Slashdot Mirror


Craig Mundie Blames Microsoft's Product Delays On Cybercrime

whoever57 writes "In an interview in Der Spiegel, Craig Mundie blames Microsoft's failure in mobile on cyber criminals. Noting that Microsoft had a music player before the iPod and a touch device before the iPad, he claims a failure to execute within Microsoft resulted in Microsoft losing its 'leadership.' The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering. The criminal activity in cyberspace was growing dramatically ten years ago, and Microsoft was basically the only company that had enough volume for it to be a target. In part because of that, Windows Vista took a long time to be born.'"

21 of 182 comments

  1. Cyber criminals by Anonymous Coward · Score: 4, Funny

    Yep, cyber criminals armed with chairs...

    1. Re:Cyber criminals by K. S. Kyosuke · Score: 5, Funny

      Hah, wait till Chair Man comes to the rescue! (I know the public identity to his secret one, but I won't tell!)

      --
      Ezekiel 23:20
  2. Were MS Assets Available? by BoRegardless · Score: 5, Insightful

    If MS had wanted to start a new division for mobile devices, it had the cash to do it. Mundie's excuse doesn't cut it.

    If what he is saying is that he and Balmer are so much of a micromanagement team that they couldn't handle one more project and still tell everyone what to do, I can buy that as an excuse.

    1. Re:Were MS Assets Available? by DarkOx · Score: 4, Insightful

      That and attempting to duck responsibility for the security situation is a little pathetic too. Yes, the people responsible for crime are the criminals. If someone hacks you, trashes your site, steals your trade secrets, whatever, that cracker is the responsible party. Just like if someone breaks the glass in my window, reaches around and opens the lock, they own the breaking and entering. That does not mean, however, that it's not a good idea to take steps to protect your valuable assets, because we know there are bad actors out there.

      The reality is most of us want an operating system where the security controls are effective. Microsoft was forced by the market to 'focus on security' because businesses really were going to start jumping ship for alternatives like Apple desktops and Linux in the back office (and in some cases the front office too). If Microsoft had made a correct allocation of resources to security in the first place they would not have had to sideline so many other efforts to fill in the deficit later.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Were MS Assets Available? by MysteriousPreacher · Score: 5, Insightful

      I feel for Mundie. My construction business went through something similar. After many happy years of designing and building sub-standard residential properties, we were caught off-guard when people began to exploit the tendency of our houses to catch fire, explode, and be easily burgled.

      As the largest builder of houses, we were a common target. We lost our lead in commercial buildings because we had to devote a lot of resources to learning how to build houses that lasted more than a few days.

      It's easy in hindsight to say that electrical insulation is useful, or that gas pipes should not leak, or that front doors should be made of something more sturdy than cardboard. Back then we had no reason to assume that any of those things were ever going to be important, and I assume everyone built houses that were prone to sudden annihilation.

      We're not entirely blameless. This would never have happened if people had kept naked flames at least 30ft away from the houses. The cardboard doors on the houses not at the time exploding and/or burning were only an issue because criminals were trying to burgle houses.

      --
      -- Using the preview button since 2005
  3. Never designed to be network-aware by jabberw0k · Score: 5, Informative

    Windows (and MS-DOS before it) was not originally designed to be network-aware, much less network-safe. MS-DOS was a thinly disguised clone of Digital Research's CP/M, circa 1974. CP/M, as a personal computer operating system, was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

    It was no surprise to anyone that an operating system that treats all programs and operations as fully privileged, when connected to a global network, treats everyone in the world as a sysadmin. Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them, without horribly breaking every existing application.

    That they succeeded even a little is a triumph of engineering.

    But they would have saved everyone, including themselves, a huge amount of time and money by using something more UNIX-like as the design basis of Windows NT in the early 1990s. Apple learned that lesson with OS/X. Microsoft had Xenix years before, but threw it away. We, and Microsoft, are still suffering the consequences.

    As so-called "smart" phonecomputers and tablets further fragment the marketplace, it won't be the PC that "goes away" but, at long last, Windows and the CP/M heritage. The UNIX way wins at last... Huzzah!

    1. Re:Never designed to be network-aware by Alomex · Score: 4, Informative

      was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

      pffffft (spits coffee out) Unix security what?

      Unix was designed as an experimental operating system for a lab setting and hence had the weakest security of all OSes at the time. In fact, old timers will remember the common quip from the 80's and early 90's: Unix security is an oxymoron.

      Here's a sample quote from 1986:

      "UNIX Security" is an oxymoron. It's an easy system to brute-force hack (most UNIX systems don't hang up after x number of login tries, and there are a number of default logins, such as root, bin, sys and uucp). Once you're in the system, you can easily bring it to its knees (see my previous Phrack article, "UNIX Nasty Tricks") or, if you know a little 'C', you can make the system work for you and totally eliminate the security barriers to creating your own logins, reading anybody's files, etcetera. This file will outline such ways by presenting 'C' code that you can implement yourself.

      For example: 1) the original Unix did not even have disk quotas; 2) as late as the early 1990s any regular user could bring the entire system down with a simple stty command; 3) wall used to be enabled for all users by default, which included the ability to write control characters to someone else's TTY; 4) the password file containing the encrypted passwords used to be publicly readable, which opens the system to offline attacks; 5) to this date, *nix does not support well the concept of application ownership of a file, which leads to programs requiring their own user account, which is another kludge.

      Unix security today is a hard won battle by many people who patched up the original Unix system. Even so it is still subpar compared to big iron mainframe security.

    2. Re:Never designed to be network-aware by terjeber · Score: 4, Informative

      Oh, there are so many mistakes in this drivel that I am at loss as to where to start. Well, let's begin at the beginning.

      Windows (and MS-DOS before it) was not originally designed to be network-aware

      And how is that relevant? The Windows NT source code is not based on, and contains no, DOS code. DOS and Win16 software run in emulation on Windows since Windows NT, that is, Win2K, WinXP etc. There is very little difference between the way Linux runs Win16 software (on Wine) and the way WinNT-based OSs run Windows software. WinNT was designed from the bottom up to be a network operating system. In many ways, it has far more network awareness and security built in than does, for example, Linux.

      The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

      draconian measures taken by "mainframe mentality" operating systems like UNIX

      BZZZZ! WRONG! Unix was written as a "personal" operating system that would be a lot simpler than the operating systems under "mainframe mentality" (whatever that was at the time) and would free its users from the rigors of time-share systems etc.

      no surprise to anyone that an operating system that treats all programs and operations as fully privileged

      Windows hasn't done that since before Win2K. In WinNT (but that was sadly later dropped) a Microkernel mantra was used, where even most drivers ran in user-space rather than in kernel space. Graphics drivers were later (in Win2K as far as I can remember, but don't quote me on that) moved to kernel space.

      Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them

      Oh, so wrong, so wrong. Clueless drivel in fact. Windows NT had far more security features than most desktop Unices at the time, and Windows still has a much more sophisticated security model than, for example, Linux. Even the basic file system security of Windows is head and shoulders above most Linux file systems.

      Honestly, if you want to post about the technical underpinnings of something, you really should get a basic clue first. Repeat after me:
      * There is no DOS code in the Windows operating system.
      * Windows was built from the ground up based on VMS as a network-aware, multi-user operating system.
      * Windows has better file and run-time security than almost any personal operating system in use today, including OS/X and Linux.

      That, you see, is reality. Not the nonsensical drivel you posted.

    3. Re:Never designed to be network-aware by CajunArson · Score: 4, Funny

      Shush you! Your irresponsible knowledge of history and politically-incorrect use of "facts" are getting in the way of us praising the perfect security of anything associated with UNIX!

      Now excuse me while I go purge my SSH logs of all those pesky login attempts that I'm sure are all coming from only Windows machines since Microsoft forces everyone to use SSH on Windows. I'll ignore all those nmap reports that indicate the attack machines are actually compromised Linux boxes in Asia since it's theoretically possible for someone to lock down a Linux box, therefore ALL Linux boxes are always perfectly admined and cannot be hacked!

      --
      AntiFA: An abbreviation for Anti First Amendment.
    4. Re:Never designed to be network-aware by terjeber · Score: 3, Insightful

      For the record, the rubbish Craig Mundie says in the referenced article seems like drug-induced nonsense. Microsoft dropped the ball on security by basically, in Win2K, defaulting to run anything under the "root" user, which was a stupid idea, but understandable: most users of Win95/98/ME would have been lost if the security in Windows had actually been used properly.

    5. Re:Never designed to be network-aware by gbjbaanb · Score: 3, Interesting

      ohhhh shit, the world's just been turned upside down - Unix is for personal, hack-style users and Windows is for mainframe, secure datacentre applications?! :)

      Of course you're right - Dave Cutler did a great job with the original WNT, and Linux was a crashy bit of crap for many years, but things change and Linux had a load of good engineering put into it, and WindowsNT had a load of crappy engineering put into it.

      So today, the faults with Linux lie in the original design flaws, and the faults with Windows lie in the bodged up crap that was added by other teams in Microsoft. (however, I'd take a slight contention about Windows NT security model - it started life really well, simple to use and understand. Today even running as administrator you don't have administrator privileges, then there's the overly complex way of applying some security aspects, and then there's the different models of security that just don't use the underlying model that worked so well - for example I once attended a course from MS about MTS and in there they talked of security roles. I put my hand up and asked "why have roles when you could have used Windows groups?" The guy ummed a little, gave a little laugh and said "ah yes, I see where you're coming from with that... next question"). Obviously some team at MS had decided to roll their own security system rather than rely on the underlying thing, and this is what still happens today.

    6. Re:Never designed to be network-aware by Waffle Iron · Score: 5, Insightful

      Windows (and MS-DOS before it) was not originally designed to be network-aware

      And how is that relevant? ... The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

      It's relevant because for many years they shipped their OSes configured "out of the box" to bypass or hobble much of that wonderful-on-paper NT security model. This was so they could preserve the nonrestrictive DOS/Win95 user experience that people were so used to. The security technology might as well not be there if nobody actually uses it.

      This problem was compounded by a lack of quality control on much of the system code outside of the kernel itself. Remember when the half life to 0wnage of a fresh XP box connected to the Internet was measured in minutes?

    7. Re:Never designed to be network-aware by Dr. Evil · Score: 3, Informative

      NT4 moved the graphics into the kernel. It was controversial back then. http://technet.microsoft.com/en-us/library/cc750820.aspx

      The biggest PITA to run outside of an administrative account was the software. It wasn't until XP that software *started* to work as a 'user'.

      Microsoft made big leaps in security in the past decade. Security advisory/patch cycles to entrypoint randomization, driver signing, code signing, policy refinement, non-executable stacks, WSA, antivirus etc.

      I don't buy that this cost them their leadership. Crappy decisions did. I'll add that, ironically, because they didn't create marketplaces like iTunes, their music player almost *relied* on piracy "cybercrime" for its marketshare.

  4. Obviously the dog ate their decent designs... by tylikcat · Score: 5, Interesting

    He's discussing the time period right about when I finally bailed on MS. I had been trying to be a security advocate for my group for a couple of years - and was told over and over again that users don't want security, and who cares? (Admittedly, the group I'd worked for before that, which was more server focused, was also more security focused.) ...and then the security initiative began, and while I was cheerfully packing up my office, I suddenly had coworkers stopping by, picking my brain and trying to get me to give them my phone number so I could continue to work for the company I was so eager to depart from, for free. And, of course, the security infrastructure they produced was incredibly annoying and non-helpful for most users. (Somewhere in here my not particularly computer literate mother switched over to Linux.)

    Of all the stupid statements I've heard coming out of Microsoft about why they have made lousy products and terrible missteps which were, unaccountably, not embraced by customers, this has got to be the stupidest.

    Mobile? The core problem continues to be that mobile is much more about hardware (which Microsoft itself has finally acknowledged). And even aside from the hardware, more about clean interface design than market dominance.

    What buffoonery.

  5. Here we go... by Anonymous Coward · Score: 4, Insightful

    "Microsoft was basically the only company that had enough volume for it to be a target"

    Tying security to volume of installs shows, to me, a lack of understanding of the actual models underlying the operating systems.
    Windows is an entirely different creature from, say, Linux. Linux is merely the kernel; everything else is a package. A properly secured Linux box (proper PAMs, SELinux, permissions, least user privs, and minimum packages) != a hardened Windows box. They are not even close. Volume has little to do with the security models. I hate that it always pops up. As if.

  6. Well duh by Solandri · Score: 5, Insightful

    The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering.

    You took an OS which effectively ran with superuser privileges (DOS) all the time, and added a graphical shell on top of it (Win95, Win98). You then tried to switch it to a more secure user / superuser model, but you made it so inconvenient that it was easier for everyone to just run as superuser all the time (NT, 2k, XP). Finally you started trying to enforce running as a regular user except when needed (Vista). But the industry had had a decade to acclimate to running as superuser, so you were met with so much resistance you had to scale it back (7). Of course you're going to have a huge security problem.

    You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked, and that user vs. admin privileges were going to become very, very important. But no, you took the easy way out and stuck with the one-computer one-user model, and you've been paying the price for it for the last decade and a half. You made your own bed; it's disingenuous to now blame someone else for having to lie in it.

    Part of being a good leader (of a group, country, market, whatever) is to foresee and recognize what's going to become important or a problem in the future, long before your followers do. A good example is what the NSA did with DES. They had done enough secret research into DES that they knew of a vulnerability; and when DES was proposed as a standard they made some secret changes to it which eliminated that vulnerability before the public was even aware of it. Your job as a leader is to act on that foresight, even if your followers can't see what you see and complain about it. If you can't do that, you just aren't cut out to be a leader.

    1. Re:Well duh by QuietLagoon · Score: 4, Interesting

      You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked

      Bill Gates, that great visionary at Microsoft, famously missed the onslaught of the Internet. He didn't even see it coming until he had to play catch-up.

  7. Re:Yeah, we remember the Zune. by jimicus · Score: 4, Informative

    He can't possibly be talking about the Zune. It came out in 2006; the iPod came out in 2001 and was on its fifth revision by the time the Zune came out.

  8. Translation by folderol · Score: 3, Insightful

    It's everyone else's fault. Not ours.

  9. Re:Cry Me a River by DarkOx · Score: 4, Insightful

    Yes and the worst part is the very argument shows top brass at Microsoft still regard security as a distraction rather than a key design requirement in their products.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  10. Microsoft was run by idiots. by knorthern knight · Score: 3, Interesting

    I remember Redhat 6.x from the early 2000's. It installed with all services+listeners running by default. Stuff like SMTP and RPC and bind was listening. For a Redhat install, the only safe way to install was from CD. Then run "lsof -i" and see what services are listening to the internet, and spend the better part of an hour shutting them down, and/or uninstalling them altogether. Worms like L10n and Ramen were rampant. After a lot of yelling+screaming Redhat finally listened, and stopped installing that stuff by default. Installs could be done without needing a firewall. The worms went away.

    Microsoft was run by a bunch of idiots who wanted everything to "just work". One of the advertising claims for Windows 3.1 was "ease of administration". You could send a script as an email to all users in the office, and they simply had to click on it and it would re-configure their PC as you desired. This worked great in a 10-person office before the WWW. On a hostile web/internet, it was a disaster waiting to happen.

    In order to make things "just work" for home PCs, Windows defaulted to NetBIOS/NetBEUI and RPC all turned on. This was one of the causes of all the worms that spread by portscanning. To make things worse, by Win98SE, *YOU COULD NOT TURN OFF RPC EVEN IF YOU WANTED TO*.

    The "Autorun" mentality was another problem. We all know about sticking a USB key into a Windows machine, and it "automagically" ran stuff. That was not the only such problem.

    Excel had "autoexec macros" that ran when you fired up the spreadsheet. MS' first response was to change Excel to set a bit in the file header of the spreadsheet, flagging that it had autorun macros, and Excel shouldn't run them if the user had changed his Excel config to disallow autorun macros. It didn't require genius for bad guys to save a spreadsheet with autoexec macros, and edit the file header of the spreadsheet with a hex editor, telling Excel that the spreadsheet was "safe". Excel then proceeded to run the autoexec macro when loading the spreadsheet, regardless of the user's settings. That was eventually fixed.

    Outlook Express (known "affectionately" as "Outhouse Excuse") also "auto-rendered" files. This allowed photos to be displayed inline, and music files (WAV, etc) to be played automatically. The "security" consisted of filtering against a list of safe file extensions (WAV, JPG, etc), and then handing off the file to the OS to run. The OS ignored the extension, and determined the file type by checking the file header, then it handed off the file to the appropriate program. So the bad guys renamed "virus-installer.exe" to "song.wav", and it was automatically executed. This is how SirCam and Bubble-Boy wormed their way around the web.

    And then we get to Active X, known "affectionately" as "Active Hacks". This was the mechanism behind so many "drive-by-downloads". What made it worse was that Active-X was rammed down people's throats by Internet Explorer. Let's say you disabled Java, Javascript, and Active-X in IE.

    * Java was Sun's product. You launched a webpage with a Java applet, the applet didn't download and run, but the rest of the page displayed properly. IE "degraded gracefully".

    * JavaScript (originally called "LiveScript") was Netscape's baby. You launched a webpage with JavaScript, the JavaScript didn't run, but the rest of the page displayed properly. IE "degraded gracefully".

    * Active-X was Microsoft's baby. A lot of webpages had Active-X code. When IE came across a page with Active-X, and IE had Active-X disabled, then IE came to a screeching halt, and put up a modal dialogue about how "This page may not display properly". It would not budge until you clicked OK. With all the Active-X applets on the web, IE was effectively unusable with Active-X disabled. Just like UAC several years later, people got sick and tired of clicking "OK" every 30 seconds, and simply enabled Active-X in IE. That was what kept drive-by-downloads going.

    Microsoft have only themselves to blame.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
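The Outlook Express weakness described in the post above (an extension allowlist in front of a loader that trusts the file header) modelled as two checks side by side, as an added example that is not from the post or from any Microsoft code; the signature table, file names and sample headers are constructed for illustration.

```python
# Added example (not from the original post or any Microsoft code). It models the
# two checks the comment above contrasts: an extension allowlist that trusts the
# file name, and an OS-style loader that trusts the file header. A renamed
# executable passes the first and is run by the second; the fix is to require
# that name and content agree before handing a file to any handler.

SAFE_EXTENSIONS = {"wav", "jpg", "gif", "txt"}   # the "safe to auto-render" list

# Constructed signature table: (offset, bytes) pairs that must all match.
MAGIC = {
    "exe": [(0, b"MZ")],                    # DOS/Windows executable header
    "wav": [(0, b"RIFF"), (8, b"WAVE")],    # RIFF container tagged WAVE
    "jpg": [(0, b"\xff\xd8\xff")],          # JPEG start-of-image marker
    "gif": [(0, b"GIF8")],                  # GIF87a / GIF89a
}


def extension_of(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sniff_type(data: bytes) -> str:
    """Classify by header bytes alone, as the OS loader in the post did."""
    for kind, sigs in MAGIC.items():
        if all(data[off:off + len(sig)] == sig for off, sig in sigs):
            return kind
    return "unknown"


def extension_filter_only(name: str, data: bytes) -> bool:
    """The weak check: the content is never looked at."""
    return extension_of(name) in SAFE_EXTENSIONS


def consistent_check(name: str, data: bytes) -> tuple:
    """Allow only when the extension is safe AND the sniffed type agrees with it."""
    ext, kind = extension_of(name), sniff_type(data)
    if ext not in SAFE_EXTENSIONS:
        return ("block", "extension not on allowlist")
    if kind == "exe":
        return ("block", "executable content")
    if kind != "unknown" and kind != ext:
        return ("block", f"content is {kind}, name claims {ext}")
    return ("allow", "extension and content agree")


def triage(attachments):
    """Run the consistent check over (name, bytes) pairs; returns [(name, (verdict, why))]."""
    return [(name, consistent_check(name, data)) for name, data in attachments]


# Constructed sample attachments (headers only; no real files involved).
SAMPLE_ATTACHMENTS = [
    ("song.wav", b"RIFF\x24\x00\x00\x00WAVEfmt "),          # genuine WAV header
    ("song.wav", b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),  # executable renamed .wav
    ("photo.jpg", b"GIF89a\x01\x00\x01\x00"),               # GIF content, JPEG name
    ("setup.exe", b"MZ\x90\x00"),                           # honest executable
    ("notes.txt", b"plain text, no magic"),                 # no signature: trust the name
]

if __name__ == "__main__":
    for name, (verdict, why) in triage(SAMPLE_ATTACHMENTS):
        print(f"{name:10} {verdict:5} {why}")
```

Running it shows the renamed executable passing `extension_filter_only` and being blocked by `consistent_check`, which is the check the post says was missing.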