Microsoft on Security: We'll Break Your Apps 609
jointm1k writes "Wired.com is running a story about how Microsoft is trying to act responsible and all by fixing (or trying to fix?) many (if not all) security holes in Windows. Not only new versions of Windows will be patched or improved, but as I understood they also plan to force security updates for older versions of Windows down peoples throats. Even if that means that some applications will mallfunction.
Nice to see Microsoft taking reponsibility for their mistakes, but they really should have done so when they designed Windows."
Application designers should comply, too. (Score:4, Interesting)
But shouldn't 3rd party application designers be held similarly responsible for relying on these holes in their programs, and release patches of their own to avoid problems, possibly through Microsoft and bundled with the windows patch?
Designed (Score:4, Interesting)
Microsoft Vs. Linux (Score:3, Interesting)
Disclamer: Yes, I do love Linux, no I do not hate Microsoft, as a matter of a fact I am a
Not Correct (Score:5, Interesting)
The editiorial is innacurate and opinionated.
They are actually giving up on trying to secure older products.
And they are stating that for new security fixes on current products they are now putting security as a higher priority than not breaking the apps.
So rather than provide the security turned off, in the hope that some MCSE will turn it one once the app has been patched, the security is on even if the app breaks.
Now, regardless of the anti M$ feelings, this has got to be a good approach.
Yes you can read it as "Hear comes DRM, suck it down" or you can read it as "Secure by default really does matter, becasue we know 95% of users never change from the default settings" - the latter approach is taken by Suse in 8.1 and I don't see
Novell guilty of the same (Score:3, Interesting)
There is a bigger problem out there -- laziness. Microsoft and others have made security patches available that admins simply do not install. If they did, the world would be a better place. I mean, I still get tons of Code Red hits on my web server. Patches have been available for that for....how long?!?!?!
God dammit! (Score:4, Interesting)
Ass (Score:1, Interesting)
I don't say this often, but... what a fucking wanker.
How does he plan to address these security issues? Say they were all "attacks", and then push legislation through to outlaw them?
Jesus. The fact that he even put a Microsoft fuckup in the same sentence as a 3500-life firebombing shows that he isn't fully mentally developed. I'd stay far away from any corporation who allowed this guy anywhere near their podium.
Implications for software interoperation (Score:5, Interesting)
And Samba is just a randomly picked example.
Re:Microsoft and Linus (Score:2, Interesting)
Re:Life of Brian jumps to mind... (Score:5, Interesting)
Re:Designed (Score:3, Interesting)
As they moved forward to later versions of Windows, they were willing to let some, but not all of the backward compatibility slip. However, as the Internet came along, they seemed to have become more concerned with delivering functionality over security - does email really benefit from a scripting language IN the message content?
The goal for the early Windows designs however, had always been about the "isolated" consumer and small business, while the *NIX implementations were looking at shared user environments and workspaces, and had the horsepower to enforce them. The amazing fact that Linus T. managed to shoehorn a *NIX implementation into a cheap x86 box was also largely a testament to the platform had grown beefy enough to handle it.
wonder if this has anything to do with that CA law (Score:3, Interesting)
With that new law, companies would have to report hacks of systems. If MS fixes as many holes as they can before this new law can get swung around, the public won't find out how vunerable they are by using their OS.
How about 1% ? (Score:3, Interesting)
"... slides also showed the surprising results of automated crash reports from Windows users. A mere 1 percent of Windows bugs account for half of the crashes reported from the field."
Misleading... (Score:2, Interesting)
Starting with the benefits:
1. Patches in their current form do not work very well as sysadmins don't tend to keep up to date as much as they should. (Windows Update is an attempt to address this. Success is arguable...). Forcing people to install patches "Plugging those holes, he said, would require not just rolling out new versions of Windows, but forcing security fixes onto users of older Windows versions, which he claimed was 30 to 40 times larger than the installed base of current versions" would definitely address this.
2. This would make a lot of currently running, older microsoft machines more secure
On the bad side now:
1. You are forcing people to act in a way that might cause financial damage to them (breaking existing applications), and which might be unnecessary. There is no such thing as blanket security, it's all rather individual. (If someone is running an in-house webserver for their private intranet, patching the OS will not stop the people who might want to damage this as the probability is that they're also working for the company.)
2. This kind of approach is misleading as to the total security of the system. What's the point of patching Win95 when anyone can log in and have adminstrative privileges? Even Microsoft accept that their old OSs (win9X) are not capable of being secure. [theregister.co.uk]
3. We have yet another misleading claim that microsoft are secure and that security is achieved through Microsoft because they are getting tough!!! They're effectively saying that their products will make you secure... Security is not about products, it's about risk and what you do about it. Mr Schneier says it perfectly "Security is a process"...
Re:the fact of the matter is (Score:2, Interesting)
windows just doesnt seem like it was designed to take on improvements
How many software projects as large and mature as the Windows code base can you name that are not terribly brittle? It's hard to create code that is extensible and maintainable.
When Win2K was being developed, peoples concerns were crashes and reboots, so they focused on that. Now concerns are centered around security. I'm no lover of M$, but it seems to me they are listening to their customers.
[/troll]
Two Things (Score:5, Interesting)
I don't fault Microsoft for not keeping up with Windows 95 compatibility and security issues this far down the line. Yes, admittedly it's a self-serving decision to push people into buying new Microsoft products that gain them revenue. But it's also a huge cost to maintain the old creaky code for little or no return.
I would no more blame MS for dropping support for old software than I would blame the Linux kernel developers for not supporting older kernel interfaces.
Second, this is a real opportunity for Linux to take up that ball of mud. I know it's ugly, but there's lots of people out there running crusty old Windows 95 compatible applications that would break if they upgraded to Windows XP.
They might really love that particular application, see no other need to upgrade, and not want to upgrade if they're going to lose the use of their favorite application.
Let them drink WINE at the Linux table!
Wonderful! (Score:5, Interesting)
We can't even get the users to try and open the spreadsheets in Excel or Word. They just refuse to do it. My recommendation in the last meeting was to just turn off Lotus 2.4 and WordPerfect (apps run on server) and tell the user either to use Microsoft Excel and Word or find a new job.
My point being, Microsoft is doing exactly what should be done. You want everything to be stable and secure, well you better be ready to upgrade or patch whatever doesn't work after we do our fixes.
Re:Microsoft and Linus (Score:5, Interesting)
Re:Microsoft and Linus (Score:1, Interesting)
The fact is that 2.4.x has been a horrible series with only a couple usable versions.
Re:Microsoft and Linus (Score:5, Interesting)
"I might be threatening to write code."
Re:Life of Brian jumps to mind... (Score:1, Interesting)
Wait do you mean 18 years ago? Or do you mean they shouldn't shoot for the perfect OS every time they release a new re-hash of the previous operating system?
Albert Brooks said plan to throw one away, not release it as Millenium Edition.
Re:Microsoft and Linus (Score:2, Interesting)
Re:God dammit! (Score:3, Interesting)
Forced Security update = Forced Application update (Score:2, Interesting)
Now all users on win98 will be FORCED to upgrade if they did not turn off garbage auto update.
See, just like homeland security, automatic patching starts out with a clean purpose, then they change it on you.
Recall how many "tricks" were necessary to get around M$ BS. Now their going back to erase those. Yea I can see WordPerfect 7 blowing up now. But I can't see Corel having the resources to fix it.
This will basically ensure that nothing runs on old "patched" OSes.
I call this XP strategy #2.
Re:Whiners (Score:2, Interesting)
They haven't fixed anything yet, so what apps are you referring to?
Microsoft doesn't fix problems: you fucking bitch because it doesn't fix problems.
Call it what you will, but after paying 150 bucks for a piece of software with numerous bugs and security holes I damn well have a right to complain.
Now the submitter claims that "they should have fixed them when they designed Windows." What kind of fucking bullshit logic is this crap?
Microsoft has had more than six tries to get it right and they have yet to do so. SIX! Don't you think Microsoft should have had at least a good handle on the many chronic bugs and security holes that plauge its operating systems by at least attempt #4?! If you say no, then I say "What kind of fucking bullshit logic is this crap?"
"security hole laden soth of an OS"
Now come back to reality.
Forcing? Okay it's not forcing. It's extortion. "Upgrade now to protect yourself from our mistakes." My choice is run a buggy OS and risk having my box rooted and all my personal information stolen or upgrade to a newer version that has a better chance at protecting that information (at least while the bugs are still undiscovered).
It's that kind of irrational logic that drove me to Linux for a desktop OS in the first place.
Re:Application designers should comply, too. (Score:3, Interesting)
But you can't really do that until the base upon which the applications are written is itself secured. Can you?
Right. You'd have some serious application down-time between MS and 3rd party patch releases. Thus, the need for MS and 3rd parties to work together to release the patches concurrently (=logistical nightmare).
Re:Designed (Score:3, Interesting)
But kernel security is only a small piece of the problem. Most modern virii and trojans operate strictly in the applications domain - they don't need to touch any kernel files or memory in order to do their nasty work.
Microsoft adopted the COM mentality a long time ago. And it was a very good concept - it introduced componentized software for the first time into a large scale market (see caveat below). But unfortunately it was done without regard for security, with the result that any old script can use COM (or whatever the marketing droids call it this year) to control dangerous software (such as outlook). So on the one hand we have a very nice software concept, implemented by the largest OS supplier; but on the other hand we have a great increase in security holes.
Microsoft also did not until recently pay enough attention to the security monster they had created. In fact, it is very hard for them to do much at this point without breaking their nice paradigm. They can patch holes in network connected middleware and systems software (for example, exhaustively searching for buffer overflows cuased by careless C/C++ programming). But stopping users from executing viral scripts is much harder.
A couple of asides...
I discovered, by accident, that anything that windows considered executable can apparently be binary code! For example, a
Regarding COM. COM is a neat idea. Unfortunately Microsoft apparently became so enamoured with it that they just ignored another extremely powerful and much older concept for componentized software: command line execution of everything, with pipes (filtering), and with character (ASCII) formats for almost all files. This is the UNIX model and is a very nice, simple abstraction that beats the pants off of COM for many, many things. As one who uses Windows2000 as a primary desktop, with Cygwin as a primary software development platform, I really appreciate having BOTH models, and really get disgusted with the lack of scriptability for most Windows utility, and the cryptic, bloated binary file formats that most Microsoft software use for configuration and simple data storage.
Tightening up Windows (Score:4, Interesting)
Microsoft may prohibit self-modifying code and code on the stack. You don't get any performance gain with either technique any more, since processors went superscalar.
And maybe Microsoft will delete the 16-bit compatibilty engine. It's time. In NT 3.5x, the 16-bit engine was optional, the system ran fine without it, and it should have stayed that way.
Microsoft will probably do something to break Word 97, and blame it on "security". They need the revenue. But there's a problem:
Plugging those holes, he said, would require not just rolling out new versions of Windows, but forcing security fixes onto users of older Windows versions, which he claimed was 30 to 40 times larger than the installed base of current versions.
XP sales must be lower than Microsoft admits. Microsoft has to make sure that their pressure forces people to upgrade to XP, rather than locking people into the legacy OS. Expect something on the server side that makes Internet usage difficult for legacy users.
Re:Designed (Score:1, Interesting)
On the one hand, we have a system where the hardware is available for any app to fully utilize, where there are no real privelage seperations. It's Gamer Mecca, honestly. A Windows 98 box, firewalled, that does not and will not ever use IE for general browsing, is safe, so long as you don't run any old binary you get off the net. This is how I run my P3-933, with Win98, drivers, Phoenix/Mozilla plus the 3 games I play.
On the other hand, we have a system where there are privelages, administrators, normal users and all that lovely stuff. Which, in theory, should make you safe. In practice though, if you go around as a Power User or Adminstrator, the various IE sploits can own you. You're only a small amount safer than with Win98. You still have to follow the same safe practices.
Anyway, my point is this. Not everyone needs a aystem of permissions and protections, as those systems are still vulnerable if the user is not careful. If Win98 was a lot more stable (and it is surprisingly stable if you run a small number of apps and reinstall/re-image every 6 months), I'd want to use it on most of my machines.
A terrific move by Microsoft (Score:3, Interesting)
The biggest problem with NT is that it attempted to maintain compatibility with older stuff. It was important at that time they do it like this. (Personally, I think they should have thrown compatibility to the wind long ago to focus on stability and security... it's a SERVER after all, not a game machine or a workstation... make a separate workstation product with compatibility modules... but that's history now anyway...)
Now, with intense focus on security, they are proving themselves as serious players in sacrificing "performance and compatibility" by closing serious holes even at the expense of current software compatibility. I say BRAVO Microsoft for making such a bold and courageous move. Only a company with monopoly force can really afford to pull that move off and if you ask me, it's a decision late in coming.
Many people have me labelled as anti-microsoft [yacg.com] and a Linux pusher but actually I'm not. While I agree with most of the anti-microsoft commentary and just about all of the pro-linux and open source stuff, I'm not religious about it. If I like it or see value in it, I'll use it. It's that simple. I appreciate what I interpret as a mature direction Microsoft is about to undertake.
I think it's a bit unfair for jointm1k to tack on the bit about "shoulda done it before they designed Windows..." In an industry that changes as often with technology as it does with "fashion" (consider shifts to and from client-server) It's tough for any company to keep up with current times let alone predict the future of computing 10 years down the road... even a company that, at times, sets the standards of industrial computing.
Microsoft has lost a lot of respect in the industry -- not only in the eyes of IT professionals, but also in the eyes of blue/grey-suited business people. I think it's important for Microsoft's future to do that. I'm also a little afraid of what would happen to computing in general if there were a mass shift away from Microsoft. I wish it were, but I don't think Linux based business solutions are ready for prime-time. (* brace for impact! *)
Long live Linux and all it stands for. Peace out.