Security Community Reacts to Microsoft Announcement 471
A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Crag Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.
Security is everyone's problem (Score:4, Interesting)
True Names are important for a reason.
Craig's article... (Score:5, Interesting)
But we're still in the early years of the computer revolution, and there are many technological, social and regulatory hurdles we must overcome before computers truly become a ubiquitous--and essential--technology.
The early years? No. When you've got one person on top who can't get their sh*t together...
I mean, we could be farther along in this 'revolution' he speaks of. Why aren't we? Because the Big Guys [read:Microsoft] are doing what they want to do. Why are they now only focusing on security?
Oh! Pick me! I know! --- Because they do what they want to do, and that's it. They don't give in to customer demand; most of their product is cooked up by visions that Bill and others have.
Really good or really bad. (Score:3, Interesting)
Either way, its going to take quite a while to tell.
Windows needs a clean break (Score:4, Interesting)
I guess that's the problem when you are a huge software company trying to appeal to everyone. You end up supporting everything and it turns into a big mess.
mark
Getting ready for the setlement (Score:5, Interesting)
The settlement with the DOJ specifically allows Microsoft to exclude documentation of APIs that relate to security. This new initiative makes damn near anything in some way relate to security. Gotta love it.
Re:Windows needs a clean break (Score:3, Interesting)
My box has a Linux partition and a Win2k partition. I keep Windows for games, and because in all honesty 2k isn't that bad. It's got all the stability and such of XP, but none of the Big Brother. 2k is also quite secure if you know what you're doing. And I like playing games. I have vowed to not update to XP however, as the whole embedded passport thing and such really scares me.
However, if say, 2 years from now Windows RG (Really Good edition) comes out and is NOT backwards compatible, now new games only come out for it. I'd presume that if anything this hypothetical WinRG will be worse then WinXP in terms of Big Brother-ness, ergo I'd be even more hesitant to upgrade. That and it'll be even more eye-candy and more dumbed-down and all that stuff. But if I want my games, I'll have to upgrade.
So that's why it's scaring me. I hope they keep their backwards compatibility, as I would personally like to just keep running 2k for as long as I can. Or at least if they do lose the backwards compatibility, wait until Linux gets enough market for games to be more available for it.
And yes I realize the irony in talking about Linux games in the wake of the death of Loki.
Security APIs (Score:2, Interesting)
Even despite the fact that security through obscurity is no security, how does closing the security API make the system more secure? Surely all this achieves is to allow Microsoft to put backdoors in Windows' security features.
Security vs. privacy (Score:1, Interesting)
Of course, one can turn the tables around and think about dealing with privacy first and think about "the new meaning of security" in "the face of privacy". Huh?
Case in point: Intel's chip ID. Customers protested because it can be used for privacy violation -- although it really CAN be used for security. So which priority is it for you? Privacy? Security?
DRM! (Score:4, Interesting)
Billg says:
"Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways...It should be easy for users to specify appropriate use of their information including controlling the use of email they send."
Of course, this new "secure" email won't work on those unamerican Linux computers.
Am I the only one nervous about that?
Trust Microsoft? Who are you kidding (Score:3, Interesting)
It doesn't matter what sort of clothes they wear or how pretty they smile, when the bully comes around the next day, the kids run and sream in terror. They know the bully only wants to get them backed into a corner; what makes us treat Microsoft any different?
Am I one of the few optimists? (Score:3, Interesting)
Bad security practices can be expensive - I know I've lost a few hours of work due to not having an up-to-date-and-scanning virus program. This has to have a definate impact on MS's operational budget, trying to figure out how to spin the latest virus while testing solutions against the entire MS suite. On top of that, there has to be some managers and employees that still believe the old lines, that customers pay for new features, not bug fixes, that interoperability and ease of use sell, not security.
Microsoft knows that it has won the Desktop OS wars, that it's closest competators are Apple's OSX (only runs on expensive hardware, so it will have a minimal impact on business sales) and Linux (still playing catch-up with MS). Now it needs to figure out how to sell upgrade units to existing customers, and has to think about the eventual multi-computer households with home servers, where it is currently losing to Linux. Most reviewers that tried XP loved it's stability, and I've even been tempted to upgrade my 98 desktop (which runs fine once you get all the programs working together).
Extra bells and whistles aren't doing it anymore - customers are tired of gaining ease of use at the cost of patches and bugs. Customers want an invisible operating system, which makes easy things easy, and they almost don't care about making hard things possible. This will require MS to transition from a company focused on beating competators by innovation (by whatever means) to beating competators by having a better product (more stable, less supprises, better cooked).
To make a change in basic philosophy requires a redirection of management. The Gates memo is the first step, and I think we can take it at face value. Sure, it's a strategy to further MS's competative edge, but I really don't think that there's anything underhanded going on here. I think Bill is giving the lowest guy on the totem pole a weapon to tell his boss - Here, I want to work this bug out before we release it; if you have a problem, take it up with Bill. That a Good Thing, and I'm planning to be suprised by what the folks at MS can do when they have the will to make a secure product.
Re:Windows needs a clean break (Score:3, Interesting)
The usual press response... (Score:3, Interesting)
MS will do a barely useful job of improving security, and the press will proclaim that they invented it.
It will be just like multi-tasking in Windows 95 (i.e., "Users can now run two or more programs at the same time!!").
Actually, it's a little more complex. (Score:2, Interesting)
MS may now be trying to move into to a different market, one that values security above point-and-click.
The BBC sums it up nicely [bbc.co.uk].
Re:SOAP and the MSFT way (Score:3, Interesting)
FUD
What you, Adam and Bruce appear to miss is that firewalls are rarely configured to allow incomming HTTP requests. If they are the requests are typically handled by a server located in a DMZ between two firewalls.
The firewall bypass problem is for outgoing requests. There is not actually a whole lot of difference in the security implications of an HTTP client posting a form in URL encoding and posting an XML document.
But that's a big part of MS's assets (Score:3, Interesting)
Apple is a very different animal. They can sell anything. Just not to everybody.
In any case, "going back and rewriting everything" always sounds like a good idea, but seldom is.
"Going back and rewriting the worst stuff" is probably a much better idea.
Security Focus gets it right. I doubt M$ will (Score:5, Interesting)
As an example, we wrote a test app with a different foundation class library that was bug- and memory-leak free in all of the major WinXX OS's up through 98 and NT 4), and even compilable and bug free back into Win 3.XX. The whole app was a total of 123K: the Microsoft Foundation Class (MFC) [version 3.2, IIRC] test app as created by the wizard came in at just over 1 Meg, riddled with memory leaks, logical errors, etc. Our determination was that it wasn't just a bad wizard -- the MFC itself was causing many of the leaks and problems.
Now then, if you look at the Win API set now (Y2002), it is just that much more massive than when I last actively coded to it -- but the underlying code classes look much the same. [I haven't done a diff, so I can't prove it.]
So accurate or inaccurate, I don't think Microsoft has the corporate will to change from a company built on FUD (fear uncertainty doubt) to a company whose software is something I can trust because it doesn't even look to me like they have fixed all of their original problems in the foundational code classes from the early days of Windows 95.
Re:Jesus H. Fucking Christ (Score:3, Interesting)
Except a lot of times (in NT 4 anyways) when you kill the web service with the 'kill' utility from the reskit, you are unable to restart the service. You go to the Services control panel applet and the "start" button is greyed out.
I'll never understand why 'end process' in the task manager won't work and the 'kill' utility which you have to get from another CD only sorta works. You'd think that the desingers of NT might have thought to include the ability to properly terminate a rogue process.
M$ vs. Softimage. Why does no one talk about it? (Score:1, Interesting)
Oh yea, Slashdot rejected this story. Hmmm...
Cyberia by Jack Kapica [globetechnology.com]
Re:Getting ready for the setlement (Score:1, Interesting)
Are these dudes completely out of their fu**ing mind?! WRT security those are the most important API's to document!
Re:SOAP and the MSFT way (Score:3, Interesting)
Any you would put a machine of that type providing an external service in your internal network???
You entirely miss the point, for every service there is also a client. The port 80 / firewall issue has nothing to do with the server end. It is when the client is behind a firewall that you have a problem.
There is no firewall bypass issue at the service end, a company that is providing a published dotnet service will modify its firewall configuration to deploy its product. The problem with firewalls comes when the IT dept refuses to modify the firewall configuration to allow use of services provided externally.
If you think Adam and Bruce are offbase on security, you obviously have no concept of the capabilities, experience or dedication of either individual.
I know Adam and Bruce very well, they know me very well. I don't think either of them would claim that they had greater expertise or experience than I do, and in particular not on this particular topic. Certainly neither would expect the automatic deference to their views you appear to think due.
On this point they happen to be mistaken. Bruce is very rarely 'wrong' about security, that is I do not recall an instance of him calling a system secure when it was not, he is however quite frequently mistaken in describing a system as insecure when it is in fact secure. If he could learn to discuss them in private with the relevant designers before launching public attacks his reputation inside the security industry might match that outside.
The point in question is a sngle sentence paragraph tacked onto the end of a section. I suspect that it was an afterthought that they had not thought through in great detail. If they want to call me up and discuss it I can go through the detailed analysis I have.
Re:Free market baby (Score:2, Interesting)
Yes, you can go against the stream and use Apple, or Linux, or *BSD on the desktop -- but it's not a simple decision. It isn't an equal comparison -- not because Linux or Apple's OS aren't as good as Windows, but because when you decide to use something else, suddenly you have all these compatibility problems. They're not the result of deficit on the behalf of the MacOS or Linux -- they're the result of the existing dominance of Windows, and the assumption that Windows will continue to be dominant. That's a very hard trend to change. The average customer isn't up to fighting that trend, if they're even aware of the alternatives -- which I would have to say that the majority of people still aren't. Not well-informed, anyway.
Apple is a joke. Not the OS -- the prices for the hardware. The majority of Apple hardware is exactly the same -- the RAM, hard drives, video cards, -- the only real difference these days is the CPU, which is lagging behind x86 by more than 1GHz the last time I checked. Sorry, you're not getting what you pay for, you're getting a lot less these days. It might have been true five years ago when SCSI disks were the standard for Apple and they had a better graphics system, but it's no longer true. Price an Apple machine vs. the same hardware on Dell's site or HP's or Compaq's. Either the folks at Apple are content to remain a marginal part of the computer business or they're idiots. You can't enter a market where your main competitor has >95% and maintain a price point that's much higher than the competition with no real advantage over their product. Then again, I doubt that Apple would live through a price war with Dell, Compaq, HP, IBM and Gateway long enough to gain 10 to 20 percent of the market.
People usually do not choose to buy Microsoft software -- they choose to buy cheaper hardware (PCs) and many people (still) aren't aware that there's any real choice.
I'd like to see a survey of computer buyers where they're asked "how did you decide to buy a Windows PC?" -- The majority would probably say "what, I had a choice?"
On the server side, many companies do choose Sun or IBM or a Linux or *BSD solution. Microsoft doesn't have a monopoly in that market yet, though they surely covet it.
In short, people will continue to use Microsoft untill something "better" comes out.
The vast majority of Microsoft's business practices are dedicated to snuffing out any competing products that might pose a threat to one of their product lines. Considering their deep pockets and willingness to do anything short of murder (so far...) to protect and extend their monopoly this isn't necessarily true. And you know it. Arguing that "the market will decide" might be true -- if the market ever really got to choose. As it is, Microsoft does everything it can to keep that from truly happening. That isn't the market making a decision, it's a stunted list of options being presented to the market. It's very much like voting in presidential elections, most people suck it up and vote for the lesser of two evils rather than voting for someone they really believe in because (like the last election proved so well) the odds of a third-party candidate winning are virtually nil. It's technically a choice, but even people who are aware of Linux and Apple are afraid to invest in an OS that might go the way of OS/2, BeOS, Dr-DOS and so on. Again, that's not really choice.