
Microsoft: Trust and Antitrust

Posted by michael
from the ironic-t-shirt-slogan dept.
Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about Microsoft's behavior, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.
  • by fruey (563914) on Tuesday April 09, 2002 @01:14PM (#3310565) Homepage Journal
    For those Francophones / Germanophones amongst us, tonight ARTE (TV channel available on terrestrial and digital satellite) has a programme "Life after Microsoft" which should make interesting viewing. Around 20:45 CET I believe.
  • Maybe they've seen all the security flaws and bugfixes required, but I hardly think even with all of Microsoft's power, they could not outstrip the entire OSS community in just two months.

    There's still a lot more manpower in OSS. It's just more fractious.
    • Apparently you are wrong, Steve wouldn't lie.

      Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."
      • Mythical Man Month (Score:5, Insightful)

        by Alien54 (180860) on Tuesday April 09, 2002 @01:30PM (#3310707) Journal
        "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months"

        I look at all the man months that have gone into the development of Windows, etc. and I look at the results. The sheer amount of time put in is no assurance of the quality of the results.

        In fact, if I recall right, the author of the book "The Mythical Man-Month" came to the conclusion that the more people you throw at a software project, the slower the project goes.

        So the question is how much of the work at MS falls into that category.

        • there is Eric Raymond's "loophole" to Brooks law -

          "primary development does not scale, debugging does."

          Which of course applies to the open source movement. As briefly discussed on this page [michaelmoser.org].

          side note:

          Note that while manager of the 360 project it was Dr. Brooks who specified that a byte would consist of 8 bits. Whether or not you agree with his decision, it's hard to argue that this has not had a huge impact on the computer field.

          Which is interesting trivia by itself.

      • total MS security man-years = ((9000 employees * (2 months * 120 work-hours/month)) - (9000 employees * 4 hours "security re-training")) / 1440 work-hours/year = 1475.
    • by Derkec (463377)
      True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully." Now, why that hasn't been done or if it isn't needed because of how well the open community works, is a wholly different question. But MS can fairly say it has just done something the open community hasn't matched.


      Personally, I think both sides have code review procedures which are legitimate. MS is bragging because the open source community can't match what it did within its own procedure. It would be like waterfall method people bragging that they got a product out the door in fewer milestones than an extreme team did. An answer to this is, "Ok, good for you but saying you are better than me is a non sequitur."

      • Huh. That's exactly what they did at OpenBSD-- they stopped and reviewed all the code (am I wrong? isn't that what they did?). MS can stuff themselves with this self-serving deception. My favorite is the line where they pretend that "easy to use means easy to hack". What a load! That's the same sort of dishonesty they perpetrate with their "just reboot/reinstall to solve bug X, Y, or Z" approach. Ease of use and security are entirely orthogonal. Microsoft will say *anything* to get you to ignore problems they've helped create.
        • by bluGill (862) on Tuesday April 09, 2002 @01:56PM (#3310904)

          OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the openSSH hole count?)

          FreeBSD has TrustedBSD which has similar aims, plus some code that would be really nice to have.

          Sardonix [sardonix.org] is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.

          Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.

          And finally, the typical way to get into open source is to start reading code, and then contribute when you can do something. One of the things you can do is find potential holes.

          None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put more work into theirs, but I remember OpenBSD which was just a better NetBSD, and not secure. By fixing problems they got secure. I've been a programmer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my experience is the first two months introduce more problems than they fix, it is only after fixing those new problems that you begin to make progress, and it takes months to get them all closed.

      • by Dusty (10872)
        True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."

        I may be wrong on this, but I thought OpenBSD counts as Open Source, and they're certainly doing a security audit [openbsd.org] of the source code.

      • by ILikeRed (141848) on Tuesday April 09, 2002 @01:51PM (#3310877) Journal
        Derkec gushed:
        True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."

        No, False. You (and MicroSoft) are completely ignoring Open Source projects that only audit code... i.e. the Kernel Janitors: [kerneljanitors.org]
        • by 9633 (570325)
          Also, he is ignoring Open Source projects that start out to be secure code in the first place, i.e. qmail, djbdns... The thing about open source is we have a choice. More than likely Windows users don't.
      • by gorilla (36491)
        "ok let's stop development and everyone will go check code extremely carefully."

        This is a really awful way of doing it. In order to get a good implementation you need:

        1) A solid design. That means no automatic execution of attachments.

        2) Continuous review of the code. If the code sits for 3 years before it's reviewed, then you've exposed yourself to bugs in that time, and perhaps you've even accidentally built stuff which relies on that bug.

    • I think their claim may be true in a literal sense, but I wonder how effective their reviewing has actually been so far? I mean in a literal sense, a man-year of work could be 700 people working until noon too, it doesn't mean they're really getting anything done. Still, I'm really glad they're making the effort.

    • by toopc (32927)
      There's still a lot more manpower in OSS. It's just more fractious.

      There's still a lot more potential manpower in OSS. As has been proven in several big OSS projects, like Mozilla for one, just because there are tens of thousands of people who can work on a project, it doesn't mean there will be tens of thousands of people who do work on a project.

      resignation and postmortem. [jwz.org]

      The truth is that, by virtue of the fact that the contributors to the Mozilla project included about a hundred full-time Netscape developers, and about thirty part-time outsiders, the project still belonged wholly to Netscape -- because only those who write the code truly control the project.

  • Brainwashed geeks? (Score:3, Interesting)

    by Maskirovka (255712) on Tuesday April 09, 2002 @01:16PM (#3310583)
    "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.

    No comment needed.

    • by MinusOne (4145) on Tuesday April 09, 2002 @01:26PM (#3310682)
      > "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.

      I was surprised by this quote too. The implication that developers at MS are some sort of automatons that are easily brainwashed is amazing. I'm no fan of MS, its products or its tactics but the developers who work there are robots. I have found the MS people I have met to be pretty party-line company guys but they did have brains and were capable of independent thought.

      The other problem with training like this is that without reinforcement from management it is not terribly useful. Sure some of the developers will "get religion" and will be absolutely scrupulous about writing secure code, but others will get lazy, forget the training or go back to old bad habits. Without code review and standards enforced by management in some way training is ineffective.
      • Yeah, exactly.

        It's not enough to teach your programmers to write code that can't be exploited by buffer overflows.

        You've got to back that up with management training, emphasizing security and documentation (a critical component of security) over features.

        If you're sending your programmers to class for a day, you need to send your managers to classes for a week.

      • by hey! (33014)
        <obligatory disclaimer of being fellow microsoft detester omitted/>

        C'mon. He's making a good point about geeks -- you can use their love of learning new stuff and putting it to use makes it possible to change their collective direction quickly. It's a valid insight.

        Microsoft has been able to exploit this better than any other large company. It's a matter of hiring the right people. They don't always get the right direction, but they can be moved rapidly when necessary. Remember Microsoft's total lack of preparation for the Internet a couple of years ago? Now we're worrying about the possibility they may coopt it.

        I would view a similar Microsoft shift towards more trustworthy software development practices as an unmitigated good. You can't dominate the field of "trustworthy" software. It's just about producing higher quality software, which benefits both their customers and even people who aren't their customers (how many non-Windows sites suffered collateral damage from Code Red).

        The problem is the inevitable PR baloney that goes with it. Perhaps Microsoft sincerely wants to produce more trustworthy software; this is good. However they want their customers to trust their products right now, so they're trying to make them think that most of the problems have been fixed by a gargantuan effort. This is bad. You can't fix years of shoddy work with a couple of months of auditing. Fixing security problems is, I don't know, but I'd guess at least ten times as hard as avoiding them in the first place.

        A little humility would make people who know better feel a bit more comfortable that this is more than PR hype.
    • by Zapman (2662)
      This quote struck me as odd as well, but I got to thinking about it, and I think I see at least where he was going.

      We geeks tend to be fascinated by "the newest thing", and rush to try it, and then preach its merits to anyone who will listen. I know I'm generalizing, and there are people still happily running 2.0 kernels, but look at the general trend. We don't mind using version 0.0.7b6 of products that are cool without thinking twice about it.

      Once we learn something new, we tend to make great use of it. And we seem to think of little else. That's probably what he was aiming for in that quote.

      And remember, he's knocking his own geeks too.
    • No wonder there are so many security errors. You can't program right if you're brainwashed.

      Seriously, though, you have to be able to think for yourself and work things out, it's not about watching a lecture for 2 months and all of a sudden getting it.

      Or are they trying to say they've figured out Artificial Intelligence now too?
  • Windows XP SP1 (Score:2, Interesting)

    by cscx (541332)
    Windows XP SP1 will include some changes [com.com] that will allow component removal for things such as Windows Messenger, IE, and Windows Media Player. Now, why someone would want to remove IE and Windows Media Player is beyond me. Also, don't forget all those programs that rely on the Web control and need IE to function.
    • Re:Windows XP SP1 (Score:3, Interesting)

      by ansible (9585)

      And why do I need IE and Media Player on a server that's only running a database?

      Step #1 of security: remove and/or disable everything you don't need to get the job done.

      MSFT has been ignoring that for years, but maybe they are finally starting to learn.

    • Re:Windows XP SP1 (Score:2, Informative)

      by GutBomb (541585)
      if you actually read the article you would see that it says the service pack will HIDE msn messenger, ie, and media player if you wish. it says nothing of REMOVING them.
  • by jspey (183976)
    Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

    Hah hah hah!! What an idiot.

    Mr. Spey
    • by nakhla (68363) on Tuesday April 09, 2002 @01:23PM (#3310650) Homepage
      Not necessarily. Many times in the OS community, new code is added to a project. How often does the ENTIRETY of the code get reviewed? Yes, I believe that open source software does seem to result in fewer vulnerabilities. But it doesn't mean that there are NO vulnerabilities in open source software. Windows 2000 has approximately 50 million lines of code. If they've even gone through 1/4 of that it's astonishing. When was the last time someone actively pored through every line of the Linux kernel looking for possible bugs? Very often, code is reviewed in small chunks rather than from start to finish. This will solve small bugs and vulnerabilities related to specific functions, but BIG bugs require reviewing a LOT of code. That's probably what Mr. Lipner is talking about.
      • This will solve small bugs and vulnerabilities related to specific functions, but BIG bugs require reviewing a LOT of code.

        No, big bugs require reviewing the architecture which the code implements. Bad design is the cause of big bugs, and you have to be willing to scrap the bad design and start over from -architecting- the code before even reimplementing it.

        Is MS willing to do that?

    • Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

      How often has the community found it necessary to do a complete security review of any package, years after the fact?

    • Okay, just one thing: About a year ago or so I saw one of the security guys (wish I could remember his name) talking on one of the geek channels (we no longer get it, so I forget what it is called). He was from McAffee and his #1 complaint about Microsoft is that every year they invite him and other security experts up there and every year they tell Microsoft the same thing: GET RID OF VISUAL BASIC!

      Perhaps it is me, but two months doesn't seem like a very long time to do "security reviews" ("you see a problem, Frank?" "Yeah, but at $5.00/Hour they don't pay me to fix problems, Joe...").

      Okay, so let us say they DID review it. Did they fix anything? Or is it just on their ever-growing (read never-ending) list of problems they just haven't gotten around to yet (let's all give them a Round TUIT, eh?).

      Personally, after seeing the level of "quality" shipped in some of the source for CE (drivers that hang, etc.), I've been underwhelmed at the code quality. I've seen Open Source that beats the pants off of it.

      Ah, but whadda I know? I'm just brainwashed...

      Okay, hold your arms out and recite after me: Brains...brains...brains...

  • by nakhla (68363) on Tuesday April 09, 2002 @01:19PM (#3310607) Homepage
    The key to user security is to enable it by default. Most people running Win2K at home don't bother modifying their file permissions, closing off unnecessary services, etc. They leave settings at the default and go on their way. If Microsoft made the default installations more secure it would drastically improve the security of its OS. How many times has Security Focus [securityfocus.com] reported on vulnerabilities related to Windows file-sharing? The answer to the problem is to turn it off and let the user decide if they want to turn it on. Outlook scripting, ActiveX, file sharing, Windows messaging, etc. Removing or disabling these services is necessary to secure a Windows box, and to reduce the bad PR that Microsoft receives every time a new vulnerability is discovered.
    • by ltsmash (569641)
      Keep in mind that Red Hat Linux has released several versions where the default installation settings had practically everything turned on. This is not a windows-only problem.
    • by rabtech (223758) on Tuesday April 09, 2002 @02:16PM (#3311057) Homepage
      Microsoft has gotten the message. If you were on the Windows.NET server beta, you'd have gotten the memo ;)

      Essentially, Windows.NET server ships with absolutely NOTHING enabled by default. This does present a problem to the typical Microsoft "it's so easy just plug it in" sort of thing, but that is solved by an improved "configure your server wizard". The first time the server boots up, the user can explicitly select what to install and/or turn on, and ONLY what they select gets installed/turned on.

      The individual components themselves have improved as well. IIS 6 by default will serve only static HTML files, and installs no sample files or other stuff. You have to manually run the IIS security wizard to turn on things like ASP, CGI, etc. If you install a new ISAPI filter or something of the like, you have to manually enable it. Nothing gets turned on unless YOU the admin turns it on.

      The other thing is that IIS 6 is a complete ground-up rewrite; no code from IIS 5 was used in its creation. It's gone through a complete code review to (hopefully) eliminate any buffer overflows or other bugs. There are other improvements as well... for example, the easy ability to run each website being hosted under a separate security account, typically with minimal access to anything.

      Microsoft isn't stupid; they see that their biggest PR problem right now is security and they are doing something about it. True, they should have jumped on this a long time ago, but late is better than never.
      • Outlook Express *still* ships with the preview pane turned on by default, and port 139 is still wide open by default too. These are the two biggest security flaws in Windows operating systems, allowing the spread of every virus in recent memory. Yet Microsoft has done nothing about this.
  • by PhotoGuy (189467) on Tuesday April 09, 2002 @01:21PM (#3310622) Homepage
    Man, does this quote send shivers down anyone else's spine???:

    "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said.
    If my employer ever publicly said anything like that, I'd run for the exits.

    Wonder if the chants are part of the brainwashing process.

    Developers, developers, developers, developers.
    Developers, developers, developers, developers.
    Developers, developers, developers, developers.
    • ``If my employer ever publicly said anything like that, I'd run for the exits.''

      Couldn't happen to a more deserving company (IMHO).

      I was an (contract) admin at a company that felt the need to post those ``motivational'' posters around the workplace. I found them pretty insulting. Especially the one that they had plastered on the wall where the developers worked that read: ``It's dumb to be too smart.'' (It always amazes me when managers wonder why, after treating their workers like shit, they find themselves thought of as assholes.)

      After I left, I heard quite a few headhunters comment that they had a difficult time getting anyone to accept positions at that company. Some of the headhunters claimed that they were being asked to filter candidates according to age (which they refused to do), that candidates were routinely lied to during interviews, and that recruiting fees weren't paid without a huge hassle. Wonder how long it'll be before Microsoft begins being viewed the same way by recruiters.

      Whoa... enough of this topic drift!

    • Dadada dada
      the Leader,leader, Leader.
      I Love the leader.
    • Re:Microsoft... (Score:4, Insightful)

      by bughunter (10093) <bughunter&earthlink,net> on Tuesday April 09, 2002 @03:18PM (#3311499) Journal
      Heck, they're brainwashed before they get lined up and herded into the front of the process.

      This may sound like a troll, but it's honestly my own perception: Microsoft operates on a cult-like corporate culture. It was especially evident during the antitrust trial; the behavior of the lawyers and execs and their obvious inability to concede, even to themselves, that they just might not be arguing from a rock solid position. It really did remind me of Scientology.

      And I'm offended that Mr. Howard thinks of us "geeks" as such simple, predictable, uniformly malleable children. Methinks he's been working in a cult organization too long.

  • two months of code reviews and half-day seminars surpasses everything ever done by the open source community

    Yeah, and what was the final bill? Imagine how much work the OSS community might have gotten done for that price.
  • by drinkypoo (153816)
    Microsoft responds, claiming that SBC is merely being self-serving.

    So what if they're being self-serving? If everyone is being self-serving by dissing microsoft, it's obvious that microsoft is not adequately serving anyone.

  • Quoting Michael Howard, the security expert who designed the course for Microsoft:

    "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed."

    I was astonished that he can make such bold claims. I have always thought that geeks have a mindset all of our own, and not one to be brainwashed easily. But then I found this quote:

    "Microsoft has always had a crisis-driven mentality," said Mr. Howard, the security expert. "You have my word: we will lead the industry in delivering secure software."

    And I couldn't help but laugh my ass off.....

  • by SuiteSisterMary (123932) <slebrun AT gmail DOT com> on Tuesday April 09, 2002 @01:24PM (#3310662) Journal
    In a memo in January, Bill Gates, the chairman and co-founder, instructed Microsoft to shift its top priority from adding new features to ensuring that software is secure. Executives said that the memo was the most significant strategy paper from Mr. Gates since one in December 1995, "Internet Tidal Wave."
    In 1995, Microsoft couldn't care less about the Internet. Gates had said, publicly and repeatedly, that he didn't think it was going anywhere. Then he realized he was wrong. Within a year, the entire product line had Internet features. Now, 7 years later, people publicly lament that Microsoft has virtually taken the Internet over. Microsoft's greatest strengths have always been the ability to see which way the ship is headed, and when it turns out they're going in the wrong direction, to turn on a dime. Obviously, I'll nod politely at their words, and watch their actions. But the last time they made this big a deal about something, they delivered.

    • > Microsoft's greatest strengths have always been the ability to see which way the ship is headed, and when it turns out they're going in the wrong direction, to turn on a dime.

      Rather, Microsoft's biggest problem is that they don't see what everyone else is doing until several years later, and then they turn on a dime and follow along cluelessly, wreaking havoc in their wake.

    • by mr_death (106532) on Tuesday April 09, 2002 @01:47PM (#3310849)
      But the last time they made this big a deal about something, they delivered.

      Ah, but this "big deal" negatively affects their revenue and earnings, which is why I think it is little more than PR.

      Historically, Microsoft has piled in multitudes of features and foisted what should be beta software on the market. They find out what breaks, and provide bug fixes (euphemistically called "service packs") for the things people really whine about. This approach maximized their revenue, and accelerates it.

      Ask yourself if Microsoft would have turned Windows 2000 into Windows 2001 if a significant security hole was found on the eve of the launch.

    • ... when Microsoft steered their ship to embrace, extend, and extinguish the Internet, it was a "point adjustment" compatible with their general direction and operating methods. Deciding to quit adding features and ensure security *IS* contrary to their general direction and operating methods. Microsoft has risen fast and gone far based on moving faster than their mistakes, on making quality job 1.1, on getting something out there for sale, and then selling the fixes to the bugs.

      Getting the bugs out and making the software secure prior to first sale means that they can't run as fast, getting out ahead of competitors the way they used to. It also deprives them of the point-fix revenue stream.

      Maybe now that they're a genuine, legal monopoly they can afford to change business models. That's part of the point of .net, after all. Most significant, it changes the ongoing revenue model from point-fix sales to simply ongoing revenue. (presumably services)

      This turn will simply be harder than the Internet course correction.
      • Getting the bugs out and making the software secure prior to first sale means that they can't run as fast, getting out ahead of competitors the way they used to. It also deprives them of the point-fix revenue stream.

        It also means that they have a wonderful gauntlet to throw at their competitors. Interviewer: Mr. Gates, we note that Product X is late, yet your competitor has released their version. Care to comment?

        Bill: Yes, we're still doing our final security checks, in line with our Trusted Computing campaign. I wonder what they missed, rushing it out...

        In other words, quite a few of the arguments now used against them. As for "point releases" let's take a look at IE3 vs IE4. IE3 was, rightly so, the laughing stock of the Internet. IE4 singlehandedly destroyed Netscape.
    • Microsoft Trivia for $100 please

      Microsoft's greatest strengths have always been the ability to see which way the ship is headed, and when it turns out they're going in the wrong direction, to turn on a dime.

      Ding Ding: What is innovation?

      Alex Trebek: Bwahahahahahhahahahha...

    • Within a year, the entire product line had Internet features. Now, 7 years later, people publicly lament that Microsoft has virtually taken the Internet over.

      Yes - but this is what led to many of their security problems today. They decided they were going to "do" the internet, and so mashed a truckload of net features into all their products. So Word got the ability to detect hyperlinks, Outlook used IE to render web pages and so on.

      The problem is - they didn't really do the net at all. Compared to say KDE, where I can give any KDE program a net URL to open and it'll just do it, the Windows internet integration is a joke. They never resolved key policy decisions, like which takes precedence: Windows file metadata (with extensions) or MIME types? This is the problem that means I now get several emails every day that contain an embedded wave file, except it isn't a wave file, it's an EXE. IE sees that it's MIME-typed as a WAV, so passes it to the OS, which then makes its own, independent decision and detects from the extension that it's a program and so autoruns it.

      The same problem surfaces with web pages. IE usually ignores MIME types - when I was developing a web application recently I wanted to see some XML embedded into an iframe, and then be able to copy and paste it. I return the XML as text/plain, but IE realises it's XML and shows it in that pretty tree thing. Now I can't copy and paste it. Mozilla however follows the rules, so I have to use that instead.

      That's not a problem that can just be fixed overnight - it's a key design flaw. How do they fix that virus problem? By switching off the WAV background sound feature (something nobody ever used anyway) in emails. That's just a bandaid, and doesn't get to the core problem, which is the internet code in Windows usually ignores or doesn't receive MIME type info.

      Now I have no doubt that after this session of looking at code, MS products will have caught up with the competition in terms of security. Nobody should underestimate them. But as has been pointed out, whether that'll change their long term mindset is anybody's guess.
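The precedence problem the comment above describes (Content-Type header, filename extension and actual file content each consulted by a different component) as an added example that is not part of the original thread: a single policy function that only acts when all available type sources agree, and never hands executable content to an autorun path. The type tables, the minimal magic-byte sniffer and the sample inputs are constructed for illustration.

```python
"""Consistency check between declared MIME type, extension and content.

Constructed example. The design flaw: the mail client trusts the
Content-Type (audio/x-wav), hands the file to the OS, and the OS trusts
the extension (.exe) and runs it. Two independent decisions, neither
sees the other's evidence. The fix is one decision point that sees all
three sources and refuses on disagreement.
"""
import os
from dataclasses import dataclass
from typing import Optional

# Constructed, deliberately small tables; a real deployment would use
# the platform's registered-type database.
EXTENSION_TYPES = {
    ".wav": "audio/x-wav",
    ".html": "text/html",
    ".txt": "text/plain",
    ".exe": "application/x-msdownload",
}
ALIASES = {"audio/wav": "audio/x-wav", "audio/wave": "audio/x-wav"}
# Types that must never reach an automatic execution path.
EXECUTABLE_TYPES = {"application/x-msdownload"}


def normalize_declared(declared: Optional[str]) -> Optional[str]:
    """Strip parameters (charset etc.), lower-case, collapse aliases."""
    if not declared:
        return None
    base = declared.split(";")[0].strip().lower()
    return ALIASES.get(base, base)


def extension_type(filename: str) -> Optional[str]:
    """Type implied by the *last* extension, as the OS would see it."""
    _, ext = os.path.splitext(filename.lower())
    return EXTENSION_TYPES.get(ext)


def sniff_type(data: bytes) -> Optional[str]:
    """Type implied by magic bytes; None means 'no opinion'."""
    if data[:2] == b"MZ":                      # DOS/PE executable header
        return "application/x-msdownload"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/x-wav"
    return None


@dataclass(frozen=True)
class Decision:
    allow: bool
    resolved_type: Optional[str]
    reason: str


def decide(declared: Optional[str], filename: str, data: bytes) -> Decision:
    """One policy point: every source that has an opinion must agree,
    and an agreed executable type is still never auto-run."""
    sources = {
        "Content-Type": normalize_declared(declared),
        "extension": extension_type(filename),
        "content": sniff_type(data),
    }
    known = {k: v for k, v in sources.items() if v is not None}
    types = set(known.values())
    if not types:
        return Decision(False, None, "no usable type information")
    if len(types) > 1:
        detail = ", ".join(f"{k}={v}" for k, v in known.items())
        return Decision(False, None, "type sources disagree: " + detail)
    resolved = types.pop()
    if resolved in EXECUTABLE_TYPES:
        return Decision(False, resolved, "executable content is never auto-run")
    return Decision(True, resolved, "all sources agree")


# Constructed samples: the disguised EXE from the comment and a real WAV.
DISGUISED_EXE = ("audio/wav", "song.exe", b"MZ\x90\x00\x03\x00\x00\x00")
REAL_WAV = ("audio/x-wav", "song.wav", b"RIFF\x24\x08\x00\x00WAVEfmt ")

if __name__ == "__main__":
    for sample in (DISGUISED_EXE, REAL_WAV):
        print(sample[1], decide(*sample))
```

The text/plain XML case from the same comment is handled too: with no sniffer opinion and no mapped extension, the server's declared type is honoured rather than second-guessed.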

    • Microsoft's greatest strengths have always been the ability to see which way the ship is headed, and when it turns out they're going in the wrong direction, to turn on a dime.

      You're giving them a lot of credit for essentially catching onto something that was about as difficult to ignore as, say, Woodstock going on in your backyard. With the billions of dollars and expectations pouring into companies like Netscape, it would have required nothing short of a deliberate act of self-destruction for MS to ignore what was going on.

      Purchasing and developing a web browser in order to compete with a company that had very publicly vowed to put you out of business and buying web services like hotmail (for embarrassingly high prices) do not brilliant business strategy make. Even today IIS is not the dominant web server, despite years of aggressive marketing.

      As far as I can see, all Microsoft has done is react and trade on their already tough-to-beat desktop monopoly and cash reserves like they were going out of style. With .NET, they're just doing more reacting, at least so far, by implementing what is essentially a Java lookalike and backing it up with Microsoft monopoly and marketing clout.

    • by emil (695) on Tuesday April 09, 2002 @03:32PM (#3311601) Homepage

      When one of the DNS root servers switches to NT, please let me know - not that DNS is that stable or secure.

      When IIS has a 60% market share (as Apache does now), I might also get a bit concerned.

      When the Microsoft Sybase rip-off has a 46% market share (as Oracle currently has), we might start worrying about the datacenter.

      When they have a stable, scalable 64-bit version of Windows, we might start worrying.

      In order for Microsoft to get any of these markets, they will have to have a good product, good customer service, and good interoperability with other vendors' products. I don't see that happening anytime soon.

      After all, we gave them SMTP, and look what they did with that.

  • by Dharzhak (124289) on Tuesday April 09, 2002 @01:28PM (#3310699)
    Steven B. Lipner, Microsoft's director of security assurance, responded, saying: "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

    Lipner also reacted with astonishment when he was told that professional wrestling matches are fixed.
  • by quantaman (517394) on Tuesday April 09, 2002 @01:28PM (#3310700)
    several of its key program managers warned that underestimating Microsoft's ability to meet the computer security challenge might be as foolhardy as was misjudging its ability to turn itself into a dominant Internet player.

    I thought they were the default security player. Don't the vast majority of hackers break into MS boxes already?
  • hey now! (Score:2, Funny)

    by KingPrad (518495)
    what happened to honor among thieves?

    KingPrad

  • students view (Score:5, Insightful)

    by bpb213 (561569) <bpbyrne.gmail@com> on Tuesday April 09, 2002 @01:30PM (#3310715)
    Ok, I'm a student at a good university.

    looking at this -
    dozen half-day training sessions for its programmers, about 1,000 at a time.

    And I fail to see how you can teach. It's hard as hell to learn in a lecture hall of 300, but 1000? That's insane.

    Not only that, but for a half day? C'mon, Americans have an attention span of what? 15 sec? If that? (don't anyone take insult... :))

    How do they expect coders to pay attention to a small figure in front for a full 6 hours....1.5 hours is hard as it is for a normal college lecture.
    • Re:students view (Score:2, Insightful)

      by danheskett (178529)
      Because professionals are not college students, and vice versa.

      When the guy who writes my pay check speaks, I listen, even if it's stupid, dumb, and tiresome.
    • I think you will find that when the bottom line is threatened, Americans can focus on a problem in a way that's slightly scary.

      You just have to make it a convincing threat.

      (Hey, somebody around here has to stick up for us).
    • by wadetemp (217315) on Tuesday April 09, 2002 @02:38PM (#3311230)
      I used to have the same problem in college, but then again, I went to class several times a day, 5 days a week, 2 semesters a year, for several years. I fell asleep (mentally if not physically) many times, even in 1 hour classes. Now that I'm out of school, I have no problem paying attention to a 5 hour training session. It's actually a nice break. It's not like I do it every day, or even every week.
  • Microsoft.com Running on Linux [linuxjournal.com]

    Wired News reported today that Microsoft has outsourced their DNS to Akamai, and microsoft.com is now being served by name servers with a "networking implementation very similar to that of Linux". Akamai Technologies is a well-known Linux shop, but let's see.
  • What code reviews? (Score:4, Insightful)

    by Nintendork (411169) on Tuesday April 09, 2002 @01:35PM (#3310753) Homepage
    Since Gates sent out the letter pushing security, there have been a few patches. Only one of them (From what I can remember) wasn't credited to some security firm. Other companies are finding their code weaknesses and telling them. This is their plan???
    • by kTag (24819)
      This is horse shit. I'm using Win2k and for the past two weeks I got patches every couple of days just for the OS. That's about 10 patches since they decided to work on their security.

      I'm not saying they are delivering either, but they are doing stuff. Time will tell if it is actually real work or just smoke.
    • Microsoft most likely is doing code reviews OF FUTURE PRODUCTS, I.E. .NET, .NET Server, Windows XP, Office NGO, etc.

      You want security? Fine, buy our subscription products.
  • by jacobb (93907) on Tuesday April 09, 2002 @01:37PM (#3310765) Homepage
    Microsoft is rich because people upgrade if not every year, then every other year.
    It could not possibly survive by selling bug-free software - it's just not in their interest. The vast majority of users DON'T blame MS for the crashes, rather they either blame a 3rd party program or themselves even though the fault lies almost entirely on Microsoft.

    They DON'T get bad press from outlook viruses - the evil hacker delinquent kids do. MS is seen, of course, as the victim.

    Windows 2000 was released with, what, 20,000 known bugs in it. It seems to me that my Windows partition works worse and worse with each new version I put on it. So I buy another.
    Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming Microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

    Microsoft sells software that is so bloated that if they actually did a decent code audit (which, of course, would be far too expensive) and tightened things up, you wouldn't need that couple gigs just devoted to the OS. In short: MS NEEDS you to upgrade. Why on earth would they really mend their ways? Especially if it would cost more and get less overall business?

    • by Carnage4Life (106069) on Tuesday April 09, 2002 @02:06PM (#3310975) Homepage Journal
      Don't you realize, this is the best business model of all? But of course, now that the nerds, geeks and generally intelligent people are widely blaming microsoft they want to quickly sidestep widespread scrutiny by (you guessed it) telling us security is their highest priority.

      As someone who's actually inside the Borg cube I can tell you that security is currently our highest priority. Thousands of people across various product teams have attended security lectures, new development has been stopped, old code and new code have been stringently reviewed, an emphasis on secure defaults is beginning to occur, and new functionality is designed with security in mind before all else.

      Of course some people will complain about why this has taken so long while others will probably say "better late than never" but either way it should be noted that a code review/security audit on this scale is probably unprecedented in software development history. Some may chime in about how Open Source is supposedly a constant large scale code review but I've previously written on the fallacy of this kind of thinking [slashdot.org].

      Now on to counter the main claim of your post that releasing software with security issues is a good business model. This may have been true in an un-networked world where the most a compromise could do was allow another user on your system to perform some mischief, but in a world where some kid in Asia can tie up mail servers on most of the planet by using a GUI virus toolkit, security becomes very important. Unfortunately across the entire software development spectrum from *NIX to Windows, from Open Source to proprietary, we as developers are failing and clinging to panaceas and silver bullets (Open Source - the "with many eyes all bugs are shallow" myth, safe programming languages, just use crypto, etc.) when in truth there is more to security than just applying a buzzword technology or software development style. I outlined some of the practices and techniques that lead to more secure software in my The Myth of Open Source Security Revisited v2.0 [earthweb.com] article. Having done some more research into security issues I should probably do a followup article and focus on other fallacies and problems which lead to complacency in software development and from there insecure software.

      Disclaimer: This post is my opinion and does not reflect the opinions, intentions, strategies or plans of my employer.
      • by BurritoWarrior (90481) on Tuesday April 09, 2002 @03:18PM (#3311497)
        Microsoft really does brainwash their employees. I went to your site about the "myth" of open source software being more secure, and I see where you point to the Security Focus table to try and prove your point. For the *thousandth* time, that table takes into account every single application that ships with a distribution. Can we lump in all the vulnerabilities for MS Office/Outlook, MS Works, SQL Server, and Exchange into the NT/2000 group?

        And even with those misleading statistics, the only distro above NT/2000 (42) is Red Hat (54).

        Your lack of objectivity renders your entire article irrelevant.
      • Possibly correct (Score:5, Insightful)

        by HiThere (15173) <charleshixsn&earthlink,net> on Tuesday April 09, 2002 @05:20PM (#3312293)
        You may be right. I'll never know. Because I will never agree to what I've seen of the recent MS licenses.

        So I will continue to perceive MS software as basically unfriendly, useless, insecure, etc. The last versions that I could legally look at and evaluate were that way, and I see no reason to change my opinion. Any company that makes it illegal to post reviews of their current products does not deserve any amount of "suspension of disbelief".

        More to the point, any company that insists on the right to add, delete, copy, or remove whatever software it chooses from my hard disk cannot be considered secure no matter how secure the software itself actually is. That legal requirement is nearly the zenith of possible insecurity, and renders any software that requires it unsuitable for any application that I can conceive of.

        Perhaps you've changed your license again. Is there any reason for me to believe that you won't change it back just as soon as I buy in? You seem to be requiring the right to change the terms of the license without my agreeing to it, or even knowing of it (via "license specs are kept on a web page").

        I don't see how things COULD be less secure, for the end user.

      • Of course some people will complain about why this has taken so long while others will probably say "better late than never" but either way it should be noted that a code review/security audit on this scale is probably unprecedented in software development history.

        Then again probably not, FreeBSD has had every line of code reviewed before, and if you count the fact that it has more functionality pound for pound.

        Some may chime in about how Open Source is supposedly a constant large scale code review but I've previously written on the fallacy of this kind of thinking.

        Oh well QE- fucking - D then, if YOU wrote on it we must be wrong. Let me clue you in, no developer, company, or whatever can prepare for every eventuality, once past a certain threshold no code can be 100% secure. There's always the possibility, that something will come along to break it. And when that thing comes, it's the OSS that gets fixed quicker, and better than any commercial offering.

  • Stick the guy who was quoted in the article in a room with Theo De Raadt(sp?? sorry Theo) of OpenBSD fame.

    Then tape the hilarity that ensues, we could have a new weakest link on our hands. :D

    I know I'll get modded down for this, but you only live once.
  • Bare Computing (Score:2, Insightful)

    by Anonymous Coward

    This Salon article [salon.com] asks if people would trust Microsoft enough to allow their programming to fly planes or spaceships. Of course, a plane running on windows 3.1 or win98 would be scary indeed... but even a bloated NT/XP or *nix installation would make anybody nervous.

    ... but what about a DOS box?

    ... what about a stripped down *nix box?

    It seems to me (a windows user) that the power of the *nix systems is the ability to strip it down to the bare essentials... to remove variables that could cause problems. DOS also kinda had the feel to me.

    I wonder if we all would trust microsoft stuff more if we as users could completely remove the nonessential parts... and slowly build as we needed. Everybody knows it's impossible to debug in multiple dimensions...

    Until that time... nobody would fly in one of those planes... due to the constant worrying if the movie that they are watching will suddenly change into the "blue screen of death."


    Anyway... be gentle... my karma is so fragile...

    Davak

  • by AmigaAvenger (210519) on Tuesday April 09, 2002 @01:43PM (#3310817) Journal
    Username: dotslash2002 Password: dotslash2002 (had to, no one posted on yet, had to go through the trouble of getting another account registered...)
    • gorwell1984 / gorwell1984

      P.S.
      You need to accept the second cookie for the article to appear, but that one is only a session cookie that disappears when you close your browser.

      P.P.S.
      What's a gorwell? George Orwell author of 1984.

      -
  • by iabervon (1971) on Tuesday April 09, 2002 @01:46PM (#3310837) Homepage Journal
    In those two months, MicroSoft has probably fixed more security-compromising bugs than most open source projects (except for sendmail and BIND) will ever have. MicroSoft can put far more effort behind solving the problems that they have created for themselves than the open source community could ever hope to, both in terms of solving problems and in terms of creating them.

    The open source community is always taking shortcuts by not making every possible mistake and then fixing it. Who cares about results? MicroSoft can do more work than anybody else, and that's all that matters.
  • In other Microsoft related news [excite.com], the judge is quoted as saying "I will note that Microsoft sounds a little schizophrenic,"
    after "Microsoft asked Kollar-Kotelly to throw out much of Schwartz's testimony"
  • by guanxi (216397) on Tuesday April 09, 2002 @01:47PM (#3310846)
    Not all monopolies are abusive. I have no serious objection to Intel's or Cisco's market dominance, and IMHO SBC falls into the same category.

    After they took over Ameritech's operations, service and especially support improved dramatically, at least for me. I'm happy to have them here -- the best telecom company I've ever dealt with (I've done business with Ameritech, PacBell, AT&T, MCI/Worldcom, Sprint, Verizon, and some others).
  • by jdbo (35629) on Tuesday April 09, 2002 @01:48PM (#3310857)
    "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

    I love this quote; it's _so_ MS.

    Two months of a several thousand developers = 60 days * 8 hours per day (being generous and throwing in weekends) * 9,000 coders = ~ 500 man-years. Not too shabby!

    Bullshit, that's playing with numbers. I could further "statistics-ize" this to say that this means every line of Windows XP got 8 minutes of attention in the last 2 months.

    The reality is that secure development takes _time_ and _experience_ as well as eyeballs. Not everything is repaired correctly the first time, and the corrections themselves often need further review and correction. A fast fix is often worse than a naive bug.

    This sort of thing is even more likely to happen when you're changing your development habits to take security into account - transitions are always messy. I doubt much effective security work actually "got done" on the Windows code in those 2 months, relative to the amount of "security twiddling".

    While I have to applaud MS for finally _beginning_ to take security seriously, it's complete B.S. on their part (and very much in classic MS form) to suddenly claim that they're "the securest of the secure" when they're just entering the field.
    • I agree the quote is very MSFTish.

      It's nice to examine each line of code (are these former Y2K code monkeys?), but the fundamental design must be examined and secured from that perspective. I really think the process of making software totally secure begins with re-engineering the design, and securely implementing that through code.
  • "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he said

    I'm surprised they'd admit that so openly. Maybe they're serious about this trust thing, afterall.
  • One of the themes of the Salon article is that Microsoft is using Digital Rights Management to further promote Windows as the single dominant PC operating system for commercial transactions involving intellectual property with end users. The author argues that if Windows gets intertwined with commercial transactions as the sole approved method, then this single (weak) operating standard will be a boon to thieves and terrorists. The parallel was that this is essentially the equivalent of the monoculture problem which led to the Potato Famine, where populations of genetically identical potatoes are more susceptible to diseases (e.g. viruses) than genetically diverse ones.

    I'm wondering whether Microsoft is ideally placed to take advantage of this .... If Open Source software is intertwined with free transfer of intellectual property, then it seems like the media companies will almost be driven to Microsoft by default.

  • Yo, Microsoft! I've been code reviewing the Linux kernel since 1994.
    2 months. I'm not impressed.

    -Spack

    PS: For the doubters, Yggdrasil, green cover, God playing "pull my finger" with Adam on the cover.
  • "Geeks like learning new things, and when they pop out at the end of the process they're entirely brainwashed," he (Michael Howard) said.

    Brainwashed? This coming from a Microsquash guy? I guess I'd be brainwashed too if I worked there....

    EFGearman

  • I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.

    I wonder what Theo has to say about that!
  • "You have my word: we will lead the industry in delivering secure software."

    "I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

    To try to relate these two quotes: the OpenBSD folks have been doing constant security audit on their code for years. I'm pretty sure what they've done surpasses anything Microsoft has done as of yet, as they have been specifically focused on providing a secure operating system for quite a while: http://www.openbsd.org/security.html [openbsd.org]

    Moreover, they've continued to have security problems [slashdot.org]...and that is the nature of software development. If the software is in use, then somebody is going to find a way to hack it. And the more people use it, the more people are going to figure out how to hack it. And the quicker this process is, the more quickly you are going to have to respond to it.

    But this does not mean stopping once a year and deciding you are going to do a massive code audit. It doesn't follow that Microsoft is all of a sudden going to have secure code unless they wake up and realize their non-disclosure policy is hurtful...they need to immediately make available patches and make people aware of security problems so people can take some sort of action...and I dare say they might think about opening up their code base (naw, that'll never happen I guess). It's a multi-faceted approach, and the open source community is just better at it at this point - we don't have a marketing department.

    This whole security push on their behalf just seems to be another marketing ploy, really, complete with a catch-phrase: "Trustworthy Computing." Let's call it what it is, huh? - "we are going to fscking focus on security now." It seems like no matter what they do, as long as their marketing department is fighting their security/engineering team for dominance (well, I guess it's already won really) it's going to be the same old story.

  • by cecil36 (104730) on Tuesday April 09, 2002 @02:12PM (#3311020) Homepage
    I'd be astonished if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months.

    I'm willing to bet that you'll be retracting that statement when something blows up in your code or if some new security hole is discovered by some script kiddie. We have the results to show that code review should not be a rush job.
  • by fanatic (86657) on Tuesday April 09, 2002 @04:05PM (#3311827)
    Even if they were actually successful (not likely) in cleaning up the massive number of unintentional screw-ups in their code, the stuff they do intentionally is worse, including the Product Activation 'technology', their Secure Audio Path crapola (==selling their users' rights to the highest bidder), that abominable Plug'n'Play crap that just 'decides' to randomly re-configure your system hardware, and Anything.Net. Also, their gratuitous changes to file formats, communications protocols and APIs to enforce upgrades and preclude competition.

    It's the stuff they do with full knowledge and intent that makes them un-trustworthy.
  • by mmusn (567069) on Tuesday April 09, 2002 @05:16PM (#3312272)
    A many-billion dollar company faces security problems and its response is to do what the textbooks say to do about security: mostly lots of extremely dull code reviews.

    Yes, they probably will do some good. Yes, they will probably help a little with the perennial problems with Microsoft software: that it is dumped on the market with way too many bugs, that it is dumped on the market with way too many features, and that it is dumped on the market much earlier than the software from more conscientious competitors, driving them out of business.

    But it doesn't address the fundamental problems. Microsoft software is still closed source and it is still written and controlled by a small number of programmers up in Redmond, programmers who often have no experience of anything beyond Microsoft. Even if Microsoft made all their software "shared source", the economic incentives would favor the crackers (other developers don't have much interest in contributing fixes to Microsoft that they just have to pay for again in the next release).

    Most importantly, however, Microsoft's goal of total market domination is their own worst enemy: an OS that runs on 95% of the machines is intrinsically and unavoidably not secure. We need operating system diversity. If no single OS or server software runs on more than 5-10% of desktops and servers, then security problems are automatically self-limiting. And, as a bonus, the increased competition would give us better products and more innovation. (And, yes, these comments apply to Apache as well.)
