Ballmer Touts Focus on Security 322
kevinvee writes "Microsoft's Steve Ballmer announced a renewed focus on security at the Worldwide Partner Conference yesterday. He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."
I'm sure he does wish they would be quiet (Score:2, Funny)
Re:I'm sure he does wish they would be quiet (Score:3, Informative)
They want to educate people but do not want the people who really know to talk about it? This seems a bit paternalistic even for microsoft. They want to be the ones who work with people to make updates but do not want anybody else to have a voi
Re:I'm sure he does wish they would be quiet (Score:3, Insightful)
I don't understaaaand (Score:2)
---My mother-in-law, after meeting our friend Swen.
Oh yea, what a good idea. Lets get people used to clicking on things that say patch. How about just teaching them to be responsible users instead of feeding them this crap that if only they install all patches, everything will be fine.
Favorite quote (Score:2)
Hahahaha!
we'll focus on security .. this time we mean it! (Score:5, Insightful)
He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this. Also included in his statement was a response about computer researchers who publish flaws in Microsoft products, 'I wish those people just would be quiet.' The end of the article gives unbiased coverage of some people's opinions about the latest announcement."
Yeah, and we wish that this gigantic wealthy company would just FIX THEIR SOFTWARE. But it ain't gonna happen.
I still can't figure out why a company with Microsoft's resources has such mediocre security. They should be blowing Linux and BSD and Mac out of the water with tight default firewalls, statistical intrusion detection, distributed monitoring, sandboxed executables, no executable mail attachments, modular software, and anything else short of palladium. Yet they don't. Why? Because they know if legislation is passed, they will be able to afford it and nobody else will? Because they know they have such a huge lock-in, managers will grumble but renew licenses anyway? What's the deal MS?
It bugs the hell out of me that they have the audacity to lock us into their products (which work okay most of the time, I'll give you that) yet can't give us the common courtesy to solve these problems. I really don't give a shit if Office 2003 is based on XML or EBCDIC, I just need the computer to be "Secretary-Proof" for at least a week or two after it's turned on. Monthly security updates? Good grief!! How about getting it right the first time!
Microsoft needs to snap into action ASAP. They need to fix the bugs, do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care. They need to send out CD's to every single customer who ever made the mistake of buying their product, which looks more like a beta version than a finished program.
Or.. or.. well, okay you got me. We can't afford to switch from Windows. But it seems we can't afford to stay with it either!
Re:we'll focus on security .. this time we mean it (Score:5, Funny)
I know. If only Linux weren't so damn expensive.
Re:we'll focus on security .. this time we mean it (Score:2)
RESPONSE: I know. If only Linux weren't so damn expensive.
But he mentioned the cost of switching from Windows. Switching to Linux CAN be pretty damn expensive, even if the cost of the OS itself is free.
'Switching to Linux' is a project, not a product.
Re:we'll focus on security .. this time we mean it (Score:2)
tar cvf /foo.tar ~ /foo.tar newmachine:/home /home && tar xvf foo.tar
scp
ssh newmachine
cd
Re:we'll focus on security .. this time we mean it (Score:2)
After all, it's Sooooo much more difficult to click on a menu item under X than it is under Windows. And when they insert a CDROM, how will we ever train them that the window that pops open just like in windows works just like the one in windows?
In other words, there are a few differences here and there for the user, but nothing a chimp couldn't work out in a day or so. Admin and support is different (easier actually), but that's a small cost to retrain and will be made up for with their added productivit
Re:we'll focus on security .. this time we mean it (Score:3, Insightful)
There's an analogy in the article which explains this perfectly: "Computer security is almost like car insurance. Nobody wants it unti
Re:we'll focus on security .. this time we mean it (Score:2, Insightful)
Probably about the same way you explain TCP/IP to the average home user who just wants to read e-mail and surf the web. You don't. That doesn't mean it can't be of use to the user even if he or she doesn't understand it--or probably even knows it exists.
Re:we'll focus on security .. this time we mean it (Score:2)
Besides, how do you explain "statistical intrusion detection" to the average home user who just wants to read e-mail and surf the Web?
Dunno. How did they explain to all their users that they had to have anti-virus software running at all times without explaining why? Considering the way people pay for BestBuy extended warranties, Microsoft should have no problem selling security. Hey, they could even charge more for the XP-Secure version.
Re:we'll focus on security .. this time we mean it (Score:3, Insightful)
"Consumer demand" (or what they can force the consumer into "demanding")is king. They aren't a technology company at all and claims they make of such are simply part of the marketing.
Security has no meaning to them other than as an advertisable "feature."
As such they have made certain decisions regarding the architectu
Re:we'll focus on security .. this time we mean it (Score:2, Troll)
Maybe before you start running your habitually complaining, slashdot party line spewing mouth, you should get your REAL facts straight.
In fact, yesterday there
Re:we'll focus on security .. this time we mean it (Score:4, Insightful)
Would implementing any of those things make Microsoft more money than not implementing them? It's all about profit margins. Proactive development cuts into profitability, as does the practice of hiring experienced developers instead of fresh-faced children just out of engineering school who are willing to work twice as hard (although not twice as smart) in exchange for a free mountain bike and occasional use of the game room.
do whatever it takes, cut performance by 3/4 and run everything in a virtual machine, I don't care.
You may not, but all the rest of Microsoft's customers do. "Fast but wonky" is all too often perceived as preferable to "slow but bulletproof."
How about getting it right the first time!
Microsoft needs to snap into action ASAP.
You just have all the answers, don't you? Maybe Microsoft should hire a fresh new voice like you to oversee their development efforts.
Are you willing to work 60hr weeks for $55k and all the free Mountain Dew you can drink?
It's the design, not the code (Score:2)
You can't fix that with a bunch of smart people looking for buffer overruns.
Design? (Score:2)
--grendel drago
Re:Design? (Score:2)
'jfb
Re:Design? (Score:3, Informative)
http://www.securityfocus.com/archive/1/337662/2
Any other questions?
Re:Microsoft's $40 billion cash on hand (Score:3, Insightful)
Could we assume that the cost of really hardening Windows and the other core products should cost less than one billion dollars? (I'd certainly hope so.)
So, for 1/40th of MS's cash, or way less than the cost from all the worm/virus outbreaks, we could fix windows.
Lets see. Programmers cost $100K a year. (They should be serious kick ass programmers.) Lets also assume 25% of all costs are overhead and non-salary costs.
Thus, for $500,000,000 we should be able to hire 7500 programmers
Re:we'll focus on security .. this time we mean it (Score:3, Informative)
'I wish those people just would be quiet.' (Score:5, Funny)
Re:'I wish those people just would be quiet.' (Score:2, Interesting)
"Securing the perimeter" is an excellent idea (Score:2)
BINGO! (Score:2)
I just won security buzzword Bingo with the parent post. You owe me $20.
Re:"Securing the perimeter" is Flawed (Score:2)
'Automatically updated' is a fundamentally flawed security hole in itself. What is also flawed is how the MS operating system will execute any file if the name ends with .exe, .bat, or .com.
Re:"Securing the perimeter" is Flawed (Score:2)
Obviously the filter rules would be cryptographically signed, so crafting malicious ones would require that you compromise Microsoft's physical security and obtain their private DSA key, or that you compromise the DSA itself. Neither of these are particularly realistic possibilities...
Re:"Securing the perimeter" is Flawed (Score:2)
1. "cryptographically signed" updates, not simple MD5s.
2. A better way than their silly etc-update script for updating files
3. A "default", a "security", and a "bugfix" update tag, so I could choose to only have to update ebuilds on my machine when there was a security or bugfix related issue. I mean, if App v2 has a problem until 2.22.53, then I need to update it if I am running anything less, right? If it's just a newer version, I don't want to know about it.
Re:"Securing the perimeter" is an excellent idea (Score:2)
If you want to allow MS to take over the internet just let them give everybody a packet filter (as in XP) and then provide automated patches to be applied without user intervention. On that day MS controls access to the internet for 90% of PC users.
Its not the computer researchers fault (Score:5, Insightful)
mostly true. then there's... (Score:2, Informative)
J
Quiet eh.... (Score:2, Interesting)
Next your going to say you dont want people pointing out your obvious personal flaws, just because it might hurt your feeling.
I swear, i
Seems like... (Score:2)
actions speak louder than words.
Interesting Wording (Score:3, Insightful)
He's not saying, "Please don't release the findings so that blackhats can't use the exploits."
He's not even saying, "Please delay telling the public about your findings so that we have a chance to fix the flaws."
He's saying, "I wish they would be quiet so that we don't have to spend the time/money/manpower to plug our holes. It's not our fault people are exploiting the holes, it's the people who release security reports."
I know, you're saying that it's obvious a company would want to help it's bottom line, but he didn't even have the decency to make his statement very cryptically.
"I really wish they would just shut up." (Score:5, Insightful)
Me Too... (Score:5, Funny)
I wish they would too. There is nothing worse than finding an exploit that gives me total access to any network I want, and then when some other chucklehead finds it, blabs all over the net, and then Network Administrators start locking down the ports I use to run willy-nilly through their network. I would have about another month to own their network before the patch comes out. But noooo, some jerkhead has to cut me off a month early. And I have to find an unknown exploit all over again.
Maybe I should post anonymously, nah to hell with it.
Renewal of another renewal? (Score:3, Interesting)
Sure they'll announce more security measures this month. The PHBs will get comfortable and clueless people will back off. Next month there will be another exploit (guaranteed). Businesses go down, networks get destroyed. PC-using schools are shut down, and Mac/Linux-using schools who aren't affected are ignored by the press. MS puts on the spin that hackers should be treated as terrorists. Clueless journalists blame it all on Windows popularity, rather than lack of a focus on security.
Then MS annouces once again a renewal on its focus on security.
Rinse. Repeat.
In other news ... (Score:5, Funny)
"It looks like you're writing a virus. Would you like to:
Re:In other news ... (Score:2)
So Office 2000 was released in 1997? (Score:2)
We've heard this one before. (Score:2)
Now is this in addition to the employees pulled from across the company for last year's Secure Windows Initiative? Looks like that didn't work very well. I have equal expectations for this charade.
==============
What you don't know can't hurt you! NOT (Score:2)
What you don't know can't hurt you! NOT
Let's Compare (Score:2, Interesting)
Since that time, browsers like Mozilla and Opera have put out many new releases of their programs, each one containing many bug fixes and new features.
Microsft has released no new versions of Internet Explorer. No new features. No bug fixes.
The only "improvement" has been a haphazard series of patches, each one only released several months after somebody discovers a major security hole.
I wish Steve Ballmer would just be quiet.
Re:Let's Compare (Score:2, Insightful)
No bug fixes? You ever heard of service packs?
No new realeases? What about Windows 2003?
I'm not a big Microsoft fan (hell as I write this reply I'm loading Mandrake 9.1 on my subnotebook), but your comment is patently false.
Re:Let's Compare (Score:2)
What version of MSIE ships with Windows 2000 (I don't know). Is it MSIE 7.x or 6.x? Please list some of the new features that are found in the version of MSIE that ships with Windows 2003.
Not counting patches to fix security holes, please list some of the new features that have been introduced in MSIE -- AFTER the initial release of Windows XP.
Re:Let's Compare (Score:2)
Patently false? Most folks, when keeping up a software product, do a rewrite every once in a while to incorporate those bugfixes and patches. The OP says that since IE has been released, it's gone from what, version 3.1 to 4.0 to 4.1 to 5.0 to 5.5 to 6.0 to 6.1 to 6.1+SP1 or what
Wish they would keep quiet... (Score:2)
Oh, and is Slashdot getting
My number one question... (Score:2, Funny)
If not... I don't buy his sincerity...
Renewed focus AGAIN? (Score:2)
This is news?
Re:Renewed focus AGAIN? (Score:2)
Yes, this is a refreshing change from their trustworthy computing initiative of 2001 which sharply brought security into focus. MS is clearly tackling a new issue now that computers are trustworthy.
Fatal User Flaw? (Score:2)
So you're saying you can DIE from this?
Hurr... (Score:2)
SECURITY, SECURITY, SECURITY, SECURITY!
I... Love... This... Company, YEAH!
Whatever happened to (Score:2)
Is this just MicroSoft part II: security refocused? Will the sequel be as good as the original?
Re:Whatever happened to (Score:2)
Whatever happened to MicroSoft shutting down all new development, and focusing entirely on security for a month? Didn't they get all the problems fixed them?
That was for all the existing code. It's 19 years until the next code review.
Hype merchants.. (Score:2)
You gotta wonder.... (Score:2)
I always wonder when the higher-up corporate people say things like this.....are they really laughing inside? Or do they honestly BELIEVE it? I mean....god.....it just boggles the mind how he could keep a straight face while saying this.
Brain.......heating......critical temperature...........WARNING WARNING WARNING......*BOOM*
Meanwhile... (Score:3, Informative)
Gartner echoes concerns on Microsoft reliance [com.com]
A copy of the Gartner research note seen by CNET News.com mirrors the conclusions of seven prominent security researchers, who released a paper stating that Microsoft's dominance in software could have serious consequences for national cybersecurity [com.com]. The Gartner report is scheduled to be published Friday.
(The point is not what they are saying, it who's saying it.)
They still don't get it (Score:3, Informative)
Steve Balmer's recent statement about vulnerability researchers - 'I wish those people just would be quiet' [yahoo.com] - is downright silly. They are the biggest company on the block right now, and there's always going to be someone who wants to make the big corporation look silly. Microsoft needs to wake up to the fact that there will *always* be someone who is a) bored, and b) wants to make them look bad.
Microsoft's problem (Score:2)
Of course, they could do one other thing which is to change coding practices so that code is built robustly and securely t
Microsoft "renewed" security program. (Score:2)
Yet Another Secure Security program
Sort of Like yacc. Anyone remember yacc? (Yet Another Compiler Compiler)
Great for building compiler parsers, or any sort of parser, because you had to build them so often.
Sort of like Microsoft, it has to build Yet Another Secure Security program.
yass anyone?
Maybe Microsoft should make something like yacc, that way it can turn out a new yass every year with minimal effort.
Damn. I would hate to see the state machine for that puppy.
A
Isn't that sort of like... (Score:2)
'I wish those people just would be quiet.' (Score:3, Funny)
.
.
How about automatically removing foreign malware? (Score:3, Informative)
- Often had official sounding names in the add/remove programs list like "MS Explorer update Q3395"
- Popped up five or six windows every time a link was clicked in IE, and inevitably one of the popups was for a service or program that claimed to "stop those annoying popups."
For these reasons (trademark infringement, extortion), it would be completely within Microsoft's rights (and perhaps duties) to check for and remove such software as part of the normal update process.If they don't do this already, Microsoft should set up a room full of computers with people just dredging the sleazier parts of the web and installing whatever the latest malicious spawn of Bonzi Buddy and Gator, etc. happen to be. They would have to have non-MS IP numbers, because that would be too easy to check for in one's malware.
Of course, I had a talk with my cousin about clicking "OK" to install every little thing that comes down the pipe, but it felt like trying to talk about genital warts or something.
Re:How about automatically removing foreign malwar (Score:3, Interesting)
Problem is, you'd be screaming just as much about this "solution" as you are right now about the popups, etc. And you'd be perfectly justified in doing so.
If a MS OS is going to have the ability to run arbitrary executables (arguably the OS's most important job), then it can't be responsbile for what those apps do.
I'm not sure what the solution is, but one pos
Re:How about automatically removing foreign malwar (Score:2)
Re:How about automatically removing foreign malwar (Score:2)
Sounds like.. (Score:2)
Have you had 'the talk'? (Score:2)
That's what we need. Education. Public service ads that ask kids "Have you talked to your parents about viruses? Don't you think you should?" and say things like "Adults *want* internet boundries. Be a responsible teenager and punish them when they install malware."
Re:How about automatically removing foreign malwar (Score:3, Interesting)
Please no! I already run into plenty of situations where updates cause problems of their own so the last thing I want is for MS to start making their updates more complex.
Patches (Score:4, Interesting)
I think the major problem is how patches are structured, i have no idea of how many and which patches i need to install because microsoft site is very confuse and there is always a new bug on the news
Another is the way microsoft sells their OS, the version i bought on store is the same of one year ago. So just after install i need to download and install tons of patches, this is a problem while handling several machines (or several installs on the same one
And there is another one ( i think that's the one i don't update
Examples are: MS WindowsMediaPlayer 6.x vs 7 and up, MSIexplorer 5.5 vs 6.x. I can't patch them, i need to install a new one (often the installing process says it's a patch but is just a install of a newer version).
Re:Patches (Score:3, Interesting)
How is Windows Update hard to understand? It scans your computer for you and tells you which patches you need to install. Security patches are listed as critical, other patches are listed under the "Windows" heading, and drivers by themselves. I can't think of a way to make it easier without removing the
Monthly updates? Bah.... (Score:2, Interesting)
What kind of security updates aren't emergency situations? This sounds like they'll be prioritizing these things -- in effect, determining on my behalf which security hole is more important.
As Schneier said later in the article, "Announcements never secured anything." This particular announcement, ho
Steve Ballmer? (Score:3, Funny)
Let's not listen.
be vewy vewy quiet (Score:2, Funny)
somehow, i see steve ballmer walking around like elmer fudd, saying "shhhhh, be vewy vewy quiet, we're hunting bugs" -- with as much success as elmer has.
if they've been unable to find the bugs so far, and attempt to take the pressure off from those publicising the bugs, they run the risk of further, undetected, breakins. this is dangerous, and stupid.
but what else would you expect from a cartoon company?
Microsoft's New Security Initiative (Score:3, Funny)
"Unbiased coverage" (Score:3, Interesting)
It's almost impossible to avoid bias in anything, but this one is plain as day!
Re:"Unbiased coverage" (Score:2)
Microsoft makes the same empty promises, and the usual suspects respond with the same empty sound bites. 'Round and 'round the roundabout, and back where we began.
But if the submitter hadn't made that "unbiased coverage" remark, it wouldn't be trollworthy enough for Mikey to accept it. Wouldn't want him to break the pattern by simply reporting, now, would we?
How insightful... (Score:2)
Barney from MS says that security companies shouldn't tell anyone about MS software problems. (Disagree)
Barney from MS says that they're really, really going to focus on security this time. (Vehemently Disbelieve)
Head of MS security, Gomer, reiterates that security is number one at MS. (Denying urge to vomit)
Smart people from around the world say "Bullshit, MS hasn't done shi
Re:How insightful... (Score:2)
Not smart enough to find themselves in a position to make strategic IT decisions, apparently.
Slashdot topics for MS security? (Score:2)
IE? (Score:2)
Re: (Score:2)
Same song, different year (Score:3, Funny)
Was there a dramatic decline in Remote root exploits? Sure didn't look like it to me.
Explain to me again, why we should believe in it this time?
MS is a day late and a dollar short. Security hasn't been a marketable feature, according to MS. Thus, they haven't done much with it.
Now it's too late. MS is known as a broken dick dog on security. They are not going to lose that reputation for years.
Good luck Steve. Your company sucks.
Cheers,
Greg
All of a sudden the light bulb went off (Score:2)
Steve is Uncle Fester [yahoo.com]
Dun-nuh-nuh-nuh
Snap, snap
Dun-nuh-nuh-nuh
Snap, snap
Dun-nuh-nuh-nuh
Dun-nuh-nuh-nuh
Dun-nuh-nuh-n
Snap, snap
write secure software? (Score:2)
It's worrying to note that the book Writing Secure Code published by Microsoft Press is out of print [amazon.co.uk].
Fatal "user" flaw? (Score:5, Interesting)
Ballmer can blame users all he wants. It comes down to Microsoft having a crappy security model and poor development practices. Having a bunch of temporary employees programming black boxes gets them into a lot of trouble. So does having DCOM services a majority of users will never need or use enabled by default. A WindowsXP Pro system shouldn't be listening to RPCs from the internet.
Ballmer needs to have his developers look more closely at how they are designing their systems. Windows shouldn't have a broadband connection as part of the damn system requirements. Even with an automagic updater people without fast persistant connections will still run around without the proper patches. Maybe Microsoft needs an ounce of prevention to release more secure and robust systems in the future.
Renewed? (Score:2)
He recognizes the fatal user flaw of not applying patches and introduced an educational plan to help correct this.
Well, that should fix THEIR own boxes. But what about the rest of us?
Oh I get it! You'll fix your boxes and the hell with the rest of us!
Jeese! You just gotta love that kind of business plan! Well heck! Crap to you too!
OK, THIS time we're REALLY serious! (Score:3, Funny)
Summary (Score:2)
Microsoft's attitude towards security merits either a feature on the comedy channel, or a visit from Homeland Security. Exposing 99.8% of the desktops in the world to malicious data thieves must surely be a violation of the Patriot Act. (Everything else is!)
Put your patches where your puss is... (Score:2)
MS Security Rep. Talk (Score:2)
Anayways, enjoy:
Thought I would pass on this story, as I found it a bit amusing. Today I went to a presentation at my school called "Security: Just Plain
Re:Deja vu? (Score:2)
Re:Deja vu? (Score:2)
The version just released is great, much better than the previouse version (which in that case could have been better) but the NEXT version is going to solve all you problems, listens to your problems and buys you a beer too! yawn...
Re:Why they should not keep quiet (Score:2)
Then those same people should revert to paper and pencil.
If a program is complex enough to act as an Internet server (file sharing, network printing, etc.) then it is going to have security bugs. No OS is immune. If an Internet client program has more than the most basic of features (like a text-based FTP) then it is going to have security bugs. Even text-based FTP programs have had some interesting bugs, like bein
Re:Why they should not keep quiet (Score:2)
Better to take the chance that they don't know about a hole while it's being patched than announce the details of the exploit publicly and remove all doubt that they know...
I am of the opinion that the proper course of action upon finding a security hole is to warn the company of the specifics, but otherwise keep it quite for a reasonable amount of time. After a reasonable time has passed, or when they release a patch and a reasona
Re:Yeah, and the Nazi's wished... (Score:2)
Well, because as far as I know Microsoft haven't gassed several million people. A minor detail I know, but I feel it's an important one.
Re:It'd be a good idea for them to be quiet... (Score:3, Interesting)
That is exactly what most of them do, and they get ignored... After months of letting them know quietly, they realize the only way to get action is put MS under the gun (publish the fault). If MS fixed holes as they got reported to them rather than as they got reported to the public, Ballmer would have his wish...
Re:It'd be a good idea for them to be quiet... (Score:3, Informative)
There's still a time window to hack between the announcement of the bug and when most sy
Re:Firewall program? (Score:2, Insightful)