Microsoft: Trust and Antitrust
Microsoft is in the news for two reasons today: the continuing saga of the antitrust cases, and Microsoft's public relations push for "trustworthy computing". A selection of links: Microsoft claims two months of code reviews and half-day seminars surpasses everything ever done by the open source community; Salon talks about the problems with a monoculture; SBC, an abusive telecom monopoly, complains about Microsoft's behavior, an abusive OS monopoly; and Microsoft responds, claiming that SBC is merely being self-serving.
NY Times username/password (Score:5, Informative)
Re:Two months? Get real. (Score:2, Informative)
I may be wrong on this, but I thought OpenBSD counts as Open Source, and they're certainly doing a security audit [openbsd.org] of the source code.
Re:Two months? Get real. (Score:5, Informative)
True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."
No, False. You (and Microsoft) are completely ignoring Open Source projects that only audit code... i.e. the Kernel Janitors: [kerneljanitors.org]
Re:What code reviews? (Score:2, Informative)
I'm not saying they are delivering either, but they are doing stuff. Time will tell if it is actually real work or just smoke.
Re:Windows XP SP1 (Score:2, Informative)
Re:Key to user security... (Score:5, Informative)
Essentially, Windows.NET server ships with absolutely NOTHING enabled by default. This does present a problem to the typical Microsoft "it's so easy just plug it in" sort of thing, but that is solved by an improved "configure your server wizard". The first time the server boots up, the user can explicitly select what to install and/or turn on, and ONLY what they select gets installed/turned on.
The individual components themselves have improved as well. IIS 6 by default will serve only static HTML files, and installs no sample files or other stuff. You have to manually run the IIS security wizard to turn on things like ASP, CGI, etc. If you install a new ISAPI filter or something of the like, you have to manually enable it. Nothing gets turned on unless YOU the admin turns it on.
The other thing is that IIS 6 is a complete ground-up rewrite; no code from IIS 5 was used in its creation. It's gone through a complete code review to (hopefully) eliminate any buffer overflows or other bugs. There are other improvements as well... for example, the easy ability to run each website being hosted under a separate security account, typically with minimal access to anything.
Microsoft isn't stupid; they see that their biggest PR problem right now is security and they are doing something about it. True, they should have jumped on this a long time ago, but late is better than never.
Re:NY Times username/password (Score:3, Informative)
P.S.
You need to accept the second cookie for the article to appear, but that one is only a session cookie that disappears when you close your browser.
P.P.S.
What's a gorwell? George Orwell author of 1984.
Re:Two months? Get real. (Score:2, Informative)
My computer has received 10+ security updates from MS since the beginning of February. Prior to that they came out few and far between (every few months). I would say that from an end-user's perspective, I can see a major difference. And I had noticed the increased updates without seeing any of their "Dog and Pony Show." It remains to be seen whether or not these updates prove useful, and also just how many more updates will come out (how many are needed?), but I can see that they're doing *SOMETHING*, which is more than I've seen in the past.
Bullshit, look at OE and file sharing defaults... (Score:3, Informative)
Re:Key to user security... (Score:1, Informative)
"two months of code reviews" ??? (Score:2, Informative)
Today, my next-cubicle neighbor asked me why we keep the warning-level at 3 in the MSVC++ environment. Being primarily a Linux/Solaris guy, I said I had no idea why and suggested he raise the level to 4 (the maximum) and see what happens. Ten minutes later, he got his answer: the compiler issued 1000+ warnings, most of which came from the standard library header files! Talk about a need for code reviews...
But I guess I shouldn't worry, since Mr. Lipner will simply sic his Uruk-Hai legions on that code for a week, and they'll make it into a thing of such sparkling crystalline beauty that the gcc developers will weep with envy.
yppupdurc