AGAIN.

      NO, it is NOT all fixed now. YES, more exploits WI

    40. Re:Oh boy... by sznupi · · Score: 1

      It's too bad WAMP seems to have the most interesting ring to it, as a name...

      --
      One that hath name thou can not otter
    41. Re:Oh boy... by man_of_mr_e · · Score: 2, Interesting

      WTF are you prattling on about? .NET insecure? Seriously? Do you even know what you're talking about? You are making vague claims that make little sense. Like calling the Firefox plug-in a security flaw.. It's using the mechanism that Firefox provided for machine wide-plugins. Firefox has since improved on that, but it wasn't MS's fault nor was it a security flaw.

      Please, point me to some evidence of any severe unpatched .net flaws or exploits. I don't know of any. I think you are confused and simply applying catchphrases you've heard and pretending you know what you're talking about.

    42. Re:Oh boy... by man_of_mr_e · · Score: 1

      Dude. Not one of your citations mentions .NET being vulnerable to anything, they all refer to Windows flaws in native components.

      You also don't seem to understand what the firefox plugin is, and i'm scratching my head as this was an issue 2 or 3 *YEARS* ago, and there was no "patch" this summer to address it as you keep claiming.

      The firefox plugin was added in the only way that Firefox allowed system-wide plug-ins to be added. Java, and several other plug-ins use the same mechanism.

      Firefox has since been patched to allow disabling of those components if you want, but that doesn't change the fact that there is no other way to enable system-wide plug-ins in FF. That's a FF limitation that some might call a flaw.

      What the plug-in did was provide a URI handler for click-once applications. Click-once apps install in the users home directory, and run with user privileges. There is no flaw there, or else Linux would also be flawed for allowing apps to be installed in users home directories. Of course, an administrator can disable it in either case, but default installation is to allow it in every OS I know of.

      You keep blabbering about .NET being a security flaw, but you have not provided any shred of evidence to support your claim.

      You're clueless.

    43. Re:Oh boy... by man_of_mr_e · · Score: 1

      Dude. Shatter is completely "fixed". It was partially fixed in 2002... years before Vista came out, but that was a patch. Vista eliminates shatter by providing beefed up security for windows messages, and forcing services to run in a different Terminal screen from the interactive user. The article you reference talks about the way Vista addressed the issue.

      In other words, Shatter hasn't been an issue since about 2004. Please stop regurgitating 7 10 year old exploits as if they were valid today.

    44. Re:Oh boy... by LO0G · · Score: 1

      Shatter attacks were only partially fixed? Ummm.. I beg to differ.

      Starting with Windows Vista, shatter attacks were completely fixed.

      You're right, MSFT didn't retrofit the massive architectural changes to completely fix shatter attacks in Windows XP. But they DID fix the entire class of vulnerabilities.

      And on XP, they fixed all the EoP vulns that were enabled by shatter attacks.

      This is not to say that there aren't any EoP vulns in Windows. There are. But MSFT patches EoP vulns as quickly as it finds them, just as the various *nix distros (including OSX).

    45. Re:Oh boy... by Zero__Kelvin · · Score: 1

      "Cue a multitude of Slashbot posts pointing out that Microsoft could never do "secure software development".

      Don't be ridiculous. They might pull it off someday. They will just have to actually create a new OS rather than just claiming that is what they are doing and then wrapping their old insecure code and APIs with different eye candy. It is like a Linux virus: there are lots of theoretical implementations, just almost none found in the real world.

      Cue the Microsoft shills modding my factual post down because the truth hurts.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    46. Re:Oh boy... by echnaton192 · · Score: 1

      Which Google-search are you referring to? The one I did only resulted in a "rootkit" that could RUN without administrative rights.

      "Easily be infected"? It runs as a normal program. You kill the process, it's gone - as long as you don't give it administrator rights. It tries to install itself as a service, but will start as a normal process if that fails.

      "Rootkit"? "Infected"?

      Without administrative rights it's neither, if I read it correctly.

    47. Re:Oh boy... by echnaton192 · · Score: 1

      DEP is configured correctly in Win 7 by default. And isn't there a function called ASLR that should prevent the attacker from knowing where to strike?

      Concerning these features, I find these findings... strange:
      http://krebsonsecurity.com/2010/08/anti-virus-products-mostly-ignore-windows-security-features/

      Even if ASLR and DEP aren't working perfectly: Why someone building an AV-product does NOT use these features in order to make it harder for the attacker to circumvent the AV solution is beyond me.
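
Whether a particular Windows binary opts in to the DEP and ASLR features discussed in the comment above is recorded as two flag bits in its PE header, so it can be checked rather than assumed. The C example below is added here and is not from the thread or the linked article; the function and type names are this example's own, and the default input is a constructed, header-only buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits in the PE optional header. */
#define DLLCHAR_DYNAMIC_BASE 0x0040u   /* image can be relocated: ASLR opt-in */
#define DLLCHAR_NX_COMPAT    0x0100u   /* image is marked compatible with DEP */

#define DOS_HEADER_SIZE  0x40u
#define E_LFANEW_OFFSET  0x3Cu         /* holds file offset of "PE\0\0" */
#define COFF_HEADER_SIZE 20u
#define OPT_DLLCHAR_OFF  70u           /* same offset in PE32 and PE32+ */
#define OPT_MIN_SIZE     72u           /* optional header up to that field */
#define SAMPLE_SIZE (DOS_HEADER_SIZE + 4u + COFF_HEADER_SIZE + OPT_MIN_SIZE)

enum pe_status { PE_OK, PE_TRUNCATED, PE_NOT_PE, PE_BAD_OPTIONAL };

struct pe_mitigations {
    uint16_t dll_characteristics;
    int aslr;
    int dep;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse just enough of a PE image to report its DEP/ASLR flags.
 * Every offset is checked against len before anything is read. */
enum pe_status pe_read_mitigations(const uint8_t *img, size_t len,
                                   struct pe_mitigations *out)
{
    if (len < DOS_HEADER_SIZE)
        return PE_TRUNCATED;
    if (img[0] != 'M' || img[1] != 'Z')
        return PE_NOT_PE;

    uint32_t nt_off = rd32(img + E_LFANEW_OFFSET);
    size_t need = 4u + COFF_HEADER_SIZE + OPT_MIN_SIZE;
    if (nt_off > len || len - nt_off < need)
        return PE_TRUNCATED;

    const uint8_t *nt = img + nt_off;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return PE_NOT_PE;

    uint16_t opt_size = rd16(nt + 4 + 16);      /* SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + COFF_HEADER_SIZE;
    uint16_t magic = rd16(opt);                 /* 0x10B PE32, 0x20B PE32+ */
    if ((magic != 0x10B && magic != 0x20B) || opt_size < OPT_MIN_SIZE)
        return PE_BAD_OPTIONAL;

    out->dll_characteristics = rd16(opt + OPT_DLLCHAR_OFF);
    out->aslr = (out->dll_characteristics & DLLCHAR_DYNAMIC_BASE) != 0;
    out->dep  = (out->dll_characteristics & DLLCHAR_NX_COMPAT) != 0;
    return PE_OK;
}

/* Constructed sample: header fields only, not a loadable executable. */
void build_sample(uint8_t buf[SAMPLE_SIZE], uint16_t magic, uint16_t dllchar)
{
    memset(buf, 0, SAMPLE_SIZE);
    buf[0] = 'M';
    buf[1] = 'Z';
    buf[E_LFANEW_OFFSET] = DOS_HEADER_SIZE;     /* NT headers follow directly */
    uint8_t *nt = buf + DOS_HEADER_SIZE;
    memcpy(nt, "PE\0\0", 4);
    nt[4 + 16] = OPT_MIN_SIZE;
    uint8_t *opt = nt + 4 + COFF_HEADER_SIZE;
    opt[0] = (uint8_t)(magic & 0xFF);
    opt[1] = (uint8_t)(magic >> 8);
    opt[OPT_DLLCHAR_OFF] = (uint8_t)(dllchar & 0xFF);
    opt[OPT_DLLCHAR_OFF + 1] = (uint8_t)(dllchar >> 8);
}

int main(int argc, char **argv)
{
    static uint8_t img[4096];
    size_t len = SAMPLE_SIZE;
    build_sample(img, 0x10B, DLLCHAR_NX_COMPAT);   /* default: DEP flag only */
    if (argc > 1) {                                /* or first 4 KiB of a file */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        len = fread(img, 1, sizeof img, f);
        fclose(f);
    }
    struct pe_mitigations m;
    enum pe_status st = pe_read_mitigations(img, len, &m);
    if (st != PE_OK) { printf("not parsed (status %d)\n", (int)st); return 1; }
    printf("DllCharacteristics=0x%04x ASLR=%s DEP=%s\n",
           (unsigned)m.dll_characteristics,
           m.aslr ? "yes" : "no", m.dep ? "yes" : "no");
    return 0;
}
```

Run with a file path as the only argument to inspect a real binary; with no argument it reports on the constructed sample.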

    48. Re:Oh boy... by QuantumBeep · · Score: 1

      Just tell people you're a WinAMP admin. That will clear up the confusion.

    49. Re:Oh boy... by LordLimecat · · Score: 1

      The rootkit can be so configured (not providing instructions here) that it is effectively hidden from most methods of detection by active user. Killing the process is rather difficult when you know neither the exe name (it can rename itself and hide the binary) nor the PID. Additionally, a program does not need to install itself as a service in order to infect. It can very easily modify user accessible binaries, so that any UAC prompts appear to come from a trusted source.

      It does not fit all definitions of "rootkit", but certainly has most of the notable attributes of one.

    50. Re:Oh boy... by Phopojijo · · Score: 1

      They break programs that were poorly written, simply put.

      Some people execute off the data memory space... some people point to specific points in memory assuming that what they think they put there will be there.

      Either they draw a line in the sand and break those programs (some of which are internally-developed corporate programs where the programmer quit and/or died years or even decades ago...) or they let those programs ride in the exception category.

      It has nothing to do with ASLR or DEP... it has everything to do with programs written by people who didn't know and/or care that ASLR and DEP exist... and would crash if ASLR or DEP were running on them.

      If everyone practiced great and secure programming practices... DEP and ASLR would be next-to perfect solutions to prevent the "whoopsies" from overwriting execute addresses. Unfortunately... that assumes that the only time you're executing from data is by accident.

    51. Re:Oh boy... by echnaton192 · · Score: 1

      "The rootkit can be so configured (not providing instructions here) that it is effectively hidden from most methods of detection by active user."

      OK, but: It must be started first. And it must circumvent the AV-product you're using. And it must circumvent the Firewall (asking you for permission via admin credentials)...

      A lot of ifs...

      "It can very easily modify user accessible binaries, so that any UAC prompts appear to come from a trusted source."

      Please explain. What is a user accessible binary? An executable that can be WRITTEN to by the restricted user?

      USB-sticks and non-standard installations, OK. But "Joe the restricted user" should not be able to do that.

      And this omnipotent rootkit does all of that?

    52. Re:Oh boy... by Anonymous Coward · · Score: 0

      You're quite hilarious!

      Your first post - make a whole bunch of generic claims about how Microsoft have a very critical bug that has been unpatched for years.

      Reply - Can you give us a source.

      Your second post - Windows Update!

      So you appear to be claiming to know everything about this bug and all the various attempts to fix it, but when asked for any specifics at all your answer is "Read the description of every Microsoft Update ever and you will clearly see the specifics".

      You don't seem to realise that dotNET is a huge piece of software. You seem to think each time a vulnerability is patched that it is the same exact bug as every other time that MS just couldn't patch right previously. I don't know where you pulled this assumption from, but it's ridiculous.

      Oh, and "less affected" is pretty obvious. The bug allows code execution of the client side. If the user is running in a limited account, then the code runs with limited credentials. If the user is running as admin, then the code runs with admin privileges. There's no escalation of privileges going on in this exploit. This should be a pretty basic concept for someone claiming to know so much about all the vulnerabilities and what their associated patches do or do not do.

      Oh, and SteadyState rolls your PC back to a point in time. If you didn't have a rootkit at that point in time, you won't have it after the rollback.

  2. At least they're trying. by cosm · · Score: 1

    At least they're trying.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    1. Re:At least they're trying. by symbolset · · Score: 5, Funny

      This is not the Special Olympics.

      --
      Help stamp out iliturcy.
    2. Re:At least they're trying. by davester666 · · Score: 2, Funny

      It is for Microsoft.

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:At least they're trying. by Anonymous Coward · · Score: 0

      Never mind that a process can't be licensed anyway, it can only be patented, which they wouldn't be able to do with these. It would actually be a great stunt if they're able to pull this off. Appear open when in fact they've diluted copyright/patent law. Hats off.

    4. Re:At least they're trying. by cyber-vandal · · Score: 1

      Microsoft are very trying.

    5. Re:At least they're trying. by HiThere · · Score: 1

      Oh?

      I'm not familiar enough with the license they chose, but does it guarantee patent protection? The thrust that MS is currently using against FOSS seems to depend on software patents. If they had chosen the GPL, or GPL3, or BSD, or AGPL I would have an idea of what the significance was, but Creative Commons isn't commonly used for FOSS software, so I don't know what that means as far as patents. (WRT copyrights I can make fair guesses, but that's a different matter.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:At least they're trying. by LO0G · · Score: 1

      Did you *read* the article?

      What MSFT is doing is to release their stuff under CC so that other companies can incorporate the *text* of the SDL and other documents into their internal training materials.

      The text is covered under copyright laws and *can* be licensed.

  3. secure? by Murdoch5 · · Score: 3, Funny

    Microsoft and Secure? Am I missing something here?

    1. Re:secure? by GarryFre · · Score: 2, Interesting

      If the thieves are getting past the guards, I would not want to emulate them. Something is wrong and needs to change, and till it's changed I would not want to copy a security model that isn't secure. The question is, is it insecure because of a failure in the model or is it because so many resourceful thieves are finding ways around the so-called safeguards? Who can know?

      --
      www.Migrainesoft.com - Computer giving you a headache? We can fix that!
    2. Re:secure? by KarmaMB84 · · Score: 2, Insightful

      Most of their problems have been in old code they're undoubtedly afraid to change until it's proven there's actually a vulnerability there. I haven't heard anything to indicate their fresh code produced since adopting their current security process is any more insecure than the stuff produced by the open source world.

    3. Re:secure? by PhrostyMcByte · · Score: 3, Informative

      Talk I've heard from friends in Microsoft indicates that they're quite paranoid about security, putting strict checks on all levels of development. To mention one small portion of it, C and C++ contain some functions that, if misused, can be easy attack vectors. VC++ has a number of non-standard replacement functions for these that they use that include runtime safety checks. They're warned off the "insecure" functions, and anyone that uses them needs a full rationale written up on why. Needless to say, most coders will have an adjustment!
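
The bug class Phopojijo describes earlier in the thread (privileged code writing caller-supplied data past the end of a buffer) is what the runtime-checked replacement functions mentioned in the comment above are meant to stop. The C example below is added here and is not part of the thread or Microsoft's code: `struct session`, `set_name_unchecked` and `copy_checked` are hypothetical names, and the checked helper only imitates the style of a copy that takes the destination size and fails closed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed layout: a fixed-size buffer with control data right after it. */
struct session {
    char     name[NAME_LEN];
    uint32_t privileged;          /* 0 = limited user, anything else = elevated */
};

/* Counts rejected copies so a caller (or a test) can see that a check fired. */
static unsigned violation_count;

/*
 * Unchecked style: the amount written is decided by the source alone, as with
 * strcpy(). The write goes through a byte pointer to the whole struct and is
 * capped at the end of the struct so that this demo stays defined C; a real
 * unchecked copy has no such cap.
 */
void set_name_unchecked(struct session *s, const char *src)
{
    unsigned char *base = (unsigned char *)s;
    size_t off = offsetof(struct session, name);
    size_t n = strlen(src) + 1;
    if (n > sizeof *s - off)
        n = sizeof *s - off;      /* demo-only cap */
    memcpy(base + off, src, n);
}

/*
 * Checked style (hypothetical helper): the caller must pass the destination
 * size. If the source does not fit, dst is reset to "" and an error is
 * returned, so no truncated or unterminated string is left behind.
 */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0) { violation_count++; return EINVAL; }
    if (src == NULL) { dst[0] = '\0'; violation_count++; return EINVAL; }
    for (size_t i = 0; i < dst_size; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return 0;             /* whole string, terminator included, fits */
    }
    dst[0] = '\0';                /* fail closed */
    violation_count++;
    return ERANGE;
}

int set_name_checked(struct session *s, const char *src)
{
    return copy_checked(s->name, sizeof s->name, src);
}

/* Constructed input: 24 characters, more than name[] can hold. */
static const char LONG_NAME[] = "AAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    struct session a = { "guest", 0 }, b = { "guest", 0 };
    set_name_unchecked(&a, LONG_NAME);
    int rc = set_name_checked(&b, LONG_NAME);
    printf("unchecked: privileged=0x%08x\n", (unsigned)a.privileged);
    printf("checked:   rc=%d privileged=%u name=\"%s\" violations=%u\n",
           rc, (unsigned)b.privileged, b.name, violation_count);
    return 0;
}
```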

    4. Re:secure? by symbolset · · Score: 2, Informative

      Actually, even dead-simple basic security like closing ports by default, reducing default services, not including the current working directory in the executable or library search paths, not auto-running anything, reducing app attack surface by turning off embedded format decode by default and a vast many other things are completely off the table at Microsoft. Doing security breaks backward compatibility. It removes popular features, and the fact that the features are in and of themselves the security vulnerability makes it a no go.

      They see these essential vulnerabilities a large part of their value-add. It's not that they're afraid - it's that basic security primitives we've known about for decades are antithetical to their culture. As long as they hold that strategic position, discussing minor tactical matters like how they compose applications for security is simply a waste of time.

      --
      Help stamp out iliturcy.
    5. Re:secure? by gbjbaanb · · Score: 1

      yup. it'll be a "how to develop secure apps using our innovative methods, so your .NET apps will always be fully unbreakable, blah blah blah, buy Visual Studio and download the free secure option guidance pack now".

      They never give anything away for free that isn't a loss-leader for you to buy some of their other products.

    6. Re:secure? by Anonymous Coward · · Score: 0

      XOR

  4. That Microsoft Icon On Slashdot by Anonymous Coward · · Score: 3, Insightful

    Isn't it long past time it be updated and possibly the correct one be used?

    Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

    It would be like using the Edsel to represent Ford, or still using the New Coke logo.

    It no longer serves its purpose, and says more about slashdot than Microsoft these days.

    1. Re:That Microsoft Icon On Slashdot by lseltzer · · Score: 1

      Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

    2. Re:That Microsoft Icon On Slashdot by Anonymous Coward · · Score: 0

      This is Slashdot. Bigotry and zealotry sells in spite of the so-called liberal mindset.

    3. Re:That Microsoft Icon On Slashdot by RobertM1968 · · Score: 1

      Isn't it long past time it be updated and possibly the correct one be used?

      Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

      It would be like using the Edsel to represent Ford, or still using the New Coke logo.

      It no longer serves its purpose, and says more about slashdot than Microsoft these days.

      I disagree. The Edsel is dead and gone. The legacy Gates has left us is definitely very alive and prevalent. There is the big difference. Unless .NET and ActiveX are entirely killed and Windows is honestly rewritten from the ground up, and the damage that Microsoft has done to competitors is reversed, then Gates' legacy - especially as related to things like this topic, is alive, well and still in control of most of the PC related marketplace. Credit where credit is due thus indicates it should be his logo used.

      lseltzer wrote this little bit of nonsense:

      Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

      lseltzer, you do realize it's hardly denigration if it's true, don't you? The whole EEE principle. That's not myth. It's fact. It's proven fact. It's been proven in numerous courts of law. It's been proven via internal memos and emails from Gates and others. The image clearly indicates the concept of Embrace, Extend, Extinguish.

      Perhaps when Microsoft actually (and truly) changes their tune and drops such behavior, then it's time to change the image - but in the meantime, these are principles that Microsoft, due to Gates' direction, have embraced (no pun intended) since their earliest days. Thus, his legacy, his actions, their continuing actions based off the direction he set. Very appropriate image, if you ask me. Let me know if they change direction, and I'll gladly change my mind about whether the image is appropriate.

    4. Re:That Microsoft Icon On Slashdot by hairyfeet · · Score: 2

      Oh please! At least Darth Gates was scary, and could do that whole "we'll crush you like a bug" thing real well. Ballmer is like putting the court jester in charge of the kingdom. What you have with Ballmer is "Hey, we can be like Apple and make cool stuff! Yes we can! We really can! STOP LAUGHING AT ME!!!!"

      The whole EEE thing was Gates, Gates may have been a bastard but he, like Jobs and Ellison, was a tough bastard that played to win. The Ballmer monkey just flops from one idea to another and doesn't deserve the Borg Icon. It would be like pretending that IBM is the ruler of all things computing still and just ignoring the past 20 years. Gates is gone, and while Ballmer might try to do evil, he is a quasi-evil, he is the diet Coke of evil, he is the light beer of evil-half the taste and the buzz is a killer. In short he is lame and isn't worthy of being a pimple on Darth Gates's ass.

      A MUCH more appropriate icon would be Ballmer in a jester hat with an "I heart Apple!" T-Shirt, since he seems bound and determined to try to be Steve Jobs. And THAT would fit with the current situation at MSFT much more than the old Gates Borg, since without Gates it is like the Borg being led by Reno 911.

      As for TFA MSFT's biggest weakness it hasn't ever been their own code as much as everyone else's. After SP2 MSFT code seemed to get better and better on security, whereas even with Windows 7 I have seen waaaaay too many apps that frankly shouldn't need admin for anything demanding admin rights. Sadly I doubt this will accomplish jack shit because too many lazy developers at too many lazy companies would rather just pretend everyone has admin and be done with it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:That Microsoft Icon On Slashdot by RobertM1968 · · Score: 1

      A MUCH more appropriate icon would be Ballmer in a jester hat with an "I heart Apple!" T-Shirt, since he seems bound and determined to try to be Steve Jobs. And THAT would fit with the current situation at MSFT much more than the old Gates Borg, since without Gates it is like the Borg being led by Reno 911.

      Well, you've got my vote for that!!!! :-)

    6. Re:That Microsoft Icon On Slashdot by furbearntrout · · Score: 1

      Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

      Like that thumb-sucking gnu holding his blankie. We at Slashdot are equal-opportunity; we pick on everybody.

      --
      Crap. What did the new CSS do with the "Post anonymously" option??
    7. Re:That Microsoft Icon On Slashdot by gtall · · Score: 1

      Gates created a sclerotic company that cannot shoot straight. He succeeded because his monopoly was handed to him. Microsoft has never innovated anything. In the current environment, he'd be a failure... which is my suspicion as to why he gave up and boogied.

    8. Re:That Microsoft Icon On Slashdot by hairyfeet · · Score: 1

      Thanks, I think you and most here at /. if they were to really look at the way MSFT was run under Darth Gates (such as using IE to crush Netscape, after stealing IE with a sneaky contract. Classic badness) VS how it has been run under Ballmer (RRoD, Zune, Kin, Vista, hell if he wouldn't have brought in the Office guys, which were left over from Gates, to fix Vista and give him 7 he'd have had double OS flops!) you'd agree that MSFT just ain't that scary anymore. They are like IBM in the 80s, desperately trying to recapture old glory while flopping around like a fish on the bank. Pretty much the closest thing to "evil" Ballmer can muster is to be a day late and a dollar short copying Apple. It's...well just sad really.

      So Ballmer with a jester hat and a "I Heart Apple!" T-shirt really fits the frankly lackluster evil they have performed lately. Oh, and to the Apple guys whom I laughed at when the Pepsi guy was ruining your OS? I'm sorry, the shoe is on the other foot and it sucks. Jobs and Gates may be unbelievable bastards, but they are bastards that know how to get shit done. Ballmer is like that hack that rode the coattails of the boss and managed to worm his way into a seat he doesn't have the skills to run.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:That Microsoft Icon On Slashdot by Anonymous Coward · · Score: 0

      Isn't it about time you considered using more than one sentence per paragraph?

    10. Re:That Microsoft Icon On Slashdot by vdboor · · Score: 1

      Isn't it long past time it be updated and possibly the correct one be used?

      Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

      You mean we need a Ballmer version of the icon with Borg implants? :-)

      --
      The best way to accelerate a windows server is by 9.81 m/s2 ;-)
  5. Seriously? by ratboy666 · · Score: 3, Insightful

    The PROCESS is Creative Commons licensed. Not the tools. Ok, but you know what? I would never have taken Microsoft as an example of a company whose secure coding practice I would want to follow.

    Just sayin'

    And why bother with a CC license for this? Just publish the practice, and don't take out "business process" patents. Microsoft did that with "Code Complete".

    Anyway, I now have to read the frakkin stuff, just to stay on top of it. Maybe I'll be pleasantly surprised...

    I hope

    --
    Just another "Cubible(sic) Joe" 2 17 3061
    1. Re:Seriously? by Call+Me+Black+Cloud · · Score: 1

      Whose secure coding practices do you follow? Or if they're your own, please share them. Thanks.

    2. Re:Seriously? by TheRaven64 · · Score: 5, Informative

      CERT publishes a good set. I've worked with some of the people behind them on some proposals for the C1X standard and they're very bright people. I'd trust their recommendations long before I'd trust ones from Microsoft.

      --
      I am TheRaven on Soylent News
    3. Re:Seriously? by Anonymous Coward · · Score: 0

      While everyone on /. appreciates the MS attack. They *MIGHT* know a thing or two about writing a secure system, or at least the theory. I know when you're done laughing think about it. They have spent years as the 'top dog' 'easy to attack' OS. They know many of the tricks everyone uses. They know how to mitigate them. *IF* you use their OS in a specific manner it is actually secure. I have been using MS products for years and have maybe 3 times I have ever had to clean a virus off my computer. Back in the day with MAC OS 6 it was a daily occurrence. But I learned as a user what were 'bad habits' and 'good habits'. Those translated very nicely over to windows. MS does know how to write secure code. The problem they now have is they can not 'clean slate' their OS. They must have backwards compatibility. If MS released a new OS and it only ran 10% of the software out there very few people would buy it and we here on /. would be making fun of them. Apple has done this every few years and they ended up as a 5% market share. Now with mobile phones we are about to see a huge tidal wave of malware/trojans/viri out there. iOS and Android while semi secure today have vulns in them (it is usually how they are rooted). I know for a fact that many Android phones do (for example my droid x shipped with a 2.6.27 kernel that is ages old). MS has had the 'luxury' of years of attacks. They have the 'easy' ones out of the system. Apple and Google have not had this as much. They are about to get a rude awakening. Just as MS did in about 2002 with XP.

      Also putting it CC sends a clear sign to everyone. USE THIS. We will not sue/bother/bug you for using our process.

    4. Re:Seriously? by Anonymous Coward · · Score: 0

      I'm not sure lawyers would see it that way...

    5. Re:Seriously? by MaxwellStreet · · Score: 1

      I'd suspect that there's plenty of common ground with the CERT set - good practices are good practices.

      What I don't see in this discussion is an honest criticism of the SDL practices being published.

      I have directly observed (from my position as a corporate developer that works somewhat closely with Microsoft) that Microsoft's focus on security since 2003 is sincere and pervasive. They take security seriously.

      While I'm no friend of ActiveX, the bleating demands that they scrap the .Net framework (or they're not serious about security) are laughable.

      Publishing their internal secure development lifecycle process for all to see is an example of the transparency that is so often trumpeted as a feature of open source development. If you can find flaws in the SDL, I suspect that they'd be happy to discuss it with you. (They've been quite open with our company about their SDL for the past 3 years.)

      Having a good process doesn't guarantee perfect results - and I don't think Microsoft is promising perfect results. No sane software development group would. I think this demonstrates an ongoing commitment to security - one that started years ago.

      Simply pointing and laughing does not reflect well upon you. Criticize the Microsoft SDL - it's out there, with OSS-style transparency. Start a serious discussion - and offer up improvements, if you can.

    6. Re:Seriously? by Anonymous Coward · · Score: 0

      Hmmm... it seems that some are doing quite decently in this matter (see G-WAN Web server which never had any security breach despite offering C scripts - a World record for a Web Server).

      Maybe that's because their business-model is not about selling patches and updates (or, in MICROSOFT's case, to have an excuse to access end-users' machines, disks and files on a regular basis).

      Surprised that nobody seems to make the relation (between the amount of critical bugs injected by some vendors and the ability to sell access to people's and organizations' hard-disks).

      In this matter (the amount of critical security breaches), World Leaders like SYMANTEC have an impressive record (especially if you consider the fact that they sell so-called "security-tools" supposed to 'protect' end-users).

      Anyone finding this strange too?

    7. Re:Seriously? by nahdude812 · · Score: 1

      Wish I hadn't used up my mod points earlier today. This comment is a rare buoy in the frothing sea of "if it's Microsoft, it necessarily sucks," tripe.

      You wouldn't happen to work for a company named similarly to your username would you?

  6. It's already slashdotted by Anonymous Coward · · Score: 0

    Few comments in and the server delivering this marvel already died.

    But of course Microsoft is not only known for its security but also performance.

    Sigh.

  7. Trying what? by SgtChaireBourne · · Score: 0, Troll

    Whatever for? It's not like it's worth publishing except to document years of fail. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure tag, for the version to come along after tagging was implemented.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Trying what? by Anonymous Coward · · Score: 0

      Document years of fail...do you know what the SDL is? What specifically is your problem with it?

    2. Re:Trying what? by Anonymous Coward · · Score: 2, Insightful

      M$

      good job ruining any credibility your post might have had and classifying yourself as a troll.

    3. Re:Trying what? by Anonymous Coward · · Score: 0

      I used to think that, too, but after years and years of putting up with the absolute crap that came out of Redmond, I can't fault people for being well and truly fed up. How many times must someone stomp on your livelihood before you break? Especially when there are technically better options available?

    4. Re:Trying what? by Anonymous Coward · · Score: 2, Insightful

      It doesn't matter how shoddy I think Microsoft products are. The moment I resort to name-calling like Republitard, Democunt, or M$, I take on the mental image of a 5 year old. Everything I said should be dismissed. If I can't stay serious for the 30 seconds it takes to write a post on the Internet, I don't have anything of value to say.

    5. Re:Trying what? by Anonymous Coward · · Score: 0

      Pretty much.

    6. Re:Trying what? by Anonymous Coward · · Score: 0

      Snap!

  8. mistagged? by Anonymous Coward · · Score: 4, Funny

    Shouldn't this be tagged as "humor"?

    1. Re:mistagged? by s1lverl0rd · · Score: 1

      Strange date for an april fools' joke.

  9. Does CC give a patent grant? by Anonymous Coward · · Score: 0

    They probably have that process patented. If you use it, they will come knocking on your door.

  10. MS Security... by leromarinvit · · Score: 5, Insightful
    Ahh yes, I can see it now:
    • Never check your input, no matter where it comes from
    • Make sure to make your algorithms as complex as possible so you don't run out of race conditions and other non-trivial bugs, preferably in security critical areas
    • Embed your security flaws in specifications you'll have to honor forever to maintain backwards compatibility
    • Most importantly: When (not if) somebody finds a bug and reports it to you, don't fix it at once. Only when an exploit is out in the wild you can even start thinking about how to fix the bug.
    --
    Proud member of the Ferengi Socialist Party.
    1. Re:MS Security... by Murdoch5 · · Score: 1

      Love the post!!! It's true.

  11. So someone in Redmond decided... by Dracos · · Score: 3, Funny

    That the world needed a free lesson in how not to develop secure software?

  12. Ugh, doc by diegocg · · Score: 3, Funny

    Unless someone converts it to PDF I'm not downloading that....

    1. Re:Ugh, doc by FunPika · · Score: 1
      --
      After years of not using a signature, I am going to make one to say the following: Fuck Beta
    2. Re:Ugh, doc by devent · · Score: 1

      Unless someone converts it to PDF I'm not downloading that....

      Maybe you are supposed to modify and extend it.

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
  13. Secure from *what*? by DoofusOfDeath · · Score: 1, Interesting

    Secure from cracking, or secure from competition?

    Because, at least prior to Bush's Justice Department dropping all charges against Microsoft, the second would be a pretty long list of felonies.

    1. Re:Secure from *what*? by John+Hasler · · Score: 2, Informative

      The antitrust suit against Microsoft was not dropped and did not ever involve any criminal charges.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Secure from *what*? by Anonymous Coward · · Score: 0

      Secure from common sense.

    3. Re:Secure from *what*? by Anonymous Coward · · Score: 0

      God, put a fucking sock in it you neckbeard retard.

  14. The Problem is... by Greyfox · · Score: 1, Interesting
    No software can truly be secure. You have to assume that your security will eventually be breached and you have to make an effort to mitigate the damage when a breach occurs. If Microsoft and others want to help, they should be working to make the mitigation side of the equation easier.

    Companies that run these operating systems and other software do not think of security at all. They just assume that everything's fine. Home users are even worse. That attitude will also have to change for things to get better.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:The Problem is... by ScrewMaster · · Score: 1

      That attitude will also have to change for things to get better.

      It won't. Security is a process, not a condition, but people don't think naturally in those terms because it requires continuous effort (and ongoing expense.) Most people prefer to just make an initial investment in security and forget about it. Now, that works when you're talking about a bank vault, maybe, but not computer security.

      --
      The higher the technology, the sharper that two-edged sword.
  15. What are they trying? Not engineering. Not PR. by SgtChaireBourne · · Score: 2, Insightful

    Why waste time publishing that crap? It's not even good for PR because it only serves to highlight the failure. Its only worth is documenting years of fail and we have Mitre and CERT for that. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure tag, for the version to come along after tagging was implemented. Otherwise there would have been a special tag for the XP SP2 disaster.

    The SDL is what has contributed to very shitty quality. Of course the raw material, the managers and the engineers have to be mentioned as being incapable.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  16. When will we get sued for reading that? by Torp · · Score: 1

    Besides the obvious jokes about Microsoft and security, the very serious question is what patents of theirs you could infringe by following their process and when they will sue you for it?

    --
    I apologize for the lack of a signature.
    1. Re:When will we get sued for reading that? by ScrewMaster · · Score: 1

      Besides the obvious jokes about Microsoft and security, the very serious question is what patents of theirs you could infringe by following their process and when they will sue you for it?

      Probably never. Other operating system vendors could maybe learn from this, sure, but since most of them are already much farther along the security curve than Redmond has ever been, it won't matter. What this might do (assuming that it's sensible, and I've not read it so I don't know) is help Windows application developers write more-secure code, better avail themselves of Windows' existing security features. That's the real benefit to Microsoft, and there's no point in suing people coding for your platform.

      --
      The higher the technology, the sharper that two-edged sword.
  17. Important point: it's a CCSA license by FoolishOwl · · Score: 2, Insightful

    Can we please get past the cheap shots about Microsoft's security, and pay attention to the trend wherein Microsoft, practically founded on opposition to sharing code, has been experimenting with open source licenses and making overtures to the FLOSS community?

  18. Is this guide helpful or not? by echnaton192 · · Score: 2, Informative

    So could someone with some knowledge please actually READ the darned document and say something relevant about it?

    To me it looks like common sense practices:

    - Make the software so it could work without administration privileges except for certain actions. It should work under UAC with a non administrative account. To me this makes sense. 90 % of all security problems in Windows > XP are gone once you don't work with administrative privileges, IIRC.

    - Software is not allowed to make the system more insecure without the user's consent. No firewall changes, no new ports or services, no enabling of services without the user's consent

    - don't use code which is already proven to be insecure

    - etc.

    About the rants securitywise: It is not like everything M$ made in the last decade was a step in the wrong direction.

    - starting with XP, the whole enduser system was 32 bit and used a real security model with different types of privileges. It was a real hell to work as a user without administrative rights, but it was possible.

    - starting with XP SP2, they implemented a tool to watch if the system has some basic secure settings, the firewall was activated by default and M$ nagged every user to use an AV-product, which makes sense (as a last line of defense).

    - starting with Vista, the user still has administrative rights by default, but UAC tries to minimize the threat. The side effect: In order to work under UAC, the software must ask nicely for administrative rights for certain tasks. Thus software generally is more fit to work without administrative rights.

    - M$ made MSE available, which *is* a good free AV-product according to different tests. Avira might be as good, but its Nagscreen every day is really annoying...

    - With Win 7, UAC works better and new users are non-admin by default

    I completely see your point about the insecure bullshit they did before XP SP2 to all end users or the ways in how they tried to maintain their monopoly. But to me a Windows system is not per se insecure provided someone uses some basic precautions:

    - Keep software and OS up to date (PSI?)

    OKOK, it is far more easy to keep a standard Linux up to date than the standard Windows because every company uses its own update mechanism. But it is possible...

    - Don't work with administrative rights

    No Linux user would work with administrative rights permanently, so...

    - Use strong passwords in all sensitive areas

    NAT, admin password, server passwords,...

    - Use your brain before installing software or typing in your administrator's user credentials

    Helps...

    - Use your brain on links

    Helps..

    - As a last line of defense (not the only one) use an AV-product

    And yes, I know that linux is more secure for a lot of reasons. But ignoring free guidelines like the one from M$ to develop more secure code for Windows sounds strange to me. It might be that there are better recommendations, but isn't it worth a read until someone comes up with arguments why this document is stupid and not worth reading?

  19. Oh boy, you really don't know much about .NET by benjymouse · · Score: 1

    and nor about SteadyState.

    .NET is actually a security success-story. Compared to similar (i.e. Java), .NET has experienced almost an order of magnitude fewer vulnerabilities, especially if you consider the severity of the vulns.

    .NET (using 2.0): http://secunia.com/advisories/product/6456/

    Java (JRE 1.5 which is contemporary): http://secunia.com/advisories/product/4228/

    ------

    SteadyState makes a virtual harddisk. In essence it is itself a "rootkit" in that it uses copy-on-write and reads/writes the changed block from/to a log file. When rebooting it simply deletes the logfile and the disk is back to the original state. I would like to see the rootkit which can survive that...

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Oh boy, you really don't know much about .NET by RobertM1968 · · Score: 1

      and nor about SteadyState.

      .NET is actually a security success-story. Compared to similar (i.e. Java), .NET has experienced almost an order of magnitude fewer vulnerabilities, especially if you consider the severity of the vulns.

      .NET (using 2.0): http://secunia.com/advisories/product/6456/

      Java (JRE 1.5 which is contemporary): http://secunia.com/advisories/product/4228/

      ------

      SteadyState makes a virtual harddisk. In essence it is itself a "rootkit" in that it uses copy-on-write and reads/writes the changed block from/to a log file. When rebooting it simply deletes the logfile and the disk is back to the original state. I would like to see the rootkit which can survive that...

      Wouldn't the answer to that last statement be ANY real rootkit? Just curious. Isn't infecting the MBR the way that rootkits bypass such protections? Wouldn't some rootkits then also be able to hose SteadyState's ability to revert the file system back to previous state? Aren't the file system and MBR two different things, even though they work in conjunction?

      Just curious, hence the questions instead of statements.

      Also, it's a bit disingenuous to simply pick one version of .NET, as systems come with all of them installed and in use from at least 1.1 upwards. Also, it's a bit irrelevant to look at the advisories for .NET as opposed to the numerous hotfixes (hundreds) and multiple large patches (near a dozen) to fix known, in the wild, exploits. Then one should probably factor in the length of time it took for these fixes to come out... and then consider (in the context of this conversation, thus regarding privilege escalation) which, on a properly locked down system can escalate (with NO user interaction and NO user prompts) its privileges to infect a locked down, limited rights system - I think the answer to that one is .NET - what do you think?

  20. Microsoft preaching security? by Anonymous Coward · · Score: 0

    That's like going to a Satanic priest (if there was such a thing) for advice on how to get to heaven! Maybe they want to demonstrate what NOT to do. The only worse company to put out such a document is Adobe.

  21. NonCommercial? by zotz · · Score: 1

    Attribution-NonCommercial-ShareAlike 3.0 Unported

    Under some takes on this license, no for profit corporation (the idea is that everything such an entity does is by definition for profit) would be allowed to make use of the licensed work. And who will trust MS not to take such a view, now or at some point in the future once the damage is done...

    all the best,

    drew

    --
    FreeMusicPush If you want to see more Free Music made, listen to Free
  22. Just PR by HalAtWork · · Score: 1

    This is not meant to be taken seriously, it's just PR so that non-technical folk see headlines like this in the news and think to themselves "Hmm, MS is leading an outreach to help others with security, they sure must know a lot if they're giving away all of this help and information and they must have a lot of confidence if they believe they can help their competition and it won't affect them!"

  23. I beg to differ by melted · · Score: 1

    I see no reason why software can't be 100% secure. I just think it's unrealistic to expect this from commercial software written by people who don't really care.

    1. Re:I beg to differ by Anonymous Coward · · Score: 0

      I see no reason why software can't be 100% secure.

      Then you're clearly not a developer, or at least not a good one. There is no way to completely secure anything that has to accept external input. Anything you can do on your computer, someone else can write a program to do as well. You can delete files, that means someone else can write a program to delete your files. We can make it difficult for such a program to run without alerting you, but unless you want to be notified every time anything makes changes to the system (trust me, you don't- you'd never get anything done), there's always going to be ways around it.

    2. Re:I beg to differ by Anonymous Coward · · Score: 0

      Same here,

      I can understand that you can't make software secure against a poorly chosen password from a dumb user. But I won't accept software that allows a buffer overrun to compromise its security! Or one that opens a port for a poorly protected service for all the internet to access without the knowledge of the user that it even existed! (Or worse, the user knows about it, but has no way to prevent it short of disconnecting from the internet!)

      You can't prevent users' stupidity, but you can prevent programmers'; they should know better; process, audit and review et al. are there for that.

      The same about bugs: there should come a time when 2+2 = 4. Do you expect your calculator to have bugs? Addition works all the time, except when the result is greater than the capacity, but that's not a bug, that's a limitation; you don't have access to firmware when that happens.

    3. Re:I beg to differ by Urkki · · Score: 1

      I see no reason why software can't be 100% secure.

      Well, the reason is two-pronged.

      First, software can be 100% secure only if it is 100% bug-free. And the only software you can be sure is absolutely bug free is a "hello world" running on an embedded device without operating system. Except, hardware/FPGA/microcode/firmware bug might be exposed through your "hello world", leading to potential security exploit, so scratch that.

      Second, whenever you manage to make the software idiot-proof, nature develops a better idiot, who'll work around your puny artificial software security. So another requirement for security is, that the system is 100% isolated from idiots. And all people are idiots, some just hide it better than others.

    4. Re:I beg to differ by echnaton192 · · Score: 1

      I can understand that you can't make software secure against a poorly chosen password from a dumb user. But I won't accept software that allows a buffer overrun to compromise its security! Or one that opens a port for a poorly protected service for all the internet to access without the knowledge of the user that it even existed! (Or worse, the user knows about it, but has no way to prevent it short of disconnecting from the internet!)

      You seem to have read the document....

  24. How sweet the irony... by crovira · · Score: 1

    As Mahatma Gandhi said "First they ignore you, then they laugh at you, then they fight you, then you win."

    Ballmer, and one comp-sci teacher, must be ruing the day that Linus questioned the accepted wisdom and started his little OS project.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
    1. Re:How sweet the irony... by Anonymous Coward · · Score: 0

      Linus questioned the accepted wisdom and started his little OS project.

      Yeah, the FOSS community is extremely good at copying existing successful proprietary software & operating systems.

    2. Re:How sweet the irony... by Anonymous Coward · · Score: 0

      Yeah, because Windows and OSX are so fucking innovative and original. Get a clue, 'tard.

  25. How about using by crovira · · Score: 1

    Ballmer's ugly, bald, sweaty, monkey-boy mug for the Microsoft icon?

    Gates is gone and now the marketing and legal departments are now in charge over there.

    Might as well call a spade a spade...

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  26. Who Cares? Anyone read what the MS SDL is? by RobertM1968 · · Score: 1

    I know that RTA is not commonplace, so I guess I don't expect many to go even further and go to the MS SDL page, and then go even further to the "What is the Microsoft Security Development Lifecycle (SDL)?" page, but I was bored, so I did.

    What is the Microsoft Security Development Lifecycle (SDL)?

    The Microsoft SDL is a security assurance process that is focused on software development. It is a collection of mandatory security activities, grouped by the phases of the traditional software development life cycle (SDLC). Many of these security activities would provide some degree of security benefit if implemented on a standalone basis.

    Ooooh, wow!!!! Microsoft is open sourcing a list of methods that developers should follow to ensure security of their applications!!!! Wow!!!

    In other words, (at least from their "What is") this isn't about code. This isn't about APIs. This is about methodology to write secure software.

    Think about this... isn't this:
    (1) The type of stuff programmers should be taught in college, or self learn from reputable places?
    (2) Something Microsoft's track record proves they have limited or no knowledge about?
    (3) Something somewhat irrelevant to the Linux and Open Source world?
    (4) Something that is more likely simply a publicity stunt? (look how many people think this has to do with actual APIs and such)

    So, whoop-de-do!!!! One could already learn this stuff from better sources, implement it in better ways, and gain more knowledge from other companies who are quicker with security updates and better at designing programs with security in mind.

    Perhaps developers that use Microsoft's development tools, and Microsoft's frameworks MAY gain some advantage from this, but even that advantage is limited by what security holes there are in those frameworks (.NET and so on) and Windows as a whole.

    1. Re:Who Cares? Anyone read what the MS SDL is? by David+Jao · · Score: 1

      Ooooh, wow!!!! Microsoft is open sourcing a list of methods that developers should follow to ensure security of their applications!!!! Wow!!!

      It's not even an open source license. The license is CC-BY-NC-SA 3.0. NC as in non-commercial. This license does not satisfy any reasonable definition of open source/free software.

      Richard Stallman said that one of the reasons he opposes the CC licenses is because it's very easy for people to confuse the free CC licenses with the non-free CC licenses, and mistakenly think that a CC-licensed work is free when it's not free. I'm beginning to think that he's right.

  27. Microsoft Introduces Free and Open Software System by symbolset · · Score: 1

    Dateline: Redmond, August 29, 2010.

    In a sudden break from tradition Microsoft has announced a new strategy: Open Systems. A keystone of this system will be the idea that for progress to occur in the information processing space of the future, separate and independent entities must be able to work together cooperatively. By publishing some components of their systems they hope to create a new field: a Free and Open Software System. For now some trivial portions of their proprietary works will remain a company secret, but they hope the rest of the world will join them in adopting this new model.

    Speaking at a Redmond press conference, Microsoft Open Systems spokesman Muhammed Saeed al-Sahaf said: "Although Microsoft's software has always had fully open specifications, independent software vendors have been respond in kind. This makes it difficult to integrate our offerings with things like Google Docs and Facebook. By making more information available under free software licenses we hope to create a groundswell of support for this new model. Microsoft will leverage our innovation in this field to bring about a new era of cooperation and rapid innovation."

    --
    Help stamp out iliturcy.
  28. We like it. by symbolset · · Score: 1

    We like the Gates Borg icon. That's enough. It's not denigrating. The Borg are powerful and near immortal, technologically far superior.

    It speaks to the power of Microsoft's business model of innovation through acquisition, their dominant influence in all the fields they enter.

    Bill Gates is still Chairman of the Board so he helps set policy at the highest level. He's the largest stockholder. He formulated the business strategies that persist to this day being executed less subtly by others. As the iconic figurehead he still talks on Microsoft's behalf to the general public, heads of state, Congress. He's still a public speaker promoting their interests. He is not gone.

    The GatesBorg icon should stay.

    --
    Help stamp out iliturcy.
  29. "Utilising" by Undead+Waffle · · Score: 1

    That is very noble of them to make this available in hopes of "more developers utilising the Microsoft process for developing software".

    Unfortunately without an explanation this will go over most people's heads. It's one thing my boss likes to poke fun at...

    To "utilise" something is to use it for something other than its intended purpose.

    While searching for a good reference, I found this one to be appropriate.

    1. Re:"Utilising" by shaitand · · Score: 1

      What's a "utilise"? I've never heard anyone utilize that term before.

    2. Re:"Utilising" by B+Nesson · · Score: 1

      "Utilize means 'make use of something, or find a practical use for something' and so is more specific than use. Utilize is more common in technical contexts: The device utilizes a special plug-in connection. It can also refer to using things in unusual or unintended ways, as a more formal equivalent of 'make use of': When the fan belt broke they had to utilize a leather belt. In business jargon and in other contexts, utilize is often found when the meaning intended is simply 'use,' a use that should be avoided: Successful applicants will be able to use [not utilize] their skills and experience in this field." [bold added]

      According to your own provided source, to "utilise" something can also mean to use it for something other than its intended purpose. It doesn't absolutely always mean that. It doesn't even usually mean that. It just can mean that.

    3. Re:"Utilising" by Undead+Waffle · · Score: 1

      I didn't say it was a good source, just an appropriate one. Most other dictionaries don't go into explanation about it, but it is implied by the definitions. "make use of" and "find a practical use for" don't really apply if you're just using something as it was intended. There is no use to "find" or "make" in that case.

      If you like you can search Google for "use vs. utilize" and all of the top hits will be long explanations about it. I thought it more appropriate to link a dictionary, even if none of them had very good explanations of the differences.

    4. Re:"Utilising" by RightSaidFred99 · · Score: 1

      Pedantry fail.

      Utilize: To put to use, especially to find a profitable or practical use for.

      Substitute:

      more developers [putting to use] the Microsoft process for developing software

      Yep, synonymous!

  30. Re:Seriously? (it's time to Thank MS!) by Anonymous Coward · · Score: 0

    They *MIGHT* know a thing or two about writing a secure system, or at least the theory. I know when you're done laughing think about it. They have spent years as the 'top dog' 'easy to attack' OS.

    You're right - we should all thank MS for releasing this guide, and also thank them for releasing notoriously insecure operating systems that basically spawned the entire PC security/AV industry. As MS systems are phased out over time for Linux or OSX, we'll still have useful firewalls and encryption in place for additional protection that we would otherwise never have bothered with if it weren't for Windows. Sort of like how the prevalence of gangrene contributed to development of the modern aseptic surgical practices...

  31. Microsoft hopes that... by Anonymous Coward · · Score: 0

    Microsoft hopes that any licence but the GPL will take hold. They're desperate. They don't want you sharing your effort with each other and preventing them from stealing it right back.

    Go ahead, use cc, use BSD licence. Microsoft wants you to.

  32. Re:What are they trying? Not engineering. Not PR. by Anonymous Coward · · Score: 0

    So, do you have something valuable to say or just the usual Microsoft hatred?

    I thought so.

  33. That's a fallacy. by melted · · Score: 2, Insightful

    Software that accepts external inputs is secure if it rejects invalid or malicious input. That's all there is to it. And it's perfectly possible to write a program that does just that. It doesn't even have to be 100% bug-free.

    1. Re:That's a fallacy. by Urkki · · Score: 2, Insightful

      Software that accepts external inputs is secure if it rejects invalid or malicious input. That's all there is to it. And it's perfectly possible to write a program that does just that. It doesn't even have to be 100% bug-free.

      That doesn't cover valid input which triggers a bug.

      Even defining "invalid or malicious input" to include "otherwise valid input that just happens to expose a bug in the code" doesn't help, because you don't know what you'd need to filter out (or if you did, better fix the bug).

      Also, security is not just input, it's also output. All kinds of output. For example, there's a class of security exploits which depend on timing (mostly cryptography and authentication related). It's not enough that input is validated and code is 100% bug free, it also has to be coded so that processing time (and even power consumption) doesn't depend on validity or content of input.

      There *may* be 100% secure complex programs, but there is no way to know which they are, or if there really are any.
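
The timing point in the comment above, as an added example that is not part of the original post: an early-exit comparison does work that depends on how much of a secret the input matches, while a constant-work comparison does not. Function names and the sample secret are constructed for illustration; bytes examined stands in for measured processing time.

```python
import hmac

SECRET = b"s3cr3t-token"  # constructed sample value, not from the thread


def leaky_equal(secret: bytes, guess: bytes):
    """Early-exit compare. Returns (equal, bytes_examined)."""
    examined = 0
    if len(secret) != len(guess):
        return False, examined
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:  # stops at the first mismatch: work depends on content
            return False, examined
    return True, examined


def constant_work_equal(secret: bytes, guess: bytes):
    """Touch every byte of the secret and fold differences into one value."""
    examined = 0
    diff = len(secret) ^ len(guess)
    for i in range(len(secret)):
        g = guess[i] if i < len(guess) else 0
        diff |= secret[i] ^ g
        examined += 1
    return diff == 0, examined


def safe_equal(secret: bytes, guess: bytes) -> bool:
    """What to use in practice: the standard library's constant-time compare."""
    return hmac.compare_digest(secret, guess)


def work_profile(compare, guesses):
    """Bytes examined per guess, a deterministic proxy for elapsed time."""
    return [compare(SECRET, g)[1] for g in guesses]


# Constructed guesses matching 0, 3, 11 and all 12 bytes of SECRET.
GUESSES = [b"xxxxxxxxxxxx", b"s3cxxxxxxxxx", b"s3cr3t-tokeX", SECRET]

if __name__ == "__main__":
    print("early exit   :", work_profile(leaky_equal, GUESSES))
    print("constant work:", work_profile(constant_work_equal, GUESSES))
```

Both functions return the same verdict for every guess, so input validation and functional tests cannot tell them apart; only the work profile differs.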

    2. Re:That's a fallacy. by melted · · Score: 1

      >> That doesn't cover valid input which triggers a bug

      It does. That would be what I call "malicious input". It's perfectly possible to write programs that reject it or otherwise error out without doing any harm.

      My point is, there's nothing _fundamentally_ impossible about writing secure software. It can be done. It's just very hard and the cost/benefit ratio is not quite there to support it.

  34. It's not a free CC license by David+Jao · · Score: 1

    Can we please get past the cheap shots about Microsoft's security, and pay attention to the trend wherein Microsoft, practically founded on opposition to sharing code, has been experimenting with open source licenses and making overtures to the FLOSS community?

    Not all CC licenses are free software/open source. In particular, the license that Microsoft used is CC-BY-NC-SA. This is not a free or open source license. The problem is the NC clause -- NC means non-commercial. A non-commercial license does not satisfy the definition of free software or open source.

  35. Maybe Microsoft could start using it? by miffo.swe · · Score: 1

    I really hope this enables Microsoft to start using it internally. Some of the bugs that have popped up recently in their new code just wouldn't have snuck past any serious security effort.

    Same goes for the dll loading bug where at least 40 of Microsoft's applications had a "programming error". How could 41 of Microsoft's applications contain the same serious mistake if they followed SDL?

    My view of this is that it's all PR. It's not about better security, it's about perceived security.

    --
    HTTP/1.1 400
  36. In other news: by silentcoder · · Score: 1

    Roseanne Barr has published her diet plan under a C.C. license. She says she hopes this will encourage others to eat as live as healthy and be as thin as she is.

    --
    Unicode killed the ASCII-art *
  37. Microsoft track record by heffrey · · Score: 1

    It seems that a majority of posters here are out of touch with Microsoft's track record regarding security. It was terrible 10 years ago, but starting from XP SP2 they have done well.

    Those of you looking for a mainstream commercial software vendor that pays little regard to security should take a look at Adobe or Apple.

  38. Re:What are they trying? Not engineering. Not PR. by rtb61 · · Score: 1, Insightful

    To be fair, there would no doubt be many M$ software engineers and coders who know how to produce quality and secure code. It is the M$ marketdroids and bean counters who push it out the door before it is done, or cut out quality modules because it will cost money and not generate extra profits, or dismember features because they were only for marketing purposes or shunt stuff off to the next pretend version so they can sell it as an upgrade.

    There are undoubtedly several cliques within M$ the useless Ballmerites of greed and B$ and the real computer geeks/nerds who enjoy what they are doing and want to take pride in their work and company (they just don't run the company or control the destiny of the software they produce).

    --
    Chaos - everything, everywhere, everywhen
  39. Watch out! by Anonymous Coward · · Score: 0

    Attribution-NonCommercial-ShareAlike! It's cancerous! Run!

  40. WNT = next VMS if 2001 A Space Odyssey is real by Zero__Kelvin · · Score: 1

    "Now, now, they've been reinventing VMS, not Unix, as anyone should know."

    Hiring a key VMS architect from DEC, ignoring everything he tries to teach you about security while coming up with a clever name ala IBM/HAL 2001 A Space Odyssey, and using the fact that he came to work with you as spin to claim your next OS will be secure when you know damn well it won't, doesn't even remotely qualify as reinventing VMS.
    I was a VMS System Administrator and was trained at DEC's Burlington campus in all aspects of VMS including their security model, and I promise you, if you knew VMS you would know that the two should never be confused.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:WNT = next VMS if 2001 A Space Odyssey is real by lgw · · Score: 1

      What aspects of the VMS security model is the NT kernel missing? It has ACLs on just about every kernel object. Or did you mean the various security mistakes in Windows that have nothing to do with the kernel that Dave Cutler created? It has always seemed to me that the Windows security problems were from flawed apps running as admin, not the kernel itself.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:WNT = next VMS if 2001 A Space Odyssey is real by Zero__Kelvin · · Score: 1

      "Or did you mean the various security mistakes in Windows that have nothing to do with the kernel that Dave Cutler created? It has always seemed to me that the Windows security problems were from flawed apps running as admin, not the kernel itself."

      Windows and VMS are not kernels. They have a kernel, just like any Linux distribution. If I were to ascribe to your line of reasoning I would have to conclude that all Windows application programmers suck and all Open Source programmers are security gurus.
      I am not blaming Cutler, and you should not be blaming application developers. Put the blame where it rightly belongs. (Identity of actual greedy bastard who willingly sold out his customers' best interest to line his own pockets left as an exercise for the reader)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:WNT = next VMS if 2001 A Space Odyssey is real by lgw · · Score: 1

      Most of the Windows suckage (especially the Win9x stuff) is a direct result of aggressive backwards compatibility, especially WRT security, where MS has never taken a hard line and broken all legacy apps (as it so desperately needs to for that goal). That's what the customers wanted, though - people simply value legacy support over security, or reliability. That's why chip-and-PIN credit cards have so many security flaws too - legacy support. I'm not how that makes anyone a greedy bastard.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:WNT = next VMS if 2001 A Space Odyssey is real by Zero__Kelvin · · Score: 1

      "That's what the customers wanted, though - people simply value legacy support over security, or reliability. ... I'm not [sure] how that makes anyone a greedy bastard."

      They wanted that because they were mis-educated. They bought the "anyone can use it; it just works" BS. The lie was told because the lie sold many more copies of Windows. That is the greed.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  41. Why not say what you mean? by azrider · · Score: 1

    Other than implementation bugs, it's a secure virtual machine that can run applications in sandboxes, just like Java applets.

    Other than that, Mrs. Lincoln, how did you like the play???

    --
    And ye shall know the truth, and the truth shall make you free.
    John 8:32(King James Version)