Microsoft

Microsoft to Focus on Security 720

Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
  • Come on now... (Score:4, Interesting)

    by xinit ( 6477 ) <rmurray@f[ ]ca ['oo.' in gap]> on Wednesday January 16, 2002 @10:17PM (#2852293) Homepage
    We should know that this is more than just a simple PR move by Microsoft. I mean, don't they normally release information to the press in order to let their employees know how they're changing their focus?

    If you look at the other side of the story, this is pretty much admitting that they haven't cared about security at all. At least now they'll release more PR regarding security issues.

    Especially if they find that anyone's distributing exploit code.

    • Re:Come on now... (Score:2, Informative)

      by hogsback ( 548721 )
      They didn't release it to the press.

      In e-mail to employees obtained by The Associated Press, Gates referred to the new philosophy as ``Trustworthy Computing''

      Now, of course, they may have deliberately leaked it ...
    • Re:Come on now... (Score:4, Insightful)

      by sql*kitten ( 1359 ) on Thursday January 17, 2002 @04:38AM (#2853341)
      We should know that this is more than just a simple PR move by Microsoft. I mean, don't they normally release information to the press in order to let their employees know how they're changing their focus?

      The last time Microsoft made an announcement like this, they refocused the company on the Internet, and started hammering out MSIE into a Netscape-killer. For all his faults, once Gates and his people get an idea in their heads, they can turn on a dime and they won't stop until they do what they want to do.
      • Re:Come on now... (Score:3, Insightful)

        by uebernewby ( 149493 )
        Agreed. Sure, Bill and his minions may usually end up the last people to "get it" (*starting* to think about the internet in 1995? sheesh), but like you said, once they've put it into their heads to do something, they'll get it done. Just don't expect results any time soon (witness the tediously long time it took to turn MSIE into something useful, or how many versions of windows were released before they managed to build one that didn't suck).
  • timing? (Score:3, Flamebait)

    by cgenman ( 325138 ) on Wednesday January 16, 2002 @10:17PM (#2852294) Homepage
    Hmm... Now that basically all of our code is developed and systems are embedded in concrete... let's try to secure this, shall we?

    Maybe they should have thought of this BEFORE they rewrote the OS?
    • Re:timing? (Score:5, Funny)

      by daniel_isaacs ( 249732 ) on Wednesday January 16, 2002 @10:32PM (#2852392) Homepage
      Yes, it's all about timing. The rest of the email outlined their other goals:

      1. To work out more
      2. To eat better
      3. To be nicer to the people we love
      4. To not drink so much

      The email closed with a lamentation about how these beginning of the year resolutions never seem to work, followed by a humorous panel from the comic strip "Cathy".
  • Normal slashdot staff overreacting again. You can turn that ID off. Granted, they should make it default to off, and ask you before they go around putting out supercookies, but it's possible to fix the hole. Even in WMP6.x. This was going across bugtraq today. Apparently, if you have the ID backdoor disabled, it generates a random number each time the control is queried. Spare his page, though, I wrote this with no replies (first post, almost), and the page was already horribly slow.
    • You make a good point that it can be turned off, but how many "normal end users" of Microsoft products are going to know this? It is not you or I, or for that matter anyone on /. (for the most part ;}) that I am worried about here. It is the people that do not have the first clue about computers, or security, and think that AOL is the internet that I am concerned about with security issues such as this one (and the countless others).

    • Just because it's possible to fix the hole doesn't make it "Normal slashdot staff overreacting again." Not only does the original report contain the information for how you can turn off the ID, it makes some good arguments for why that isn't good enough.

      So no, not an overreaction at all.
    • by blakestah ( 91866 ) <blakestah@gmail.com> on Wednesday January 16, 2002 @10:57PM (#2852495) Homepage
      Normal slashdot staff overreacting again. You can turn that ID off.

      The defaults are everything. Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop (IE), and no other browser is allowed to be there? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons?

      This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.

      Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.

      Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...
    • The problem with your "nothing to see here" attitude is that you have to know it's a problem in order to change the defaults. If nothing else, this story alerts /. windows users that someone may be tracking them, so that they can change the preferences. And, it's ironic that Gates wants Microsoft to be synonymous with "Trustworthy", while at the same time stabbing his customers in the back. Sorry, but I won't trust them with my money or my information, when they are so eager to screw me over for control of my digital media (DRM is the apparent reason for these supercookies), to the point where they would let anybody out there track me.
  • by The Spie ( 206914 ) on Wednesday January 16, 2002 @10:18PM (#2852304) Homepage
    Why does Microsoft saying they're going to focus on security remind me of the US government talking about campaign finance reform?
    • Campaign Finance Reform: individual contributions are capped while they put out a welcome mat at the back door for corporations and unions; finance candidates through tax revenues so that you are forced to finance the campaigns of those you wouldn't vote for if a gun were put to your head.

      Microsoft Security: store all your personal information at One Redmond Way so that malicious corporations can't invade your privacy; argue that public disclosure of exploits and bugs are criminal acts.
  • by ZenJabba1 ( 472792 ) on Wednesday January 16, 2002 @10:19PM (#2852309) Homepage Journal
    After reading the article, and also having my Microsoft account rep call me up after I have told her that I won't be installing my "enterprise" (every time I say that word, my whole team breaking to ST:TNG theme song), because the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actually purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...

    Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to do!

    Grrrr, too many NT crashes, not enough intelligent techs to figure out what went wrong, other than.. oh just reboot!
  • HAHAHAHAHAhahahahahaHAHAHAHAHAHAHAhahahahaheeheehe e.

    I guess those stories [slashdot.org] suggesting that software companies might become liable for damages arising from security holes put the fear of God into him.
  • by kootch ( 81702 ) on Wednesday January 16, 2002 @10:20PM (#2852319) Homepage
    so now all of the pr0n sites will know exactly what TYPE of pr0n to feature on the front page whenever I *happen* to stop by...

    well, at least maybe I'll get more targeted advertising... ya know, nothing against transvestites, but the pr0n of them in an advertisement just does NOT make me want to subscribe!
  • That'll work. (Score:3, Informative)

    by Rothfuss ( 47480 ) <chris.rothfuss@g[ ]l.com ['mai' in gap]> on Wednesday January 16, 2002 @10:20PM (#2852322) Homepage
    Security over function. That makes sense. I already love it every time windows warns me that I am about to do something dangerous, restricts me from seeing files I shouldn't touch by default, and dumbs down everything to the point where it takes me 45 minutes to make the machine useful after a clean installation.

    Now they are going to focus on security instead of function.

    I have a pocket calculator that adds, subtracts, multiplies and divides. The square root button is broken. I just jammed an RJ-45 cable into the slot where the battery normally goes. It appears to be doing nothing.

    I'm certain that my calculator now meets Bill's new objectives. It does nothing, but is entirely secure. Particularly since it is behind a firewall.

    Good idea Bill.

    -Rothfuss
  • by Publicus ( 415536 ) on Wednesday January 16, 2002 @10:22PM (#2852329) Homepage

    Hmmm, I think I'll go read slashdot today...

    It looks like you're trying to reach the internet, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."

    Arrgh, *click ok* (stupid microsoft)

    Your computer has begun downloading information, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."

    And so on!

  • Y'know... (Score:2, Insightful)

    by Anonymous Coward
    ..."Trustworthy Computing". This sounds suspiciously like a buzzword-name for digital rights management, especially after that paper on making an OS that prevents anything unauthenticated from getting at secure content.

    Anyone else notice this?
    • Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are.

      Russ Cooper, a security expert with TruSecure Corporation, said the change occurred in part after a new security team assigned to attend every product meeting met resistance from product teams.

      I am not very surprised by this

      Customers could also see a downside, though. Other than fewer new features, product upgrades could come less frequently or could be pushed back.

      Somehow, this is not a drawback, and hopefully this throws the subscription thing out of whack.

  • uh micheal? (Score:2, Insightful)

    by jeffy124 ( 453342 )
    m:
    the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

    It's not a security problem to have a number assigned to you, it's a privacy problem.
  • Writing Secure Code (Score:5, Interesting)

    by hogsback ( 548721 ) on Wednesday January 16, 2002 @10:25PM (#2852342) Homepage
    A couple of Microsoft's security people published a book - Writing Secure Code [amazon.com] - recently.
    It's obviously Windows biased with respect to code samples, but it's actually very good.

    Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play [microsoft.com] fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,
    • A couple of Microsoft's security people published a book - Writing Secure Code - recently.

      Also coming soon from BitterIrony press:
      GNU [gnu.org]'s guide to user-friendly UI.
      The U.S. D.O.J. [usdoj.gov]'s guide to speedy legal proceedings.
      And:
      Larry Wall [wall.org]'s guide to maintainable code.

    • by cooldev ( 204270 ) on Thursday January 17, 2002 @12:54AM (#2852898)

      To whet your appetite, a little excerpt from the beginning about how quickly machines get attacked:

      Surely, no one will discover a computer slipped onto the Internet, right? Think again. The Windows 2000 test site was found almost immediately, and here's how it happened... Someone was scanning the external IP addresses owned by Microsoft. That person found a new live IP address; obviously, a new computer had been set up. The person then probed various ports to see what ports were open, an activity commonly called port scanning. One such open port was port 80, so the person issued an HTTP HEAD request to see what the server was; it was an Internet IIS 5 server. However, IIS 5 had not shipped yet. Next the person loaded a Web browser and entered the server's IP address, noting that it was a test site sponsored by the Windows 2000 test team and that its DNS name was www.windows2000test.com. Finally the person posted a note on www.slashdot.org, and within a few hours the server was being probed and flooded with IP-level attacks.

      • by Sj0 ( 472011 )
        Finally the person posted a note on www.slashdot.org, and within a few hours the server was being probed and flooded with IP-level attacks.

        Sounds bad. Does that make us hacker terrorists?
  • How did this old story manage to make the front page of Slashdot when this new story [zdnet.com] with far greater implications didn't?
  • Hhhmmm... (Score:4, Insightful)

    by yamla ( 136560 ) <chris@@@hypocrite...org> on Wednesday January 16, 2002 @10:25PM (#2852347)
    Well, after all the ribbing, we have to give Microsoft [microsoft.com] some credit. There was no reason to believe that Windows XP actually was designed to be secure. Certainly, recent events have shown otherwise. But this really could be a change for the better.

    However, take a look at OpenBSD [openbsd.org]. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.

    But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?

    • openbsd is only secure if you don't install any third party software. after that, it's not much better than any other bsd or linux flavor for server (non multi-user shell account) systems.
  • by Steve G Swine ( 49788 ) on Wednesday January 16, 2002 @10:26PM (#2852351) Journal
    Microsoft does have a pretty strong track record of hearing what their big customers want to buy, and then building it.

    I'm not surprised that they're hearing about security... and I won't be surprised if they find a way to build it.

    Hey, I'm just sayin'.

  • by guacamole ( 24270 ) on Wednesday January 16, 2002 @10:26PM (#2852354)
    Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

    Right. This is not a security problem. This is a privacy issue.

    And speaking of which. Many of us have fixed IP addresses. Web sites already track our actions with cookies. Telcos sell information about us to anyone who wants to pay for it. Get over it. We have no privacy to begin with.

  • If.. (Score:5, Insightful)

    by AnalogBoy ( 51094 ) on Wednesday January 16, 2002 @10:27PM (#2852363) Journal
    If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux (I swear I didn't choose that just because it's the godhead of this entire forum), What would we do?

    Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will /. topics get more sensational?

    MS Press Release:
    "Microsoft released a patch today to save 15K of RAM in explorer.exe"

    Slashdot:
    Microsoft wasting gobs of memory for extra red-dot in windows logo.

    Personally, I say good for microsoft. Microsoft, right now, is an integral part of so many organizations, and admittedly they have security problems; They could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)

    Just my $0.02, Refundable with a $2.00 restocking fee.
    • Re:If.. (Score:2, Insightful)

      by Junta ( 36770 )
      One point, even if they do produce reliable, secure code, doesn't mean they are no longer the evil empire, they are the evil empire with better stuff :) They are the evil empire because they want to control a lot more than they should, and while this is no different than most other businesses, they are much closer to success... But then again you probably already knew that, just didn't think about it... Of course, AOL-Time-Warner is at least as scary as MS, if not more so now, IMHO...
      • Re:If.. (Score:4, Flamebait)

        by AnalogBoy ( 51094 ) on Wednesday January 16, 2002 @10:49PM (#2852459) Journal
        AOL/TW is, IMHO, a bigger threat now. They control major gateways to information, and can readily manipulate news and, in turn, ideas. THAT'S danger.

        Objectiveness is key.

        (AOL-TW-Microsoft-Oracle-KrogerCorp: All your needs. Period. If we don't make it, you don't need it. Sit, and Vegetate.)

        thought of the day:
        Do you think for yourself, or do you just think you think for yourself?
    • Re:If.. (Score:5, Insightful)

      by vondo ( 303621 ) on Wednesday January 16, 2002 @11:06PM (#2852531)
      I find AOL/TW less scary than MS, at least on a personal level.

      Sure, I watch CNN. Maybe I pick up Time occasionally, but I'm aware of who they are and what they are doing. If I want to avoid their media conglomeration entirely, I can. And if I do, it doesn't affect me. (Of course it affects the society around me.)

      Maybe I don't hear the incessant ads for AOL on CNN, maybe I have to use a smaller ISP. I think I can live without those things.

      Microsoft, on the other hand, by trying to extend its monopolies, is targeting my ability to communicate with other people. I can choose not to run Powerpoint or Word, but if 90% of the people around me only speak that "language" I can't see what they're saying. I can choose not to run IE, but if I can't read half the web because of it, I've lost. If I choose not to use Window's Media Whatever-its-called, I might not be able to hear the music I want to. And of course if I choose to run Linux, I can't even choose not to use all these MS products.

      When this happens, I've not just lost out on being able to use MS's products, but on a larger part of my world.

      AOL/TW is trying to control the content. MS is trying to control the underlying language. I find MS's intrusions more threatening to my lifestyle.

    • Tradeoffs (Score:4, Interesting)

      by dachshund ( 300733 ) on Wednesday January 16, 2002 @11:29PM (#2852626)
      If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux ... What would we do?

      The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies. Though I don't think most people on this forum view those two strategies as a "good" thing, it appears that they've worked rather well for MS up until now.

      So the $50,000 question is, can Microsoft focus on security without falling behind on those other fronts? And if they have to slow down on their speedy rollout of new products and features, will they suffer in the marketplace?

      If MS can do security and still be as quick-to-market as they were before, they're probably going to be in a very good position. If, on the other hand, they are forced to make a tradeoff-- of speed and quantity for security, for instance-- then it might be a whole different ballgame. Worse yet, they might wind up compromising on both fronts.

      • Re:Tradeoffs (Score:3, Interesting)

        by Sentry21 ( 8183 )
        The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies.

        I think one of the problems at Microsoft (and this was displayed eminently in a story my uncle (who works big time in multimedia) related to me once, but which I won't repeat in its entirety because I'm tired and lazy.

        In the story, though, there were a team of programmers at Microsoft working on a project (don't know which), and they gave a presentation to Bill Gates himself, telling him when it would ship. He responded by getting angry, and telling THEM when it would ship - bumping up the release date by a huge amount.

        Well, the programmers had to work their asses off to meet the release date. They worked overtime, some burned out, some dropped by the wayside, some quit. Seriously undermanned, they missed their new release date, but the program did eventually get released - on the day that they'd originally said it would get released.

        The only difference is, now they have lost several key programmers on the project, the ones they have like their job far less than they used to, and the code is rushed for no good reason.

        I don't know if this story is true, or, if it is, if that still goes on today, but I get the feeling that it is, at least in part, a good indicator. What reminded me was the mention of 'rush-it-out' philosophy PLUS always being late with their products, both of which are still true today (remember how Win2K/ME were supposed to be WinXP? Remember Win93? Win94?).

        Just my two bits.

        --Dan
    • Re:If.. (Score:5, Interesting)

      by Pussy Is Money ( 527357 ) on Wednesday January 16, 2002 @11:38PM (#2852663) Homepage Journal
      Nice post.

      I think basically you are saying that when Windows' technical deficiencies disappear (which in itself makes the dubious presupposition that one size might fit all), there is no longer any reason why we should oppose them.

      This presupposes that such is the case right now; i.e. that we are opposing Microsoft because their code is supposedly so horrible.

      But that's bullshit. I have to admit I don't know myself where all the folklore of lousy Windows performance and lousy Windows stability came from. Sure their software can run slow. But have you looked at GNOME recently? And as for security, granted their track record is very bad. But at least they don't ship with telnet, right [redhat.com]? Besides there is nothing like designing security for a piece of software that runs on 95% of the desktops in the world.

      So it's all relative. In any case, I'll tell you the real reason why we should oppose Microsoft: because whatever business you are in right now, if you're successful, it will be Microsoft's business next week. That's why we need to oppose Microsoft.

    • Re:If.. (Score:5, Insightful)

      by mjh ( 57755 ) <mark@horn c l an.com> on Wednesday January 16, 2002 @11:57PM (#2852718) Homepage Journal
      If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux ... What would we do?

      Declare victory. I think Linus once said, "If Microsoft starts producing good software, we've won."

      Personally, I think this is the goal: to get good software. I enjoy the fact that currently the best software around doesn't cost me any money to obtain. But I'm not going to maintain some sort of religious fanaticism about it. If better software comes along that costs money, I'll buy it.

      How many of you play only free games on your computers? Me either. I play Q3A or SimCity. I paid for them. Why? Because they're better than the free stuff. I'll pay for an OS too, if it's better than the free stuff.

    • Microsoft Focus (Score:3, Interesting)

      by _Sprocket_ ( 42527 )
      Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire?
      Microsoft has a LONG way to go before they manage this. However, the company has turned on a dime before. If there is anyone who can do it, it's them. But the changes will have to include technical and cultural shifts that go against years of activity that has defined the current Microsoft.

      But what would Slashdot do if Microsoft changes? They'll go on. Slashdot is not the anti-Microsoft site. There would be plenty of other news if Microsoft dropped out of sight tomorrow. Microsoft just manages to do things often enough to become a prime subject of this community.

      Microsoft constantly stands out from their peers. The IT industry is full of large, powerful corporations. They all put out products that could have their merits debated. They all make marketing claims, promise things to their customers, and set company policy that impacts end users (including Slashdot readers). Yet somehow Microsoft manages to raise to the top.

      Sure, there is over-the-top bashing of Microsoft (ignoring Microsoft's own PR, reputation for FUD, and zealous proponents). But there are also lots of legitimate grievances ranging from product quality to Microsoft's marketing tactics.

      Microsoft gets attention because they deserve it.

      When Microsoft changes its ways, they will fade in to the background with other industry leaders like IBM. And the news will march on with or without them.

    • What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government?
      We'll move on. I know some of you MS apologists think the majority of Slashdotters' hate of MS is irrational but it ain't. They earned it. But if they manage to change (and personally I don't think it'll happen until Gates is long gone and the culture he has fostered has changed considerably) we'll find a new target. After all IBM was the Evil Empire once.
    • Re:If.. (Score:4, Insightful)

      by Paul Komarek ( 794 ) <komarek.paul@gmail.com> on Thursday January 17, 2002 @03:03AM (#2853181) Homepage
      Microsoft has a lot to overcome to stop being the Evil Empire. The problem is that there is nearly no good will, benefit of the doubt, or trust left for Microsoft. They've screwed everyone multiple times. That includes business partners, OEM customers, end-users, you-name-it.

      Ballmer said they have a "popularity bug". It's no bug, it's by their own design. They've earned their place in the hall of shame. They want to win everything, regardless of what's good for the people around them. Some people call that "hardball", but I call it antisocial.

      The question, then, is why should we believe Microsoft is really going to change anything? Why isn't this just another publicity stunt? They've lied to everyone many times, including falsification of evidence in a US court of law. If Microsoft magically transfigured themselves into a perfect company today, it would still take many years before I would trust them.

      -Paul Komarek
  • this is a good thing (Score:2, Interesting)

    by smash ( 1351 )
    Don't get me wrong, I'm no fan of Microsoft, however concentrating on security will have other benefits - the auditing their code will receive will likely fix many stability problems as well.

    Other than security problems and product activation, I have to admit, that XP is actually a nice product. I may not agree with a number of its design decisions (stuffing things into kernel space that don't need to be there, building the GUI into the kernel, Microsoft ASCII text, etc.), but it IS very feature complete for the average end user.

    I still won't run it by choice (FreeBSD baybeee), but having to *support* the platform will be a lot less hassle...

    just my US0.01c (damn pathetic aussie dollar...)

    smash

  • by vondo ( 303621 ) on Wednesday January 16, 2002 @10:28PM (#2852375)
    Is this in the same vein as the day Bill Gates ordered everyone at MS to stop what they were working on and concentrate on how the Internet would affect their products?

    Of course, by that I mean Microsoft finally understanding something several years after the rest of the world "gets it?"
    • Of course, by that I mean Microsoft finally understanding something several years after the rest of the world "gets it?"

      Your jibe would carry more weight if only you could surf the internet without using Microsoft internet software in some way, be it a browser, streaming media format, or web server.

      Microsoft, like any huge company, is often late in 'getting something.' But once they do, they have a remarkable ability to use their [monopoly] power to dominate in that area later.
  • by eric434 ( 161022 ) on Wednesday January 16, 2002 @10:30PM (#2852387) Homepage
    They're doing their best to attack open source; from buying SGI patents to kill OpenGL to this new intitiative to cut off the age-old argument that open source is more secure (at least on the PR front...) and all the rest. I guess they really do see open source as the number one threat...

    What I really hate to see, however, is that we're not doing too much about it. In fact, the only new thing is Lindows, and I sincerely hope they live up to the hype. Unfortunately, Microsoft has realized that Joe Average Consumer *doesn't care* about anything that is not the easiest way to go; even in the server market the PHBs will stick to MS until they see something like the Gartner Report or the FBI declaring Windows XP to be insecure (or whatever).

    IMHO, a good part of the Open Source world needs to focus on making Linux a real competitor on the desktop market; such as idiot-proof install programs that need *NO KNOWLEDGE OF PARTITIONING* (and just ask, "do you want to install Linux on separate hard drive, or should I resize your Windows partition to X gigabytes and install it on this hard drive?") and autodetect hardware (X Windows configuration is a *REAL* pain in the derriere if you don't know much, if anything, about computers, for example) and whatnot. In order for Linux to be a real competitor for the computer of Joe AOLuser, it should take advantage of almost (or as much or more) autodetection/idiot proof default settings as Windows.

    Now I know, I know, we aren't after Joe AOLuser, but in order for manufacturers to keep making Open-Source compatible hardware, THEY NEED MARKET DEMAND. It's far easier to cave in to Microsoft if it means losing 5% of sales (to hardcore geeks) than if it means losing 50% of sales (to Joe Average User). And yes, I just pulled those figures out of my hat, but I wouldn't be surprised if they were true.

    • by ZxCv ( 6138 ) on Wednesday January 16, 2002 @10:55PM (#2852483) Homepage
      Last time I installed Mandrake 8.1, it automatically partitioned my drive, and auto-detected and properly configured every piece of hardware in my laptop (including my 802.11b card). There are still applications out there that could use some usability enhancements, but the major obstacle (installation) is pretty much out of the way. The only thing Linux needs to be a true competitor on the desktop is applications. These days, the desktop-oriented Linux distros are just as easy, if not easier, to install as Windows. It is the lack of applications that is holding back any progress Linux might make on the desktop.
    • I don't think they're worried about a Gartner report, Microsoft has been slammed on its poor security record for some time now. (Maybe not by the Gartner Group, but certainly in other PHB reports.)

      What probably got their attention was the recent visit from the FBI. Something most people forget is that one of the primary responsibilities of the FBI is counterespionage, and it doesn't take a genius to figure out how much damage a subtle virus could do on government computers. (Esp. after other countries had sensitive documents leak out with that "I write you for your advice" virus.)

      We'll never know what the FBI told them... but we can guess based on what we now know. Every group must explicitly consider security issues, senior management reminding the troops to take it seriously. Maybe this is my one cynical-free day each year, but I really don't see this as a ploy to attack open source software such as Samba. I think they finally understand that they have a serious problem.

      But, ironically, I'm now concerned that they don't have enough experienced security people. The corporate culture just hasn't encouraged development of the right skills. Any semi-decent programmer can check for buffer overflows and the like - even automated tools can do that in many cases now - but true security comes from an ability and willingness to challenge the most basic assumptions, to question the most sacred code, etc.
  • Oh my God, if Billy actually means what he says, what are we going to do now? We've always had a major advantage in security and stability with Linux. Our arguments have always been based on the fact that M$ windoze is a bloated hacker haven.
    Linux and the open source movement will most certainly never die, but I would really like to see a day where mom, pop and granny all used Linux, most games and popular software ran natively on it, and windows was a weird "fringe" thing like Macs.
    I honestly believed we could pull it off in 5 years, 10 tops. But with the full resources of a gigantic monopoly turned to focus on what has always been our strong point, dear lord, what are we going to do now???
    Worse than that, what if ole Billy also decides to make it a lot faster? What if the deepest pockets in the world turn to actually making windows a decent OS?
    • Our arguments have always been based on the fact that M$ windoze is a bloated hacker haven.

      I know plenty of bloated hackers who run linux.

      Worse than that, what if ole Billy also decides to make it a lot faster? What if the deepest pockets in the world turn to actually making windows a decent OS?

      Then I'd start using it. Linux is best suited for servers. That may change in the near future, but for now Windows has the desktop market and isn't going anywhere soon. If MS actually does manage to improve Windows security and stability, the end-users can only benefit.

      -Legion

  • Thoughts (Score:5, Interesting)

    by cascino ( 454769 ) on Wednesday January 16, 2002 @10:32PM (#2852390) Homepage
    First of all, it truly scares me that Bill Gates's announcement that Microsoft will "emphasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself.
    Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable [slashdot.org] database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
    Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelihood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this [latimes.com].
  • Your Microsoft Windows XP has detected a security violation

    A)bort R)etry I)gnore

    =tad=

  • Security risk? (Score:4, Insightful)

    by Speare ( 84249 ) on Wednesday January 16, 2002 @10:35PM (#2852405) Homepage Journal

    Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.

    It's not a security problem. It's a privacy problem.

    If it posted the user's passwords, executed arbitrary code, or removed network firewall configurations, then it would be a security problem.

    • Re:Security risk? (Score:3, Insightful)

      by jayed_99 ( 267003 )
      You're thinking about "computer security" (passwords, arbitrary code, etc) which is a subset of "information security".

      Information security is the protection and preservation of any data/information about or in the possession of an organization. One way you protect your information is through good "computer security". However, good IT security departments are also concerned with (among other things) backups, contacts with law enforcement and press agencies and legal issues. None of which appear to fall into your definition of security.

      It is common for system administrators and developers to view "security" in the context of "computer security." Paranoid IT security trolls [TM] usually adhere to the second view.

      Privacy is also a subset of information security -- think about the relationship between privacy, information and social engineering for a minute.

      I'm not saying that in this particular case that this privacy breach is an invitation to massive social engineering. I am saying that privacy issues are security issues.
    • From the WMP supercookie bug page [computerbytesman.com]:
      To block SuperCookies requires changing an obscure option in WMP which is barely documented.
      That is highly misleading at best, and complete bollox at worst.

      Now I'm someone who will cheerily click past a click-through license agreement without reading it, but Microsoft still managed to draw my attention to the existence of this ID, then told me what benefits it gave, and then how to disable it (which I did).
      (They didn't mention the supercookie privacy bug tho :))

      When you install WMP7 it brings up a Privacy Policy dialog (and those words immediately make anyone who would actually care [about web pages being able to collate info about them etc] decide 'this is something I should read') which explains pretty much in bullet points every aspect of WMP that might violate your privacy, what advantage you get by having it on, and how you can turn it off (including the Content Rights Management). You then have to tick an "I have read the privacy policy" checkbox before you can continue the install.

      In that sense "an obscure option in WMP which is barely documented" is complete bollox. However, I imagine it's possible (now or soon) that you could buy a machine preconfigured from the store with WMP7, and not be provided with any information, or warning.

      Windows2000 (SP2) comes bundled with a much earlier version of WMP so no worries there, but I've not looked at XP.

      My question for anyone who has bothered to read this far...
      (I'll word the same question 3 different ways)

      Is this just a bug, or would the only way to fix this bug defeat the entire purpose of the ID? / Can this feature exist without the side-effect? / Is it a side-effect or just the other side of a double edged sword?
      • Windows2000 (SP2) comes bundled with a much earlier version of WMP so no worries there, but I've not looked at XP.

        Win2KSP2 has WMP 6.4. It's in there.

        View => Options => Player => Allow Internet sites to uniquely identify your player

        Uncheck the box to fix.
  • I've had an open security issue on their site for months. [ http://www.devitry.com/security.html [devitry.com] ] They don't seem to be too concerned with it, even though they are running the Passport system. Will this Gates email change their minds and get their butts in gear?
  • Two questions (Score:5, Interesting)

    by Chris Johnson ( 580 ) on Wednesday January 16, 2002 @10:36PM (#2852410) Homepage Journal
    Two questions. One, it's all very well to talk about this but isn't it like rewriting Netscape from the ground up? Isn't it either totally meaningless or an announcement of a complete energy sink at Microsoft which will immobilize them?

    Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?

  • We all remember Jim Allchin saying that XP was "the most secure Windows ever." And everyone here knows about the UPnP bugs that were discovered the day XP was released. Their other recent announcements lambasting the process of full disclosure by Scott Culp also show that they have no real commitment to providing decent security in their products. Well, if this word from BillG is supposed to mean anything, we ought to see it in action. Unless "trustworthy computing" is supposed to mean trusted computers (a conceptual fiction) for use with digital rights management...

  • Microsoft to Focus on Security

    It's about fucking time.

    In other news, why does this story have a Borg logo on it instead of the Monty Python foot?

    -Legion

  • "Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."

    If you know anything about managing people, that is probably the #1 way to get people who don't really want to do something to get results. Sounds like while it may be in part a PR stunt, it really is a serious push by Gates.

    -Pete
  • by guttentag ( 313541 ) on Wednesday January 16, 2002 @10:51PM (#2852465) Journal
    Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". ... Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users.

    "Trustworthy Computing" doesn't necessarily mean "secure computing." Microsoft wants you to think that, though, just like they want you to assume "we're innovating" means "we're making products better for you." (Incidentally, MS's definition of "innovation" means "finding new ways to solidify our market position.")

    Anyone remember Bill Gates's deposition [washingtonpost.com] in the MS antitrust trial? His version of the English language is so far out of whack he spent most of each session professing to have no understanding of common words and terms.

    In this case, "Trustworthy Computing" means "convincing computer users that they don't have to worry about security... that they can trust MS."

    • Actually, what will happen is that Bill Gates will act like he invented the concept of secure computing. And the media will believe it, just like they believe he invented the browser, email, the internet, and web services.

      Have you seen how much hype has gone into web services, with Microsoft acting like they were the first ones to the table? Arg.
  • by tswinzig ( 210999 ) on Wednesday January 16, 2002 @10:53PM (#2852472) Journal
    The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.

    I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.

    How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.

    Extrapolate amongst yourselves.

    Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?

    Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?
    • by djrogers ( 153854 ) on Wednesday January 16, 2002 @11:00PM (#2852512)
      Adding functionality to an OS is much easier than adding security. There's nothing magic about building a web server or browser, and giving them away/bundling them makes it quite easy to gain marketshare. Note that everything you mention in your e-mail has been involved in HUGE security holes...
    • I suppose that Microsoft will have to re-think things like ".exe" at the end of a filename meaning "run me" to the OS.

      Until then, I for one will keep laughing.
  • by Jon Abbott ( 723 ) on Wednesday January 16, 2002 @10:54PM (#2852477) Homepage

    "Users should be in control of how their data is used" -- Bill Gates

    To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
    • by i_am_nitrogen ( 524475 ) on Thursday January 17, 2002 @12:55AM (#2852904) Homepage Journal
      "Users should be in control of how their data is used" -- Bill Gates

      Translation: [serious] Users should be made to think that our ideas of how their data should be used are also their ideas.

      -or-

      [humorous] Microsoft should be in control of how its users are used.

      Seriously, though, all those who fit Microsoft's definition of user already think they are in control of their data. They believe that Microsoft provides them freedom to do what they want. Look at those Windows XP flying commercials. People actually believe that stuff. Just a thought.

  • This is directed at legislators. As PR, it's pretty poor, and against form for Microsoft - it admits that a problem exists (remember their old slogans about how windows was fast and reliable?) If they can convince legislators (who are, to some extent or another, in MS' pocket) that they're doing something, then they can convince legislators to abandon the proposal [slashdot.org] to make software vendors liable for security failures, which could open up MS to unlimited liability.
  • ...for corporations? I expect that increased security means making it harder for us end users to listen to our music and watch our movies whenever we want rather than protecting us from things like viruses and intruders - after all, that's where the money probably is.
  • by bnenning ( 58349 ) on Wednesday January 16, 2002 @11:04PM (#2852525)
    ``Users should be in control of how their data is used,'' Gates wrote. ``It should be easy for users to specify appropriate use of their information including controlling the use of e-mail they send.''


    Ok, what the heck does that mean? Unless Microsoft plans on solving the trusted client problem, once I send you an email there is no way I can control how you use it. The only thing I can think of is letting users add a header to outgoing email, and if it was present Outlook would not allow copying or saving when the recipient viewed it. Of course anything like this is trivial to defeat, resulting in the illusion of privacy rather than actual privacy.

  • It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.

    Properly securing products isn't fun.

    Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.

    Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."

    All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.

    Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.
  • by Animats ( 122034 ) on Wednesday January 16, 2002 @11:45PM (#2852685) Homepage
    Microsoft can do this.

    First, Microsoft has finally flushed the security-hopeless operating systems (DOS, Win3.5x, Win95, Win98, WinME) out of their product line. The current product line is Win2K and XP, both of which have reasonable underlying security machinery. It's not well-used, but it's there.

    Given a reasonable underlying OS, it's quite possible for Microsoft to arrange things so that all executable content executes in a "jail". More generally, a security distinction has to be made between what the user is doing and what external content is doing, and the OS kernel has to enforce this.

    If MS does this right, it won't matter if IE has security holes, because trouble will get no further than the current IE document.

    We're all going to be doing a lot more forking and IPC.

  • Just Like Ford... (Score:3, Interesting)

    by ruiner13 ( 527499 ) on Thursday January 17, 2002 @12:07AM (#2852743) Homepage
    except instead of "Quality is Job #1", it is "security is job #1". And if Microsoft's version of security is similar to Ford's version of quality, we will see massive recalls on M$ products. Only M$ won't have Firestone to kick around for their mistakes. I'm sure they'll blame Roxio, Sun, or Apple...
  • by Polo ( 30659 ) on Thursday January 17, 2002 @12:43AM (#2852875) Homepage
    Robert X. Cringely [pbs.org] has already predicted that this would happen in this article [pbs.org]. An excerpt:

    Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it will tout as being more secure.
  • by warpeightbot ( 19472 ) on Thursday January 17, 2002 @02:20AM (#2853084) Homepage
    To state the obvious, not no but hell no.

    Why?

    Because I know how Bill Gates' mind works, and if I can't see the code, I'm not going to run it. Yes, us Linux sysadms have a rep for being paranoid bastards. Yer damn right we are, and proud of it. That's what's kept me virus-free and crack-free the last five years, watching boxes powered by You Know Who drop like flies.

    Linux isn't perfect, no, but it'll take him a minimum of 2 years to get his codebase in order even with the army of people he's got.... and by then we'll have our world domination, and they'll be putting Linus' picture behind that Borg eye rather than Bill's. We might even get Mozilla to 1.0, who knows.

    But, seriously. Even if l0pht and friends were to publish with much fanfare, "holy penguins! I can't crack this thing!" I still wouldn't buy it, and not just because I'm opposed to getting on this $100 every eighteen months to upgrade kick.... Not when I can run a product I personally helped design if not build. And can look at the code and see that it is good... or fix it if it's not. And there's huge advantages to being able to talk to the guy that wrote it.

    Real-life situation, several weeks ago. I had a problem with the Mylex raid driver. Sent email to the guy who was listed in the headers for the source. A little email tag ensues. Eventually he sends me a patch. cut, paste, compile, init 6. Blammo. It worked. Total elapsed time, about 48 hours.

    You will never get that out of Microsoft. Ever.

    Then there's the principle of the thing. The Borg's stated objective is to take over the world and have it for his own. I'm not giving aid and support to that cause. I'm giving aid and support to another guy who wants to take over the world... and set it Free. I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.

    --
    Nuke'em from orbit.
    It's the only way to be sure.

  • by rediguana ( 104664 ) on Thursday January 17, 2002 @04:04AM (#2853287)

    Look at it this way. Developed countries have a set of systems that can be defined as critical infrastructure. These maintain the operability of a nation on a day-to-day basis. If any of these systems break down, then society will follow down too.

    Some examples? Well... water, power, sewerage, welfare, health, emergency services, police and justice, banking, government, communications, and one of the latest additions would have to be IT.

    IT must be damn close to being critical infrastructure, if it isn't already. We all know MSFT is very dominant in Operating Systems. Their systems are being used within many of these critical services, which would tend to suggest that MSFT is already inextricably linked to the other critical infrastructures.

    Already countries overseas are opting for alternatives to MSFT because of some of the risks that their products provide. Govt's of Germany, France, and others are looking for more 'trusted' IT products - partly for cost, but also because some of the systems are critical.

    MSFT didn't have any choice but to accept security, much as they had to accept the Internet in '95. If they didn't, they would see dwindling market share, and their products being dropped from IT solutions involved in critical infrastructure. So, they have to get on the 'trusted' bandwagon to maintain market share. Govt's do spend a bit of money on IT after all.

  • Story's moved (Score:4, Informative)

    by PhilHibbs ( 4537 ) <snarks@gmail.com> on Thursday January 17, 2002 @05:16AM (#2853409) Homepage Journal
    here [siliconvalley.com]
  • by lateral ( 523650 ) <mark@compoundeye.co.PARISuk minus city> on Thursday January 17, 2002 @05:28AM (#2853439)
    The /. community have been crying out for Microsoft to take security seriously for a long time. Now that they have decided to do just that you think the community might be pleased, or just a little relieved. Apparently not. It seems MS will get a bashing even when they do what we want.

    There seems to be a feeling that MS aren't doing this sincerely. Maybe they're not, but we can't possibly know that yet. I think there is every reason to believe they will go through with this. Does anyone remember what happened when Bill Gates realised his company had taken its eye off the ball by ignoring the internet?

  • by flacco ( 324089 ) on Thursday January 17, 2002 @05:29AM (#2853443)
    MS will clearly see this as a marketing and FUD opportunity for Passport.

    Vendors will have to use Passport in order to get a "Microsoft Trustworthy Computing" seal on their website (have they trademarked that fucker yet?).

    Users attempting to access Commerce sites without Passport integration will be warned with a big "THIS SITE NOT MS-TRUSTWORTHY-CERTIFIED!" messages.

    After all, every consumer knows you need a big, familiar, feel-good corporation like MS to ensure your Internet security and privacy...

  • From the risks digest....

    Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
    "Nicholas C. Weaver"
    Sat, 5 Jan 2002 13:15:52 -0800 (PST)

    I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.

    However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.

    There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).

    An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.

    The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.

    What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which could otherwise be prevented?

    [1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp 203--216,

    [2] "Omniware: A universal substrate for mobile code"

    Nicholas C. Weaver nweaver@cs.berkeley.edu
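
The software fault isolation idea cited in the RISKS post above, as an added example (not code from the thread or from the cited paper): every store made by the untrusted code is confined to its own power-of-two data segment, either by forcing the upper address bits (address sandboxing) or by checking them (segment matching). The arena layout, segment sizes and all names are assumptions for illustration; offsets into one array stand in for machine addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: three 256-byte segments in one arena.
 * Segment 1 is the untrusted module's data, segment 2 is trusted host state. */
#define SEG_BITS   8u
#define SEG_SIZE   (1u << SEG_BITS)
#define OFF_MASK   (SEG_SIZE - 1u)          /* low bits: offset within segment */
#define GUEST_SEG  1u
#define HOST_SEG   2u
#define GUEST_BASE (GUEST_SEG << SEG_BITS)
#define HOST_BASE  (HOST_SEG << SEG_BITS)
#define BUF_LEN    16u
#define GUEST_BUF  (GUEST_BASE + SEG_SIZE - BUF_LEN) /* last 16 guest bytes */
#define HOST_FILL  0xAAu

static uint8_t arena[3u * SEG_SIZE];

static void reset_arena(void)
{
    memset(arena, 0, sizeof arena);
    memset(arena + HOST_BASE, HOST_FILL, SEG_SIZE);
}

/* 1 if no byte of the host segment has been modified. */
static int host_intact(void)
{
    for (uint32_t i = 0; i < SEG_SIZE; i++)
        if (arena[HOST_BASE + i] != HOST_FILL)
            return 0;
    return 1;
}

/* Address sandboxing: overwrite the segment bits with the guest's segment.
 * A wild address is not detected, it is redirected into the guest's own data. */
static uint32_t sandbox_addr(uint32_t addr)
{
    return GUEST_BASE | (addr & OFF_MASK);
}

/* Segment matching: compare the segment bits and refuse the store on mismatch.
 * A real implementation traps; this sketch returns -1 instead. */
static int store_matched(uint32_t addr, uint8_t v)
{
    if ((addr >> SEG_BITS) != GUEST_SEG)
        return -1;
    arena[addr] = v;
    return 0;
}

/* The bug under discussion: a copy that trusts the caller's length. */
static void copy_unchecked(uint32_t dst, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        arena[dst + i] = src[i];
}

/* Same buggy loop, but each store goes through the sandboxing mask. */
static void copy_sandboxed(uint32_t dst, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        arena[sandbox_addr(dst + (uint32_t)i)] = src[i];
}

/* Same buggy loop with segment matching; returns how many stores were refused. */
static size_t copy_matched(uint32_t dst, const uint8_t *src, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (store_matched(dst + (uint32_t)i, src[i]) != 0)
            rejected++;
    return rejected;
}

/* Each run writes 32 constructed bytes into the 16-byte guest buffer. */
int run_unchecked(void)
{
    uint8_t in[2 * BUF_LEN];
    memset(in, 0x41, sizeof in);
    reset_arena();
    copy_unchecked(GUEST_BUF, in, sizeof in);
    return host_intact();
}

int run_sandboxed(void)
{
    uint8_t in[2 * BUF_LEN];
    memset(in, 0x41, sizeof in);
    reset_arena();
    copy_sandboxed(GUEST_BUF, in, sizeof in);
    return host_intact();
}

size_t run_matched(void)
{
    uint8_t in[2 * BUF_LEN];
    memset(in, 0x41, sizeof in);
    reset_arena();
    return copy_matched(GUEST_BUF, in, sizeof in);
}

int main(void)
{
    printf("unchecked: host intact = %d\n", run_unchecked());
    printf("sandboxed: host intact = %d\n", run_sandboxed());
    printf("matched:   stores refused = %zu\n", run_matched());
    return 0;
}
```

The overflow still corrupts the guest's own segment in the sandboxed run (the excess bytes wrap to the start of the guest data); what the technique buys is that the damage cannot reach state outside the fault domain.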
  • by Spoing ( 152917 ) on Thursday January 17, 2002 @09:20AM (#2854009) Homepage
    As anyone who has worked on commercial software knows, the release schedule drives the features list and the features list drives both coding and testing.

    Security is one of those things that is required to come at the planning stage of any product -- not as an afterthought during the coding and test stages.

    MS needs profits to buy new companies so they don't have to pay dividends. They need big profits so that the stockholders will be happy with the 'value' of MS as a whole.

    Yet, the software side of their business is a stagnant market -- huge and captive but not growing as it used to. Because of that they need to retain customers and get them to upgrade on a regular basis (subscriptions everyone?).

    Then, we're back to the schedule and the features and security getting short shrift.

    Does anyone expect it to be any other way?

  • by 4of12 ( 97621 ) on Thursday January 17, 2002 @10:14AM (#2854309) Homepage Journal

    That part is really central to the problem.

    Microsoft has been the dominant player for so long now (what, about 15 years?) that it has become complacent and arrogant. They can say, with all credibility,

    "Standards? We are the standard."
    even if it grates on the ears of their competitors and users.

    There are definitely some brilliant people working in Redmond, but if they are managed by the same people that bred this culture of arrogance, then only rare glimpses of that brilliant work will be revealed to the world. Most of that good work will be muffled and warped beyond recognition under various business practices such as supporting Windows, leveraging Office, promoting .NET or whatever the fad (cf, Trustworthy Computing) of the day happens to be.

    The sooner that megalithic company is split into smaller pieces the sooner it will have a chance to bring genuinely good products to the marketplace.

  • by jcr ( 53032 ) <<jcr> <at> <mac.com>> on Thursday January 17, 2002 @01:08PM (#2855825) Journal
    Hugh Daniel went up there some time last year, to do some interoperability testing between NT's IPSEC, and free S/WAN. He asked them, what crypto they'd implemented and could test. They told him that they'd only done 40-bit DES.

    He just left.

    Personally, I'm not holding my breath for MS to ever implement a securable system. They'll do things that let them check off the boxes in their product literature, but as for those features being truly robust, I wouldn't count on it.

    -jcr
  • by joe_citizen ( 551864 ) on Thursday January 17, 2002 @08:18PM (#2859345)
    So when will I be able to visit any of the Microsoft websites with IE browser security set to High?
