Can You Trust Microsoft On Security?

simetra writes "Here's a shocker... This story on Yahoo! is pointing out the obvious. How many of these until the suits start believing us?" Maybe the article is just trying to stir up trouble, though: ladislavb points out that Windows XP is an Operating System you can trust. (The review is also available on mirror1, mirror2, mirror3, mirror4.)

Umm...

[evil_one]

I don't think that the Yahoo! story is a Joke... it was posted 03/31 not 04/01... If it is, please correct me. I'd like to be wrong here.

Are we surprised?

[rf0]

With the recent spate of MS problem such as the slammer worm, IIS vunrabilities etc their public image is tarnished at best. However I think what people realise is that most programs have potential security holes. What people want is a quick response to the problem.

Take the two recent sendmail issues. Two big holes were found but fixes were available straight away. What about MS? Well I believe the record is 6 months after an exploit is in the public domain. Now thats why I have trouble trusting MS

Rus

Again ?

[Thanatiel]

This one is not even funny ...
That's why I don't like 1st april : You can't really trust what you read on the news for a whole day. I mean you can trust the news even less than usual.

obvoiusly not.

[ethelred]

Trust is earned. You don't becone trustworthy, just by marketing. Ask yourself "Has Microsoft earned my trust?"

..Why would you be using M$

[Anonymous Coward]

I would avode using M$ software for this very reason and because Windows Server(s) get more unstable the longer they are running. With a Linux or BSD system you can have it running and very secure right out the box. I know that Linux has had a few security run-ins but at least when you apply a Linux patch it does bring down the entire system -

1999 - Applied cumalative security fix to IIS and ended-up having to completely re-install the entire server after it became unstable. The two things might not be linked but I don't think so.

What's with that photo?

[the_pooh_experience]

So it is an article that for the most part says nothing

For the /. laziody, the synopsys is as follows:

Microsoft, while maybe not the most secure operating system in the world, is

1. trying, vis-a-vis the whole "trusted computer" thing
2. not really to blame for many of the egregious stuff as of late, as they have issued many security patches that would take care of problems. They are blaming lazy sysadmins for not updating machines.

But the real story is... what is with that picture? It consists of two guys looking at a screen. I can understand the difficulty of coming up with a picture that has anything to do with this article, but maybe you can leave a picture off this article instead of putting random images in the article

The caption of the picture says:

CJ Saretto, left, lead program manager with Microsoft, and Eugene Mesgar, program engineer with Microsoft, demonstrate Microsoft's Threedegrees software in Seattle, Wednesday, March 19, 2003. The software is geared for teenagers that has instant messaging, group chat rooms, shared music and photos.

I wish I had more to say on the subject

Looking at the NT4 no-patch issue...

[Lolaine]

I cant trust a company that says they cannot patch their own enterprise-level Operating System (only to force customers to buy a new one, because, IMHO "technical" excuses like that are ridiculous).

If Microsoft says they cant patch, then open the source for us to patch it for free :)

Course of least resistance

[krygny]

The easiest thing to do, is to do what everybody else does and hope you're not a victim:

"I hope the hackers pick on some other company."
"I hope they lay off someone else in the next reorganization."
"I hope the terrorsts blow up the Holland Tunnel when I'm not in it."

Please...

[Tsunamio]

Either post real news or post funny fakes, but don't combine the two, it just confuses people-which are real, which aren't? And that ruins the whole 'news for nerds' part. If you're bound and determined to do multiple April Fools stories, just give up April 1st for real news, it can wait a day.

And if this is just not funny, work on that too.

In reality

[KoolDude]

Three-fourths of computer software security experts at major companies surveyed by Forrester Research Inc. do not think Microsoft Corp.'s products are secure

The other one-fourth use *nix and were unable to comment... ;)

Re:Definitions of "trust"

[Pharmboy]

So, clearly people *do* trust Windows, in that they are using the software for "sensitive applications".

Actually, its doesn't prove that at all. Its partially a matter of who makes the decisions about applications (often clueless managers) and some may only run on windows. The other part is left over infrastructure from years past, like our office, where we still have programs we use left over from windows 3.0 days. yea, i know...

BSOD Screenshot not really from XP

[Ececheira]

Granted, it's from an April Fools story, but couldn't they even try to get the BSOD screen shot right?

That BSOD version is from Win9x versions... the NT-based BSOD has the text at the upper left of the screen, and no CTRL-ALT-DEL message either.

Let's wait: Windows 2003 is out

[m00nun1t]

It's all very easy to sit around and put each other on the back and say "yes, well, we've known this for years". We know that Bill made his big trustworthy computing announcement, and he said it was a forward looking initiative - they were going to focus on getting new products right rather than going back and re-architecting old products (a decision I agree with).

So, Windows Server 2003 was RTMed last week - the first OS released post-trustworthy computing. Let's wait and see the fruits of Bills initiative, rather than keep flogging that same dead horse. If windows 2003 has good security, well, maybe they have a chance. If it doesn't, forget it, game over.

Re:obvoiusly not.

[TopShelf]

Trust is truly the operative word here. As the article points out, patches were available for Slammer and other attacks, but admins didn't feel confident that installing these patches wouldn't cause further problems. The patch is worthless if people won't install it...

Slammer

[SgtChaireBourne]

Security is the last nail in the coffin.

People aren't applying the patches in spite of clear warnings.

Even Microsoft's own servers got hit by Slammer. It has been quit common for Microsoft's security upgrades to break something else, fail to fix what they claim to fix, and/or introduce additional holes. The Slammer worm showed that even Microsoft knows that it's patches can be unhealthy for production systems. Other companies and software projects just don't have this kind of quality problem.

Even if the patches worked, and even if it had been an old-style, slow worm, you can't patch fast enough [gartner.com]. But it wasn't. Slammer reached saturation in 8.5 minutes [berkeley.edu]. Most likely this story was a tidbit to draw fire away from the quarterly financial statement or from the DRM/Palladium stealth payload in Windows Server 2003 + Office 2003.

Sure folks may wish to run Microsoft products for ideological reasons, but there aren't any technical ones and now the market is changing [zdnet.co.uk]. C*Os have figured out the OS X, RedHat, Mandrake, Debian, OpenBSD, etc. are much easier install and maintain than Windows Xp and far more flexible and secure -- both on the workstation and the server. Novell Netware should also be mentioned as excellent. C'mon when was the last time you heard of MS machine reaching an uptime of more than 200 days? That would be embarassingly short for QNX and Novell.

Microsoft has been to computing what Big Tobacco was to sports.

35 People A Field Doth Not Make

[Flamesplash]

The survey polled 35 software security experts at $1 billion companies.

35 people speaking for how many actual software users/developers?

Isn't this the same as saying that if the president agrees with something then all americans do to?

Security is multifaceted, don't just look at theSW

[That_Dan_Guy]

Anyone who just looks at the SW to be secure and doesn't put up firewalls and IDS all throughout their enterprise is going to get screwed. Likewise, if all you do is put up firewalls and IDS and don't bother to keep your servers (Windows or otherwise) patched and monitored, you're still going to lose your data.

Purchase your components based on need. (duh!) If you need to run a certain app, then you may be left with Windows. It is then up to you to secure it with your own effort.

All these articles about how poor "MS" security is do is make people aware that security is up to them, since MS hasn't bothered. But install the most secure system possible without configuring it properly and you might as well have left the door to the building unlocked with big cartoon arrow signs to that effect telling everyone you don't have any security.