Microsoft to Focus on Security 720
Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
Come on now... (Score:4, Interesting)
If you look at the other side of the story, this is pretty much admitting that they haven't cared about security at all. At least now they'll release more PR regarding security issues.
Especially if they find that anyone's distributing exploit code.
Re:Come on now... (Score:2, Informative)
In e-mail to employees obtained by The Associated Press, Gates referred to the new philosophy as ``Trustworthy Computing''
Now, of course, they may have deliberately leaked it
Re:Come on now... (Score:4, Insightful)
The last time Microsoft made an annoucement like this, they refocused the company on the Internet, and started hammering out MSIE into a Netscape-killer. For all his faults, once Gates and his people get an idea in their heads, they can turn on a dime and they won't stop until they do what they want to do.
Re:Come on now... (Score:3, Insightful)
Re:Come on now... (Score:3, Informative)
The first versions of Windows were released in the late 80's. Not very many people saw those, because they were sold alongside the first versions of Excel (which not very many people saw either). There was some serious MacOS copying going on in those Windows-es IIRC, except they didn't work very well. Then there was Windows 3.11 (3.1 was so buggy it was quickly replaced by a much needed upgrade version; I doubt anyone here actually used Win 3.1 proper). Then 95 and the (usable, if unstable) upgrades for that. At the same time, MS experimented with a DOS-free OS as well (NT), which, in its 5th incarnation, actually turned into a usable, stable system (Win2K). Windows XP marks the end of the DOS-based 9x series; the consumer friendly aspects of these OSes got bolted onto the Win2k (=NT 5) kernel. By most accounts, it's a pretty decent OS. A resource hog and riddled with security holes, but pretty much as stable as Linux or any other decent OS. I had to use it for a month or so, and it never crashed on me once during that time.
So there.
timing? (Score:3, Flamebait)
Maybe they should have thought of this BEFORE they rewrote the OS?
Re:timing? (Score:5, Funny)
1. To workout more
2. To eat better
3. To be nicer to the people we love
4. To not drink so much
The email closed with a lamentation about how these beginning of the year resolutions never seem to work, followed by a humorous panel from the comic strip "Cathy".
Re:timing? (Score:3, Insightful)
That GUID on WMP? Yeah . . . (Score:2, Offtopic)
Re:That GUID on WMP? Yeah . . . (Score:2, Insightful)
Re:That GUID on WMP? Yeah . . . (Score:3, Informative)
Just because it's possible to fix the hole doesn't make it "Normal slashdot staff overreacting again." Not only does the original report contain the information for how you can turn off the ID, it makes some good arguments for why that isn't good enough.
So no, not an overreaction at all.
Re:That GUID on WMP? Yeah . . . (Score:5, Insightful)
The defaults are everything, Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop(IE), and no other browser is allowed to be there ? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons ?
This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.
Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.
Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...
Re:That GUID on WMP? Yeah . . . (Score:3, Interesting)
The defaults are everything,
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
Re:That GUID on WMP? Yeah . . . (Score:3, Funny)
Re:That GUID on WMP? Yeah . . . (Score:3, Interesting)
Funny, I Don't Feel More Secure... (Score:5, Funny)
Re:Funny, I Don't Feel More Secure... (Score:2)
Microsoft Security: store all your personal information at One Redmond Way so that malicious corporations can't invade your privacy; argue that public disclosure of exploits and bugs are criminal acts.
Standard Corporate Security Policy (Score:5, Insightful)
Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to to!
Grrrr, too many NT crashes, not enough intellegent techs to figure out what went wrong, other than.. oh just reboot!
Re:Standard Corporate Security Policy (Score:5, Insightful)
Problem is, that's not going to do a lot of good if these people don't have the experience to spot security bugs in the first place. The potential universe of exploits is huge, and it includes interactions between components written by different groups. I doubt that they even have the talent base to do this job effectively.
It's possible to create an OS that's secure out of the box; OpenBSD is an example. Now Microsoft wants to get to the same place, but with orders of magnitude more code, a small fraction of the time, and next to zero corporate security culture. This is beyond "trying to have a baby in one month". This is more like putting 5900 women in a room and trying to get a baby in one hour.
Re:Standard Corporate Security Policy (Score:3, Funny)
And as everyone knows, if you put 5900 randomly chosen (American, normally distributed) women in a room, you have to wait roughly 18 days for one of them to have a kid. You actually need 2.5 million to get a kid in an hour, and not even MS employs that many programmers. Though to hear some tell, the Open Source Movement might. Of course, they're predominantly male geeks, so you'd probably have to wait several years before 5900 open source programmers produced offspring, and even then it might just be a replicant.
Re:Standard Corporate Security Policy (Score:5, Funny)
I don't know about the rest of you guys, but I'm buying this video when it comes out.
Re:Standard Corporate Security Policy (Score:3, Interesting)
That's not true -- they were a VAX shop and had a usenet feed and e-mail back in the days of bang-paths. billg@microsoft.com has been a live address for decades.
Back in '89 or so, they made it clear that TCP/IP was going to be the LAN protocol of choice by building it into OS/2 LAN Manager, even though IPX had something like a 90% marketshare at the time.
What they didn't get very quickly was that the WWW (primarily stupid pictures of people's cats at the time) was going to be a major revolution in corporate computing, or that it would be more useful to the home user than a proprietary online service.
Yes, M$ understood the internet. (Score:3, Insightful)
Microsoft executives said the memorandum resembled previous broadsides that have been fired off by Mr. Gates, the company's co-founder and chairman, when he thought that the company's strategic direction needed radical changes.
In 1995, for example, Mr. Gates sent a companywide e-mail message exhorting employees to turn the direction of the Microsoft "battleship" and focus all the company's efforts on the threat of the Internet to Microsoft's business.
They viewed the free comunications media that was growing as a threat. This is why they did not rush to embrace it, but fought to destroy or dominate it. Sure, billg made a vanity web page and company policy was to tell everyone that was all it was good for. I remember it from being there. They rolled netbios out on the majority of their victims and tried to hold off TCP/IP for freaking ever, or at least till winsock was ported from BSD for free and they could steal and sell it. Since then they have done everything in their power to cram their stupid propriatory formats over it by buying out companies and perverting them to spam sites. Like bolshivicks, they seek to disrupt the medium until they can control it. They are evil, and we have yet to see if the internet will win this one but freedom has a way of ignoring snake oil until there is nothing left but a fringe market for fools.
Security on M$ platforms is impossible. There are no real user ID's, nor file permisions built into the kernel or the file system. The PNP hole on port 5000 iw a great example of this. Why did it take so long to find it? Where were the comercial firewall companies that so many trolls like to tout here? You would think that they would have spotted it and closed it if such things were possible on an OS that does not really keep track of all the processes that are running.
As I lost two karma points for in an earlier post, the only M$ is going to be able to provide any kind of security is to follow the Apple example and dump Windows. I imagine they will roll a BSD and make some kind of WINE like compatibility mode. It's not going to work. They are far to behind, after all Apple bought up Next and it still took them years. They canned all their good VAX people and gutted the majority of their work as they shifted focus from their failed Unix killer, NT. I don't think so much as their mediocre korn shell made it to win 2000. The ridiculous proposition of a month long "focus" on security by all of their employees shows that they have an impossible task on their hands. Their sins are all looking them in the face and laughing. Had they spent as much time working with other platforms as they did breaking interfaces, swapping print methods and ruining other companies in general, they would be in a much better position today.
Re:Standard Corporate Security Policy (Score:3, Insightful)
Microsoft's brand name is going down the crapper - faster than you can say "Flush". They MUST do something about their lax security image, or it will only get worse. Read on...
Probably every IT magazine has blasted them about their security practices. People everywhere think Microsoft's security breaches are a joke these days.
What's making them peddle even faster is that Linux is breathing down their neck and getting more and more mainstream. I find a lot of irony in this. Why? Microsoft crushed Netscape and many other companies by giving software away for free. They can do this because they have a huge bankroll and don't need the extra revenue of addon products. Linux is free, too... this hits them dead on where it hurts - their OS market. It was said many times during the Netscape vs. Microsoft browser war "you can't beat free". Only now, Linux and Open Source have something better than a large bankroll. They have practically unlimited development capacity. WAY more than Microsoft thousands of engineers. They also have the hearts and minds of hundreds of thousands of developers around the world. They have goodwill. They have quality and security far superior to Microsoft.
I believe this is the way. Eventually everything gets commoditized. The operating system is next. Microsoft - the ride's just about over. You know it because you're digging your claws into just about every market you can. You're differentiating. Not everyone is buying your differentiated crap, though, are they? Your reputation will follow you wherever you go... remember that.
only one thing to say (Score:2, Funny)
I guess those stories [slashdot.org] suggesting that software companies might become liable for damages arising from security holes put the fear of God into him.
so all those pr0n sites... (Score:3, Funny)
well, atleast maybe I'll get more targeted advertising... ya know, nothing against transvestites, but the pr0n of them in an advertisement just does NOT make me want to subscribe!
That'll work. (Score:3, Informative)
Now they are going to focus on security instead of function.
I have a pocket calculator that adds, subtracts, multiplies and divides. The square root button is broken. I just jammed an RJ-45 cable into the slot where the battery normally goes. It appears to be doing nothing.
I'm certain that my calculator now meets Bill's new objectives. It does nothing, but is entirely secure. Particularly since it is behind a firewall.
Good idea Bill.
-Rothfuss
Now windows is going to suck even more to use (Score:3, Funny)
Hmmm, I think I'll go read slashdot today...
It looks like you're trying to reach the internet, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."
Arrgh, *click ok* (stupid microsoft)
Your computer has begun downloading information, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."
And so on!
Y'know... (Score:2, Insightful)
Anyone else notice this?
internal resistance. (Score:2)
Russ Cooper, a security expert with TruSecure Corporation, said the change occurred in part after a new security team assigned to attend every product meeting met resistance from product teams.
I am not very surprised by this
Customers could also see a downside, though. Other than fewer new features, product upgrades could come less frequently or could be pushed back.
Somehow, this is not a drawback, and hopefully this throws the subsription thing out of wack.
uh micheal? (Score:2, Insightful)
the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem to have a number assigned to you, it's a privacy problem.
Re:uh micheal? (Score:3, Insightful)
Writing Secure Code (Score:5, Interesting)
It's obviously Windows biased with respect to code samples, but it's actually very good.
Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play [microsoft.com] fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,
Re:Writing Secure Code (Score:3, Troll)
Also coming soon from BitterIrony press:
GNU [gnu.org]'s guide to user-frendly UI.
The U.S. D.O.J. [usdoj.gov]'s guide to speedy legal precedings.
And:
Larry Wall [wall.org]'s guide to maintainable code.
Re:Writing Secure Code (Score:5, Interesting)
To whet your appetite, a little excerpt from the beginning about how quickly machines get attacked:
Surely, no one will discover a computer slipped onto the Internet, right? Think again. The Windows 2000 test site was found almost immediately, and here's how it happened... Someone was scanning the external IP addresses owned by Microsoft. That person found a new live IP address; obviously, a new computer had been set up. The person then probed various ports to see what ports were open, an activity commonly called port scanning. One such open port was port 80, so the person issued an HTTP HEAD request to see what the server was; it was an Internet IIS 5 server. However, IIS 5 had not shipped yet. Next the person loaded a Web browser and entered the server's IP address, noting that it was a test site sponsored by the Windows 2000 test team and that its DNS name was www.windows2000test.com. Finally the person posted a note on www.slashdot.org, and within a few hours the server was being probed and flooded with IP-level attacks.
Re:Writing Secure Code (Score:3, Insightful)
Sounds bad. Does that make us hacker terrorists?
Old story versus new story (Score:2, Informative)
Hhhmmm... (Score:4, Insightful)
However, take a look at OpenBSD [openbsd.org]. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.
But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?
Re:Hhhmmm... (Score:2)
Actually an interesting announcement... (Score:4, Insightful)
I'm not surprised that they're hearing about security... and I won't be surprised if they find a way to build it.
Hey, I'm just sayin'.
About windows media.. (Score:5, Informative)
Right. This is not a security problem. This is a privacy issue.
And speaking of which. Many of us have fixed IP addresses. Web sites already track our actions with cookies. Telcos sell information about us to anyone who wants to pay for it. Get over it. We have no privacy to begin with.
If.. (Score:5, Insightful)
Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will
MS Press Release:
"Microsoft released a patch today to save 15K of RAM in explorer.exe"
Slashdot:
Microsoft wasting gobs of memory for extra red-dot in windows logo.
Personally, I say good for microsoft. Microsoft, right now, is an intergral part of so many organizations, and admittedly they have security problems; They could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)
Just my $0.02, Refundable with a $2.00 restocking fee.
Re:If.. (Score:2, Insightful)
Re:If.. (Score:4, Flamebait)
Objectiveness is key.
(AOL-TW-Microsoft-Oracle-KrogerCorp: All your neeeds. Period. If we don't make it, you don't need it. Sit, and Vegitate.)
thought of the day:
Do you think for yourself, or do you just think you think for yourself?
Re:If.. (Score:5, Insightful)
Sure, I watch CNN. Maybe I pick up Time occasionally, but I'm aware of who they are and what they are doing. If I want to avoid their media conglomeration entirely, I can. And if I do, it doesn't affect me. (Of course it affects the society around me.)
Maybe I don't hear the incessant ads for AOL on CNN, maybe I have to use a smaller ISP. I think I can live without those things.
Microsoft, on the other hand, by trying to extend its monopolies, is targeting my ability to communicate with other people. I can choose not to run Powerpoint or Word, but if 90% of the people around me only speak that "language" I can't see what they're saying. I can choose not to run IE, but if I can't read half the web because of it, I've lost. If I choose not to use Window's Media Whatever-its-called, I might not be able to hear the music I want to. And of course if I choose to run Linux, I can't even choose not to use all these MS products.
When this happens, I've not just lost out on being able to use MS's products, but on a larger part of my world.
AOL/TW is trying to control the content. MS is trying to control the underlying language. I find MS's intrusions more threatening to my lifestyle.
Tradeoffs (Score:4, Interesting)
The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies. Though I don't think most people on this forum view those two strategies as a "good" thing, it appears that they've worked rather well for MS up until now.
So the $50,000 question is, can Microsoft focus on security without falling behind on those other fronts? And if they have to slow down on their speedy rollout of new products and features, will they suffer in the marketplace?
If MS can do security and still be as quick-to-market as they were before, they're probably going to be in a very good position. If, on the other hand, they are forced to make a tradeoff-- of speed and quantity for security, for instance-- then it might be a whole different ballgame. Worse yet, they might wind up compromising on both fronts.
Re:Tradeoffs (Score:3, Interesting)
I think one of the problems at Microsoft (and this was displayed eminantly in a story my uncle (who works big time in multimedia) related to me once, but which I won't repeat in its entirety because I'm tired and lazy.
In the story, though, there were a team of programmers at Microsoft working on a project (don't know which), and they gave a presentation to Bill Gates himself, telling him when it would ship. He responded by getting angry, and telling THEM when it would ship - bumping up the release date by a huge amount.
Well, the programmers had to work their asses off to meet the release date. They worked overtime, some burned out, some dropped by the wayside, some quit. Seriously undermanned, they missed their new release date, but the program did eventually get released - on the day that they'd originally said it would get released.
The only difference is, now they have lost several key programmers on the project, the ones they have like their job far less than they used to, and the code is rushed for no good reason.
I don't know if this story is true, or, if it is, if that still goes on today, but I get the feeling that it is, at least in part, a good indicator. What reminded me was the mention of 'rush-it-out' philosophy PLUS always being late with their products, both of which are still true today (remember how Win2K/ME were supposed to be WinXP? Remember Win93? Win94?).
Just my two bits.
--Dan
Re:If.. (Score:5, Interesting)
I think basically you are saying that when Windows' technical deficiencies disappear (which in itself makes the dubious presupposition that one size might fit all), there is no longer any reason why we should oppose them.
This presupposes that such is the case right now; i.e. that we are opposing Microsoft because their code is supposedly so horrible.
But that's bullshit. I have to admit I don't know myself where all the folklore of lousy Windows performance and lousy Windows stability came from. Sure their software can run slow. But have you looked at GNOME recently? And as for security, granted their track record is very bad. But at least they don't ship with telnet, right [redhat.com]? Besides there is nothing like designing security for a piece of software that runs on 95% of the desktops in the world.
So it's all relative. In any case, I'll tell you the real reason why we should oppose Microsoft: because whatever business you are in right now, if you're successfull, it will be Microsoft's business next week. That's why we need to oppose Microsoft.
Re:If.. (Score:5, Insightful)
Declare victory. I think Linus once said, "If Microsoft starts producing good software, we've won."
Personally, I think this is the goal: to get good software. I enjoy the fact that currently the best software around doesn't cost me any money to obtain. But I'm not going to maintain some sort of religious fanatacism about it. If better software comes along that costs money, I'll buy it.
How many of you play only free games on your computers? Me either. I play Q3A or SimCity. I paid for them. Why? Because they're better than the free stuff. I'll pay for an OS too, if it's better than the free stuff.
Re:If.. (Score:3, Interesting)
Unless, of course, this is the classic (I need "Word" because everyone else has "Word.") What amuses me about this is how quickly we forget. Just 7 years ago Word was the upstart. WordPerfect was the defacto standard. Word 6 was the first version of Word that wasn't a joke and Word95 was the first to make major inroads.
An earlier post ask why Microsoft is so reviled. The simple answer is that they use a monopoly in systems to extend a monopoly in applications. At this point, Office is a monopoly in itself. They are positioning themselves to be the monopoly media platform, net service platform, etc.
After seeing them do this enough times, you start to have Capt. Kirk's feelings about Klingons (be sure to add the excessively dramatic emphasis Shatner adds when you read this): "DON'T belive them! DON'T trust them!"
I'll be very happy if I never have to do another thing in a Microsoft OS ever again. I don't right now. When people send me things in Word format, I politely inform them that I don't use Windows. I'll do the best I can with OpenOffice to read and use their stuff, but maybe they should consider using RTF or HTML, since these are open standards.
Wow! Not only did I get dragged in by a troll (intended or not), but I slipped off into a rant! Why should I be any different frm the average slathering slashdotter...
Microsoft Focus (Score:3, Interesting)
But what would Slashdot do if Microsoft changes? They'll go on. Slashdot is not the anti-Microsoft site. There would be plenty of other news if Microsoft dropped out of sight tommorow. Microsoft just manages to do things often enough to become a prime subject of this community.
Microsoft constantly stands out from their peers. The IT industry is full of large, powerfull corporations. They all put out products that could have their merrits debated. They all make marketing claims, promise things to their customers, and set company policy that impacts end users (including Slashdot readers). Yet somehow Microsoft manages to raise to the top.
Sure, there is over-the-top bashing of Microsoft (ignoring Microsoft's own PR, reputation for FUD, and zelous proponents). But there are also lots of legitimate grieviences ranging from product quality to Microsoft's marketing tactics.
Microsoft gets attention because they deserve it.
When Microsoft changes its ways, they will fade in to the background with other industry leaders like IBM. And the news will march on with or without them.
Re:If.. (Score:3)
Re:If.. (Score:4, Insightful)
Ballmer said they have a "popularity bug". It's no bug, it's by their own design. They've earned their place in the hall of shame. They want to win everyting, regardless of what's good for the people around them. Some people call that "hardball", but I call it antisocial.
The question, then, is why should we believe Microsoft is really going to change anything? Why isn't this just another publicity stunt? They've lied to everyone many times, including falsification of evidence in a US court of law. If Microsoft magically transfigured themselves into a perfect company today, it would still take many years before I would trust them.
-Paul Komarek
this is a good thing (Score:2, Interesting)
Other than security problems and product activation, I have to admit, that XP is actually a nice product. I may not agree with a number of its design decisions (stuffing things into kernel space that don't need to be there, building the GUI into the kernel, Microsoft ASCII text,etc), but it IS very feature complete for the average end user.
I still won't run it by choice (FreeBSD baybeee), but having to *support* the platform will be a lot less hassle...
just my US0.01c (damn pathetic aussie dollar...)
smash
Is this like internet day? (Score:5, Funny)
Of course, by that I mean Microsoft finally understanding something several years after the rest of the world "gets it?"
Re:Is this like internet day? (Score:2)
Your jibe would carry more weight if only you could surf the internet without using Microsoft internet software in some way, be it a browser, streaming media format, or web server.
Microsoft, like any huge company, is often late in 'getting something.' But once they do, they have a remarkable ability to use their [monopoly] power to dominate in that area later.
They're serious about fighting Open Source (Score:3, Insightful)
What I really hate to see, however, is that we're not doing too much about it. In fact, the only new thing is Lindows, and I sincerely hope they live up to the hype. Unfortunately, Microsoft has realized that Joe Average Consumer *dosen't care* about anything that is not the easiest way to go; even in the server market the PHBs will stick to MS until they see something like the Gartner Report or the FBI declaring Windows XP to be insecure (or whatever).
IMHO, a good part of the Open Source world needs to focus on making Linux a real competitor on the desktop market; such as idiot-proof install programs that need *NO KNOWLEDGE OF PARTITIONING* (and just ask, "do you want to install Linux on separate hard drive, or should I resize your Windows partition to X gigabytes and install it on this hard drive) and autodetect hardware (X Windows configuration is a *REAL* pain in the derriere if you don't know much, if anything about computers, for example) and whatnot. In order for Linux to be a real competitor for the computer of Joe AOLuser, it should take advantage of almost (or as much or more) autodetection/idiot proof default settings as Windows.
Now I know, I know, we aren't after Joe AOLuser, but in order for manufacturers to keep making Open-Source compatible hardware, THEY NEED MARKET DEMAND. It's far easier to cave in to Microsoft if it means losing 5% of sales (to hardcore geeks) than if it means losing 50% of sales (to Joe Average User). And yes, I just pulled those figures out of my hat, but I wouldn't be surprised if they were true.
Re:They're serious about fighting Open Source (Score:4, Informative)
Remember that visit from the FBI about XP? (Score:3, Interesting)
What probably got their attention was the recent visit from the FBI. Something most people forget is that one of the primary responsibilities of the FBI is counterespionage, and it doesn't take a genius to figure out how much damage a subtle virus could do on government computers. (Esp. after other countries had sensitive documents leak out with that "I write you for your advice" virus.)
We'll never know what the FBI told them... but we can guess based on what we now know. Every group must explicitly consider security issues, senior management remindning the troops to take it seriously. Maybe this is my one cynical-free day each year, but I really don't see this as an ploy to attack open source software such as Samba. I think they finally understand that they have a serious problem.
But, ironically, I'm now concerned that they don't have enough experienced security people. The corporate culture just hasn't encouraged development of the right skills. Any semi-decent programmer can check for buffer overflows and the like - even automated tools can do that in many cases now - but true security comes from an ability and willingness to challenge the most basic assumptions, to question the most sacred code, etc.
Could this be the death of Linux?? (Score:2, Funny)
Linux and the open source movemnet will most certainly never die, but I would really like to see a day where mom, pop and granny all used Linux, most games and popular software ran natively on it, and windows was a weird "fringe" thing like Macs.
I honestly believed we could pull it off in 5 years, 10 tops. But with the full resources of a gigantic monopoly turned to focus on what has always been our strong point, dear lord, what are we going to do now???
Worse than that, what if ole Billy also decides to make it a lot faster? What if the deepest pockets in the world turn to actually making windows a decent OS?
Re:Could this be the death of Linux?? (Score:2)
I know plenty of bloated hackers who run linux.
Worse than that, what if ole Billy also decides to make it a lot faster? What if the deepest pockets in the world turn to actually making windows a decent OS?
Then I'd start using it. Linux is best suited for servers. That may change in the near future, but for now Windows has the desktop market and isn't going anywhere soon. If MS actually does manage to improve Windows security and stability, the end-users can only benefit.
-Legion
Thoughts (Score:5, Interesting)
Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable [slashdot.org] database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On
I can see it now... (Score:2, Funny)
A)bort R)etry I)gnore
=tad=
Security risk? (Score:4, Insightful)
Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem. It's a privacy problem.
If it posted the user's passwords, executed arbitrary code, or removed network firewall configurations, then it would be a security problem.
Re:Security risk? (Score:3, Insightful)
Information security is the protection and preservation of any data/information about or in the possession of an organization. One way you protect your information is through good "computer security". However, good IT security departments are also concerned with (among other things) backups, contacts with law enforcement and press agencies and legal issues. None of which appear to fall into your definition of security.
It is common for system administrators and developers to view "security" in the context of "computer security." Paranoid IT security trolls [TM] usually adhere to the second view.
Privacy is also a subset of information security -- think about the relationship between privacy, information and social engineering for a minute.
I'm not saying that in this particular case that this privacy breach is an invitation to massive social engineering. I am saying that privacy issues are security issues.
It's also rather misleading (Score:3, Informative)
Now I'm someone who will cherily click past a click-through license agreement without reading it, but Microsoft still managed to draw my attention to the existance of this ID, then told me what benifits it gave, and then how to disable it (which I did).
(They didn't mention the supercookie privacy bug tho
When you install WMP7 it brings up a Privacy Policy dialog (and those words immediately make anyone who would actually care [about web pages being able to collate info about them etc] decide 'this is something I should read') which explains pretty much in bullet points every aspect of WMP that might violate your privacy, what advantge you get by having it on, and how you can turn it off (including the Content Rights Management). You then have to tick an "I have read the privacy policy" checkbox before you can continue the install.
In that sense "an obscure option in WMP which is barely documented" is complete bollox. However, I imagine it's possible (now or soon) that you could buy a machine preconfigured from the store with WMP7, and not be provided with any information, or warning.
Windows2000 (SP2) comes bundled with a much earlier version of WMP so no worries there, but I've not looked at XP.
My question for anyone who has bothered to read this far...
(I'll word the same question it 3 different ways)
Is this just a bug, or would the only way to fix this bug defeat the entire purpose of the ID? / Can this feature exist without the side-effect? / Is it a side-effect or just the other side of a double edged sword?
Re:It's also rather misleading (Score:3, Informative)
Win2KSP2 has WMP 6.4. It's in there.
View => Options => Player => Allow Internet sites to uniquely identify your player
Uncheck the box to fix.
Open security issue on their site... (Score:2, Interesting)
Two questions (Score:5, Interesting)
Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?
I'll believe it when I see it... (Score:2)
We all remember Jim Allchin saying that XP was "the most secure Windows ever." And everyone here knows about the UPnP bugs that were discovered the day XP was released. Their other recent announcements lambasting the process of full disclosure by Scott Culp also show that they have no real commitment to providing decent security in their products. Well, if this word from BillG is supposed to mean anything, we ought to see it in action. Unless "trustworthy computing" is supposed to mean trusted computers (a conceptual fiction) for use with digital rights management...
Subject (Score:2)
It's about fucking time.
In other news, why does this story have a Borg logo on it instead of the Monty Python foot?
-Legion
Paying for results... (Score:2)
If you know anything about managing people, that is probably the #1 way to get people who don't really want to do something to get results. Sounds like while it may be in part a PR stunt, it really is a serious push by Gates.
-Pete
"Trustworthy Computing" is an Innovative Term (Score:4, Insightful)
"Trustworthy Computing" doesn't necessarily mean "secure computing." Microsoft wants you to think that, though, just like they want you to assume "we're innovating" means "we're making products better for you." (Incidentally, MS's definition of "innovation" means "finding new ways to solidify our market position.")
Anyone remember Bill Gates's deposition [washingtonpost.com] in the MS antitrust trial? His version of the English language is so far out of whack he spent most of each session professing to have no understanding of common words and terms.
In this case, "Trustworthy Computing" means "convincing computer users that they don't have to wory about security... that they can trust MS."
Re:"Trustworthy Computing" is an Innovative Term (Score:3, Insightful)
Have you seen how much hype has gone into web services, with Microsoft acting like they were the first ones to the table? Arg.
You should be afraid... (Score:5, Insightful)
I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.
How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.
Extrapolate amongst yourselves.
Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?
Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?
Re:You should be afraid... (Score:5, Insightful)
Re:You should be afraid... (Score:3, Funny)
Until then, I for one will keep laughing.
Re:You should be afraid... (Score:3)
On what planet? Netscape is sitting around 8% of the browser market.
RealAudio is closed
And so is the software MS used to kill it. Your point??
Haven't you heard of Apache
He said servers on Windows and he was right.
He can talk the talk... (Score:5, Interesting)
To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
Microsoft's Acceptable User Parameters (Score:5, Funny)
Translation: [serious] Users should be made to think that our ideas of how their data should be used are also their ideas.
-or-
[humorous] Microsoft should be in control of how its users are used.
Seriously, though, all those who fit Microsoft's definition of user already think they are in control of their data. They believe that Microsoft provides them freedom to do what they want. Look at those Windows XP flying commercials. People actually believe that stuff. Just a thought.
Water to focus on being dry (Score:2)
Security for whom? For end users or... (Score:2)
Check out the last paragraph (Score:3, Interesting)
Ok, what the heck does that mean? Unless Microsoft plans on solving the trusted client problem, once I send you an email there is no way I can control how you use it. The only thing I can think of is letting users add a header to outgoing email, and if it was present Outlook would not allow copying or saving when the recipient viewed it. Of course anything like this is trivial to defeat, resulting in the illusion of privacy rather than actual privacy.
security, programmers, human nature... (Score:5, Insightful)
Properly securing products isn't fun.
Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.
Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."
All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.
Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.
Microsoft can do this if they want to (Score:3, Insightful)
First, Microsoft has finally flushed the security-hopeless operating systems (DOS, Win3.5x, Win95, Win98, WinME) out of their product line. The current product line is Win2K and XP, both of which have reasonable underlying security machinery. It's not well-used, but it's there.
Given a reasonable underlying OS, it's quite possible for Microsoft to arrange things so that all executable content executes in a "jail". More generally, a security distinction has to be made between what the user is doing and what external content is doing, and the OS kernel has to enforce this.
If MS does this right, it won't matter if IE has security holes, because trouble will get no further than the current IE document.
We're all going to be doing a lot more forking and IPC.
Just Like Ford... (Score:3, Interesting)
Here's what this means... (Score:3, Flamebait)
Am I going to trust Microsoft? Ever? (Score:4, Interesting)
Why?
Because I know how Bill Gates' mind works, and if I can't see the code, I'm not going to run it. Yes, us Linux sysadms have a rep for being paranoid bastards. Yer damn right we are, and proud of it. That's what's kept me virus-free and crack-free the last five years, watching boxes powered by You Know Who drop like flies.
Linux isn't perfect, no, but it'll take him a minimum of 2 years to get his codebase in order even with the army of people he's got.... and by then we'll have our world domination, and they'll be putting Linus' picture behind that Borg eye rather than Bill's. We might even get Mozilla to 1.0, who knows.
But, seriously. Even if l0pht and friends were to publish with much fanfare, "holy penguins! I can't crack this thing!" I still wouldn't buy it, and not just because I'm opposed to getting on this $100 every eighteen months to upgrade kick.... Not when I can run a product I personally helped design if not build. And can look at the code and see that it is good... or fix it if it's not. And there's huge advantages to being able to talk to the guy that wrote it.
Real-life situation, several weeks ago. I had a problem with the Mylex raid driver. Sent email to the guy who was listed in the headers for the source. A little email tag ensues. Eventually he sends me a patch. cut, paste, compile, init 6. Blammo. It worked. Total elapsed time, about 48 hours.
You will never get that out of Microsoft. Ever.
Then there's the principle of the thing. The Borg's stated objective is to take over the world and have it for his own. I'm not giving aid and support to that cause. I'm giving aid and support to another guy who wants to take over the world... and set it Free. I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.
--
Nuke'em from orbit.
It's the only way to be sure.
A slightly different view on this... (Score:4, Insightful)
Look at it this way. Developed countries have a set of systems that can be defined as critical infrastructure. These maintain the operability of a nation on a day-to-day basis. If any of these systems break down, then society will follow down too.
Some examples? Well... water, power, sewerage, welfare, health, emergency services, police and justice, banking, government, communications, and one of the latest additions would have to be IT.
IT must been damn close to being critical infrastructure, if it isn't already. We all know MSFT is very dominant in Operating Systems. Their systems are being used within many of these critical services, which would tend to suggest that MSFT is already inextricably linked to the other critcal infrastructures.
Already countries overseas are opting for alternatives to MSFT because of some of the risks that their products provide. Govt's of Germany, France, and others are looking for more 'trusted' IT products - partly for cost, but also because some of the systems are critical.
MSFT didn't have any choice but to accept security, much as they had to accept the Internet in '95. If they didn't, they would see dwindling market share, and their products being dropped from IT solutions involved in critical infrastructure. So, they have to get on the 'trusted' bandwagon to maintain market share. Govt's do spend a bit of money on IT after all.
Story's moved (Score:4, Informative)
Take this seriously (Score:3, Insightful)
There seems to be a feeling that MS aren't doing this sincerely. Maybe not they're not but we can't possibly know that yet. I think there is every reason to believe they will go through with this. Does anyone remember what happenned when Bill Gates realised his company had taken its eye of the ball by ignoring the internet?
They will tie Passport to "Trustworthy" (Score:3, Interesting)
Vendors will have to use Passport in order to get a "Microsoft Trustworthy Computing" seal on their website (have they trademarked that fucker yet?).
Users attempting to access Commerce sites without Passport integration will be warned with a big "THIS SITE NOT MS-TRUSTWORTHY-CERTIFIED!" messages.
After all, every consumer knows you need a big, familiar, feel-good corporation like MS to ensure your Internet security and privacy...
M$ already own the technology to kill buffer issue (Score:5, Interesting)
Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
"Nicholas C. Weaver"
Sat, 5 Jan 2002 13:15:52 -0800 (PST)
I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.
However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.
There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).
An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.
The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.
What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which
could otherwise be prevented?
[1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp 203--216,
[2] "Omniware: A universal substrate for mobile code"
Nicholas C. Weaver nweaver@cs.berkeley.edu
Why they won't do it...even if they are serious (Score:3, Interesting)
Security is one of those things that is required to come at the planning stage of any product -- not as an afterthought during the coding and test stages.
MS needs profits to buy new companies so they don't have to pay divedends. They need big profits so that the stockholders will be happy with the 'value' of MS as a whole.
Yet, the software side of thier business is a stagnent market -- huge and captive but not growing as it used to. Because of that they need to retain customers and get them to upgrade on a regular basis (subscriptions everyone?).
Then, we're back to the schedule and the features and security getting short shrift.
Does anyone expect it to be any other way?
Microsoft does not consider it a security problem. (Score:3, Insightful)
That part is really central to the problem.
Microsoft has been the dominant player for so long now (what, about 15 years?) that it has become complacent and arrogant. They can say, with all credibility,
even if it grates on the ears of their competitors and users.There are definitely some brilliant people working in Redmond, but if they are managed by the same people that bred this culture of arrogance, then only rare glimpses of that brilliant work will be revealed to the world. Most of that good work will be muffled and warped beyond recognition under various business pratices such as supporting Windows, leveraging Office, promoting .NET or whatever the fad (cf, Trustworthy Computing) of the day happens to be.
The sooner that megalithic company is split into smaller pieces the sooner it will have a chance to bring genuinely good products to the marketplace.
Comment removed (Score:3, Interesting)
MS websites and browser security ... (Score:3, Funny)
Re:AND THE TOP STORY... (Score:2, Funny)
The New PR Spin (Score:2)
Some people think Bill invented the Internet. Now is his chance to invent the Microsoft System for Secure Computing (TM), which will include all of thosde features that MS wants first, and maybe a few that you feeel are important as well.
Microsoft Planet here we come! =8~|
Re:Do we Trust Bill on this? (Score:4, Funny)