Microsoft

Microsoft on Security: We'll Break Your Apps 609

jointm1k writes "Wired.com is running a story about how Microsoft is trying to act responsible and all by fixing (or trying to fix?) many (if not all) security holes in Windows. Not only new versions of Windows will be patched or improved, but as I understood they also plan to force security updates for older versions of Windows down people's throats. Even if that means that some applications will malfunction. Nice to see Microsoft taking responsibility for their mistakes, but they really should have done so when they designed Windows."
This discussion has been archived. No new comments can be posted.

  • by tylerdave ( 58777 ) on Thursday November 14, 2002 @10:40AM (#4667969) Homepage
    Assuming Microsoft does actually want to clean up their act, which I'm highly skeptical about, it seems that they'd be criticized for forcing updates just as much as they would for not trying to make adoption of the updates widespread.
  • Whiners (Score:5, Insightful)

    by Profane Motherfucker ( 564659 ) on Thursday November 14, 2002 @10:41AM (#4667971) Journal
    Microsoft fixes problems: you bitch because it breaks shitty apps. Microsoft doesn't fix problems: you fucking bitch because it doesn't fix problems.

    Now the submitter claims that "they should have fixed them when they designed Windows." What kind of fucking bullshit logic is this crap? Do we piss and moan that Linus is a stupid mangina because the virtual memory in the early 2.4 kernels was fucking trash?

    Get with the fucking program: MS isn't *all* bad, and they are not "forcing upgrades down people's throats." It's still your option to have a shitty, fucking security hole laden sloth of an OS.

  • Damage control. (Score:5, Insightful)

    by Martigan80 ( 305400 ) on Thursday November 14, 2002 @10:41AM (#4667979) Journal
    That is all this is really. After reviewing their recent papers about how to shift business tactics and the threat of open source; it makes sense they would try this next. Maybe they took a moment, and looked at the tests themselves. Or this is a follow up to the $400M they gave to India?
  • What? (Score:5, Insightful)

    by clinko ( 232501 ) on Thursday November 14, 2002 @10:42AM (#4667983) Journal
    Yeah, you're right. Microsoft should have written every line perfectly like every line of code you ever have written.
  • Say that again... (Score:3, Insightful)

    by cOdEgUru ( 181536 ) on Thursday November 14, 2002 @10:43AM (#4667990) Homepage Journal
    they really should have done so when they designed Windows

    Bugs (*ahem* features) and Security flaws are not intended to be part of the package. They happen because of bad design and bad coding practices and bad decisions. And no matter how hard you try (and try as you may even in the case of Linux) it's impossible to do so during the design or coding time.

    I would applaud this effort to force it down the throats of customers (at least it would reduce the number of vulnerable servers sitting out in the open), but it goes only as far as any user would want to.
  • Silly aside (Score:4, Insightful)

    by aborchers ( 471342 ) on Thursday November 14, 2002 @10:44AM (#4668000) Homepage Journal
    Nice to see Microsoft taking responsibility for their mistakes, but they really should have done so when they designed Windows
    This is a really silly aside. If we waited for software to be perfect before designing/releasing it, we would never have any software. Design flaws are part of the process. How they are fixed with minimal technical and insult to the users is what is important. IMO, the real reason to slag MS is for changing the license terms in exchange for a security patch!
  • by jjsjeff ( 210138 ) <jjs8108@yah[ ]com ['oo.' in gap]> on Thursday November 14, 2002 @10:44AM (#4668002) Homepage

    The more holes they patch the more holes they open.

    This new strategy is to break competing software.
  • for christsake (Score:4, Insightful)

    by avandesande ( 143899 ) on Thursday November 14, 2002 @10:44AM (#4668006) Journal
    but they really should have done so when they designed Windows

    What os didn't need security fixes after it was released?
  • by muffen ( 321442 ) on Thursday November 14, 2002 @10:45AM (#4668009)
    but they really should have done so when they designed Windows.

    I think you have to remember that Microsoft used to put functionality before security. There is a tradeoff between functionality and security. For example, do you allow mailing functionality within the VBS language and the macro language? There is a reason why there are over 20 worms that can spread using MSN messenger, and none that can spread using Yahoo messenger.

    However, times change, and people change. Now people put security before functionality. Microsoft is just going with the times...
  • by gaff1 ( 67478 ) on Thursday November 14, 2002 @10:45AM (#4668020)
    I think it's a noble effort on Microsoft's part, but if you've ever developed large applications you know that security cannot be an afterthought. It's been my experience that unless you design security in from the very beginning, it's almost impossible to make it truly secure. Security has to be part of the foundation, not a higher level layer.
  • Re:Whiners (Score:2, Insightful)

    by Anonymous Coward on Thursday November 14, 2002 @10:45AM (#4668022)
    I couldn't agree more. It's very for the /. crowd to sit back, feel superior, and snipe at Microsoft, when most of the people here aren't even developers. And I'd bet that those who do write serious code (50-line scripts don't count) have almost no real-world experience with trying to please a mainstream market. Just look at Linux with its 1% desktop market share for proof of how hard it is to address this segment.
  • by rovingeyes ( 575063 ) on Thursday November 14, 2002 @10:46AM (#4668030)
    the only way to avoid massive layers of backwards-compatible cruft is to just slough off the existing infrastructure and create the OS anew for every release.

    My take on this "impractical". A new version of OS comes out in every couple of years, and in near future I can expect it to be every year. Now that means shelling out money on new, improved version of apps and systems. Let me tell you there are people still using win95 and very happy with it coz it still works. Tell them to upgrade every year and shell out $500 a year on system. They'll just smile at you and say -"boy are you out of your mind, no way"

  • by FortKnox ( 169099 ) on Thursday November 14, 2002 @10:47AM (#4668035) Homepage Journal
    Amen, brother!

    Nice to see Microsoft taking responsibility for their mistakes, but they really should have done so when they designed Windows.

    I mean, come on. When they do something right, you just GOTTA change it around to make it a negative. And you wonder why MS is after Linux, right? Who's being childish now?

    I'd really like to know how many lines of code the submitter even wrote if he is naive enough to think that MS architects would design the perfect OS from the start.
  • by Flabby Boohoo ( 606425 ) on Thursday November 14, 2002 @10:48AM (#4668049) Journal
    Yes, and of course he is talking about free software. So if something breaks, just download the new version.

    But if the apps are purchased, that is a bit much to swallow. Of course, if MS has service packs that fix the broken apps, then I guess it would not be so bad.
  • by p00kiethebear ( 569781 ) on Thursday November 14, 2002 @10:49AM (#4668065)
    That windows just doesn't seem like it was designed to take on improvements. It seems like every new "security" update only brings more problems. What they should be doing is sending out more release clients to testers before they release the next completed version of software to the public. Before they make their next release they need to DEBUG DEBUG DEBUG and grab a much wider variety of people willing to test their stuff. If their aim is really to "protect" the end user, then this is what they should have been doing all along.
  • by mauryisland ( 130029 ) on Thursday November 14, 2002 @10:50AM (#4668066) Homepage
    Why wouldn't they want to clean up their act? I'd imagine that this will lead to their *loyal* customer base always jump for their latest and greatest releases. New Windows, new apps, new everything, all ready for Palladium!
  • by RichMan ( 8097 ) on Thursday November 14, 2002 @10:50AM (#4668067)
    One of the main arguments businesses have been using against looking for Linux solutions is that legacy applications (of the windowsNT/95 variety) must be runnable. Now with Microsoft saying that they may not support all legacy code this is removing one of the last barriers stopping some companies from looking at Linux.
    If a company is looking at redoing an application for the windows base it may just be easier for them to make it work with WINE than with the new windows code base.
    I am sure Microsoft is aware of this. There must be some really big holes they are going to close with action or they would not consider dropping the support for legacy applications.
  • by Multiple Sanchez ( 16336 ) on Thursday November 14, 2002 @10:50AM (#4668074)
    Nice to see Microsoft taking responsibility for their mistakes, but they really should have done so when they designed Windows.

    Next you'll be criticizing the quality of the beef at McDonald's.

    Most Americans want to surf the web, download MP3s, and spend $2500 to watch the Matrix DVD on a two hour flight, and they'll pay the same amount for Windows whether Microsoft makes it secure, or not.

    Bill Gates is a smart business man. Microsoft is a successful business. As such, the $ is the bottom line. Analyzing their products from any other perspective is a waste of time.

  • Enough! (Score:5, Insightful)

    by Psarchasm ( 6377 ) on Thursday November 14, 2002 @10:52AM (#4668084) Homepage Journal
    Microsoft is doing the right thing.

    Every vendor Microsoft, Apple, Sun, Red Hat, Debian can create an incident where a patch breaks a vendor's application.

    I've personally seen it happen with 4 out of the 5 vendors already. Deal with it. AFAIK there is still no forced patching. Your OS doesn't just up and DIE if you decide not to patch your OS because you are aware that patching will create problems for you.

    On another note - Certainly Slashdot leans a little left politically and leans a lot toward "open solution" computing but everything about this story just reeks. "windows-ain't-done-while-competing-apps-still-run dept." -- GIVE ME A BREAK. If that were the goal, Microsoft would quickly be driving itself out of business. "... but they really should have done so when they designed Windows" -- again, who are you trying to fool here?? The same argument could be said for every operating system in mass production use today.

    Give it a rest. You're just starting to look foolish now.
  • by nanojath ( 265940 ) on Thursday November 14, 2002 @10:55AM (#4668109) Homepage Journal
    "Microsoft's security honcho has a message for Windows users: Let's roll."


    AAAARRRRRGGGGHHH! You know, people went DOWN in that freaking airplane, went down and smashed into the ground and died and burned up. And I am SICK TO DEATH of now hearing the phrase used to hawk and shuck and promote every kind of consumeristic bullshit and political jingo. Can we pass a constitutional provision to the First Amendment that you aren't allowed to use the phrase "Let's Roll" in public unless you're actually about to confront terrorists on a hijacked plane?

  • Re:Whiners (Score:5, Insightful)

    by photon317 ( 208409 ) on Thursday November 14, 2002 @10:58AM (#4668122)

    Oh it's on now :)

    We're bitching because their extremely late fix breaks non-shitty apps that were coded to the best of coders' collective abilities with the docs and design microsoft presented at the time.

    "They should have fixed them when they designed Windows" is no bullshit logic. Many of Microsoft's security problems are not simple bugfixes, they are serious design flaws, which are irreparable without breaking userland in bad ways. Nobody "moans that Linus is a stupid mangina because the virtual memory in the early 2.4 kernels was trash" because it got fixed without changing the interface to userland, so it didn't break anything to fix it. The overall big picture of linux's VM design from the apps' point of view was correct all along, there were just implementation bugs in early 2.4 that got fixed later.

    Get with the fucking program: MS IS all that bad, and they *are* forcing upgrades down many users' throats because of the way updates, the EULA, and customer legal obligations interact.

    I will agree with you on your last sentence though.
  • PPRR (Score:4, Insightful)

    by Docrates ( 148350 ) on Thursday November 14, 2002 @11:01AM (#4668140) Homepage
    I hope everyone realizes that they're doing this for PR purposes. Right now there are lots of governments that are trying to get away from MS products so that they don't put all their information in the hands of an American Company. Also, this is one of the main selling points of OSS vs. MS. As soon as they feel people aren't paying that much attention to security, they'll back away from "cumbersome nuances" like security.

    I'll buy it that they really care about this stuff when they start building software over previous security-related experience, and I'm not talking patches here, I'm talking OS re-writes based on what works and doesn't security wise.
  • ONce Again (Score:4, Insightful)

    by Quill_28 ( 553921 ) on Thursday November 14, 2002 @11:01AM (#4668143) Journal
    >but they really should have done so when they designed Windows.

    No they shouldn't have. Can you imagine the problems with Windows 95, if they would have put tight security on it?
    Inexperienced computer users would have thrown their hands up in frustration (why can't I install this program!, why won't the printer install! I forgot my password, why do I have to add a new user).
    Most people just want to get e-mail, surf the web, run quicken. As users start demanding more (functionality, security, stability) they will switch to a different OS, or MS will have to improve. Which it seems they are trying.

    Windows has plenty of room for improvement, but statement seems a bit of a reach.
  • by Anonymous Coward on Thursday November 14, 2002 @11:02AM (#4668150)
    There are basically two choices here:
    • make drastic fixes for security that by way of plugging up the gaping design flaws will break many machines that rightly used those flaws (back when they were features)
    • leave the flaws in and have a sorta working and insecure machine
    It is correct to say that Microsoft should have actually not designed crap. It would also be right to muse that if MS had put more into Engineering solutions instead of what was put into marketing, legal and making things break (remember the mantra from the DOS days, "DOS isn't done till Lotus doesn't run")

    These things are a definite reflection on the ethics and values of MS, much less their commitment to consumers. However, now that is the reality so what are you going to do? Myself, I take this as either an "about time" change in strategy, or could take it that they are only concerned about quality when legal liability is involved. Personally, I just don't trust them based on their track record. However if I had to support (and admittedly I don't) Windows users who wanted security... then I would probably see about testing what breaks and why. Some things may not be as hard to find workarounds. For example, if some internal pathway or routine is rerouted or castrated causing anything that depends on it to die... then perhaps the shared library that uses that could be rewritten and released (by MS). In cases of hard coded (to which I say, you TOO are learning a hard but necessary lesson about proper software design) pointers to things that will soon push up daisies then I suppose some emulation or redirection layer could be implemented... but still that is an ugly fix.

    As someone who often has to work on MS boxes (I am typing this on one at work, sadly) or has to develop things for them (I like to refer developing for MS platforms as a thousand dollar effort for a temporary tattoo on your lungs... it hurts like hell, is very invasive, very expensive, requires a crap load of recovery time where risk of infection is massive yet is not only temporary but NO ONE will ever see it.) Optimizing software for MS platforms is kind of silly considering how the crapware they incorrectly refer to as an OS only cuts the app's throat. I say save money and just hack it together! </sarcasm>

    The submitter is coming off as the very thing that no one wants (except for kiddies) and that is a poser zealot who really lashes out at others while looking over his shoulder to make sure it is making him look "cool." I thought we were slowly moving away from that crap! Michael should show a bit more maturity when reviewing then posting submissions.

  • Wait a minute...? (Score:2, Insightful)

    by n3uxf ( 232197 ) on Thursday November 14, 2002 @11:05AM (#4668186)
    So what they are saying then is that they know there are problems with our software that need fixed, we are going to fix those problems, but if we FUBAR your system in the process, tough luck... If this was any other company other than MS, they would be crucified for this same mentality. Why is it ok for MS to do this, but other companies would not survive?
  • by HeghmoH ( 13204 ) on Thursday November 14, 2002 @11:09AM (#4668218) Homepage Journal
    Yes, the phrase "Let's roll" was certainly never used for anything, ever, before September of last year.
  • by Queuetue ( 156269 ) <queuetue@nOSpam.gmail.com> on Thursday November 14, 2002 @11:18AM (#4668309) Homepage
    The only thing MS "wants" is to increase revenue. Secure systems are typically less friendly. Therefore, until now, MS has not wanted their systems to be secure.

    Now, the flak from Nimda, melissa, et al. have begun to impact their market share (or their internal analysts believe the market will follow that trend), and they have started to give lip-service to security.

    But they still can't alienate that customer base they spent 20 years numbing into ignorance. Will we see real security? Not for long time. Will we see secure "wrappers" around the inherently insecure MS offerings? Yes, but I guarantee there will be ways to disable them immediately if it impacts revenue.

    BTW, there's nothing wrong with a company's management considering market growth and revenue when making decisions. Decent people do, and temper it with service to the greater community, morality, and improving the lives of their employees and customers. MS operates as though all of those issues are served by the marketing department.
  • by frozencesium ( 591780 ) on Thursday November 14, 2002 @11:20AM (#4668325) Journal
    This story is nothing but PR...

    The story never mentions *how* they plan to force users of older systems to patch and upgrade their security. As has been the topic of many a comment, the biggest problem in security is an admin/user who doesn't patch. If they haven't been able to get people to patch in the past, how do they think they can force a win95 user to patch their box now?

    The best they can hope to do as far as *forcing* upgrades is making the automatic "microsoft update" mandatory and non-removable. Imagine the uproar...

    Second, a reality check...you will never squash all bugs. Software is a dynamic beast, especially when it comes to operating environments. As the systems grow and functionality increases, so do the chances for bugs. It's a simple fact that the more lines of code you have, the more bugs you have. Microsoft is as able to squash all bugs in all their software as any *nix system is to fix every single bug in theirs. It just isn't going to happen...no system is perfect.

    "Nice to see Microsoft taking responsibility for their mistakes, but they really should have done so when they designed Windows"

    I particularly liked that part...as the current incarnation of the internet did NOT exist when the first versions of DOS came out. Heck, most people didn't know what a dialup was when 3.1 came out. Early MS systems were never designed to be multi-tasking, let alone multi user, and therefore never needed security...it simply wasn't thought necessary. If the computer is going to be used by one person and not connected to the net (such was the case in the early 80's), then why include extra useless security code? The same design base was used and simply extended to maintain backward compatibility as time progressed. Thus MS saying that their design is fundamentally insecure...because it didn't HAVE to be secure in the early days. After all, it's easier to expand than re-write...especially if you do want to backward compatibility.

    As I see it, the sins of the past are more about business practice (which is abhorrent), than it is about software design. After all, they have migrated their new OS's to a fundamentally NT based system, and have increased security and stability in the process. I'm not saying they don't have a ways to go, I'm just saying that it is better than it was.

    In any case...I'm happy with debian, so I don't care what they do for my sake. I hope that something good comes of this so that my parents can get a more stable and more secure OS...

    -Frozen

  • by Beliskner ( 566513 ) on Thursday November 14, 2002 @11:22AM (#4668339) Homepage
    Nice to see Microsoft taking responsibility for their mistakes, but they really should have done so when they designed Windows.

    I mean, come on. When they do something right, you just GOTTA change it around to make it a negative. And you wonder why MS is after Linux, right? Who's being childish now?
    Yeah, and now Micro$oft can also force those "security" updates onto *nix systems as well, oh oooops our "security" update is incompatible with Samba, you'll just have to upgrade to WindowsXP and deal with product activation and force DRM down your throats. I'm happy with my Win 98 on my P2-450 with IE4. I don't need your IE6 with DRM auto-updates
  • Not so. (Score:2, Insightful)

    by dvt ( 93883 ) on Thursday November 14, 2002 @11:25AM (#4668367)

    Microsoft's reputation for intentionally breaking competing applications is based on well-documented incidents where Microsoft added code specifically for this purpose.

    Most recently (about two years ago) Microsoft added a "Security Update" for Outlook supposedly to protect users against viruses. It also broke a lot of applications that did things like synchronize with a PDA, at a time when Microsoft was focused on competing with Palm. The security update could easily have been designed to prevent this side effect.

    Based on its ruthless history, it is entirely reasonable to expect that Microsoft will once again use its control of Windows to sabotage competitors' products. It is not Microsoft-bashing to judge a company based on its past behavior. Microsoft has only itself to blame for developers' suspicion and hostility. A company that plays nice 95% of the time and plays dirty tricks 5% of the time is still going to be mistrusted *all* of the time, and rightly so.

  • Re:Designed (Score:4, Insightful)

    by afidel ( 530433 ) on Thursday November 14, 2002 @11:26AM (#4668379)
    Not sure how many times I have to post it, but YES Outlook does benefit from scripting. Your company may not use the features but many do, including some of Microsoft's largest customers. Some companies have entire vertical platforms built around the exchange/Outlook combo. For instance one insurance company has a field rep's form that they launch at the scene and fill in details, then when they get to a network connection (home VPN or office) Outlook hooks up and sends the email. Then based on rules embedded in the form email it is either routed to the check writing people or sent to adjusters/fraud inspection/whatever other department for a further look. And on Linus shoehorning unix onto x86, what are you smoking? Linus made Linux because he could not afford a commercial unix on x86 implementation. Linus was not the first to have a working unix on x86, they have been there since the 286 launched.
  • by lay ( 519543 ) on Thursday November 14, 2002 @11:31AM (#4668429) Homepage

    Okay, let's be serious for a moment, guys. There was this week when you had 10 stories from new planets being discovered that probably would lead everyone to "rethink what they know about the universe". Then you had the week of nonsense "ask slashdot" questions. Now we're getting to a point where Slashdot is ceasing to be "News for nerds" go turn into a MS bashing forum. I mean, from "News for nerds" to Linux advocacy to MS bashing, what is this turning into?

    Can't you guys be scientifically honest? These are complex subjects and it's not a question of "wanting" to design a good OS, it's a question of complexity in designing a good OS. Or are you guys just trying to look cool to your friends with that 'anti-MS' stance? Take a look at the usage logs on Slashdot visitors' OSes. Then come back to tell me that the vast majority is at work and is forced to use Windows. I'll just laugh

    I would gladly pay a dissuasion fee to discuss on slashdot. Wasn't there an idea like that sometime?


  • by pmz ( 462998 ) on Thursday November 14, 2002 @11:40AM (#4668501) Homepage
    And he's right, the only way to avoid massive layers of backwards-compatible cruft is to just slough off the existing infrastructure and create the OS anew for every release.

    True. However, if the userland apps are written properly using a sufficiently high-level language, even C, and using standards-based and/or portable APIs, then kernel changes should break only the intervening abstraction layers. Download the updated API or whatever (not much effort), and the huge amount of effort that went in to the userland app is preserved.

    This is why I feel so sorry for people who write applications using Windows-only or UNIX-only or whatever-only APIs, when there are portable ways of doing things. Taking standards documents and black-lining the parts that aren't implemented on all the target platforms (thus achieving the lowest-common-denominator) goes a long way towards producing an application that will tolerate volatility at the operating system level. And, really, it isn't much effort for an important piece of software (and a week or two sifting through documentation will only improve the end product, trust me).

    And guess what: even the lowest-common-denominator is usually very useful and sufficient to meet the requirements for the software. People who whine otherwise are usually the eye-candy babies who demand using all the nifty Internet Explorer extensions to make dancing mouse trailers and other garbage (for example).

    The only excusable applications are those written before truly portable APIs came around. For example, old UNIX apps written with Motif should be forgiven, because Qt, Java Swing, and other fairly recent APIs weren't available. But new applications? No excuse at all.
  • by Mortanius ( 225192 ) on Thursday November 14, 2002 @11:40AM (#4668505) Homepage
    I hear this argument time after time, regarding MS and Samba. I'm curious to hear someone say why they feel that Microsoft is obligated to maintain interoperability with Samba. It's an MS-owned technology, the specs to which aren't terribly open in terms of what's coming down the 'pike. While Microsoft is no doubt aware that Samba has become a rather integral part of many computer users' experience, both in Linux and now OS X, it's acting as something of a rope around their neck; if they wish to implement any major changes to their file sharing protocol, samba likely would be unable to operate properly with it, requiring MS to keep a certain level of backwards-compatibility in the protocol if they wish to not alienate these platforms (granted, they probably don't care a whole lot about alienating Linux users, but the OS X market may be more lucrative to them.)

    In a perfect world, operating systems would be perfectly interoperable. 100% compatible operating systems don't (given less than a minute of thinking, at least) strike me as a very lucrative market. Why buy a particular OS when you can do the same with the others?

    And, to continue my downward spiral to flamebaitdom, let's address the "...and deal with product activation and force DRM down your throats." What is the big deal about product activation? You fill in the form, which only asks you what country you're from (the rest is purely optional, at least on my install CD's) and hit the submit button. That's the end of it. I've installed WinXP on two desktops and one laptop with this CD and haven't had the MS storm troopers come knocking on my door yet. As for the DRM technologies, so far I have felt no impact from them. While it does apparently exist in Media Player, there's a simple solution around that, don't use Media Player to rip your CD's. I use this marvelous little program called CDex [n3.net] that does a one-stop rip from CD to MP3, Ogg, or any number of other formats. All DRM-free, plays on any computer with the proper codecs. Windows is not forced DRM-land yet, and personally, I doubt it ever will be. Right now we're hearing scares from the 'for the people' organizations about how horrible the future will be and that all this is being pushed through the system without opposition. Believe me, the instant the average consumer is impacted negatively by this, the backers of whatever measure that struck a nerve will be forced to back off.

    Good day.
  • by _bug_ ( 112702 ) on Thursday November 14, 2002 @11:43AM (#4668527) Journal
    I think given Microsoft's failure at past attempts to secure its OS, the number of vulnerabilities in Microsoft products that are found each week, and the overall poor stability that the operating system offers I find Microsoft has earned the default cynicism and skepticism it faces.

    Microsoft needs to earn my trust, I will not just give it to them.

    And yes, I most certainly will give them the chance to.
  • by gosand ( 234100 ) on Thursday November 14, 2002 @11:43AM (#4668532)
    I agree with a lot of the opinion here that the commentary on this article is crap, and is clearly anti-MS in the worst way.

    But this story reminds me of that great Chris Rock routine. (paraphrasing, and substituting the N word)

    People always want credit for something they're supposed to do.
    I ain't never been to jail. What do you want, a cookie?!

    I take care of my kids. You're supposed to you dumb motherfucker!

    So yes, while it is good that MS is doing this, I think that it is no big deal - they should do it. I am not going to praise them for it, this is what they should have done long before now. I am not going to rail on them either, because they are making some kind of effort. Assuming that they actually do what they say they are going to do. Sorry, but they have a bad track record, I am not going to believe it until I see it. Why am I skeptical? Among other things, I have seen the Win2kSP2 EULA. I wonder what the EULA on these new security patches will look like...

  • by AndroidCat ( 229562 ) on Thursday November 14, 2002 @11:44AM (#4668536) Homepage
    Perhaps. They're also trying to force people to upgrade. What happens when you keep getting Word files that have a new incompatible format?

    Microsoft lives on the income from OS/Office upgrades at least as much as from new installs.

  • by Whispers_in_the_dark ( 560817 ) <rich,harkins&gmail,com> on Thursday November 14, 2002 @11:48AM (#4668566)
    It is true that hindsight is 20/20 and no one ever codes software such that it works exactly perfectly the first time out. HOWEVER, it can also be said that Microsoft had a habit of pushing whatever out the door, regardless of known bugs, poor security, or otherwise (Windows ME comes to mind). That they are now requiring the customers to pay for upgrades and such should be a message to the customer as to the type of software supplier they're dealing with -- a fly-by-nighter clothed in its own weight and self-importance.

    The good is that Microsoft is finally going to fix their problems. It's about damn time. The bad is that Microsoft is spinning this thing as if they weren't greatly responsible for the mess they are about to inflict. IMHO, and it is only that, if Microsoft spent more time and resources on testing their crap in the first place instead of pushing it out the door then perhaps so MANY holes wouldn't need to be patched now. There will always be bugs and security flaws but Microsoft has made releasing filth and spinning it as if it were a good thing an art form in itself.

    As always, this is just my opinion. Your mileage may vary.
  • by suman28 ( 558822 ) <`suman28' `at' `hotmail.com'> on Thursday November 14, 2002 @12:01PM (#4668675)
    It's a ploy. Get with it man. This is M$ we are talking about. They have been found guilty of doing anti-trust violations. I think, a mass murderer might eventually find it in his conscience to change, but I feel like M$ will always be up to its old tricks. As long as they have the power, they will force you to update and sneak EULA changes that might someday mortgage your house.
  • by Maul ( 83993 ) on Thursday November 14, 2002 @12:06PM (#4668730) Journal
    There is a difference between writing a security patch that happens to break an application, and a security patch that is designed to break an application.

    A security patch on any OS could potentially cause problems with software that runs on it. However, I wouldn't put it past Microsoft to purposefully make sure that competing products are broken.

    At best case, MS isn't going to purposefully break anything. This is a legitimate attempt to fix security.

    At worst case, this might be Microsoft's first step in "testing" the strength of the court to see if they'll notice/tolerate them purposefully breaking applications and then claiming they can't release the fixes to the application maker because it is part of Windows "security."
  • by teqo ( 602844 ) on Thursday November 14, 2002 @12:08PM (#4668755) Journal
    I bet this has been said here before, but generally increasing security often includes breaking applications by definition. Like application proxies and firewalls, which purposely break some network functionality in order to secure the network. And for instance, removing the double-click-and-Word-will-open feature for Microsoft Word documents in Microsoft Outlook, which has caused lots of havoc, will break a major convenient functionality of Outlook, from the view of its users.

    So, <paranoid disclaimer>whatever Microsoft is implying when they say that they will break applications</paranoid disclaimer>, it is always "Give me convenience or give me security" (Kudos to these fine guys [deadkennedys.com]), otherwise we wouldn't use passwords, encrypted authentication and other inconvenient stuff etc. "Why not just skip all these logins? They make my brain hurt from all the stuff I need to remember..."

    So again, either you demand more knowledge, responsibility and work from the user, or you leave all the necessary security decisions to the software... There is a lot of reason for criticizing Microsoft in many ways, but I think it's quite unrealistic to ask for ultimately convenient, ultimately secure software simultaneously... Consequently, either bash them for being insecure or for giving up convenience, please don't do both at the same time, because that doesn't seem to make much Sense(TM) to me... .)

  • by KalenDarrie ( 320019 ) <jwatkins41.cox@net> on Thursday November 14, 2002 @12:13PM (#4668798)
    It's hard to trust Microsoft. They've made it their business to be duplicitous. Whether they are honestly concerned about security for its own sake or as a new tool for furthering their goals of profit and dominance, it's not easy to look at them and not keep into the shadows and see if anyone is sneaking up to blackjack you in the back of the head.

    All this talk of breaking apps and seemingly shoving things at people is justifiably worrying to many.

    And now that the real wolf has come, it's hard to decide if Microsoft is really pointing it out or if they're trying to fool us all again. This is what they have sown and so they reap it now. Many distrust them and will continue to mistrust them until they show that they are trustworthy once more.

    This is their chance to show everyone that they can be, if not perfect, a moderately upstanding company rather than a domineering bully. I'll be watching them. And I'm sure many more will be as well to see if they can woo back the skeptical.
  • by Deth_Master ( 598324 ) on Thursday November 14, 2002 @12:15PM (#4668812) Homepage Journal
    The thing is though, that when the kernel version increased, it improved on things. In certain versions of windows (ex: ME) stuff went downhill instead of an improvement.
    Another point is that the updates aren't fixing bugs, they are creating them, in a way. The security holes that, for the most part, have been plugged by other methods, that are being fixed may end up breaking a number of other programs. That's not a good reason to update your software. You should update software to make it work better with all the other software, not necessarily just to update. If your 0.0.1 kernel works for everything you need to do then you have no reason to upgrade.

    I think that it's good that MS is fixing the security bugs, but they should not fix them if it breaks other programs. That would force other companies to adapt to rewriting the software (can you say monopoly?). That's akin to changing the roads to rails and expecting the people to get their cars adapted or whatever. It's not the best analogy, but it's close.

    Unfortunately, we may have no choice but to accept their updates and patches and hope that they are smart enough to not break too many other programs, or at least provide workarounds.

    $0.02
  • by DanXP ( 626059 ) on Thursday November 14, 2002 @12:19PM (#4668844)
    Granted, I'm not a user of Linux and most of my computing is done on the Windows platforms but I have to ask what of end-user responsibility when it comes to computer security? I realize there are (and will always be) security issues that end users simply aren't aware of until they're exploited but given the software/application development cycle, the overall complexity of our modern-day computing systems, and the propensity of some to do little but find these security holes, I feel that developers do a fairly decent job in addressing them. Of course they *should* never be there in the first place but it's unreasonable and irrational to expect that with millions of lines of code and hundreds of developers (if not more), human error and simple oversight will be a factor in any application. Windows bashing is entertaining and a good way to get a crowd stirred up but in reality, aren't we in some way responsible here as well? How many uninformed and ill-prepared users are there out there that don't so much as use anti-virus software? or free and easy-to-use firewall protection? or apply the latest service packs, patches, and updates? After all, would we blame Ford or Chrysler if we left the doors to our car unlocked and were robbed? Of course not. Or maybe we would ;>
  • by hany ( 3601 ) on Thursday November 14, 2002 @12:25PM (#4668895) Homepage
    IMO in the name of security they will "force" some other updates upon users.

    Example: See latest EULA changes introduced in service pack which is (or was) supposed to plug security holes.

    So to add some speculations: This other stuff will be things which will be good for Microsoft, not users (or good also to users, as side-effect). Like DRM, auto-updates, spyware, slow-this-machine-down-on-demand-so-this-luser-buys-new-machine(TM), etc. :)

  • by Rai ( 524476 ) on Thursday November 14, 2002 @12:27PM (#4668910) Homepage
    I'm all for security updates as long as they don't force Digital Restrictions Management or their usual abusive EULAs upon those who install the updates. I want my windows box to be secure, but not at the cost of limiting what I can use it for and what control M$ would gain over my system.
  • Re:What? (Score:3, Insightful)

    by jonnythan ( 79727 ) on Thursday November 14, 2002 @12:47PM (#4669082)
    Do you think they would have made those billions if they slowed down the development cycle so much as to eliminate most of the bugs in their operating systems?

    If they slowed it down to a large degree *now* in order to do this, don't you think Linux and other OSs have a legitimate shot at taking over?

    MS will do whatever MS decides will let it maintain its position in the marketplace, and God bless them for it.
  • by Queuetue ( 156269 ) <queuetue@nOSpam.gmail.com> on Thursday November 14, 2002 @03:08PM (#4670620) Homepage
    Let's face it, if Windows and Windows apps didn't have all those security holes, there wouldn't necessarily be a need for Linux.

    According to everything I've ever read, and my own personal experience, Windows' security holes have absolutely nothing to do with the creation or popularity of Linux.

    I don't use Linux to avoid using Windows. I use it because it's the best thing available.
  • by Anonymous Coward on Thursday November 14, 2002 @03:12PM (#4670672)
    were they willing or did they feel as though they 'had no choice'? after microsmurf killed other os's at an alarming rate in the early/mid nineties (NOT by making better products, but by marketing F.U.D.- ask caldera, os/2, beos, etc.) the users were left feeling that m$ was the best, because the others had 'gone away'......so if a woman believes she is stranded on an island with native pygmies, waits 5 years, marries one, then goes to the other side of the island and finds normal sized people (sic)- did she really marry a pygmy willingly? well, yeah, BUT, did she really have a choice? not in her mind. microsmurf is the pygmy, and the users are stranded, they just don't realize it yet, cause the island is so crowded, people are falling off the edges, and eaten by the sharks before they can warn anyone else.

    oh yeah, here comes the 'battleship macintosh', which can only carry 15% of the island population off at a time.

    Microsoft SUCKERS.
  • by GunFodder ( 208805 ) on Thursday November 14, 2002 @03:25PM (#4670820)
    The trade rags may be sycophantic pole-smokers, but I'd like to think the Slashdot population is more fair than that. We have been kicking Microsoft square in the nuts about their lack of security for years now, so does it make sense to flipflop and start kicking them for taking security seriously?

    Now if the article was more like "Microsoft breaks apps to implement security, offers expensive upgrades" then we could continue kicking M$'s family jewels guilt-free.
  • by Anonymous Custard ( 587661 ) on Thursday November 14, 2002 @04:13PM (#4671371) Homepage Journal
    Why then should Billy and his thugs be able to just come in and render everything useless?

    Why should they let these vulnerabilities, some of which can be used for massive digital attacks, continue to exist in a product with their name on it? And it's not going to "render everything useless," Mr. Hyperbole.

    When you have your computer connected to the internet, it is your responsibility to make sure you don't do any damage with it - intentional or not. Too many people have ignored that moral/social obligation.

    Think of it as a Digital Emissions Inspection. If your old car can't pass modern emissions regulations, but you want to still drive it, you'll need to replace some old parts with new parts, and those repairs aren't guaranteed to be cheap.

    What if people had a wireless phone that, due to age and poor initial programming, started jamming all other wireless signals within 500 feet. Is it fair to let these phones continue operating, just cause they were able to many years ago? Of course not. The FCC or some agency would recall/outlaw these phones. Well, computers are approaching that level of potential for damage, in that compromised systems can easily be used for massive DoS attacks that can seriously disrupt large networks. Software developers and users have a responsibility to do their best to make sure this does not happen.

    Everyone complains about the security problems in Windows, and have derided them for it for years. So when Microsoft tries to own up and fix the problems, 3rd party application developers should do their part and follow suit.
  • by LordSah ( 185088 ) on Thursday November 14, 2002 @07:10PM (#4673005)
    When I first started visiting Slashdot, the articles were much more geek-friendly and much less anti-Microsoft. In the 3-4ish years I've been reading Slashdot, it's definitely seemed that it's devolved into a MS bashing forum.

    One or two Microsoft stories are published everyday, no matter how insignificant the news is. Even if the news is a good thing, typically the submitter of the story puts a negative spin on it (like today's submission). Of course everyone jumps in and bashes away, not only at Microsoft, but at anyone who tries to speak positively about Microsoft. It doesn't do well to encourage intelligent discussion--anyone who is happy using Microsoft products and speaks up about it around here quickly becomes bitter and defensive. Or they leave.

    Slashdot nowadays is quite similar to the media in the middle east. My grandfather lived in Dubai for 8 or 9 years, and he was amazed that the newspapers had an article about "The Jews" on the front page, every day. The Dubai media never referred to Israel. "The Jews" were always killing Muslim children, subverting the government, doing-random-very-crappy-thing, etc. The media was breeding hate among the people.

    The big difference between Slashdot and Dubai is that the Dubai government was intentionally making people hate to distract them from shady things it was doing, and Slashdot's de-evolution is (probably) not intended. It definitely seems that the editors have got some bug up their ass about Microsoft, but I think they're just publishing what kicks up the most response rather than trying to fan the flames.

    I think it's because Slashdot has become the epicenter of a pro-linux geek subculture. In this subculture, it's cool to hate Microsoft. Folks want to fit in somewhere, so they come to Slashdot and bash Microsoft.

    Linus said in this interview [bbc.co.uk]:
    "I've tried to stay out of the Microsoft debate. If you start doing things because you hate others and want to screw them over the end result is bad."
    I don't think he hates Microsoft. He likes Linux.
