Microsoft: Trust and Antitrust

Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about Microsoft's behavior, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.

Life after Microsoft

[fruey (563914)]

For those Francophones / Germanophones amongst us, tonight on ARTE (TV channel available on terrestrial and digital satellite) has a problem "Life after Microsoft" which should make interesting viewing. around 20:45 CET I believe.

Brainwashed geeks?

[Maskirovka (255712)]

"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.

No comment needed.

Re:Brainwashed geeks?

[MinusOne (4145)]

> "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.

I was surprised by this quote too. The implication that developers at MS are some sort of automatons taht are easily brainwashed is amazing. I'm no fan of MS, its products or its tactics but the developers who work there are robots. I have found the MS people I have met to be pretty party-line company guys but they did have brains and were capable of independent thought.
The other problem with training like this is that without reinforcement from management it is not terrible useful. Sure some of the developers will "get religion" and will be absolutely scrupulous about writing secure code, but others will get lazy, forget the training or go back to old bad habits. Without code review and standards enforced by management in some way training is ineffective.

Silly debating tactics

[hey! (33014)]

<obligatory disclaimer of being fellow microsoft detester omitted/>

C'mon. He's making a good point about geeks -- you can use their love of learning new stuff and putting it to use makes it possible to change their collective direction quickly. It's a valid insight.

Microsoft has been able to exploit this better than any other large company. It's a matter of hiring the right people. They don't always get the right direction, but they can be moved rapidly when necessary. Remember Microsofts total lack of preparation for the Internet a couple of years ago? Now we're worrying about the possibility they may coopt it.

I would view a similar microsoft shift towards more trustworthy software development practices as an unmitigated good. You can't dominate the field of "trustworthy" software. It's just about producing higher quality software, which benefits both their customers and even people who aren't their customers (how many non-windows sites suffered collateral damage to Code Red).

The problem is the inevitable PR baloney that goes with it. Perhaps Microsoft sincerely wants to produce more trustworthy software; this is good. However they want their customers to trust their products right now, so they're trying to make them think that most of the problems have been fixed by a gargantuan effort. This is bad. You can't fix years of shoddy work with a couple of months of auditing. Fixing security problems is, I don't know, but I'd guess at least a ten times as hard as avoiding them in the first place.

A little humility would make people who know better feel a bit more comfortable that this is more than PR hype.

Re:Brainwashed geeks?

[Zapman (2662)]

This quote struck me as odd as well, but I got to thinking about it, and I think I see at least where he was going.

We geeks tend to be facinated by "the newest thing", and rush to try it, and then preach it's merits to anyone who will listen. I know I'm generalizing, and there are people still happily running 2.0 kernels, but look at the general trend. We don't mind using version 0.0.7b6 of products that are cool without thinking twice about it.

Once we learn something new, we tend to make great use of it. And we seem to think of little else. That's probably what he was aiming for in that quote.

And remember, he's knocking his own geeks too.

Key to user security...

[nakhla (68363)]

The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus [securityfocus.com] reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services are necessary to secure a Windows box, and to reducing the bad PR that Microsoft receives every time a new vulnerability is discovered.

Re:Key to user security...

[rabtech (223758)]

Microsoft has gotten the message. If you were on the Windows.NET server beta, you'd have gotten the memo ;)

Essentially, Windows.NET server ships with absolutely NOTHING enabled by default. This does present a problem to the typical Microsoft "its so easy just plug it in" sort of thing, but that is solved by an improved "configure your server wizard". The first time the server boots up, the user can explicity select what to install and/or turn on, and ONLY what they select gets installed/turned on.

The individual components themselves have improved as well. IIS 6 by default will serve only static HTML files, and installs no sample files or other stuff. You have to manually run the IIS security wizard to turn on things like ASP, CGI, etc. If you install a new ISAPI filter or something of the like, you have to manually enable it. Nothing gets turned on unless YOU the admin turns it on.

The other thing is that IIS 6 is a complete ground-up rewrite; no code from IIS 5 was used in its creation. Its gone through a complete code review to (hopefully) eliminate any buffer overflows or other bugs. There are other improvements as well... for example, the easy ability to run each website being hosted under a separate security account, typically with minimal access to anything.

Microsoft isn't stupid; they see that their biggest PR problem right now is security and they are doing something about it. True, they should have jumped on this a long time ago, but late is better than never.

Re:Key to user security...

[_Sprocket_ (42527)]

Before you feel all high and mighty I think I should point out that something likely 75% of all redhat boxes are rooted in the first 24 hours.

I've seen you, and others, bandy about this type of statistic for some time. But I have not found a single reference to back it up. Can you back this statistic up with a valid reference?

Re:Key to user security...

[_Sprocket_ (42527)]

Keep in mind their past history, as well. The article mentions that this latest push - Gates' latest memo - is only one of three. Take a look at those last two.

...

The first was to get Windows onto every desktop.

...

The second memo? The Internet.

One of the amazing things about Microsoft is its ability to turn on a dime. They almost missed the Internet. Then they played an amazing game of catch-up.

But that does not mean they will be able to do it every time.

There is a major difference in the nature of Microsoft's first two challenges (desktop and internet) and its current one (security). The first two were really exercises in marketing. The third is a technical challenge.

Microsoft...

[PhotoGuy (189467)]

Man, does this quote send shivers down anyone else's spine???:

"Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.

If my employer ever publicly said anything like that, I'd run for the exits.

Wonder if the chants are part of the brainwashing process.

Developers, developers, developers, developers.
Developers, developers, developers, developers.
Developers, developers, developers, developers.

Re:Microsoft...

[bughunter (10093)]

Heck, they're brainwashed before they get lined up and herded into the front of the process.

This may sound like a troll, but it's honestly my own perception: Microsoft operates on a cult-like corporate culture. It was especially evident during the antitrust trial; the behavior of the lawyers and execs and their obvious inability to concede, even to themselves, that they just might not be arguing from a rock solid position. It really did remind me of Scientology.

And I'm offended that Mr. Howard thinks of us "geeks" as such simple, predictable, uniformly malleable children. Methinks he's been working in a cult organization too long.

The telling statement

[SuiteSisterMary (123932)]

In a memo in January, Bill Gates, the chairman and co-founder, instructed Microsoft to shift its top priority from adding new features to ensuring that software is secure. Executives said that the memo was the most significant strategy paper from Mr. Gates since one in December 1995, "Internet Tidal Wave."

In 1995, Microsoft couldn't care less about the Internet. Gates had said, publicly and repeatedly, that he didn't think it was going anywhere. Then he realized he was wrong. Within a year, the entire product line had Internet features. Now, 7 years later, people publicly lament that Microsoft has virtually taken the Internet over. Microsoft's greatest strengths have always been the ability to see which way the ship is headed, and when it turns out they're going in the wrong direction, to turn on a dime. Obviously, I'll nod politely at their words, and watch their actions. But the last time they made this big a deal about something, they delivered.

this "big deal" affects the bottom line

[mr_death (106532)]

But the last time they made this big a deal about something, they delivered.

Ah, but this "big deal" negatively affects their revenue and earnings, which is why I think it is little more than PR.

Historically, Microsoft has piled in multitudes of features and foisted what should be beta software on the market. They find out what breaks, and provide bug fixes (euphemistically called "service packs") for the things people really whine about. This approach maximized their revenue, and accelerates it.

Ask yourself if Microsoft would have turned Windows 2000 into Windows 2001 if a significant security hole was found on the eve of the launch.

Re:The telling statement

[weave (48069)]

Microsoft Triva for $100 please

Microsoft's greatest strengths have always been the ability to see which way the ship is headed, and when it turns out they're going in the wrong direction, to turn on a dime.

Ding Ding: What is innovation?

Alex Trebeck: Bwahahahahahhahahahha...

Re:The telling statement

[IamTheRealMike (537420)]

Within a year, the entire product line had Internet features. Now, 7 years later, people publicly lament that Microsoft has virtually taken the Internet over.

Yes - but this is what led to many of their security problems today. They decided they were going to "do" the internet, and so mashed a truckload of net features into all their products. So Word got the ability to detect hyperlinks, Outlook used IE to render web pages and so on.

The problem is - they didn't really do the net at all. Compared to say KDE, where I can give any KDE program a net URL to open and it'll just do it, the Windows internet integration is a joke. They never resolved key policy decisions, like which takes precedence: windows file metadata (with extensions) or MIME types? This is the problem that means I now get several emails every day that contain an embedded wave file, except it isn't a wave file, it's an EXE. IE sees that it's MIME-typed as a WAV, so passes it to the OS, which then makes its own, independant decision and detects from the extension that it's a program and so autoruns it.

The same problem surfaces with web pages. IE usually ignores MIME types - when I was developing a web application recently I wanted to see some XML embedded into an iframe, and then be able to copy and paste it. I return the XML as text/plain, but IE realises it's XML and shows it in that pretty tree thing. Now I can't copy and paste it. Mozilla however follows the rules, so I have to use that instead.

That's not a problem that can just be fixed overnight - it's a key design flaw. How do they fix that virus problem? By switching off the WAV background sound feature (something nobody ever used anyway) in emails. That's just a bandaid, and doesn't get to the core problem, which is the internet code in Windows usually ignores or doesn't receive MIME type info.

Now I have no doubt that after this session of looking at code, MS products will have caught up with the competition in terms of security. Nobody should underestimate them. But as has been pointed out, whether that'll change their long term mindset is anybodies guess.

Re:The telling statement

[dachshund (300733)]

Microsoft's greatest strengths have always been the ability to see which way the ship is headed, and when it turns out they're going in the wrong direction, to turn on a dime.

You're giving them a lot of credit for essentially catching onto something that was about as difficult to ignore as, say, Woodstock going on in your backyard. With the billions of dollars and expectations pouring into companies like Netscape, it would have required nothing short of a deliberate act of self-destruction for MS to ignore what was going on.

Purchasing and developing a web browser in order to compete with a company that had very publicly vowed to put you out of business and buying web services like hotmail (for embarassingly high prices) do not brilliant business strategy make. Even today IIS is not the dominant web server, despite years of aggressive marketing.

As far as I can see, all Microsoft has done is react and trade on their already tough-to-beat desktop monopoly and cash reserves like they were going out of style. With .NET, they're just doing more reacting, at least so far, by implementing what is essentially a Java lookalike and backing it up with Microsoft monopoly and marketing clout.

No, they don't run the internet.

[emil (695)]

When one of the DNS root servers switches to NT, please let me know - not that DNS is that stable or secure.

When IIS has a 60% market share (as Apache does now), I might also get a bit concerned.

When the Microsoft Sybase rip-off has a 46% market share (as Oracle currently has), we might start worrying about the datacenter.

When they have a stable, scalable 64-bit version of Windows, we might start worrying.

In order for Microsoft to get any of these markets, they will have to have a good product, good customer service, and good interoperability with other vendors products. I don't see that happening anytime soon.

After all, we gave them SMTP, and look what they did with that.

Re:The telling statement

[gwernol (167574)]

Big difference between adding an IP stack and a browser component and debugging/stabilizing/refactoring/etc your entire product line.

Well if you think that's all Microsoft have done to become Internet-centric then you are vastly missing the point. Have you looked at their .NET initiative? If (and its still an "if") they follow through on that vision they will have completely changed their software architecture to a completely Internet-centric model.

Lipner is astonished!

[Dharzhak (124289)]

Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.

Lipner also reacted with astonishment when he was told that professional wrestling matches are fixed.

Wait a second

[quantaman (517394)]

several of its key program managers warned that underestimating Microsoft's ability to meet the computer security challenge might be as foolhardy as was misjudging its ability to turn itself into a dominant Internet player.

I thought they were the default security player. Don't the vast majority of hackers break into MS boxes already?

students view

[bpb213 (561569)]

Ok, im a student at a good university.

looking at this -
dozen half-day training sessions for its programmers, about 1,000 at a time.

And i fail to see how you can teach. Its hard as hell to learn in a lecture hall of 300, but 1000? thats insane.

Not only that, but for a half day? Cmon, americans have an attention span of what? 15 sec? if that? (dont anyone take insult...:))

How do they expect coders to pay attention to a small figure in front for a full 6 hours....1.5 hours is hard as it is for a normal college lecture.

you've been in school too long then

[wadetemp (217315)]

I used to have the same problem in college, but then again, I went to class several times a day, 5 days a week, 2 semesters a year, for several years. I fell asleep (mentally if not physically) many times, even in 1 hour classes. Now that I'm out of school, I have no problem paying attention to a 5 hour training session. It's actually a nice break. It's not like I do it every day, or even every week.

What code reviews?

[Nintendork (411169)]

Since Gates sent out the letter pushing security, there have been a few patches. Only one of them (From what I can remember) wasn't credited to some security firm. Other companies are finding their code weaknesses and telling them. This is their plan???

Remember who we're talking about...

[InThane (2300)]

Microsoft most likely is doing code reviews OF FUTURE PRODUCTS, I.E. .NET, .NET Server, Windows XP, Office NGO, etc.

You want security? Fine, buy our subscription products.

Bad Idea for Microsoft

[jacobb (93907)]

Microsoft is rich because people upgrade if not every year, then every other year.
It could not possibly survive by selling bug-free software - it's just not in their interest. The vast majority of users DON'T blame MS for the crashes, rather they either blame a 3rd party program or themselves even though the fault lies almost entirely on Microsoft.

They DON'T get bad press from outlook viruses - the evil hacker delinquent kids do. MS is seen, of course, as the victim.

Windows2000 was released with, what, 20,000 known bugs in it. It seems to me that my Windows partition works worse and worse with each new version I put on it. So I buy another.
Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

Microsoft sells software that is so bloated that if they actually did a decent code audit (which, of course, would be far too expensive) and tightened things up, you wouldn't need that couple gigs just devoted to the OS. In short: MS NEEDS you to upgrade. Why on earth would they really mend their ways? Especially if it would cost more and get less overall business?

Re:Bad Idea for Microsoft

[Carnage4Life (106069)]

Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

As someone who's actually inside the Borg cube I can tell you that security is currently our highest priority. Thousands of people across various product teams have attended security lectures, new development has been stopped, old code and new code has been stringently reviewed, an emphasis on secure defaults is beginning to occur, and new functionality is designed with security in mind before all else.

Of course some people will complain about why this has taken so long while others will probably say "better late than never" but either way it should be noted that a code review/security audit on this scale is probably unprecedented in software development history. Some may chime in about how Open Source is supposedly a constant large scale code review but I've previously written on the fallacy of this kind of thinking [slashdot.org].

Now on to counter the main claims of your post that releasing software with security issues is a good business model. This may have been true in an un-networked world where the most a compromise could do was allow another user on your system perform some mischief but in a world where some kid in Asia can tie up mail servers on most of the planet by using a GUI virus toolkit, security becomes very important. Unfortunately across the entire software development spectrum from *NIX to Windows, from Open Source to proprietary we as developers are failing and clinging to panaceas and silver bullets (Open Source - the with many all bugs are shallow myth, safe programming languages, just use crypto, etc) when in truth there is more to security than just applying a buzzword technology or software development style. I outlined some of the practices and techniques that lead to more secure software in my The Myth of Open Source Security Revisited v2.0 [earthweb.com] article. Having done some more research into security issues I should probably do a followup article and focus on other fallacies and problems which lead to complacency in software development and from there insecure software.

Disclaimer: This post is my opinion and does not reflect the opinions, intentions, strategies or plans of my employer.

Re:Bad Idea for Microsoft

[BurritoWarrior (90481)]

Microsoft really does brainwash their employees. I went to your site about the "myth" of open source software being more secure, and I see where you point to the Security Focus table to try and prove your point. For the *thousandth* time, that table takes into account every single application that ships with a distribution. Can we lump in all the vulnerabilities for MS Office/Outlook, MS Works, SQL Server, and Exchange into the NT/2000 group?

And even with those misleading statistics, the only distro above NT/2000 (42) is Red Hat (54).

Your lack of objectivity renders your entire article irrelevant.

Re:Avoiding the Issue and Missing the Point

[BurritoWarrior (90481)]

I was trying to avoid direct criticism here, but since you started...I understand what disputable means, thank you. Unfortunately I think you need to look into what the scientific method is before writing an article like you did. You reference articles with misleading statistics, your logic has gaping holes in it, and your conclusions are invalid. All other things being EQUAL (developed by the same people, with the same tools, at the same time in computing history, written in the same language, going through the same review process, etc.) open source software would be more secure as *additional people* would be able to audit the code. Comparing AIX or HP-UX to a Linux distro has *no statistical relevance* because there are DOZENS of other factors that *skew* the results. You even say so in your claim that we shouldn't compare Windows to Linux/OSS because they are so different, then go onto to do the same flawed comparison with commercial Unices vs. Linux.

In conclusion, I find your article nothing more than semi-sophisticated FUD.
Fear - Be afraid, that OSS might not be very secure.
Uncertainty - Well, if it isn't secure you probably shouldn't deploy it, should you. Use commerical software (and keep my paycheck coming).
Doubt - Hmm, well, maybe we should stick with the tried and true, good ole MS. (or IBM if we want to go back in time.)

Possibly correct

[HiThere (15173)]

You may be right. I'll never know. Because I will never agree to what I've seen of the recen MS licenses.

So I will continue to percieve MS software as basically unfriendly, useless, insecure, etc. The last versions that I could legally look at and evaluate were that way, and I see no reason to change my opinion. Any company that makes it illegal to post reviews of their current products does not deserve any amount of "suspension of disbelief".

More to the point, any company that insists on the right to add, delete, copy, or remove whatever software it chooses from my hard disk cannot be considered secure no matter how secure the software itself actually is. That legal requirement is nearly the zenith of possible insecurity, and renders any software that requires it unsuitable for any application that I can conceive of.

Perhaps you've changed your license again. Is there any reason for me to believe that you won't change it back just as soon as I buy in? You seem to be requiring the right to change the terms of the license without my agreeing to it, of even knowing of it (via "license specs are kept on a web page").

I don't see how things COULD be less secure, for the end user.

NY Times username/password

[AmigaAvenger (210519)]

Username: dotslash2002 Password: dotslash2002 (had to, no one posted on yet, had to go through the trouble of getting another account registered...)

Re:NY Times username/password

[Alsee (515537)]

gorwell1984 / gorwell1984

P.S.
You need to accept the second cookie for the article to appear, but that one is only a session cookie that dissapears when you close your browser.

P.P.S.
What's a gorwell? George Orwell author of 1984.

-

MicroSoft is much better at useless effort

[iabervon (1971)]

In those two months, MicroSoft has probably fixed more security-compromising bugs than most open source projects (expect for sendmail and BIND) will ever have. MicroSoft can put far more effort behind solving the problems that they have created for themselves that the open source community could ever hope to, both in terms of solving problems and in terms of creating them.

The open source community is always taking shortcuts by not making every possible mistake and them fixing it. Who cares about results? MicroSoft can do more work than anybody else, and that's all that matters.

Monopoly != Abusive

[guanxi (216397)]

Not all monopolies are abusive. I have no serious objection to Intel's or Cisco's market dominance, and IMHO SBC falls into the same category.

After they took over Ameritech's operations, service and especially support improved dramatically, at least for me. I'm happy to have them here -- the best telecom company I've ever dealt with (I've done business with Ameritech, PacBell, AT&T, MCI/Worldcom, Sprint, Verizon, and some others).

impressive chutzpah or bad math?

[jdbo (35629)]

"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

I love this quote; it's _so_ MS.

Two months of a several thousand developers = 60 days * 8 hours per day (being generous and throwing in weekends) * 9,000 coders = ~ 500 man-years. Not too shabby!

Bullshit, that's playing with numbers. I could further "statistics-ize" this to say that this means every line of Windows XP got 8 minutes of attention in the last 2 months.

The reality is that secure development takes _time_ and _experience_ as well as eyeballs. Not everything is repaired correctly the first time, and the corrections themselves often need further review and correction. A fast fix is often worse than a naive bug.

This sort of thing is even more likely to happen when you're changing your development habits to take security into account - transitions are always messy. I doubt much effective security work actually "got done" on the Windows code in those 2 months, relatyive to the amount of "security twiddling".

While I have to applaud MS for finally _beginning_ to take security seriously, it's complete B.S. on their part (and very much in classic MS form) to suddeny claim that they're "the securest of the secure" when they're just entering the field.

A real shift in Microsoft's security policy?

[amarodeeps (541829)]

"You have my word: we will lead the industry in delivering secure software."

"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

To try to relate these two quotes: the OpenBSD folks have been doing constant security audit on their code for years. I'm pretty sure what they've done surpasses anything Microsoft has done as of yet, as they have been specifically focused on providing a secure operation system for quite a while: http://www.openbsd.org/security.html [openbsd.org]

Moreover, they've continued to have security problems [slashdot.org]...and that is the nature of software development. If the software is in use, then somebody is going to find a way to hack it. And the more people use it, the more people are going to figure out how to hack it. And the quicker this process is, the more quickly you are going to have to respond to it.

But this does not mean stopping once a year and deciding you are going to do a massive code audit. It doesn't not follow that Microsoft is all of a sudden going to have secure code unless they wake up and realize their non-disclosure policy is hurtful...they need to immediately make available patches and make people aware of security problems so people can take some sort of action...and I dare say they might think about opening up their code base (naw, that'll never happen I guess). It's a multi-faceted approach, and the open source community is just better at it at this point - we don't have a marketing department.

This whole security push on their behalf just seems to be another marketing ploy, really, complete with a catch-phrase: "Trustworthy Computing." Let's call it what it is, huh? - "we are going to fscking focus on security now." It seems like no matter what they do, as long as their marketing department is fighting their security/engineering team for dominance (well, I guess it's already won really) it's going to be the same old story.

You guys really think that?

[cecil36 (104730)]

I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.

I'm willing to bet that you'll be retracting that statement when something blows up in your code or if some new security hole is discovered by some script kiddie. We have the results to show that code review should not be a rush job.

By definition, Microsoft != trustworthy

[fanatic (86657)]

Even if they were actually successful (not likely) in cleaning up the massive number of unintentional screw-ups in their code, the stuff they do intentionally is worse, including the Product Activation 'technology', their Secure Audio Path crapola (==selling their users's rights to the highest bidder), that abominable Plug'n'Play crap that just 'decides' to randomly re-configure your system hardware, and Anything.Net. Also, their gratutitous changes to file formats, communications protocols and APIs to enforce upgrades and preclude competition.

It's the stuff they do with full knowledge and intent that makes them un-trustworthy.

Re:Quote from the article:

[nakhla (68363)]

Not necessarily. Many times in the OS community, new code is added to a project. How often does the ENTIRETY of the code get reviewed? Yes, I believe that open source software does seem to result in fewer vulnerabilities. But it doesn't mean that there are NO vulnerabilities in open source software. Windows 2000 has approximately 50 million lines of code. If they've even gone through 1/4 of that it's astonishing. When was the last time someone actively poured through every line of the Linux kernel looking for possible bugs? Very often, code is reviewed in small chunks rather than from start to finish. This will solve small bugs and vulnerabilities related to specific functions, but BIG bugs require reviewing a LOT of code. That's probably what Mr. Lipner is talking about.

Re:Two months? Get real.

[Derkec (463377)]

True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully." Now, why that hasn't been done or if it isn't needed because of how well the open community works, is a wholly differant question. But MS can fairly say it has just done some the open community hasn't matched.

Personally, I think both sides have code review procedures which are legitimate. MS is bragging because the open source community can't match what it did within its own procedure. It would be like waterfall method people bragging that they got a product out the door in fewer milestones than an extreme team did. An answer to this is, "Ok, good for you but saying you are better than me is a non-sequitor."

Re:Two months? Get real.

[ichimunki (194887)]

Huh. That's exactly what they did at OpenBSD-- they stopped and reviewed all the code (am I wrong? isn't that what they did?). MS can stuff themselves with this self-serving deception. My favorite is the line where they pretend that "easy to use means easy to hack". What a load! That's the same sort of dishonesty they perpetrate with their "just reboot/reinstall to solve bug X, Y, or Z" approach. Ease of use and security are entirely orthogonal. Microsoft will say *anything* to get you to ignore problems they've helped create.

Re:Two months? Get real.

[bluGill (862)]

OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the openSSH hole count?)

FreeBSD has trusted BSD which has similear aims, plus some code that would be really nice to have.

Sardonix [sardonix.org] is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.

Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.

And finially, the typical way to get into open source is to do start reading code, and then contribute when you can do something. One of the things you can do is find potential holes

None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put in more work into theirs, but I remember openBSD which was just a better netBSD, and not secure. By fixing problems they got secrure. I've been a programer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my expirence is the first two months introduce more problems than they fix, it is only after fixing those new problems that you begine to make progress, and it takes months to get them all closed.

Re:Two months? Get real.

[ILikeRed (141848)]

Derkec gushed:
True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."

No, False. You (and MicroSoft) are completly ignoring Open Source projects that only audit code... i.e. the Kernel Janitors: [kerneljanitors.org]

Re:Two months? Get real.

[9633 (570325)]

Also, he is ignoring Open Source projects that start out to be secure code in the first place ie. qmail,djbdns... The thing about open soure is we have a choice. More then likely Windows users don't.

Re:Two months? Get real.

[gorilla (36491)]

"ok let's stop development and everyone will go check code extremely carefully."

This is a really awful way of doing it. In order to get a good implemenation you need:

1) A solid design. That means no automatic execution of attachments.

2) Continuous review of the code. If the code sits for 3 years before it's reviewed, then you've exposed yourself to bugs in that time, and perhaps you've even accidentally built stuff which relies on that bug.

Mythical Man Month

[Alien54 (180860)]

"I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months'

I look at all the man months that have gone into the development of Windows, etc. and I look at the results. The sheer amount of time put in is no assurance of the quality of the results.

In fact, if I recall right, the sauthor of the book "the Mythical Man-Month" came to the conclusion that the more people you throw at a software project, the slower the project goes.

So the question is how of the work at MS falls into that category

The important thing is to have our own solutions.

[by Anonymous Coward]

It's a complete waste of time listening to these liars. That is all they are. Liars, deceivers, and power-hungry control freaks that wish to see any sense of community destroyed in order to protect their monopoly and cash flow.

It would be a much wiser thing for us to do instead to focus on implementing our own open, Free, and standardized technologies that present solutions in the best interest of the community. This is the issue, and, whether we realize it or not, this is the war. We either leave these things to them and be controlled by them, or implement these solutions ourselves and protect our liberties.

Simple as that.

Re:Yeah, so?

[danheskett (178529)]

No, no.

MS is 100% correct about SBC.

See, these companies in some cases (Novell and SBC primarily) are using the monopoly case and their testimony as bargaining chips in ongoing negotations!

That is very bad. Believe what you will about MS and its case and its actions - believe whatever you want. I have my own beleifs. But it is very clear that both Novell and SBC are doing really extremely bad things here with their testimony.

SBC is basically trying to blackmail MS into delaying their own services and then parterning with SBC when SBC is ready to go to market.

Re:Windows XP SP1

[ansible (9585)]

And why do I need IE and Media Player on a server that's only running a database?

Step #1 of security, remove and/or disable everything to don't need to get the job done.

MSFT has been ignoring that for years, but maybe they are finally starting to learn.

Re:Windows XP SP1

[ansible (9585)]

In response to you and cscx (below)...

crudeboy writes: (in regards to IE and Media Player) but... a more correct question might be: Why bother to remove it?

End user applications have no business existing on a dedicated server machine. As for why, see below:

cscx writes: Second of all, you don't install all the goodies in Windows 2000 server/advanced server. Why do you need IE? Well, it's handy as hell. You can locally install updates while at the box in the server room, run windows update, download hotfixes, etc. Plus, it's also useful for visiting tech documents / howtos to diagnose problems that the Novell and Linux servers in the same server room are having (yes, this has happened to me before ;P)

So you're going to be surfing random sites on a critical server machine... while logged in as Administrator?????

I'm glad you don't work for me. That would be grounds for a reprimand, at the very least.

Back in the old days, surfing the web ran no risk to the client machine. Nowdays there are all kinds of risks because of mobile code (ActiveX, Javascript, etc.) and exploitable client programs (increasingly complex web browsers). Do either of you guys remember how those worms were spreading last year? Sooner or later, someone's going to figure out yet another exploit for IE.

Yes, yes, you can limit the risks with security settings, but that is no longer proof against attacks.

crudeboy writes: If you really think that you probably shouldn't work with security at all... To say that things you do when implementing a software solution should be carried out first is just plain nonsense...

Well, if "limit your exposure" isn't supposed to be #1 on a security checklist, then it is #2 or #3.

Since you don't seem to understand the basics, then I suggest you read up on the subject before you start calling things "nonsense".

Re:Microsoft can do this

[rnturn (11092)]

``Microsoft is, finally, in a good position to improve the security of its products.

In the days of DOS/Win3.1/Win95/Win98/WinME, it was hopeless. Those have so little protection that there was no hope of securing them. But the current Microsoft product line is all NT-based. Windows 2000 and Windows XP are both based on an NT kernel. So security is at least potentially possible for the current product line.

The key is to put a security model in the operating system which permits the safe execution of hostile code. Then downloadable content can be confined to its own private jail cell, which it can mess up but cannot escape.''

But NT sprang from ideas brought into the company from the outside (Cutler and his background with VMS). And look how long that process took. I somehow doubt that looking inward for a half a day is going to make the security aspects of Microsoft's software design process (note: that'a possibly an oxymoron) any better. Certainly not immediately. But who from the outside will come into Microsoft and be able to make the necessary changes. I recall reading a bit about Cutler's struggles to get MS developers to do things in a more robust way; they were working in such a vacuum that they were coding things in ways that other companies had tried and thrown out years before because they were so broken. I'm betting that it'll take someone to come in and kick some serious tail to get more secure code. No pep rally is going to do it (IMHO).

What I've always found astonishing is how Microsoft managed to ignore the security model of Xenix so thoroughly when that product was, at one time, the company's stated direction. (Actually, it just might have been Cutler that pounded the final nail in Xenix's coffin; he is a reknowned UNIX-hater.) Geez... even if they decided to abort the Xenix direction they could have at least kept the UNIX security model as a starting point for OS security in their new direction. It sure seems apparent (to me, at least) that someone high up at Microsoft was shooting down most security-related features of their products. As secure as NT was supposed to be, it was/is nothing compared to what might have been had they incorporated more of the ideas from VMS. I have difficulty believing that Cutler didn't want them incorporated. But, then, I understand that he fought against moving the graphics subsystem into the kernel and lost that one, too.