Craig Mundie Blames Microsoft's Product Delays On Cybercrime
whoever57 writes "In an interview in Der Spiegel, Craig Mundie blames Microsoft's failure in mobile on cyber criminals. Noting that Microsoft had a music player before the iPod and a touch device before the iPad, he claims a failure to execute within Microsoft resulted in Microsoft losing its 'leadership.' The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering. The criminal activity in cyberspace was growing dramatically ten years ago, and Microsoft was basically the only company that had enough volume for it to be a target. In part because of that, Windows Vista took a long time to be born.'"
Yep, cyber criminals armed with chairs...
If MS had wanted to start a new division for mobile devices, it had the cash to do it. Mundie's excuse doesn't cut it.
If what he is saying is that he and Ballmer are so much of a micromanagement team that they couldn't handle one more project and still tell everyone what to do, I can buy that as an excuse.
Windows (and MS-DOS before it) was not originally designed to be network-aware, much less network-safe. MS-DOS was a thinly disguised clone of Digital Research's CP/M, circa 1974. CP/M, as a personal computer operating system, was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).
It was no surprise to anyone that an operating system that treats all programs and operations as fully privileged, when connected to a global network, treats everyone in the world as a sysadmin. Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them, without horribly breaking every existing application.
That they succeeded even a little is a triumph of engineering.
But they would have saved everyone, including themselves, a huge amount of time and money by using something more UNIX-like as the design basis of Windows NT in the early 1990s. Apple learned that lesson with OS/X. Microsoft had Xenix years before, but threw it away. We, and Microsoft, are still suffering the consequences.
As so-called "smart" phone-computers and tablets further fragment the marketplace, it won't be the PC that "goes away" but, at long last, Windows and the CP/M heritage. The UNIX way wins at last... Huzzah!
He's discussing the time period right about when I finally bailed on MS. I had been trying to be a security advocate for my group for a couple of years - and was told over and over again that users don't want security, and who cares? (Admittedly, the group I'd worked for before that, which was more server focused, was also more security focused.) ...and then the security initiative began, and while I was cheerfully packing up my office, I suddenly had coworkers stopping by, picking my brain and trying to get me to give them my phone number so I could continue to work for the company I was so eager to depart from, for free. And, of course, the security infrastructure they produced was incredibly annoying and non-helpful for most users. (Somewhere in here my not particularly computer literate mother switched over to Linux.)
Of all the stupid statements I've heard coming out of Microsoft about why they have made lousy products and terrible missteps which were, unaccountably, not embraced by customers, this has got to be the stupidest.
Mobile? The core problem continues to be that mobile is much more about hardware (which Microsoft itself has finally acknowledged). And even aside from the hardware, more about clean interface design than market dominance.
What buffoonery.
With security out of the way, it looks like they can knock out a new version about every 18 months now. Lucky us. Especially if you happen to be in the business world and they screw you over and say they are not even going to offer more service packs for an operating system a lot of businesses just installed.
Microsoft needs a new business model that doesn't involve forced, non-needed upgrades. Don't know what that exactly is, but the current method is not working.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
What a whiney rant to cover up his own malfeasance.
In other words the corners cut ignoring the lessons learned on *nix and other systems before MS Windows even existed eventually needed to be at least partially dealt with.
The reason for MS's failure in that field was clear to all. Even in the poor company it shared, it still stood out as a crock.
Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
"Microsoft was basically the only company that had enough volume for it to be a target"
Tying security to volume of installs shows, to me, a lack of understanding of the actual models underlying the operating systems.
Windows is an entirely different creature from, say, Linux. Linux is merely the kernel; everything else is a package. A properly secured Linux box (proper PAMs, SELinux, permissions, least user privs, and minimum packages) != a hardened Windows box. They are not even close. Volume has little to do with the security models. I hate that it always pops up. As if.
Too bad they didn't use that extra time to abort...
You took an OS which effectively ran with superuser privileges (DOS) all the time, and added a graphical shell on top of it (Win95, Win98). You then tried to switch it to a more secure user / superuser model, but you made it so inconvenient that it was easier for everyone to just run as superuser all the time (NT, 2k, XP). Finally you started trying to enforce running as a regular user except when needed (Vista). But the industry had had a decade to acclimate to running as superuser, so you were met with so much resistance you had to scale it back (7). Of course you're going to have a huge security problem.
You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked, and that user vs. admin privileges were going to become very, very important. But no, you took the easy way out and stuck with the one-computer one-user model, and you've been paying the price for it for the last decade and a half. You made your own bed; it's disingenuous to now blame someone else for having to lie in it.
Part of being a good leader (of a group, country, market, whatever) is to foresee and recognize what's going to become important or a problem in the future, long before your followers do. A good example is what the NSA did with DES. They had done enough secret research into DES that they knew of a vulnerability; and when DES was proposed as a standard they made some secret changes to it which eliminated that vulnerability before the public was even aware of it. Your job as a leader is to act on that foresight, even if your followers can't see what you see and complain about it. If you can't do that, you just aren't cut out to be a leader.
If you release a lot of crappy software, sooner or later, somebody will have to pay the bill. The secret of Microsoft is that they make it so the customer is the one paying this bill, but sometimes Microsoft has to pay part of it. Imagine if Microsoft were forced to retroactively pay for all the losses because of OS crashes, and all the expenses because of antivirus software. But we don't live in a world where Microsoft is being forced to pay for its crappy products' faults.
-Woof woof woof!
The OS was horribly insecure. That it took them a decade to (more or less) fix that is their fault, not the fault of their market-share.
Awesome term. Can anyone translate into human? I think he's saying that they done fucked up, but for all I know, he's talking about literally killing employees who didn't fit in with the corporate culture.
If you were blocking sigs, you wouldn't have to read this.
Microsoft came out with a tablet and it did everything you liked about a laptop but less. Apple came out with a tablet that did everything you liked about a smart phone only more. Apple was a bit more clever.
When Windows first came on the market it was not the market leader. It did not have years of legacy code or legacy applications holding it back. It could have been built more secure from the ground up.
All of Windows' competitors competed in the same market with the same 'cyber-criminals'. They built products that better withstood attack. All of the parties building products for sale in all of these markets were subject to the same market forces. By the time we got to the world of touch surfaces, music players and phones, Microsoft had a few things it could have used to its advantage: $49B in the bank and market dominance. They are complaining that they had to re-direct resources to make Windows secure. Then they should have tapped into their reserves and gotten more resources!
Maybe if they didn't waste money on ads for churros and running shoes with Jerry Seinfeld and put that money towards product development they would have succeeded.
Microsoft failed in these markets because they failed to understand what consumers wanted. They have no one else to blame but themselves.
Build products people actually want to buy.
Microsoft is a Marketing Operation With Some Shoddy Software. They are very good at polishing the surface of crap-balls so that the naive/dumb/ignorant "management talent" with their MBA "degrees" buys their crapola. Just look at their MFC container classes - they don't have a fecking clue about complexity analysis. They don't know what an automatically growing hashtable is. So they employ tons of software developers who apparently never went through a proper CS fundamentals course.
Google knows their stuff because they weed out those who have no grasp of basic CS concepts when interviewing them. If you look for a technology leader, look at Google. Or NSA; actually those two are more or less two faces of the same coin. And yeah, I don't like them collecting like mad. But MS, they are all amateurs in the business of drawing nice glossy pictures and making tools for that end.
TFA and Craig Mundie believe his own spin.
If MS managed to avoid having security loopholes, what makes anyone think that Zune or Touch would've made it? How easy it is to forget DRM and playing by MS rules, proprietary file types, half-baked software, codecs and technology that doesn't fit anything else.
Oh, and just insert Apple pretty much anywhere if you're not a fanboi.
What troubles me the most is the attempt to rewrite history. Much like modern politics I suppose....
Don't be apathetic. Procrastinate!
It's everyone else's fault. Not ours.
I was under the impression that at least early on Microsoft kinda sorta turned a blind eye to pirating - that way they could spread their stuff far and wide. Only after everyone was "hooked" did they start tightening the screws.
I remember how easy it was to install ms office (and other sw) throughout a business with a single set of installation CDs/diskettes + add extra bogus seats/connections/licenses to your server etc.
Just sayin'
Disk quotas are not a security measure.
Password file was encrypted.
Application ownership of a file isn't security.
... that in XP, all the users you created at install time (up to 4, IIRC), in addition to the "Administrator" root account, were members of the "Administrators" group, that the account type for newly created users in control panel defaulted to "Computer administrator", and you had to change that on purpose to "Limited" (who, if they are not computer experts, wants to be limited?); the new naming convention ("Standard User" instead of "Limited") in Win7 is much better.
Obviously, the fact that a lot of programs that originated in Windows 3 or 95 by default wrote their configuration to an *.ini file in the install directory, and that most games would not run for limited accounts at all, contributed to this: if MS had made users run as limited accounts, lots of old programs and games that used to work on the user's old machine would have stopped working, and users would have blamed MS.
BTW: Win2K, before XP, put all limited accounts by default into the "power users" group, which had a similar effect - almost - as making them administrators.
And the number of rants on the internet about annoying UAC prompts - "It is my machine, and I'll damn well decide which programs to run and what to do" - and the articles about how to turn UAC off, often by quite proficient computer users, only prove that some people are just too plain stupid to use a networked computer.
Yes, it was. I believe that's what Clueless Craig would term an "executional misstep".
Pain is merely failure leaving the body
From what I remember, it wasn't designed to be all that secure, and besides, it wasn't theirs anyway. It was rebranded/licensed from SCO, back when they were still a legit company producing code.
And don't forget even MS-DOS wasn't original in the beginning; they bought ( stole ) it from another company.
Hell, they even had to buy SQL Server from another company to get that started.. ( have they ever had a true original thought from the beginning? )
Overall Microsoft is a huge joke, and would have never had a chance if it wasn't for their founding unfair advantage with IBM that gave them the upper hand in the market.
If he didn't have the inside track and CP/M was given a fair chance with the PC, the landscape would be far different today.
---- Booth was a patriot ----
News to me. I think this is a case of rewriting history to not admit abysmal failure across the board.
Incidentally, I think that if MS had any real competition for Windows and Office, they would fail about as bad. The technology is still decades behind.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering."
Because there never was a move to secure the OS when it was initiated, and it only became a priority after numerous public attacks forced it.
But really, to say that a corp the size of Microsoft can't develop new products and secure their existing ones at the same time is naive at best and more likely propaganda.
"If any question why we died, Tell them because our fathers lied."
Victimhood.
Have gnu, will travel.
Actually, Windows NT 3.51 was in good shape on the security front. It was intended to run 32-bit programs only. The 16-bit subsystem, which was an optional add-on (you could install NT without it), was intended as a short-term conversion aid for legacy code. It didn't support many of the vagaries of Windows 95.
The Intel Pentium Pro had a similar problem. It was a good 32-bit CPU, able to run 16-bit x86 code as well, but not with full performance. Reviewers gave it bad reviews running Windows 95 with 16-bit applications. Both Microsoft and Intel overestimated how rapidly the industry would convert to 32-bit applications.
Recovery from this was done by dumping vast amounts of Windows 95 code into the NT line, to the detriment of security. This resulted in NT 4 (a turkey) and, after a huge effort, Windows 2000 (reasonably good). That's where the effort went.
Also, remember, Microsoft went into the game console business. That cost them a lot more than they expected. The original Xbox was a PC. It ran a version of Windows 2000, and you could run XBox games on Windows 2000 (if you were a developer, had the development kit, and were developing your own game; the DRM prevented running the games of others). It lost money from launch to discontinuation. The XBox 360 was a new design, was incompatible with Windows, required much new software, and finally made money for Microsoft. It sucked up a lot of talent.
(Not as bad as the PS3, though. Developing tools to deal with the Cell architecture sucked up all the talent in SCEA's R&D operation for years. Sony is dumping the Cell for the next round.)
During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering.
Why did Microsoft have to shift focus? Because Microsoft had taken a "features have priority over security" mindset previously. That mindset led to software that was so full of security issues, it is amazing it wasn't exploited more than it was.
This premise is substantiated by the fact that other vendors have software in the marketplace and appear to weather the cyber-criminal attacks much better than Microsoft does.
Microsoft will fix its strategic problems only when it stops trying to blame others for the missteps that Microsoft has taken. My suggestion for a first step: fire Mr. Ballmer.
Microsoft has never taken security seriously until the point that Mundie mentions, and even after that one can hardly give them a glowing review. That Microsoft failed to build in security from the start was clearly a gamble of some sort. Clearly Microsoft knew of computer security issues; that MSFT chose to ignore serious security for the sake of profits, market share or whatever other factors, only to have to stop and fix things, isn't the fault of hackers; that MSFT chose to ignore security is what made it easy for black hat hackers to thrive.
http://www.hawknest.com/
I remember Redhat 6.x from the early 2000's. It installed with all services+listeners running by default. Stuff like SMTP and RPC and bind was listening. For a Redhat install, the only safe way to install was from CD. Then run "lsof -i" and see what services are listening to the internet, and spend the better part of an hour shutting them down, and/or uninstalling them altogether. Worms like L10n and Ramen were rampant. After a lot of yelling+screaming Redhat finally listened, and stopped installing that stuff by default. Installs could be done without needing a firewall. The worms went away.
Microsoft was run by a bunch of idiots who wanted everything to "just work". One of the advertising claims for Windows 3.1 was "ease of administration". You could send a script as an email to all users in the office, and they simply had to click on it and it would re-configure their PC as you desired. This worked great in a 10-person office before the WWW. On a hostile web/internet, it was a disaster waiting to happen.
In order to make things "just work" for home PCs, Windows defaulted to NetBIOS/NetBEUI and RPC all turned on. This was one of the causes of all the worms that spread by portscanning. To make things worse, by Win98SE, *YOU COULD NOT TURN OFF RPC EVEN IF YOU WANTED TO*.
The "Autorun" mentality was another problem. We all know about sticking a USB key into a Windows machine, and it "automagically" ran stuff. That was not the only such problem.
Excel had "autoexec macros" that ran when you fired up the spreadsheet. MS' first response was to change Excel to set a bit in the file header of the spreadsheet, flagging that it had autorun macros, and Excel shouldn't run them if the user had changed his Excel config to disallow autorun macros. It didn't require genius for bad guys to save a spreadsheet with autoexec macros, and edit the file header of the spreadsheet with a hex editor, telling Excel that the spreadsheet was "safe". Excel then proceeded to run the autoexec macro when loading the spreadsheet, regardless of the user's settings. That was eventually fixed.
Outlook Express (known "affectionately" as "Outhouse Excuse") also "auto-rendered" files. This allowed photos to be displayed inline, and music files (WAV, etc) to be played automatically. The "security" consisted of filtering against a list of safe file extensions (WAV, JPG, etc), and then handing off the file to the OS to run. The OS ignored the extension, and determined the file type by checking the file header, then it handed off the file to the appropriate program. So the bad guys renamed "virus-installer.exe" to "song.wav", and it was automatically executed. This is how SirCam and Bubble-Boy wormed their way around the web.
And then we get to Active X, known "affectionately" as "Active Hacks". This was the mechanism behind so many "drive-by-downloads". What made it worse was that Active-X was rammed down people's throats by Internet Explorer. Let's say you disabled Java, Javascript, and Active-X in IE.
* Java was Sun's product. You launched a webpage with a Java applet, the applet didn't download and run, but the rest of the page displayed properly. IE "degraded gracefully".
* Javascript (originally called "Livescript") was Netscape's baby. You launched a webpage with javascript, the javascript didn't run, but the rest of the page displayed properly. IE "degraded gracefully".
* Active-X was Microsoft's baby. A lot of webpages had Active-X code. When IE came across a page with Active-X, and IE had Active-X disabled, then IE came to a screeching halt, and put up a modal dialogue about how "This page may not display properly". It would not budge until you clicked OK. With all the Active-X applets on the web, IE was effectively unusable with Active-X disabled. Just like UAC several years later, people got sick and tired of clicking "OK" every 30 seconds, and simply enabled Active-X in IE. That was what kept drive-by-downloads going.
Microsoft have only themselves to blame.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
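The extension-versus-content problem the post above describes, shown as an added defensive example (not code from the post or from any Microsoft product): an extension-only allowlist beside a check that also sniffs the leading bytes. All sample attachments are constructed minimal headers, not real files.

```python
"""Detect attachments whose file extension claims a harmless type while
the bytes say otherwise (the 'virus-installer.exe' renamed to 'song.wav'
trick). Added example; all sample bytes below are constructed."""

from typing import Optional

# Extensions an Outlook Express-style renderer treated as safe to auto-open.
SAFE_EXTENSIONS = {"wav", "jpg", "jpeg", "gif", "txt"}


def extension_of(filename: str) -> str:
    """Lower-cased extension, with 'jpeg' folded into 'jpg'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpg" if ext == "jpeg" else ext


def naive_is_safe(filename: str) -> bool:
    """The extension-only check the post describes: fooled by a rename."""
    return extension_of(filename) in SAFE_EXTENSIONS


def sniff_type(data: bytes) -> Optional[str]:
    """Identify content from leading magic bytes, as the OS launcher did."""
    if data[:2] == b"MZ":                                  # DOS/PE executable
        return "exe"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":      # RIFF WAVE audio
        return "wav"
    if data[:3] == b"\xff\xd8\xff":                        # JPEG SOI marker
        return "jpg"
    if data[:6] in (b"GIF87a", b"GIF89a"):                 # GIF header
        return "gif"
    return None


def classify(filename: str, data: bytes) -> str:
    """Hardened decision: 'allow' only when extension and content agree and
    neither is executable; 'review' when the content cannot be identified."""
    ext = extension_of(filename)
    real = sniff_type(data)
    if ext not in SAFE_EXTENSIONS or real == "exe":
        return "block"           # non-allowlisted name, or disguised executable
    if real is None:
        return "review"          # e.g. plain text: nothing to verify against
    return "allow" if real == ext else "block"   # extension/content mismatch


# Constructed sample attachments (minimal headers, not real files).
REAL_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 24
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
GIF_BYTES = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8
DISGUISED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # MZ header only

SAMPLES = [
    ("song.wav", REAL_WAV),
    ("song.wav", DISGUISED_EXE),   # the SirCam-style rename
    ("photo.jpg", GIF_BYTES),      # benign but mislabelled
    ("notes.txt", b"hello"),
    ("installer.exe", DISGUISED_EXE),
]


def compare(samples=SAMPLES):
    """Return (name, naive verdict, hardened verdict) for each attachment."""
    return [(n, naive_is_safe(n), classify(n, d)) for n, d in samples]


if __name__ == "__main__":
    for name, naive, hardened in compare():
        print(f"{name:15} naive_safe={naive!s:5} hardened={hardened}")
```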
1. NO. Disk Quotas ARE NOT SECURITY. They may halt a DoS if, for example, the partition fills up that holds your data cache, but root keeps a reserve of 5%.
2. Password file was encrypted. That is what security meant. That the brute forcing of encryption dropped from a billion computer years to a few hundred hours AND there were not more than a few hundred computers at the time meant this was ENTIRELY SECURE. As secure as 256-bit AES encryption used to secure high-classification documents stored on media.
And when the situation changed, you got /etc/shadow.
Jeez, you really DO have to hate on, don't you?
Microsoft was basically the only company that had enough volume for it to be a target
Crap. Volume is not the only value of import here at all. Volume isn't insignificant, but the overall problem is more proportional to volume * ease-of-attack. If it were just volume then Apache would have been in the news for security problems more than IIS rather than the other way around.
You built Windows starting with DOS and slapped Windows on top. With each release, it was a new evolution which mixed in the result of Microsoft's collaboration with IBM's OS/2 to create NT.
The Apache web server got its name because of how it was built and developed. But if any one product deserves the name, it's Windows. It is simply far too patchy to be secure.
The whole idea of "The UNIX Way" is that files are just files ... and that you accomplish tasks by running files as streams through various pipes and filters. This is utterly at odds with requiring file associations to any particular program. You can use vi or Emacs or pico or whatever you like to edit a .c file. You can use Emacs to edit a PostScript file... you can use any of half a dozen common programs to edit a .docx file... It's the "Apple way" of forbidding anything but the Anointed Holy Programs from operating on my files, that is broken.
Linux: IPX protocol null-pointer dereference exploit. Apache: chunked-encoding exploit. Not as long-standing as the NTVDM or GDI exploits in NT, but still pretty darn bad.
Coffee-driven development.
I'm glad Mundie is sorting me out here. All this time, I've been thinking Windows' security problems were due to stupid decision making - creating the Administrator account without a password by default; having an SQL server running and listening to the outside by default; stuff like that. Nope - now I know it's just that Microsoft was big, and any other OS would've had the same issues if they were just used more.
#DeleteChrome
We were all drunk at the time? Any sort of noble gesture or even quiet shame are off the table.
I think part of the confusion comes from the fact that despite NT having had some of these things first, people still ran into them first on Linux. I mean, up until 2000 (or was it XP?) the first user you made was set up to run all applications as administrator by default. Microsoft has a ton of really smart people creating some incredible stuff. Then marketing seems to get a hold of those ideas and drive them into the ground or hobble them.
^I'm with stupid.^
MS' claims that they had to shift their focus to security engineering and had to delay release of new products is BS. It's like the Republicans claiming that we need more tax cuts for the rich to create jobs in the US. If they had really done any security research and development, Windows might now actually be the stable, reliable platform that they keep claiming it is.
MS deserves its long-overdue death.
Way back in 2003, Microsoft achieved dominance in the mobile consumer electronics market with TRON, the real-time OS, or they would have if they didn't perceive it (and everything else) as a threat to the Windows platform.
Microsoft v. Tron
AccountKiller
"Windows (and MS-DOS before it) was not originally designed to be network-aware, much less network-safe"
Windows has been 'network-aware' since at least Windows for Workgroups 3.11
It's clearly unfair to blame Microsoft for losing this opportunity to dominate another space. It's not their fault that criminals chose to exploit their wildly insecure and unstable software. They can't be held responsible for the quality of product that they develop.
No one (at Microsoft) should lose their job (or CEO-ship) over such activities.
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
.. "The problem isn't that NT-based operating systems are inherently insecure. The problem is that .. NT had to be backwards compatible with existing applications" ..
Why didn't they run older apps inside a virtual DOS machine like on OS/2?
Look, just because you might have had a crappy music player and some junky tablet before someone else doesn't mean you had any idea how to engage your users on the platforms. If we turned back time and you got a redo, it would end up the same way because they wouldn't "just work" for people, and therefore people wouldn't buy them.
the iPod was released in 2001
Zune was released in what.... 2006?
Diamond Rio in 1998, but it was from Diamond
Creative Nomad in 2000 but it was from Creative.
What is this guy talking about that MS had a music player before the iPod?
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Deserves to be read!