Microsoft No Longer a 'Laughingstock' of Security?

Posted by Zonk
from the set-the-bar-high-guys dept.
Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"
  • by yagu (721525) * <yayaguNO@SPAMgmail.com> on Friday September 21, 2007 @10:52AM (#20696347) Journal

    I sometimes have to wonder how, when security is considered so important, Microsoft has been allowed to take so long. It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.

    It kind of reminds me of the cell phone industry and their "high" standard where they get away with advertising braggadocio like "the provider with the fewest dropped calls". It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "less dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.

    (Case in point... if you'd ever owned the amazing Harmony() remote controls before they were bought by Logitech, they were wonderful devices -- rock solid, great feel to them... now, they're sexied up with cheap buttons, lousy feel, and questionable reliability. And get ready, Logitech just bought Slimline devices. Thought the Squeezebox was a great gadget? Better get the remaining quality ones before profit-think forges it into a cheap crappy imitation of its former self.)

    And, to save you all a little time.... mod(self, -1, offtopic);

    • rear-view mirror (Score:5, Interesting)

      by Anonymous Coward on Friday September 21, 2007 @10:57AM (#20696435)
      Inasmuch as this constitutes any sort of admission that Microsoft products were not always exemplars of good security, it should not be forgotten that Microsoft has always insisted that they were.

      So really, they are not saying anything different than they have always said. "Back then" when their products were insecure, they insisted that their products were secure. Now, they are admitting that "back then" their products were not secure, and are continuing to insist that their products are secure.

      Why should we believe them? Once bitten, twice shy, and with good reason.
      • by darkonc (47285) <stephen_samuel@@@bcgreen...com> on Friday September 21, 2007 @02:43PM (#20700191) Homepage Journal
        In other words, the headline really should be:

        Microsoft Finally Admits Lying About Security
        Admits that security is still bad, but claims to be no longer 'laughing stock' bad.
      • Re: (Score:3, Informative)

        by Jerry (6400)
        Especially in view of these results, where Microsoft's "OneCare" detected only 90% of new malware thrown at it:
        http://www.av-comparatives.org/seiten/ergebnisse_2007_08.php [av-comparatives.org]

        Those results are an improvement. The March results had them finding only 82%. Meanwhile, much more viable commercial products are around 99+%. Still, even for them, letting 50 out of every thousand bugs in doesn't say much about their security, even if OneCare is so much worse.
    • Re: (Score:3, Insightful)

      by nine-times (778537)

      It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.

      Do you mean how low the bar is set? It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock. It reminds me of Chris Rock's bit about people who brag, "I've never been to jail!" What do you want, a cookie?

      Anyway, I guess it's true that Microsoft has gotten more sec

      • by SgtChaireBourne (457691) on Friday September 21, 2007 @02:06PM (#20699565) Homepage

        Anyway, I guess it's true that Microsoft has gotten more secure and therefore isn't as much of a security laughing stock.

        Wait a sec. Don't project your own values onto a group that may not share them, nor assume a causal relationship where no data has been shown to indicate one.

        So the claim is that it's no longer a laughing stock in the realm of security. All right then. Let's pretend for a moment that claim is true. The next question is why?

        There are at least two possible answers:

        • the design of the software has been changed (security == design)
        • the public relations and marketing activities have been better at quashing unfavorable press and burying complaints

        We can see from the systems affected by vulnerabilities that the former has not happened, no redesign. Maybe it's the latter, better PR.

      • by CommandNotFound (571326) on Friday September 21, 2007 @04:04PM (#20701607)
        It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock.

        This is classic Microsoft MO: as soon as a Windows version has been released for a few months, start badmouthing the previous versions. They did the same with XP to 2K/ME, ME to 98, NT4 to NT 3.5, etc.

        Just Vista marketing. Nothing to see here, move along.
      • Re: (Score:3, Interesting)

        by encoderer (1060616)
        I LOVE how many people misunderstand what UAC is and what it will accomplish.

        I recently opined on this subject and I'd rather not retype it, so here's the copy/paste from a few weeks ago. Please excuse the parts that are obvious retorts and don't really apply here....

        1. I wasn't bashing Linux or OSX or anything else for being insecure. Well, I suppose you could say I was, but if you do, you'd have to acknowledge that I was bashing them all equally. And I certainly gave them credit for being more secure than
    • And get ready, Logitech just bought Slimline devices.

      Fucking hell. I just went 10 rounds with a Logitech Quikcam and lost. Better splurge on that Squeezebox, I suppose...
    • by mosel-saar-ruwer (732341) on Friday September 21, 2007 @12:33PM (#20698055)

      You know, the little things, like always remembering your </i>, and never forgetting to preview your work.

      Glass houses.

      Projectile stones.

      Whatever.

    • Phone Quality (Score:5, Informative)

      by PackMan97 (244419) on Friday September 21, 2007 @12:54PM (#20698409) Homepage

      It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "less dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.

      What's really funny is that 20 years ago, wired long distance carriers were waging advertising battles over who had the clearest call. Sprint's "Pin Drop" ads probably set the bar in this respect.

      So, while you take the wired phone service for granted, it hasn't been that long since call quality was a very important part of a consumer's purchasing system.

      Go back another 20 years to the '60s and you still had a significant portion of the phone network that was manually switched by human operators.
  • Says who? (Score:4, Insightful)

    by A beautiful mind (821714) on Friday September 21, 2007 @10:52AM (#20696357)
    I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
    • by morgan_greywolf (835522) on Friday September 21, 2007 @11:03AM (#20696525) Homepage Journal

      I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
      But look [Allow | Cancel] "Allow" at how much more [Allow | Cancel] "Allow" secure Microsoft's [Allow | Cancel] "Allow" products are [Allow | Cancel] "Allow" today!

      How can you [Allow | Cancel] "Allow" say that they [Allow | Cancel] "Allow" are still a [Allow | Cancel] "Allow" laughingstock?

    • Re:Says who? (Score:4, Interesting)

      by mpapet (761907) on Friday September 21, 2007 @11:13AM (#20696679) Homepage
      You've never noticed the Microsoft public relations juggernaut then.

      I admin a combination of 2000/2003/2003r2 boxes and there are still things that make a security-minded sysadmin's head spin.

      - The boxes *still* advertise and have a great number of open ports.
      - Root is *still* allowed remote access by default. System root, under a domain controller, still advertises itself as ready and waiting for you to log in.
      - Did I mention root remote control is still enabled by default?
      - I doubt most win32 sysadmins have any idea of the number of undocumented systems logging in and doing who-knows-what to the system. If they configured and read their logs the way I do, at least a few of them would wonder what the heck is going on.
      - Don't get me started with their Rube Goldberg security objects system. Complex and extremely difficult to use, yet exceptions abound when trying to simultaneously harden a system and keep the undocumented features from throwing errors.

      Their security reputation has been purchased and PHBs everywhere are lulled into another false sense of security. The good news is I'll never run out of work because they require so much babysitting compared to a Linux server.
  • Riggghhhht! (Score:3, Funny)

    by Mikkeles (698461) on Friday September 21, 2007 @10:53AM (#20696367)
    Now we just snicker and giggle!
  • by navygeek (1044768) on Friday September 21, 2007 @10:57AM (#20696421)

    No Longer a 'Laughingstock' of Security

    He keeps saying those words... I do not think they mean what he thinks they mean...
  • not there yet (Score:2, Interesting)

    by Reader X (906979)
    I concede that MS is not the laughingstock that it once was, but they are a ways from the respect that some of their competitors of similar scale (cough*IBM*cough) have long since earned. Eliminating the repeat vulnerabilities such as the recent ANI vuln might be a good place to start.
    • I concede that MS is not the laughingstock that it once was, but they are a ways from the respect that some of their competitors of similar scale . . .

      I've had this thing as a triple sell, and I am upgrading it, right here, right now! I think this thing could even go as high as a "Don't Buy."

  • by downix (84795) on Friday September 21, 2007 @10:58AM (#20696443) Homepage
    I'm thinking (in part to stroke Theo's ego a bit) set OpenBSD as the security standard out there. Every OS, compare it security-wise to OpenBSD. Put a "percentage" for how secure, then we can see hard numbers for how securely an OS is out of the box.
    • by Barny (103770)
      Hey, that could be good, since it would be an "out of the box" test, it might even stop MS from having IE as part of the OS.

      "where would you like to go tod..."

      "ahh shit, it's got smitfraud again"
    • by forrestt (267374)
      I say do it the other way around. Make Windows the standard and measure every other OS in Window Security Units. Then you can have a measurement on the box sort of like how Scoville Units [wikipedia.org] are used for hot sauce.
  • by 15973 (861573) on Friday September 21, 2007 @10:59AM (#20696457)
    ...now if you'll excuse me, I have to go delete the spam that was sent from a botnet of computers that are running a series of a particular OS that shall remain nameless...
    • If a user becomes a part of a botnet because the user just must download the cool new toolbar, is it the fault of the OS? If the user chooses to use administrator privileges? What stops a linux box from being the victim of a similar program?
      • Re: (Score:2, Insightful)

        by Spy der Mann (805235)
        Not all botnets are spread with a browser toolbar. Most of them infect unpatched machines via insecure open ports. Linux is safe from these, while Windows is not. My specific concern is pirated machines which CANNOT be patched due to Microsoft's policies (see my nearby post).
      • by mattpalmer1086 (707360) on Friday September 21, 2007 @11:44AM (#20697161)
        Yes, it is the fault of the OS. No, linux isn't any better in this regard. They all essentially use the multi-user (on a single box), non-networked security models devised in the late 60s and early 70s.

        Why should downloaded (i.e. tainted / potentially unsafe) code have any rights at all except to its own files by default? Should it be able to read your documents, open a network connection and send them out? Should it be able to format your disk? Hell, why even have a globally accessible file system at all?

        We can't improve the users much, so we're going to have to improve the OS. Actually, some of the early security models were much better than the ones we use now, but carried too much overhead for the machines of the day.

        • Re: (Score:3, Interesting)

          by badboy_tw2002 (524611)
          I think the Singularity OS [microsoft.com] (interestingly enough it's being developed at Microsoft Research) has a pretty cool model of forcing components in the system to only interact over a well established contract. They also have the concept of installing built into the OS, such that only verified code can be built into the system. If you can't run a malicious program and it can't get out of its box, what can it do? I just wish they would release more to the public for outside analysis of their ideas.
    • I had asked Microsoft's Security VP, Mike Nash, about the problem of infected pirated machines [slashdot.org]. And what did he say?

      "It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected. They are using stolen software."

      In other words, we ALL are suffering spam, viruses and worms because Mike Nash got picky about not providing security to "stolen software".

      It $hould be clear now that Micro$oft got their prioritie$ $traight. Right?
      • Re: (Score:2, Insightful)

        by geeknado (1117395)
        I agree with you principally on one point-- this is everybody's problem-- but realistically, how is Microsoft going to support owners of pirated software? Let's assume for a moment that they don't just download a version of the OS that's already rooted by something nasty...By the very nature of the thing, these OSs aren't going to be consuming automated updates and thus maintaining a current patch level.

        There also seems to be a disconnect here-- if pirated Windows machines are presenting a problem that ever

        • why do we blast Microsoft for its desire to see these machines taken offline?

          The problem is that Microsoft does NOT desire to see these machines taken offline. If that was the case, they could have set a virus that would disable network connectivity on infected machines, as a "security measure". I would vote for this measure! We'd get rid of thousands of botnets in one pass.

          Instead, They keep these machines ONLINE, unpatched, and vulnerable to botnet infection.
          • Re: (Score:2, Insightful)

            by geeknado (1117395)
            What I'm trying to establish here is just why it's Microsoft's responsibility to deal with these particular machines. Their software is being used without their permission. Moreover, given some of the reaction to WGA and other attempts by Microsoft to exclude pirates from their services, wouldn't we likely be blasting them for using draconian tactics?

            I don't think that Microsoft actually can solve this problem so long as piracy exists. As I'm not actually anti-pirate, I'd suggest that a community response w

      • by i.r.id10t (595143)
        And if they really cared, they'd provide "updates" that break the OS completely... Sure, some honest folks who bought computers from dishonest "local dealers", etc. will get burnt but MS has already said they were willing to fix those people up with valid licenses if they reported who they got the machine/os from...
  • Botnets (Score:4, Insightful)

    by Megane (129182) on Friday September 21, 2007 @10:59AM (#20696463) Homepage
    So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!
  • by duplicate-nickname (87112) on Friday September 21, 2007 @11:00AM (#20696467) Homepage
    I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx [microsoft.com].

    There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.
    • IIS and SQL server were the biggest laughing stocks. The slammer worm (I think that was it anyway) was the fastest spreading worm ever at the time. It may still hold this record. It spread around the world in just a few minutes. While I would still only say their security is average and many times they don't take it seriously, they had a responsibility to their shareholders to clean up their act after the many embarrassing SQL server and IIS worms. It's not nearly as bad as it was at its crest.
      • Re: (Score:3, Insightful)

        by masdog (794316)
        Slammer was embarrassing, but that one was hardly Microsoft's fault (although they do share some blame). They had released a patch for that vulnerability six months before the attack occurred.

        Security isn't just something you can pin on the software vendor and expect them to solve all your problems. It takes good system admins to keep the systems up-to-date with security patches and have them on a network that is designed for security.
        • by khasim (1285) <brandioch.conner@gmail.com> on Friday September 21, 2007 @11:52AM (#20697293)

          Slammer was embarrassing, but that one was hardly Microsoft's fault (although they do share some blame). They had released a patch for that vulnerability six months before the attack occurred.

          Yes, they had.

          But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.

          With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.

          And the simple way to do that is to not have ANY open ports by default.

          Security isn't just something you can pin on the software vendor and expect them to solve all your problems. It takes good system admins to keep the systems up-to-date with security patches and have them on a network that is designed for security.

          Security is a process. You are arguing about the high end, theoretical levels ... meanwhile Microsoft systems are still at the very lowest end and every day more zombies are added.
          • Re: (Score:3, Insightful)

            by dave562 (969951)
            With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.

            You bring up two things there. One, you can't rely on the end user to stay current with their patches. Microsoft went ahead and set up Automatic Updates. Therefore the end user doesn't really have to think about it. The box will reboot itself automatically once a month to install the latest patches.

            Your second point about a box being able to defend itself without

      • by Blakey Rat (99501)
        Except Slammer was patched months before the attack happened. How is it Microsoft's fault that a lot of MS-using system administrators hadn't installed the patch?
    • Re: (Score:3, Insightful)

      by UncleTogie (1004853) *

      ...and Microsoft doesn't play down threats? Hark to the ol' l0pht website:

      Microsoft - "That vulnerability is completely theoretical."
      l0pht - "Making the theoretical practical since 1992."
      ...and thanks for the laugh!
    • by asuffield (111848) <asuffield@suffields.me.uk> on Friday September 21, 2007 @11:29AM (#20696873)

      There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.

      You do realise that you are measuring the "quality" of IIS by counting the number of security flaws that Microsoft will admit to having fixed?

      You're not counting the number of known flaws. You're not counting the number of flaws that Microsoft knows about. You're not even counting the number of flaws that they've actually fixed. You're interpreting this change in the numbers as indicating an improvement, when it might just as easily indicate that they fix fewer flaws than they used to.

      And don't forget that Microsoft has a long history of not bothering to fix security flaws until significant numbers of exploits have been noticed in the wild. We can only guess at how many unfixed flaws there are in IIS today.
      • No doubt you are correct about counting bulletins, but that doesn't invalidate my point that IIS has become much more secure over the years. Maybe you could point out to us how IIS 6 contains many more unpatched vulnerabilities compared to IIS 5 or IIS 4?

        Also, take into consideration how IIS 6 finally installs with most features/filters/add-ins disabled by default, whereas previous versions enabled rarely used features and dropped insecure .vbs scripts into your site by default.
      • by I'm Don Giovanni (598558) on Friday September 21, 2007 @01:56PM (#20699371)
        IIS 6 Vulnerability Report since 2003: [secunia.com]
        Three vulnerabilities, none classified as "highly" or "extremely" critical, all patched.

        Apache 2.x Vulnerability Report since 2003 [secunia.com]
        33 vulnerabilities, 3% classified as "highly" critical, 9% unpatched, 3% only partially patched.

        Sorry, I know it offends the delicate sensibilities of slashdotters, but IIS6 has a virtually perfect record since its release.
        You spouted a lot of speculation that IIS6 has tons of undisclosed flaws, but you've provided zero evidence. If there are so many flaws, why have they not manifested themselves? Microsoft is better on security than they were in the past, whether you like it or not. Deal with it.

    • I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx [microsoft.com].

      There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.

      Third party vendors are to blame as well. I had to instal
  • There's no question that Microsoft is responsible for some of the most powerful [slashdot.org] computing initiatives in the world today.

    Redmond's other bots will want to set the record [wikipedia.org] straight.

  • by jcr (53032) <jcr@NoSPaM.mac.com> on Friday September 21, 2007 @11:08AM (#20696607) Journal
    Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?

    -jcr

  • Pardon? (Score:3, Insightful)

    by kaiwai (765866) on Friday September 21, 2007 @11:08AM (#20696609)
    No longer a laughing stock?

    Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues it no longer brings the same attention it used to; it's expected.

    If Microsoft do want to correct their security issue, they need to start at the bottom and work their way up; they need to go through their product, they need to document, clean up, remove parts that are security risks, replace parts which are added because they're nice rather than needed. They need to stop the lie that 'computers are easy to use' when in reality, they're complex machines that actually might require a bit of book reading and learning (to the screams of the ignorant out there).

    They also need to stop re-inventing the wheel and start working in groups; yes, groups are inefficient but like any brainstorming, issues are raised which the original author might not have thought about - when you're an organisation all thinking along the same line, you can't adequately scrutinise the specification for every possible scenario - that is why standardisation is desirable. Issues of compatibility and security can be raised, and addressed. Microsoft on the other hand thinks because it has the cash and is a big organisation, it can address all the concerns internally.
    • by truesaer (135079)
      Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues it no longer brings the same attention it used to; it's expected.

      Despite all the bleating about how security is as bad as ever, it simply isn't true. A current version of XP is pretty secure, comes with a firewall, recommends anti-virus software to users, the browser has anti-phishing technology, etc. You would almost have to try to get infected on an up to date version of w

      • Re: (Score:3, Insightful)

        by businessnerd (1009815)

        why haven't there been any more iloveyou or other crippling vulnerabilities since SP2?

        Partly due to the maturation of the criminal population. Today's criminal population is now computer literate and has discovered how much money is to be made in taking advantage of Windows' vulnerabilities. The iloveyou virus was both brilliant and retarded. It was brilliant in that it could replicate itself in so many ways and so quickly, which is what caused all of the destruction. Most of the damage was not from

  • ...but I'm still laughing. :-)
  • hahahahaahahahahah! *falls over* hahaha haa lmao lol hahahahahahahahahahahahahahahahahaahahahahahaahaha ha... *breath* haha... ha ahhhhhhhh Nope, still works.
  • Microsoft Security in its software has never been funny to its victims. From my perspective; Scott Charney's observations are like observing a battered wife rationalize the need to live using wires, and tubes.
  • I have to say I have used many OS's and really have never had a security problem with any of them. That includes Windows in most iterations. Most of the security stories I have heard have been from other people on the net. The odd time I have attended to a friend or relative's machine, it has almost always been because of something they themselves have done. I still maintain that the main source of computer (including security) problems is with the users themselves. Not saying the others are liars but if th
    • by psbrogna (611644)
      MANY people do have problems with Windows security. Here's a summary of my personal experience.

      Work: I've been responsible for a small (75 users) heterogeneous (Win & Posix) server & desktop infrastructure for 10 years. I observe all the best practices regarding securing boxes (firewalls, o/s specific tightening, anti malware & anti virus, etc). In this time frame I've had two incidents of Posix boxes getting hit and ten instances on Windows boxes (viruses). In the case of the Posix boxes the

  • Windows is still a disaster, and I think I know why people don't care. It is the "Big target" rational nonsense.

    Microsoft has been successful in seeding in people's minds that "all computers are insecure and the only reason why Windows *LOOKS* so bad is that they are so many of them, and if [apple][linux][foo] were as popular, there would be just as many security holes."

    It is a plausible argument when one is ignorant, as most are, of the basics of security. Unfortunately, the argument is getting traction an
    • The thing is, it's true and it's not.

      Linux is an inherently more secure OS than, say, Windows XP. It makes much smarter choices about what's enabled by default. It doesn't leave a bunch of ports open for no reason.

      It's also true that there's much, much more incentive to try to find a security hole in Windows XP because it's the most popular desktop choice and is thus most likely to have the highest density of ignorant users with credit card information.

      So! The reason that the argument is plausi
      • by mlwmohawk (801821)
        Linux is an inherently more secure OS than, say, Windows XP. It makes much smarter choices about what's enabled by default. It doesn't leave a bunch of ports open for no reason.

        This is, possibly, a reason but not a main one.
        It's also true that there's much, much more incentive to try to find a security hole in Windows XP because it's the most popular desktop choice and is thus most likely to have the highest density of ignorant users with credit card information.

        So, you have fallen hook, line, and sinker in
  • In line with microsoft's pronouncement,

    I want to recognize how much respect and admiration everyone at Slashdot now has for all my posts.

    ---

    Cool-- did that change anything? No. The fact is, that compared to the AS/400, microsoft operating systems are festering mounds of viruses that crash without warning at 10 times the rate. Compared to linux, microsoft O/S are boxers with glass jaws.

    Instead of adding all of these new features in Vista (which sucked a ton of performance) they needed to shut down all the
  • Feh! (Score:2, Funny)

    by r3b00tm0nk3y (806499)
    All modern operating systems are still struggling to catch up to the Atari 800.
    Even now it sits impenetrable with layer one security from both the Internet and power grid in my closet!
  • "we were the laughing stock of security" - so it was like that. So then, you were serving faulty, lacking products to customers ?
  • The biggest problem is, of course, the HTML control.

    Until Microsoft abandons the entire "security zone" model and makes the HTML control default to a secure or "closed" state completely under the management of the calling application Windows security will never be anything but a joke. The recent hole in Yahoo Instant Messenger, for example, is primarily Microsoft's fault... because the "security zones" should not be able to "fail open". Blaming Yahoo for not 'sanitizing' the input is nuts.

    No other HTML rendering library works this way. The two leading alternatives... Mozilla's Gecko and KDE's KHTML (and thus Apple's Webcore)... both implement a closed sandbox. If an application wants the page to have more capability, it must explicitly install hooks to grant it that capability. This way when an application renders a page using Gecko or KHTML there's no possibility of there being prepared holes to attack. In addition, when they DO install a controlled hole in the sandbox, they know that they're the only agency doing so... there's no concerns about some insecure ActiveX control in the system becoming an avenue of attack.

    Until Microsoft completely changes the API for the HTML control they won't solve their image problem, and they shouldn't expect to... because until they do this, they have a problem and the image only reflects that.

    ActiveX use in the HTML control, of course, is completely insane. Given all the layers of bandaids and patches and dialogs and settings and security levels wrapped around them, it's actually less effort to explicitly install a plugin than to open IE up to the point where you can use a "trusted" ActiveX control. They need to deprecate and eventually eliminate this.

    There are other problems, too. Applications have to parse command lines completely, using their own code to break them up into arguments and perform wildcard expansion. Both OS X and Linux use the UNIX "exec" call, which doesn't require the application to add this additional evaluation step. Many of the "URI" related holes found in applications on Windows... including several recent ones involving IE, Firefox, and Second Life... are due to this flaw in Microsoft's APIs.

    There's a second flaw in their URI handlers, and that is the inability to separate internal handlers that may expose more powerful capabilities than a sandboxed object should have access to with the ones that are designed for use by untrusted documents. The 'patch' to fix this is to try and sanitise the list of URI handlers that each application will use. This, like any other "sanitization-based" approach, is inherently flawed. They need to create a second registry that only supposedly secure applications will use... and then they won't need to worry about web pages containing links to ".CHM" files.

    (Apple, by the way, has copied this flaw from Microsoft. But at least they don't share the rest of the burden)

    The lack of a standard mechanism to bind network services to specific interfaces is a third problem. In UNIX most network services have traditionally been run from inetd, so if you replace inetd with something like xinetd or tcp wrappers you can prevent services from listening to anything but the local interface "localhost". This means that a firewall on UNIX is an extra defense, where on Windows it's the only way to keep insecure protocols from accepting connections from external sources.

    For Microsoft to get the same reputation for security that UNIX based systems have earned, it will have to correct these flaws. The easiest way, perhaps, would be for it to BECOME a UNIX-based system. It wouldn't take much, so much of the API is already inherited from Microsoft's one-time infatuation with UNIX, and they ship a subset of the UNIX API with Windows in the POSIX subsystem.

    Or, though it would be less desirable from the point of view of people who have to write portable code, they could implement their own secure APIs and make the existing ones a deprecated and eventually optional add-in.

    But so long as they keep the current API unchanged in all details, they cannot solve these problems they're faced with.
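The command-line re-parsing flaw and the URI-handler point made above, as an added illustration that is not part of the original comment: the shell substitutes the URI into the handler's registered command string and the child process tokenises that string again, so quotes and spaces in the URI become new options. The UNIX side passes argv as an array and nothing re-tokenises it. The tokeniser below re-implements the documented CommandLineToArgvW rules; the handler name, the registry-style template, the URIs and the scheme allowlist are all constructed for the example and are not from any real product or advisory.

```python
"""Why Windows URI handlers get argument injection: the OS substitutes the URI
into a registered command string and the child re-tokenises that string into
argv. On UNIX execve(2) receives argv as an array, so the URI stays one arg.

Added example; the handler name, template and URIs are constructed, not taken
from any real product or advisory."""
import re


def win_split_command_line(cmdline: str) -> list[str]:
    """Re-implementation of the documented CommandLineToArgvW tokenising rules:
    whitespace splits outside quotes; quotes group; 2n backslashes before a
    quote give n backslashes and toggle quoting; 2n+1 give n backslashes and a
    literal quote; any other backslash is literal. The newer CRT '""' quirk and
    the simpler rule used for argv[0] are deliberately omitted."""
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2:
                    cur.append('"')          # odd count: escaped literal quote
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append('\\' * nbs)       # backslashes not before a quote are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append(''.join(cur))
    return args


# Hypothetical protocol-handler registration, shaped like the command value
# stored under HKEY_CLASSES_ROOT\<scheme>\shell\open\command.
HANDLER_TEMPLATE = '"C:\\Program Files\\Example\\viewer.exe" -url "%1"'


def build_handler_command_line(template: str, uri: str) -> str:
    """What the shell does: plain textual substitution of %1, no escaping."""
    return template.replace('%1', uri)


def posix_argv(program: str, uri: str) -> list[str]:
    """UNIX side: the caller builds argv itself and execve passes it through
    untouched, so quotes or spaces inside the URI never split the argument."""
    return [program, '-url', uri]


# RFC 3986 character repertoire: no '"' and no whitespace are ever legal.
_URI_CHARS = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*$")


def handler_argv_is_sane(argv: list[str], expected_len: int, scheme: str) -> bool:
    """Check a handler should run on its own argv: exactly the expected number
    of entries, and the last one is a URI of our scheme made only of RFC 3986
    characters. A re-tokenised injection then shows up as extra argv entries or
    a rejected URI instead of being honoured as a new option."""
    if len(argv) != expected_len:
        return False
    uri = argv[-1]
    return uri.lower().startswith(scheme.lower() + '://') and bool(_URI_CHARS.match(uri))


# The "second registry" idea from the comment: the only schemes a renderer of
# untrusted documents may dispatch at all. Anything else is refused outright
# rather than sanitised. Hypothetical allowlist for the example.
SCHEMES_FOR_UNTRUSTED_DOCUMENTS = frozenset({'http', 'https', 'mailto'})


def dispatch_allowed_for_untrusted(uri: str) -> bool:
    scheme, sep, _ = uri.partition(':')
    return bool(sep) and scheme.lower() in SCHEMES_FOR_UNTRUSTED_DOCUMENTS


if __name__ == '__main__':
    evil = 'example://x" -debug-script "c:\\evil.js'   # constructed attacker input
    argv = win_split_command_line(build_handler_command_line(HANDLER_TEMPLATE, evil))
    print(argv)            # the single URI has become three argv entries
    print(handler_argv_is_sane(argv, 3, 'example'))
    print(posix_argv('/usr/bin/viewer', evil))       # still one argument here
```

Note that the handler-side check only limits the damage; it cannot stop the shell from building the bad command line in the first place, which is the API-level point the comment makes.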
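On the interface-binding point: without an inetd-style layer that can pin services to localhost, the practical check on Windows is to audit what is actually listening on wildcard addresses. An added example, not from the original comment, that parses the column layout `netstat -an` prints on Windows; the sample lines are constructed, not captured from a real host.

```python
"""Audit which services accept traffic from any interface. Added example: the
netstat-style lines below are constructed, not captured from a real host.
Parses the 'netstat -an' layout Windows prints (Proto, Local Address,
Foreign Address, State); UDP rows carry no State column."""

WILDCARD_HOSTS = {'0.0.0.0', '[::]', '*'}


def split_host_port(local: str) -> tuple[str, int]:
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:3389' -> ('[::]', 3389)."""
    host, _, port = local.rpartition(':')
    return host, int(port)


def wildcard_listeners(netstat_output: str) -> list[tuple[str, str, int]]:
    """Return (proto, host, port) for sockets reachable from every interface:
    TCP rows in LISTENING state and every UDP row, where the bound host is a
    wildcard address. Loopback-only binds are ignored."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ('TCP', 'UDP'):
            continue                      # header, blank or unrelated line
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ''
        if proto == 'TCP' and state != 'LISTENING':
            continue                      # established/closing connections
        host, port = split_host_port(local)
        if host in WILDCARD_HOSTS:
            found.append((proto, host, port))
    return sorted(found)


# Constructed sample in the Windows 'netstat -an' layout.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    192.168.1.10:49152     10.0.0.5:443           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

if __name__ == '__main__':
    for proto, host, port in wildcard_listeners(SAMPLE):
        print(f'{proto} {host}:{port} reachable from any interface')
```

Anything the audit lists is exposed unless the host firewall blocks it, which is exactly the "firewall as the only defence" situation the comment describes.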
    • by rs79 (71822)
      Good point.

      Of course this all started when Microsoft decided HTML in email was a good idea. This was around the time Netscape was hot shit and to the average user it seemed like a cool idea "ooooh, red text".

      Which of course is the moral equivalent of a crow going "oh, a shiny thing".

      Bad juju.
  • by Vellmont (569020) on Friday September 21, 2007 @11:24AM (#20696831)
    I love this comment. It's such an interesting insight into the mind of a Microsoft guy:

    Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.

    I don't know anyone who thinks a major bridge in a major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.
    • I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal.

      That's not what they're being asked for. What they're being asked for is for systematic holes to be eliminated, so they don't have to keep being patched over and over again. I've listed some of the systematic holes in the design that they keep getting bit by in the message I posted just before yours.

      The thing that really bothers me is that people are accepting the argument that holes Mic
  • Heh (Score:2, Funny)

    by gammygator (820041)
    They aren't a laughing stock because it just isn't funny anymore.
  • by Cro Magnon (467622) on Friday September 21, 2007 @11:34AM (#20696989) Homepage Journal
    is that MS is no longer a laughingstock. The bad news is, now we're crying instead.
  • It is not for you to determine when you are, or are not, a laughing stock.

    The subject of a joke does not get to determine whether or not it is funny. ;)
  • The reason is that you get the Windows idiot here who claims that viruses etc. attack Windows BECAUSE there are so many, even with the virus writers saying that they attack Windows because of the ease of doing it. But if Windows becomes more secure than Linux and OSX, then they will retarget weaker systems. The good news for /., is that finally we can put to rest that piece of FUD.
  • Is that where they've set their bar? "Let's not be the laughing stock?" I can relate to that actually. Given how complex software & its design process has become it certainly is a realistic goal to get software out the door that just "doesn't suck." However, I'd prefer if my server OS vendor aimed a little higher.
  • And people will begin to believe it. That doesn't make it true. Saying Microsoft is no longer a laughingstock in the area of security is like saying heart attacks are no longer a laughingstock in the area of medicine. They're still a problem, but no one is laughing at such a serious problem. Their security issues are gumming up the Internet and causing billions of dollars a year in internet fraud-related cases. No one is laughing about that.

    If we're past the laughing phase then it's only because we're mov

  • by phorm (591458) on Friday September 21, 2007 @12:16PM (#20697737) Journal
    My girlfriend recently called me because the wireless internet connection on her laptop stopped working. After screwing around with it for awhile, updating the drivers, etc, I noticed a small notation on the latest driver that it would only work if the actual firmware on your card was greater than version XX. After updating the firmware, the wireless worked again.

    The apparent cause of the problem? Windows update happily auto-updated the wireless driver, neglecting to check that the firmware was compatible, and neglecting to also offer a firmware update. MS Security might have improved, but I don't think their reliability has. Many big corps tread carefully with update patches for this very reason.
    • Windows Update never updates drivers?

      They're available on the Windows Update site, but they won't install automatically and they're not selected by default on the website either.
  • What do you think he is going to say? That the security of Microsoft software is poor? Do you really expect a Microsoft employee not to lie?

    Most computer users are so accustomed to Microsoft's products being insecure, that they don't really notice the insecurity any more.

    If Microsoft product security has improved so much, then why do we still have all those Windows zombies spamming us each day?

  • .. and it becomes true. MS has been engaging in this kind of 'talk it up' behavior for years. "Okay, we admit we weren't that secure before.. but NOW, /now/ is a much different story." The sad part is, it works. If they repeat it often enough, loudly enough, and with enough different voices, the people responsible for making purchases will believe it's true. A prime example of this is the Linux v Windows TCO "debate" -- which didn't exist until MS spent millions of dollars to /make/ it exist.

  • Somebody please explain to Mr. Charney that his Jedi mind tricks may work on the general public but we're not falling for that!
  • An onion pretty much describes the MS security model. Take a core, wrap some layers around it, then add more annoying layers to protect the existing layers. And not every layer has to be from the same kind of onion.

    Coding practices can only get security so far... MS needs to revamp their security design.

  • ... from the VP of Trustworthy Computing at Microsoft?


    He sort of reminds me of the Black Knight [wikipedia.org] from Monty Python's Holy Grail.

  • by rs232 (849320) on Friday September 21, 2007 @01:03PM (#20698561)
    "One of the things I talk about often is my mom, because she is 78 and she's found e-mail .. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources [computerworld.com] and not following links and all of that"

    No, all you have to do is build a Desktop System that can't be compromised by opening an e-mail attachment or clicking on a URL ..

    "more people are like, 'Microsoft got its act together, and others should follow their lead,' technologists say, 'OK, our job is done -- what next?'"

    "What I explain to people is that this isn't actually a technology problem we are solving; it's a crime problem"

    Self serving imaginary made up quotes and a nonsensical opinion expressed. Making it a twenty year felony crime for hacking Windows isn't going to make Windows any more secure ...
