Forgot your password?
typodupeerror
Microsoft

Gates Says Windows Reliability Is Greater 568

Posted by CmdrTaco
from the release-the-worms dept.
mogrinz writes "According to an interview with the New York Times, Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about". Gates summarizes the Microsoft position very succinctly: "We're doing our very best, and that's all we can do"."
This discussion has been archived. No new comments can be posted.

Gates Says Windows Reliability Is Greater

Comments Filter:
  • by Rosco P. Coltrane (209368) on Sunday August 31, 2003 @09:20AM (#6837813)
    Shit, it's so secure I need a password to read the article:

    Welcome to The New York Times on the Web!

    For full access to our site, please complete this simple registration form.
    As a member, you'll enjoy:

    In-depth coverage and analysis of news events from The New York Times FREE

    Up-to-the-minute breaking news and developing stories FREE

    Exclusive Web-only features, classifieds, tools, multimedia and much, much more FREE

    Please enter your Member ID:

    Please enter your password:

    Remember my Member ID and password on this computer.
    Forgot your password?

  • No? (Score:5, Funny)

    by jabbadabbadoo (599681) on Sunday August 31, 2003 @09:21AM (#6837814)
    "Q. Blaster included a message attacking you. Do you take these things personally?

    A. No. "

    He should.

    • Re:No? (Score:5, Insightful)

      by tomstdenis (446163) <tomstdenis@@@gmail...com> on Sunday August 31, 2003 @09:24AM (#6837845) Homepage
      Why? His company released a patch to fix it a few months before the attack started.

      Would Linus feel particularly hurt if a worm went around that attacked kernel v0.94 ???

      Tom
      • Re:No? (Score:5, Insightful)

        by militantbob (666209) <militant AT nycap DOT rr DOT com> on Sunday August 31, 2003 @09:56AM (#6837998) Homepage
        Agreed. Microsoft took the appropriate actions. They recognized the problem, and released a fix far before any damage was done. They even made AutoUpdate enabled by default, to cover the rear ends of lazy/unknowing/careless users. I think Microsoft is making steps forward - small but important steps, such as ahead-of-time patches, offering a foundation for cooperation with 3rd party IM client producers, and admitting to and showing indications of intention of addressing security and stability problems.

        Microsoft has a long way to go. There's no doubt about that. But *some* of the recent news concerning Microsoft has surprised and pleased me.

        If users would leave AutoUpdate on, or take the time to check for patches once every week or two themselves.. and MS doesn't bloat 2004 and instead focuses on security/stability... I think things will be just fine.
        • Re:No? (Score:5, Interesting)

          by Anonymous Coward on Sunday August 31, 2003 @10:10AM (#6838072)
          I agree with you, but I was pleasantly surprised to find that a lot of users actually cancel Windows auto updates when they become available because they think they're viruses attacking their computer...

          Again, what is needed is more education of computer users in general - Windows Update really needs paper literature devoted to it in the box as it really is that important - from the perspective that the end results can affect others. It's the same issues with anti-virus software updates - a lot of people think installing from the box is all that's necessary.

          What amazes me is that some large companies have a 'no executables' download policy on their networks. This umbrella policy also stops Windows Update working correctly, leaving a lot of exposed machines. Microsoft has supplied a way for larger companies to have their own internal Windows Update server running that will get around this problem and allow updates, but in some cases, company policy seems to be more important that IT common-sense.

          Patches are important, they're just as important as those product recalls for exploding monitors/laptops and monetarily can probably cause more damaged if not applied.
          • Re:No? (Score:5, Insightful)

            by militantbob (666209) <militant AT nycap DOT rr DOT com> on Sunday August 31, 2003 @10:39AM (#6838236) Homepage
            Turning off AutoUpdate is a scary thing, in the case of the casual user. This is one area where I wish there was *more* harrassment and hassle required before disabling could be accomplished. A big bold warning box as soon as that checkbox is clicked, and another when the changes are saved. Many of my non-technical friends have heard about the 'insecurity' or 'privacy concerns' that are 'inherent' in auto-installs such as AutoUpdate and virus definition updates... and so they figure out how to turn it off, not knowing that THAT is the most dangerous thing they could do.

            The harm caused by a worm to the user who disables AutoUpdate is his own responsibility. But the warnings should be more clear and in more places, when one considers what you pointed: that the user's choice may very well prove harmful to countless others. It is his machine, it is his choice. But he should be compelled by the software itself to make that choice in a more educated fashion.
            • Re:No? (Score:5, Interesting)

              by rblancarte (213492) on Sunday August 31, 2003 @11:11AM (#6838385) Homepage
              This is kind of the gist of the article. Gates talks about how people have to be accountable for their own machines. This is true. I mean, how many people out there run Linux servers unpatched allowing hackers to gain control of the machine and do far worse damage from it? Who's fault is that? Linus because the problems were there or the end user who didn't patch his system?

              However, this is where M$ has to step up. They have to realize as the biggest makers of software in the world, their software has to be MORE secure than everyone else's. They have to take bigger, more progressive steps to ensure security and reliability. I think the issue w/ AutoUpdate is a good one. However, what about other new features they have put into Windows? The built in messenger service that allows people top drop spam on your desktop? Universal Plug and Play? The security holes that allowed worms like Blaster etc to propogate? This is where M$ is striking out. These are pretty easy to see as problems or better yet, security issues. Why not leave THIS stuff disabled by default and then allow users to turn it on when they a)need it and b)know what the hell they are doing!

              That all being said, M$ is getting better, but they still have a ways to go. What I wish is that Bill Gates would step up and have accountability on these issues and more importantly give better answers. Sure these are ok answers that he gave, but they are really nothing more than company line. When asked:
              Q: You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?


              A. I'm not aware of any systematic attempt by any group.

              That isn't the answer I am looking for. I am looking for something more along the lines of: "We understand that as the largest maker of software we are going to be an obvious target for hackers. As such we have to do better in the future to secure our software from such breaches." True Gates did say some of this, but I think he is foolish to say that there is not an actual effort to undermind his company. Slashdot alone is full of people who don't use M$ products out of shear distain for Gates and the flaws of Windows etc.

              Still, as I said a few times already, M$ is getting better. But they still have a lot of work to do before the stigma of poor software writing is off them (his claim that "Microsoft's reputation for doing great software research is very strong" was extremely funny and again is that company line that I am not looking for).
            • An issue of trust. (Score:5, Insightful)

              by digital photo (635872) on Sunday August 31, 2003 @01:18PM (#6839187) Homepage Journal

              For those who are completely ignorant of computer security and never update their systems, they are akin to someone buying a power tool, not knowing how to use it, then trying to sue when they lop off a body part. You don't blame the manufacturer for those problems, you chalk it up to natural selection.

              For those who are a bit more knowledgable, there is the issue of trust. After having used Microsoft's products for roughly 2 decades(since msdos), I feel I can't trust them to do something right anymore.

              I know of people who got burned by the auto-update feature and their system was rendered unusable until they either restored or went into safemode to undo whatever "fix" was applied. Granted this is better than the "good old days" when a patch might require a clean re-install. Lots of good weekends gone to waste because of MS's "fixes".

              Just this past week, I installed a update and suddenly, I couldn't make backups of my system because Autoupdate dinked with the drive access dll's. Thankfully, this only required the re-installation of the backup software to restore the DLLs to a working condition, but at what cost to the other parts of the system?

              I have auto-update's download feature enabled, but I review the updates before installing them. I didn't get hit by the worm since I patched my system almost immediately after the fix came out.

              The problem can't be completely attributed to users or to the producer of the software. But when the design of the software is so buggy that after literally tens of thousands of fixes, it is still riddled with security holes, you have to wonder if they are truly serious about security and about delivering a quality product to the end-user or if they are trying to do just enough.

              It is understandable that MS is saying that they are doing the best that they can. That is all well and fine. But there is such a thing as their best not being good enough. Especially when there is so much slack to be made up for.

              There is also the issue of this "got to be secure" attitude is recent. If it hadn't been for Linux arising quickly in the server and business markets both domestically and globally and if it hadn't been for the recent DOD government contract renewal, do you think MS would be so hot to trot to respond to problems like this?

              Having watched and used MS's products for as long as I have, my personal opinion is that they've got a long way to go still and they aren't breaking even.

            • Re:No? (Score:4, Insightful)

              by Tadrith (557354) on Sunday August 31, 2003 @04:31PM (#6840271) Homepage
              I agree that automatic updates should be something every causal user should have implemented. They simply don't know enough to properly administrate a computer and keep themselves from getting viruses and such.

              However, I also think that the community as a whole is a bit irresponsible. If you should something long enough, soon people will hear you... and when I find people I know talking about Linux who really don't know anything about computers, I'd say the voice of the community is certainly reaching the average user. The FUD coming from this side of the fence nearly equals that of Microsoft. Despite what everyone thinks, Microsoft isn't necessarily out to get everyone when they change their EULA that allows them to do something they couldn't before... companies have to cover themselves from frivolous lawsuits as well, and I would think that Microsoft is more wary of this due to the hostility and negative image with the courts.

              So, after so much screaming and yelling that Microsoft's updates are the devil, is it any surprise that people have learned how to disable it?
          • Re:No? (Score:3, Insightful)

            by sylware (646470)
            Duh... people on my side disable their auto update because they own a illegal copy of windows and they don't want to be busted.
          • It's a hassle. (Score:3, Insightful)

            by Cyno01 (573917)
            Windows update needs a little work. Its a pain in the ass. It pops up while your doing something, wihtout thinking you hit remind me later, because your in the middle of something and dont want to have to wait for it to install and the reboot the computer. What they need is a remind me at next shutdown option. I dont run windows update all that often because i'm always in the middle of something, but i know i wouldn't mind spending an extra five minutes before i shut down.
            • Re:It's a hassle. (Score:3, Informative)

              by Shippy (123643) *
              Please send this to mswish [at] microsoft [dot] com. I know for a fact that they do get and route this information to the right people. Many features and tweaks have been implemented in this fashion.
          • Re:No? (Score:3, Insightful)

            by BWJones (18351)
            I agree with you, but I was pleasantly surprised to find that a lot of users actually cancel Windows auto updates when they become available because they think they're viruses attacking their computer...

            No, actually many users disable auto update because Microsoft has a history of releasing updates that break other functionality. When your business or work relies on computer uptime, having this broken functionality happen is unacceptable. Therefore many folks 1) test the updates on non-essential systems
      • Re:No? (Score:5, Insightful)

        by gl4ss (559668) on Sunday August 31, 2003 @10:31AM (#6838198) Homepage Journal
        actually linus might take it pretty personally if there was a hole found in linux that affects every linux kernel from 0.94 to 2.6test4.. even if he did then release a patch for it a bit later.

        (as equivalent as the holes that have found to be in all nt based ms os's)

        -
      • Re:No? (Score:3, Informative)

        by blakestah (91866)
        Linus doesn't ship an operating system - he provides a kernel.

        A kernel, by itself, doesn't open any ports on the outside world.

        Of course Microsoft is to blame for this. They know
        a) users rarely change default settings
        b) rpc ports are open by default

        If Microsoft took the very tiny but reasonable step of making the RPC port closed until sharing is enabled, then Blaster wouldn't have done much.

        Likewise, Microsoft knows that users are horrible at patching systems, and should have a better system in place fo
    • Re:No? (Score:5, Funny)

      by Dark Lord Seth (584963) on Sunday August 31, 2003 @09:34AM (#6837890) Journal

      If he did, two minutes of reading slashdot would be enough to drive the guy to suicide.

      • If he did, two minutes of reading slashdot would be enough to drive the guy to suicide.

        What makes you think that Bill does not read Slashdot? Plenty of Microsoft employees do.

        If you want to find out his nym, simply look for the posts that start off 'I don't understand' and then go on to list some issue he has with the way windows or some other computer program works.

        Bill is just a geek like you or me with slightly more money.

  • by arnie_apesacrappin (200185) on Sunday August 31, 2003 @09:22AM (#6837821)
    Losers always whine about their best. Winners go home and fuck the prom queen.
  • by denisdekat (577738) on Sunday August 31, 2003 @09:23AM (#6837832) Homepage
    I like the part about "are you afraid of product liability suits". He should have answered. "no, now that we understand how to buy politicians and use lobbyists, we no longer fear the law".
  • by jamie (78724) * <jamie@slashdot.org> on Sunday August 31, 2003 @09:23AM (#6837834) Journal
    Bill's made it possible for any random high-school loser [reuters.com] to destroy $14 billion [net-security.org] of other people's hard work. He's soaked the world in gasoline and handed out a billion matches. That's an "achievement"?
    • What would you like to burn down today?
    • by xoboots (683791) on Sunday August 31, 2003 @09:54AM (#6837989) Journal
      > Bill's made it possible for any random high-school loser [reuters.com] to destroy $14 billion [net-security.org] Actually, they haven't found the creator of msblast yet--just some teenage copycat. In fact, that $14B is supposedly caused by SoBig, not msblast. And don't you love the figures that these organizations pull out of their ass, I mean, databases. Of course, it is a crying shame that microsoft is allowed to sell such unsafe software--but it took legislation to get seat belts into cars and even more legislation to get the great unwashed to wear them. My god, there was debate as to the need for drunk driving laws! To expect software providers to do the right thing is a bit of a folly, really.
  • Reg Free link (Score:5, Informative)

    by sheddd (592499) <jmeadlock@NOsPaM.perdidobeachresort.com> on Sunday August 31, 2003 @09:24AM (#6837842)
    for you lazy Geeks:

    Link [nytimes.com]
  • Easy math. (Score:3, Funny)

    by AltGrendel (175092) <ag-slashdot AT exit0 DOT us> on Sunday August 31, 2003 @09:24AM (#6837846) Homepage
    I think the formula he's using is:

    x+50%(where x = 0)

    You can alter the percentage to taste, Bill does.

  • http://www.nytimes.com/2003/08/31/technology/31SMI C.html?ex=1062907200&en=97bebbbc61452055&ei=5062&p artner=GOOGLE
  • Please. (Score:4, Insightful)

    by Fnkmaster (89084) on Sunday August 31, 2003 @09:26AM (#6837852)
    They didn't even bother locking down any of these dangling ports until somebody exploited the fuck out of them. Now they are at least going to ship Windows with the Internet Connection Firewall enabled by default, which is a good thing. They are a reactive organization - it comes with the territory of having a dominant market position and being scared shitless of change, unless and until it forces itself on them, usually by inducing fear of losing the dominant market position.
    • True dat. But let's not forget Featuritis. Billy-Boy's right that they've been doing the best they can ... while operating on an overdrive to stuff more sexy features into Windows CV (Current Version) and Windows NV (Next Version). There are only so many hours in the day to stuff the turkey, so you can only expect the 11th hour meat inspection to fall short of FDA standards.

      Billy and his monkey-dancin' posse were constantly rewarded for their Bad Code Production Line {tm}, and it's twice more the pity th
  • Dear Bill ... (Score:5, Interesting)

    by Ninja Programmer (145252) on Sunday August 31, 2003 @09:28AM (#6837858) Homepage
    Dear Bill,

    Far and away your #1 bug is the infamous "buffer overrun" flaw. These usually mostly manifest themselves in string libraries. I know that you have at least 3 library solutions in-house (Safestr for C, CString in MFC, and basic_string in STL) but your developers don't use them otherwise these problems wouldn't happen.

    I'd like to point you out to another alternative:

    http://bstring.sf.net/

    Which your developers may prefer. But whatever you do, why don't you simply make it a requirement that <string.h> simply be outlawed (you could easily write a tool to enforce that couldn't you?), or take some other drastic action?

    Buffer overruns are certainly the most common kind of bug that isn't caught by QA (the right answer is not to try to train QA to find them -- they would require the skill of a hacker.) If you concentrate on this one bug alone, you will probably easily remove 80% of these attacks.
  • by j_dot_bomb (560211) on Sunday August 31, 2003 @09:28AM (#6837861)
    I have never gotten a virus with xp. Never even even had one come up in a virus scan. But, I do all the right things like use a firewall and autoupdate. I also do things no one else does like use IE security settings and turn -everything- (java, activex) for all but say 40 sites on the net. This last step is just far too much work even for expert users (esp with that stupid site may not display properly dialog for ActiveX). Further it is just beyond the typical home XP user.
  • article (Score:2, Informative)

    by lethalwp (583503)
    here is a copy of the article, for the lazy bastards that don't want to register ;)

    August 31, 2003
    Virus Aside, Gates Says Reliability Is Greater
    By JOHN MARKOFF

    MICROSOFT, the world's biggest software maker, is the biggest target for computer viruses like the SoBig.F worm that wreaked havoc two weeks ago. Bill Gates, Microsoft's chairman and chief software architect, talked last week about what it is doing to keep hackers at bay. Following are excerpts from the conversation.

    Q. You wrote a memo last year ca
  • by ellem (147712) * <[ellem52] [at] [gmail.com]> on Sunday August 31, 2003 @09:29AM (#6837866) Homepage Journal
    For Chris'sake BILL what the fuck is taking so Goddamn long.

    Steal the fucking Linux Kernel slap a Windows sticker on it sue the GPL out of business and give us One OS To Bind (not BIND) Them All already.

    You ripped everything else off, how about ripping off so fucking security?
  • 4 Open Ports (Score:3, Interesting)

    by Kenterlogic (648880) on Sunday August 31, 2003 @09:30AM (#6837868) Homepage
    Linux and OS X ship with zero ports open. Windows XP and even Windows Server 2003 ship with 4 open ports. What does that mean? Four places that anyone can jack your system, and even if you have a firewall (a good one at that) programs that have managed to get onto your system whether through shadow installs (see Gator) or tricky web-pages that use java to make you download something and not tell you or even e-mail attachments-- all of those will be able to access the outside world and pull in information and throw it out there too without you ever knowing because those 4 ports are open.

    Windows is not secure. Instead of fixing little problems like this that are incredibly simple, they decide to invest billions of dollars into programs like Palladium which will, among other less desirable things, make the platform "more secure" both from the outside world and from yourself. Figure your shit out Redmond, please (by Redmond I mean Microsoft, not Nintendo America).
    • Re:4 Open Ports (Score:3, Informative)

      by Tim C (15259)
      Linux and OS X ship with zero ports open.

      Rubbish. Mandrake, at least, runs a number of daemons by default if you install them (such as sshd), and warns you about this fact at install time. Depending on the exact choices you make while installing it, it's entirely possible to have half a dozen or more ports open.
    • OpenBSD (Score:5, Informative)

      by rf0 (159958) <rghf@fsck.me.uk> on Sunday August 31, 2003 @10:03AM (#6838035) Homepage
      You are wrong about open ports. If you take OpenBSD which is the most secure OS on the planet ships with SSH open by default. Now yes it secure but its still an open port.

      Rus
      • Re:OpenBSD (Score:3, Informative)

        That's an open port done right.

        By default (on OpenBSD) sshd uses an unprivileged child process to deal with incoming connections, and the OpenSSH project is maintained by paranoid people that spend more time auditing code than writing code.
    • Re:4 Open Ports (Score:3, Interesting)

      by sheetsda (230887)
      Windows XP and even Windows Server 2003 ship with 4 open ports.

      My mothers WinXP (IIRC: Home, Dell installed) computer was also using uPnP to open a ~65000 port wide hole in my router firewall by default. Fortunately uPnP wasn't really necessary and could be disabled.
  • A friend of mine called MS years ago about a bug in on of their assemblers. It didn't understand an op code. The result is Billy Gates the Supreme coder fixed the bug. He added the op code but since he didn't add it to the opcode table, you had to enter it in upper case and only with a small subset of operands that billy thought about or saw in other nearby code. Mike claims to not have used any MS code since 1974 and hes much less stressed than I am.
  • Content analysis details: (20 hits, 5 required)

    AUTHOR_JOHN_MARKOV (20 points) Article written by John Markov
  • by monkeywork (614661) on Sunday August 31, 2003 @09:38AM (#6837910) Homepage
    I'm a big fan of linux, but I work in an eviroment where windows is locked in. Yea MS has some problems but so does everyone, what everyone needs to remember is that MICROSOFT RELEASED A FIX FOR BLASTER BEFORE THE BIG HIT CAME. The fact is the people who got hit by blaster didn't maintain thier system, or weren't running firewalls. You wouldn't be on here growling about how debian sucked if a bunch of users didn't do apt-get update / upgrade would you? These guys have a huge market share, have a reasonably good product that most of the population is happy enough using. Many of (myself included) like linux. Both have bugs, both get fixes... but the weakest link is if the admins / system owners update... in this case many didn't and it made MS look bad/
  • by jlrowe (69115) on Sunday August 31, 2003 @09:39AM (#6837914)
    Perhaps it just goes back to that old saying "You can't make a silk purse out of a sow's ear."

    Microsft software was never designed with security in mind. And it was and is not their primary goal, even now. It is quite different than non-Microsoft software.

    If security were *that* important, wouldn't they take some of those many *billions* and actually make that silk purse?

    Consider even just today's news post on Slashdot. Each and every one of them is about Microsoft is about money, and *not" about fantastic security advances. And yet the security problems plague us everyday.

    Microsoft Introduces IM Licensing [slashdot.org]

    Microsoft vs. Burst.com [slashdot.org]

  • by jordandeamattson (261036) <jordandm@nOSpam.gmail.com> on Sunday August 31, 2003 @09:41AM (#6837925) Homepage
    Hey, I am willing to beat up on Microsoft as much as the next citizen of slashdot city, but let's be fair here. A lot of the problems that are hitting people are due to people not applying the patches that are available.

    I use both Mac OS X and Windows XP. On both systems, I use the software update mechanisms and religously apply the patches that are made available. On Windows I also have a virus protection utility in place. I have never once been caught with my pants down by a worm, virus, trojan horse, etc. And to answer the question of this out there that are already preparing to ask it, I have also never had my system "broken" by a patch.

    So my respone, is that people shouldn "Just Apply The Damn Patches".

    Jordan Dea-Mattson

    Posting from China, where I am to adopt my daughter! Back to the US in a week!
    • "I use both Mac OS X and Windows XP. On both systems, I use the software update mechanisms and religously apply the patches that are made available. On Windows I also have a virus protection utility in place. I have never once been caught with my pants down by a worm, virus, trojan horse, etc."

      But unlike with OS X, when you faithfully download those Windows patches, you introduce ugly [theregister.co.uk] and scary [sillydog.org] conditions into your computer. Basically, with Windows you just can't win.



    • When Bill Gates spends the fucking money, we wont have to patch the software every second of every day.

      Yes every OS needs patches, even Linux and OSX, but on Linux and OSX, most of the bugs are in server software like Apache, not bugs in the Kernel itself!

      Maybe if Microsoft released a better OS itself we wouldnt have to worry about our computers being hiijacked via a simple virus, perhaps if the OS didnt run in root all the time, perhaps if they checked for buffer overruns and used their damn money we wo
    • So my respone, is that people shouldn "Just Apply The Damn Patches"

      Well that's the whole problem isn't it? "Just apply patches". Unfortunately, even the concept of a "patch" goes way above the heads of most Windows users I know. No one bothers to apply patches until they've been bitten. Now any properly administered box can be secure, even Windows. But administration of a Windows box isn't as easy as using it.

      I hear a lot of Microsoft apologists say "oh you Lunix people don't understand normal people

    • by jlrowe (69115)
      I have also never had my system "broken" by a patch.

      But yours is only one system. Hardly what one would base statistics on.

      OTOH, one of the websites I visited daily was down last week for 5 days. Finally it was only through *expensive* paid help calls to Microsoft that got it fixed. And it was the application of this last round of patches that killed it.

      My own experience as a sysadmin and company PC guru is similar. Patches don't cause a problem *most* of the time. But now and then they kill a machine

  • by bill_mcgonigle (4333) on Sunday August 31, 2003 @09:42AM (#6837933) Homepage Journal
    "We're doing our very best, and that's all we can do"

    Concerned about the impact of viruses like Blaster and SoBig on your business? Look, here's what Bill Gates has to say on the issue. Even he's saying it's not going to get any better, so you can expect these kinds of incidents to keep recurring.

    Now, let's talk about how to fix this...
  • by doodleboy (263186) on Sunday August 31, 2003 @09:43AM (#6837934)
    Q. Have these events created a serious public perception problem about Microsoft on the issue of security?

    A. Microsoft's reputation for doing great software research is very strong, and people are looking to us now and saying, "no other software company has solved this; you, Microsoft, need to solve it." We're rising to that challenge. The expectation they have of us is very high.
    I know he's just excreting the usual spin, but how can he keep a straight face?

    The truth is, every other mainstream OS has solved the security problem better than Microsoft. Most other OSes, especially *nix ones, have a philosophy of least privelege. But not Windows - its big "innovation" is to bundle the (insecure) web browser directly into the OS and enabling all sorts of nifty auto-executing controls so that drooling little kiddies all over the world can pass the time by bringing random network-connected Windows machines to their knees.

    The usual refrain from Microsoft and its apologists is that its software is attacked so much because it's so popular. No. It's attacked so much because it's so easy to do.
  • "Virus Aside, Gates Says Reliability Is Greater"


    Other than that Mrs. Lincoln, how did you like the play?
  • Er (Score:3, Funny)

    by cca93014 (466820) on Sunday August 31, 2003 @09:49AM (#6837966) Homepage
    We have some other ideas such as something called behavior blocking that will obviate the need in many cases to use patches.

    Time to get the tin foil hats out again. Longhorn is going to affect the part of your brain that writes worms...

  • by dpbsmith (263124) on Sunday August 31, 2003 @09:51AM (#6837976) Homepage
    Dear Bill: Would you please give me one good reason why a system intended for home use needs to implement remote procedure calls at all?

    Would you please point out one benefit this provides to the average home user?

  • by GoofyBoy (44399) on Sunday August 31, 2003 @09:51AM (#6837978) Journal
    Quote the article:

    "Q. You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?

    A. I'm not aware of any systematic attempt by any group. "
  • This is worth a +5, Insightful.

    I cannot believe it: Bill Gates publicly stating that they are unable to fix the problem!

    Unfortunately most of their customers will not understand and stay with the company that cannot fix their problems.

  • MS's Best is takign 40 billion and giving free upgrades to all windows user not using winXP and Longhorn even hardware upgrade rebates when necessary..

    anything less is a con game!
  • With $40+ billion in the bank...that's the best they can do?

    That's sad.

    -Pete
  • by digitect (217483) <<digitect> <at> <dancingpaper.com>> on Sunday August 31, 2003 @09:58AM (#6838011) Homepage
    The fact that these [SoBig.F] attacks are coming out and that people's software is not up to date in a way that fully prevents an attack on them is something we feel very bad about.

    This is double-speak. He is trying to imply that people's failure to auto-update is somehow related to Windows' risk of virus/worm attack. But they are in no way related.

    System architecture that fails to maintain security is a design flaw, not a maintenance problem. Gates and Microsoft are attempting to blame shift their responsibilities to their product's users. Pretty much anyone would recognize this in a tort law suit, although I expect very few to make this claim in court simply because of Microsoft's size and reputation.

  • Best? (Score:3, Insightful)

    by RiscIt (95258) on Sunday August 31, 2003 @10:04AM (#6838042) Homepage Journal
    "We're doing our very best, and that's all we can do"

    In the words of George Carlin: "If this is your best, perhaps you should keep it to yourself."
  • by UnknowingFool (672806) on Sunday August 31, 2003 @10:23AM (#6838148)
    It's interesting how Gates tries to deflect the questions:

    Q. The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?

    A. Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we've got to get the fixes to be automatically applied without our customers having to make a special effort.

    The interviewer asks how Blaster occurred despite Trustworthy Computing. Gates responds again and again that if everyone patched their systems, Blaster would not have been an issue. In essence, he is correct but he doesn't really answer the question. But this isn't a complete solution as not all users can automatically patch their systems.

    Before everyone starts chiming in on how real system admins would have been prepared. Remember a few things:
    1) After being burned by a few bad patches, some corporations now have a policy that specifically states that patches must be tested first. With the huge amount of patches that is released by MS, this is a full time job.
    2) Remote users (laptop users, VPN users, etc.) are like sailors coming back from overseas. Who knows what they were exposed to and what viruses they have. This is outside the control of most admins.
    3) Microsoft itself was not prepared for Slammer. SQL servers that were being used in a development environment (read outside of normal sys admin networks) were not patched. With large organizations, sometimes there are unknown, rogue installations.

  • by lanalyst (221985) on Sunday August 31, 2003 @10:39AM (#6838242)
    Q. The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?


    A. Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we've got to get the fixes to be automatically applied without our customers having to make a special effort.


    Ahh their position for everything. The RPC 026 vunerability was discovered by a 3rd party.. not Bill's code reviews. The vunerability was in OLD code that existed back on Win 95... carried forward to the current versions. Even for those that deployed the fix, unless you had 100% coverage, you suffered the effects (Blaster.D ping traffic). And of course you lay blame with the very people that support your defective products (it's THEIR fault the fix wasn't applied).

    Great question, lame dodge.. and the 'solution' you propose will not fix the problem, but will only satisfy another agenda.

    Understand this, Gates: MS products are riddled with vunerabilities by the nature of your very development process. Peer review process is either non existant or done by folks who wouldn't know a Buffer Overflow if it smaked them over the head. Your programmers can get away with writing crap and because of the development model and your tight release schedules are forced to use 'quick and dirty' rather than 'quality' and 'wide peer review'. Code is slapped together and tucked away in a vault never to see the light of day... and forgotten. That is the best you can do with your business model - and it is not good enough and never will be.

    Give me open source any day: worldwide peer review.. garbarge code is rejected and sent back, fast. A developer learns very quickly in this development model to use best practices or face rejection. Can't get away with 'quick and dirty'. And the funny thing is this cannot be bought. IBM realizes this.

    Lawsuits won't fix this.. Marketing slogans won't, either. Insecure by design.
  • by Trolling4Dollars (627073) on Sunday August 31, 2003 @11:16AM (#6838423) Journal
    I think the whole Linux vs. Microsoft thing where security and stability are concerned comes down to the dilemma of the "soft" parent vs. the "hard" parent. Microsoft is the "soft" parent and *NIX/Linux distros are the "hard" parent.

    Remember when you wanted to go out somewhere with some friends of yours and your folks didn't? They did that for your own security and wellbeing. In some cases, you probably had a parent that was easier on you. For example, my dad was the "soft" parent for me. If I asked him something, he'd cautiously say that I could do X as long as I was home beore my mom found out. If I asked my Mom, the answer was most positively one of the following:

    1. No!
    2. Only if you've done everything else you need to do to get some free time.
    3. Why would you want to do that? Go do something useful.

    So you can guess which parent I asked more often. I asked the parent that gave me what I WANTED, not what I NEEDED.

    Microsoft is the "soft" parent. They give the average user what they want without thinking too much about what the implications are. Or they assume that the user will "do the right thing". *NIX/Linux distros are the "hard" parent since they don't (by default) allow the user to do anything they shouldn't be doing. It's a pain in the ass to have to switch over to "root" to take care of some administrative tasks in Linux. Newer distros make it a little easier, but they still throw up the password protection which would annoy an average Windows user to no end. Think of how many times a Windows user complains when they have to remember a password and they can't or they have to write it down somewhere. Windows doesn't do this kind of thing. Instead they thwart security by being the "nice guy" on the surface. I have plenty of friends who got pissed off having to deal with passwords on their boxes and logging out to become administrator. They eventually all asked me to reconfigure them so that they log in as admin by default automatically with no password. I told them what the implications were and they still wanted this. The real problem still comes down to lazy and uneducated users. The PC industry is giving them the keys to Ferarris and nukes even though they aren't qualified to handle them.

    I think that eventually it will become necessary to give people what they need with no respect given to what they want. However, it doesn't have to be impossible to deal with from the end user's perspective. I think RedHat's root dialog box when trying to run an administrative command from the GUI is a perect example of how it can be made slightly easier, but still secure.

    Until the average user understands why they SHOULDN'T run as root or Administrator, we are giving them loaded weapons pointed at their heads without telling them how to use them.
  • by pesc (147035) on Sunday August 31, 2003 @11:27AM (#6838487)
    Most stack buffer overrun problems (Blaster bug, etc) are possible because the stack is executable. Other systems, such as VMS on Alpha don't have executable stacks, making this kind of exploits very difficult to do.

    At least, the problem seems to have been fixed in the x86-64 hardware, but the operating systems need to take advantage of it. See here [x86-64.org].

    So when will we see M$ take advantage of good simple security features in the hardware instead of trying to invent new fantastic schemes (Palladium)? Why wasn't buffer overflow attacks fixed 5-10 years ago? I'm not sure if earlier x86 chips allowed non-executable stacks, but if M$ were serious about security, they could certainy have requested that feature from Intel. It's not rocket science.
  • by ratfynk (456467) on Sunday August 31, 2003 @04:08PM (#6840154) Journal
    Get a list of all e-mail addresses to as many individuals with MS, Symantec, and all the other computer security outfits spawned by Gates. Include these in your address book and nothing else. Run an old unpatched MS office IE and Outlook express, get everybody that is pissed at MS security to do this world wide. Then do not run a firewall or virus scan. Now if everybody just let address book based garbage run wild and target the people who profit from garbage ware, and security patching, Gates might get the picture. Sometimes a little revolution is a good thing!

Wasn't there something about a PASCAL programmer knowing the value of everything and the Wirth of nothing?

Working...