Craig Mundie Blames Microsoft's Product Delays On Cybercrime

whoever57 writes "In an interview in Der Spiegel, Craig Mundie blames Microsoft's failure in mobile on cyber criminals. Noting that Microsoft had a music player before the iPod and a touch device before the iPad, he claims a failure to execute within Microsoft resulted in Microsoft losing its 'leadership.' The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering. The criminal activity in cyberspace was growing dramatically ten years ago, and Microsoft was basically the only company that had enough volume for it to be a target. In part because of that, Windows Vista took a long time to be born.'"

Cyber criminals

Yep, cyber criminals armed with chairs...

Re:Cyber criminals

[K.+S.+Kyosuke]

Hah, wait till Chair Man comes to the rescue! (I know the public identity to his secret one, but I won't tell!)

Were MS Assets Available?

[BoRegardless]

If MS had wanted to start a new division for mobile devices, it had the cash to do it. Mundie's excuse doesn't cut it.

If what he is saying is that he and Balmer are so much of a micromanagement team that they couldn't handle one more project and still tell everyone what to do, I can buy that as an excuse.

Re:Were MS Assets Available?

[DarkOx]

That and attempting to duck responsibility for the security situation is a little pathetic too. Yes, the people responsible for crime are the criminals. If someone hacks you trashes you site, steals you trade secrets whatever that cracker is the responsible party. Just like if someone breaks the glass in my window reaches around and opens the lock, they own the breaking and entering. That does not mean however its not a good idea take steps to protect you valuable assets, because we know there are bad actors out there.

The reality is most of us want an operating system where the security controls are effective. Microsoft was forced by the market to 'focus on security' because businesses really were going to start jumping ship for alternatives like Apple desktops and Linux in back office (an in some cases the front office too). If Microsoft had made a correct allocation of resources to security in the first place they would not have to sideline so many other efforts to fill in the deficit later.

Re:Were MS Assets Available?

[MysteriousPreacher]

I feel for Mundie. My construction business went through something similar. After many happy years of designing and building sub-standard residential properties, we were caught off-guard when people began to exploit the tendency of our houses to catch fire, explode, and be easily burgled.

As the largest builder of houses, we were a common target. We lost our lead in commercial buildings because we had to devote a lot of resources to learning how to build houses that lasted more than a few days.

it's easy in hindsight to say that electrical insulation is useful, or that gas pipes should not leak, or that front doors be made of something more sturdy than cardboard. Back then we had no reason to assume that anything of those things were ever going to be important, and I assume everyone built houses that were prone to sudden annihilation.

We're not entirely blameless. This would never have happened if people had kept naked flames at least 30ft away from the houses. The cardboard doors on the houses not at the time exploding and/or burning, was only an issue because criminals were trying to burgle houses.

Never designed to be network-aware

[jabberw0k]

Windows (and MS-DOS before it) was not originally designed to be network-aware, much less network-safe. MS-DOS was a thinly disguised clone of Digital Research's CP/M, circa 1974. CP/M, as a personal computer operating system, was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

It was no surprise to anyone that an operating system that treats all programs and operations as fully privileged, when connected to a global network, treats everyone in the world as a sysadmin. Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them, without horribly breaking every existing application.

That they succeeded even a little is a triumph of engineering.

But they would have saved everyone, including themselves, a huge amount of time and money by using something more UNIX-like as the design basis of Windows NT in the early 1990s. Apple learned that lesson with OS/X. Microsoft had Xenix years before, but threw it away. We, and Microsoft, are still suffering the consequences.

As so-called "smart" phonecomputers and tablets further fragment the marketplace, it won't be the PC that "goes away" but, at long, last, Windows and the CP/M heritage. The UNIX way wins at last... Huzzah!

Re:Never designed to be network-aware

[Alomex]

was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

pffffft (spits coffee out) Unix security what?

Unix was designed as an experimental operating system for a lab setting and hence had the weakest security of all OSes at the time. In fact, old timers will remember the common quip from the 80's and early 90's: Unix security is an oxymoron.

Here's a sample quote from 1986:

"UNIX Security" is an oxymoron. It's an easy system to brute-
force hack (most UNIX systems don't hang up after x number of login
tries, and there are a number of default logins, such as root, bin,
sys and uucp). Once you're in the system, you can easily bring
it to its knees (see my previous Phrack article, "UNIX Nasty Tricks")
or, if you know a little 'C', you can make the system work for you
and totally eliminate the security barriers to creating your own
logins, reading anybody's files, etcetera. This file will outline
such ways by presenting 'C' code that you can implement yourself.

For example: 1) the original Unix did not even have disk quotas. 2) as late as the early 1990s any regular user could bring the entire system down with a simple stty command, 3) wall used to be enabled to all users by default which included the ability of writing control characters in someone else's TTY 4) the password file containing the encrypted passwords used to be publicly readable which opens the system to offline attacks 5) to this date, *nix does not support well the concept of application ownership of a file which leads to programs requiring their own user account, which is another kludge.

Unix security today is a hard won battle by many people who patched up the original Unix system. Even so it is still subpar compared to big iron mainframe security.

Re:Never designed to be network-aware

[terjeber]

Oh, there are so many mistakes in this drivel that I am at loss as to where to start. Well, let's begin at the beginning.

Windows (and MS-DOS before it) was not originally designed to be network-aware

And how is that relevant? The Windows NT source code is not based on, and contains no, DOS code. DOS, and Win16 software runs in emulation on Windows since Windows NT, that is Win2K, WinXP etc. There is very little difference between the way Linux runs Win16 software (on Winw) and the way WinNT based OSs run Windows software. WinNT was designed from bottom-up to be a network operating system. In many ways, it has far more network awareness and security built in than does, for example, Linux.

The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

draconian measures taken by "mainframe mentality" operating systems like UNIX

BZZZZ! WRONG! Unix was written as a "personal" operating system that would be a lot simpler than the operating systems under "mainframe mentality" (whatever that was at the time) and would free its users from the rigors of time-share systems etc.

no surprise to anyone that an operating system that treats all programs and operations as fully privileged

Windows hasn't done that since before Win2K. In WinNT (but that was sadly later dropped) a Microkernel mantra was used, where even most drivers ran in user-space rather than in kernel space. Graphics drivers were later (in Win2K as far as I can remember, but don't quote me on that) moved to kernel space.

Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them

Oh, so wrong, so wrong. Clueless drivel in fact. Windows NT had far more security features than most desktop Unices at the time, and Windows still has a much more sophisticated security model than, for example Linux. Even the basic file system security of Windows is heads and shoulders above most Linux file systems.

Honestly, if you want to post about the technical underpinnings of something, you really should get a basic clue fist. Repeat after me
There is no DOS code in the Windows operating system.
Windows was built from ground-up based on VMS as a network-aware, multi-user operating system
Windows has better file and run-time security than almost any personal operating system in use today, including OS/X and Linux.

That, you see, is reality. Not the nonsensical drivel you posted.

Re:Never designed to be network-aware

[CajunArson]

Shush you! Your irresponsible knowledge of history and politically-incorrect use of "facts" are getting in the way of us praising the perfect security of anything associated with UNIX!

Now excuse me while I go purge my SSH logs of all those pesky login attempts that I'm sure are all coming from only Windows machines since Microsoft forces everyone to use SSH on Windows. I'll ignore all those nmap reports that indicate the attack machines are actually compromised Linux boxes in Asia since its theoretically possible for someone to lock down a Linux box, therefore ALL Linux boxes are always perfectly admined and cannot be hacked!

Re:Never designed to be network-aware

[Waffle+Iron]

Windows (and MS-DOS before it) was not originally designed to be network-aware

And how is that relevant? ... The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

It's relevant because for many years they shipped their OSes configured "out of the box" to bypass or hobble much of that wonderful-on-paper NT security model. This was so they could preserve the nonrestrictive DOS/Win95 the user experience that people were so used to. The security technology might as well not be there if nobody actually uses it.

This problem was compounded by a lack of quality control on much of the system code outside of the kernel itself. Remember when the half life to 0wnage of a fresh XP box connected to the Internet was measured in minutes?

Obviously the dog ate their decent designs...

[tylikcat]

He's discussing the time period right about when I finally bailed on MS. I had been trying to be a security advocate for my group for a couple of years - and was told over and over again that users don't want security, and who cares? (Admittedly, the group I'd worked for before that, which was more server focused, was also more security focused.) ...and then the security initiative began, and while I was cheerfully packing up my office, I suddenly had coworkers stopping by, picking my brain and trying to get me to give them my phone number so I could, continue to work for the company I was so eager to depart from, for free. And, of course, the security infrastructure they produced was incredibly annoying and non helpful for most users. (Somewhere in here my not particularly computer literate mother switched over to linux.)

Of all the stupid statements I've heard coming out of Microsoft about why they have made lousy products and terrible missteps which were, inaccountably, not embraced by customers, this has got to be the stupidest.

Mobile? The core problem continues to be that mobile is much more about hardware (which Microsoft itself has finally acknowledged). And even aside from the hardware, more about clean interface design than market dominance.

What bufoonery.

Here we go...

"Microsoft was basically the only company that had enough volume for it to be a target"

Tying security to volume of installs shows, to me, a lack of understanding of the actual models underlying the operating systems.
Windows is an entirely different creature from say Linux. Linux is merely the kernel, everything else is a package. A properly secured linux box, (proper PAMs, selinux, permissions, Least user privs, and minimum packages) != a hardened windows box. They are not even close. Volume has little to do with the security models. I hate that is always pops up. As if.

Well duh

[Solandri]

The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering.

You took an OS which effectively ran with superuser privileges (DOS) all the time, and added a graphical shell on top of it (Win95, Win98). You then tried to switch it to a more secure user / superuser model, but you made it so inconvenient that it was easier for everyone to just run as superuser all the time (NT, 2k, XP). Finally you started trying to enforce running as a regular user except when needed (Vista). But the industry had had a decade to acclimate to running as superuser, so you were met with so much resistance you had to scale it back (7). Of course you're going to have a huge security problem.

You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked, and that user vs. admin privileges were going to become very, very important. But no, you took the easy way out and stuck with the one-computer one-user model, and you've been paying the price for it for the last decade and half. You made your own bed; it's disingenuous to now blame someone else for having to lie in it.

Part of being a good leader (of a group, country, market, whatever) is to foresee and recognize what's going to become important or a problem in the future, long before your followers do. A good example is what the NSA did with DES. They had done enough secret research into DES that they knew of a vulnerability; and when DES was proposed as a standard they made some secret changes to it which eliminated that vulnerability before the public was even aware of it. Your job as a leader is to act on that foresight, even if your followers can't see what you see and complain about it. If you can't do that, you just aren't cut out to be a leader.

Re:Well duh

[QuietLagoon]

You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked

Bill Gates, that great visionary at Microsoft, famously missed the onslaught of the Internet. He didn't even see it coming until he had to play catch-up.

Re:Yeah, we remember the Zune.

[jimicus]

He can't possibly be talking about the Zune. It came out in 2006; the iPod came out in 2001 and was on its fifth revision by the time the Zune came out.

Re:Cry Me a River

[DarkOx]

Yes and the worst part is the very argument shows top brass at Microsoft still regard security as a distraction rather than a key design requirement in their products.