Craig Mundie Blames Microsoft's Product Delays On Cybercrime

whoever57 writes "In an interview in Der Spiegel, Craig Mundie blames Microsoft's failure in mobile on cyber criminals. Noting that Microsoft had a music player before the iPod and a touch device before the iPad, he claims a failure to execute within Microsoft resulted in Microsoft losing its 'leadership.' The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering. The criminal activity in cyberspace was growing dramatically ten years ago, and Microsoft was basically the only company that had enough volume for it to be a target. In part because of that, Windows Vista took a long time to be born.'"

Were MS Assets Available?

[BoRegardless]

If MS had wanted to start a new division for mobile devices, it had the cash to do it. Mundie's excuse doesn't cut it.

If what he is saying is that he and Balmer are so much of a micromanagement team that they couldn't handle one more project and still tell everyone what to do, I can buy that as an excuse.

Re:Were MS Assets Available?

[DarkOx]

That and attempting to duck responsibility for the security situation is a little pathetic too. Yes, the people responsible for crime are the criminals. If someone hacks you trashes you site, steals you trade secrets whatever that cracker is the responsible party. Just like if someone breaks the glass in my window reaches around and opens the lock, they own the breaking and entering. That does not mean however its not a good idea take steps to protect you valuable assets, because we know there are bad actors out there.

The reality is most of us want an operating system where the security controls are effective. Microsoft was forced by the market to 'focus on security' because businesses really were going to start jumping ship for alternatives like Apple desktops and Linux in back office (an in some cases the front office too). If Microsoft had made a correct allocation of resources to security in the first place they would not have to sideline so many other efforts to fill in the deficit later.

Re:Were MS Assets Available?

[MysteriousPreacher]

I feel for Mundie. My construction business went through something similar. After many happy years of designing and building sub-standard residential properties, we were caught off-guard when people began to exploit the tendency of our houses to catch fire, explode, and be easily burgled.

As the largest builder of houses, we were a common target. We lost our lead in commercial buildings because we had to devote a lot of resources to learning how to build houses that lasted more than a few days.

it's easy in hindsight to say that electrical insulation is useful, or that gas pipes should not leak, or that front doors be made of something more sturdy than cardboard. Back then we had no reason to assume that anything of those things were ever going to be important, and I assume everyone built houses that were prone to sudden annihilation.

We're not entirely blameless. This would never have happened if people had kept naked flames at least 30ft away from the houses. The cardboard doors on the houses not at the time exploding and/or burning, was only an issue because criminals were trying to burgle houses.

Here we go...

"Microsoft was basically the only company that had enough volume for it to be a target"

Tying security to volume of installs shows, to me, a lack of understanding of the actual models underlying the operating systems.
Windows is an entirely different creature from say Linux. Linux is merely the kernel, everything else is a package. A properly secured linux box, (proper PAMs, selinux, permissions, Least user privs, and minimum packages) != a hardened windows box. They are not even close. Volume has little to do with the security models. I hate that is always pops up. As if.

Well duh

[Solandri]

The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering.

You took an OS which effectively ran with superuser privileges (DOS) all the time, and added a graphical shell on top of it (Win95, Win98). You then tried to switch it to a more secure user / superuser model, but you made it so inconvenient that it was easier for everyone to just run as superuser all the time (NT, 2k, XP). Finally you started trying to enforce running as a regular user except when needed (Vista). But the industry had had a decade to acclimate to running as superuser, so you were met with so much resistance you had to scale it back (7). Of course you're going to have a huge security problem.

You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked, and that user vs. admin privileges were going to become very, very important. But no, you took the easy way out and stuck with the one-computer one-user model, and you've been paying the price for it for the last decade and half. You made your own bed; it's disingenuous to now blame someone else for having to lie in it.

Part of being a good leader (of a group, country, market, whatever) is to foresee and recognize what's going to become important or a problem in the future, long before your followers do. A good example is what the NSA did with DES. They had done enough secret research into DES that they knew of a vulnerability; and when DES was proposed as a standard they made some secret changes to it which eliminated that vulnerability before the public was even aware of it. Your job as a leader is to act on that foresight, even if your followers can't see what you see and complain about it. If you can't do that, you just aren't cut out to be a leader.

Re:Never designed to be network-aware

[terjeber]

For the record, the rubbish Craig Mundie says in the referenced article seems like drug-induced nonsense. Microsoft dropped the ball on security by basically, in Win2K defaulting to run anything under the "root" user, which was a stupid idea, but understandable, most users of Win95/98/ME would have been lost if the security in Windows had actually been used properly.

Translation

[folderol]

It's everyone else's fault. Not ours.

Re:Never designed to be network-aware

[Waffle+Iron]

Windows (and MS-DOS before it) was not originally designed to be network-aware

And how is that relevant? ... The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

It's relevant because for many years they shipped their OSes configured "out of the box" to bypass or hobble much of that wonderful-on-paper NT security model. This was so they could preserve the nonrestrictive DOS/Win95 the user experience that people were so used to. The security technology might as well not be there if nobody actually uses it.

This problem was compounded by a lack of quality control on much of the system code outside of the kernel itself. Remember when the half life to 0wnage of a fresh XP box connected to the Internet was measured in minutes?

Re:Cry Me a River

[DarkOx]

Yes and the worst part is the very argument shows top brass at Microsoft still regard security as a distraction rather than a key design requirement in their products.