Microsoft No Longer a 'Laughingstock' of Security?

Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"
  • Says who? (Score:4, Insightful)

    by A beautiful mind ( 821714 ) on Friday September 21, 2007 @10:52AM (#20696357)
    I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
  • Botnets (Score:4, Insightful)

    by Megane ( 129182 ) on Friday September 21, 2007 @10:59AM (#20696463)
    So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!
  • by duplicate-nickname ( 87112 ) on Friday September 21, 2007 @11:00AM (#20696467) Homepage
    I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx [microsoft.com].

    There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.
  • by nine-times ( 778537 ) <nine.times@gmail.com> on Friday September 21, 2007 @11:07AM (#20696583) Homepage

    It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.?

    Do you mean how low the bar is set? It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock. It reminds me of Chris Rock's bit about people who brag, "I've never been to jail!" What do you want, a cookie?

    Anyway, I guess it's true that Microsoft has gotten more secure and therefore isn't as much of a security laughing stock. There's still something to make fun of in how annoying UAC is, but I guess it's better than what they had before. So... yeah, I guess I'll give it to him. Microsoft is no longer a security laughingstock. They're just a marketing laughingstock for producing the disaster that is Windows Vista.

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Friday September 21, 2007 @11:08AM (#20696607)
    Comment removed based on user account deletion
  • Pardon? (Score:3, Insightful)

    by kaiwai ( 765866 ) on Friday September 21, 2007 @11:08AM (#20696609)
    No longer a laughing stock?

    Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues it no longer brings the same attention it used to; it's expected.

    If Microsoft do want to correct their security issue, they need to start at the bottom and work their way up; they need to go through their product, they need to document, clean up, remove parts that are security risks, replace parts which are added because they're nice rather than needed. They need to stop the lie that 'computers are easy to use' when in reality, they're complex machines that actually might require a bit of book reading and learning (to the screams of the ignorant out there).

    They also start needing to stop re-inventing the wheel and start working in groups; yes, groups are inefficient but like any brain storming, issues are raised which the original author might not have thought about - when you're an organisation all thinking along the same line, you can't adequately scrutinise the specification for every possible scenario - that is why standardisation is desirable. Issues of compatibility and security can be raised, and addressed. Microsoft on the other hand thinks because it has the cash and are a big organisation, it can address all the concerns internally.
  • by alexhs ( 877055 ) on Friday September 21, 2007 @11:09AM (#20696639) Homepage Journal

    Now, Microsoft has Windows and IE asking so many security messages, that the users automatically say yes, once again, reducing all of their efforts to ashes.
    When a program asks the user to "confirm" (without even authentication) for each byte it receives from the network (without much clue about the significance of that byte), you can't say the user is reducing their security efforts to ashes. Asking the user to be the IP stack is not the solution.

    I'm exaggerating of course, but I hope you get the point: asking an uneducated user is not a security measure.

    And you still can't run IE under a separate user account.
    I think you're wrong on that point, there's no reason runas wouldn't work.
  • by BUL2294 ( 1081735 ) on Friday September 21, 2007 @11:10AM (#20696641)
    Unfortunately, Microsoft's security problems are masked, not fixed. Seriously, software firewalls should not need to exist. All software firewalls do is cripple other code running on the OS (drivers, services, programs, etc). Fix the underlying code and don't default to running services that home users will never need and, presto, no need for a firewall...

    Someone at M$: "XP with IE is full of 'critical' security holes."
    Someone's manager: "Let's write a firewall and we can get away with calling those security holes 'important' and not fix them."
  • by UncleTogie ( 1004853 ) * on Friday September 21, 2007 @11:12AM (#20696661) Homepage Journal

    ...and Microsoft doesn't play down threats? Hark to the ol' l0pht website:

    Microsoft - ""That vulnerability is completely theoretical."
    l0pht - "Making the theoretical practical since 1992."
    ...and thanks for the laugh!
  • Not all botnets are spread with a browser toolbar. Most of them infect unpatched machines via insecure open ports. Linux is safe from these, while Windows is not. My specific concern is pirated machines which CANNOT be patched due to Microsoft's policies (see my nearby post).
  • by Vellmont ( 569020 ) on Friday September 21, 2007 @11:24AM (#20696831) Homepage
    I love this comment. It's such an interesting insight into the mind of a Microsoft guy:

    Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.

    I don't know anyone who thinks a major bridge in major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.
  • by masdog ( 794316 ) <{moc.liamg} {ta} {godsam}> on Friday September 21, 2007 @11:36AM (#20697021)
    Slammer was embarrassing, but that one was hardly Microsoft's fault (although they do share some blame). They had released a patch for that vulnerability six months before the attack occurred.

    Security isn't just something you can pin on the software vendor and expect them to solve all your problems. It takes good system admins to keep the systems up-to-date with security patches and have them on a network that is designed for security.
  • May we be... (Score:0, Insightful)

    by Anonymous Coward on Friday September 21, 2007 @11:39AM (#20697079)
    ...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux". Don't get cocky.
  • by mattpalmer1086 ( 707360 ) on Friday September 21, 2007 @11:44AM (#20697161)
    Yes, it is the fault of the OS. No, linux isn't any better in this regard. They all essentially use the multi-user (on a single box), non-networked security models devised in the late 60s and early 70s.

    Why should downloaded (i.e. tainted / potentially unsafe) code have any rights at all except to its own files by default? Should it be able to read your documents, open a network connection and send them out? Should it be able to format your disk? Hell, why even have a globally accessible file system at all?

    We can't improve the users much, so we're going to have to improve the OS. Actually, some of the early security models were much better than the ones we use now, but carried too much overhead for the machines of the day.

  • by geeknado ( 1117395 ) on Friday September 21, 2007 @11:45AM (#20697177)
    I agree with you principally on one point-- this is everybody's problem-- but realistically, how is Microsoft going to support owners of pirated software? Let's assume for a moment that they don't just download a version of the OS that's already rooted by something nasty...By the very nature of the thing, these OSs aren't going to be consuming automated updates and thus maintaining a current patch level.

    There also seems to be a disconnect here-- if pirated Windows machines are presenting a problem that everyone has to face, why do we blast Microsoft for its desire to see these machines taken offline? Moreover, why are we putting "stolen software" in quotes when we're talking about people who're actually willfully using unlicensed software?

    Is the idea here that pirates are "good" because they're not playing the "evil" Microsoft's game? Is Microsoft still more "evil" because they aren't improving the security of machines that are already well out of the bounds of their support model?

  • Re:Pardon? (Score:3, Insightful)

    by businessnerd ( 1009815 ) on Friday September 21, 2007 @11:47AM (#20697231)

    why haven't there been any more iloveyou or other crippling vulnerabilities since SP2?
    Partly due to the maturation of the criminal population. Today's criminal population is now computer literate and has discovered how much money is to be made in taking advantage of Windows' vulnerabilities. The iloveyou virus was both brilliant and retarded. It was brilliant in that it could replicate itself in so many ways and so quickly, which is what caused all of the destruction. Most of the damage was not from what the code does to your machine itself, it's what it does to a mail server when it becomes overloaded. To date it is still the most destructive (in terms of money lost by companies) virus ever written. But there was one little piece of code in there that people don't really hear much about. It had the ability to search for credit card numbers and dial-up internet account numbers/usernames/passwords and save them to a remote server. Unfortunately, the brilliance of its replication was why it was also retarded. The thing spread so fast that within hours everyone knew it was out there, and authorities had already located the remote server it was logging this information to and shut it down. If it hadn't been so destructive, the writer could have made a lot of money selling all of that information. However, not only did he not collect any sellable information, he got caught. If the guy had designed the virus to be very discreet and slowly replicate itself, users would be infiltrated and their information would be stolen without the user ever knowing it.

    Today we don't see as many of those super destructive e-mail viruses because they are pointless. You can't make any money with them because they are like walking into a bank with a black mask and a gun during normal business hours. Everyone knows you're there and what you're up to. Good luck making it out of the building with a sack of cash, cause the cops already have the place surrounded. Now if you were to exploit a hole in that bank's security and sneak in and out undetected, now you're talking. Even better, use "zombie" employees to do your dirty work for you. And that's what we see today. Huge botnets full of zombie computers, whose users are completely unaware. All were infected by security holes in Windows XP (yep, SP1 and 2). These guys aren't hackers, they're crackers. They make a profit (illegally) by hacking. The reason they make a profit is because you don't know they were ever there.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday September 21, 2007 @11:52AM (#20697293)

    Slammer was embarrassing, but that one was hardly Microsoft's fault (although they do share some blame). They had released a patch for that vulnerability six months before the attack occurred.

    Yes, they had.

    But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.

    With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.

    And the simple way to do that is to not have ANY open ports by default.

    Security isn't just something you can pin on the software vendor and expect them to solve all your problems. It takes good system admins to keep the systems up-to-date with security patches and have them on a network that is designed for security.

    Security is a process. You are arguing about the high end, theoretical levels ... meanwhile Microsoft systems are still at the very lowest end and every day more zombies are added.
  • by Anonymous Coward on Friday September 21, 2007 @12:00PM (#20697461)
    MS's improvements have followed a progression, just like everything they do. There isn't all that much difference between Windows and any other OS, aside from age. Comparing Windows to BSD is kind of insane, given how old BSD is and how long they have had to find the security holes.

    Now teh Lunix and OSX are another story- their "reputations" for security are based exclusively on spin and obscurity, in a "OMG, look at the other guy!!!" effort to say that, since someone else's product may (or, as in reality, may not) be worse than theirs, that somehow means they are "secure". Teh Lunix and Apple have relied too long on MS-bashing as their method of "improving" their product... but ever since the release of Windows Server 2003, there has been a huge shift. They are now forced to compete on the merits of their software and code... and are being found lacking.

    Rather than improving their products, they engaged in MS bashing. Now that the market has become more security conscious, Apple and Lunix are being hoisted by their own petards.

    It's kind of interesting how computer software is about the only real case where a market-driven system actually works. But the true irony is how the market losers (Apple, Lunix, Open Office and IBM, Mozilla, Real Networks, etc) are the ones driving governments to interfere in that market dynamic. I guess we can just chalk it up to hypocrisy being the only core value of conservatives.
  • I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal.

    That's not what they're being asked for. What they're being asked for is for systematic holes to be eliminated, so they don't have to keep being patched over and over again. I've listed some of the systematic holes in the design that they keep getting bit by in the message I posted just before yours.

    The thing that really bothers me is that people are accepting the argument that holes Microsoft created are not Microsoft's fault. People are blaming applications that didn't sanitize untrusted content before passing it to insecure APIs, rather than blaming Microsoft for not providing a secure API they could use instead.
  • by phorm ( 591458 ) on Friday September 21, 2007 @12:16PM (#20697737) Journal
    My girlfriend recently called me because the wireless internet connection on her laptop stopped working. After screwing around with it for awhile, updating the drivers, etc, I noticed a small notation on the latest driver that it would only work if the actual firmware on your card was greater than version XX. After updating the firmware, the wireless worked again.

    The apparent cause of the problem? Windows update happily auto-updated the wireless driver, neglecting to check that the firmware was compatible, and neglecting to also offer a firmware update. MS Security might have improved, but I don't think their reliability has. Many big corps tread carefully with update patches for this very reason.
  • by mosel-saar-ruwer ( 732341 ) on Friday September 21, 2007 @12:33PM (#20698055)

    You know, the little things, like always remembering your </i>, and never forgetting to preview your work.

    Glass houses.

    Projectile stones.

    Whatever.

  • by geeknado ( 1117395 ) on Friday September 21, 2007 @12:42PM (#20698221)
    What I'm trying to establish here is just why it's Microsoft's responsibility to deal with these particular machines. Their software is being used without their permission. Moreover, given some of the reaction to WGA and other attempts by Microsoft to exclude pirates from their services, wouldn't we likely be blasting them for being draconian tactics?

    I don't think that Microsoft actually can solve this problem so long as piracy exists. As I'm not actually anti-pirate, I'd suggest that a community response would likely be necessary to resolve this issue on pirated machines...Pirate-spun patches, etc, would be helpful. I don't like the virus idea for the same reasons other benevolent viruses are generally a bad thing...They frequently have unintended consequences.

  • Re:May we be... (Score:4, Insightful)

    by Penguinisto ( 415985 ) on Friday September 21, 2007 @12:46PM (#20698279) Journal

    ...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux".

    ...except that in Linux, OSX, and *BSD's case, it has been (at various points in time) demonstrably true.

    While I certainly wouldn't say that the three have perfect security (and certainly not WRT dumb admin/user mistakes), I can say with confidence that they can rightfully be claimed as being among the most secure out there. Windows cannot, nor has it ever been, able to credibly claim that. Whether it can do so in the future remains to be seen.

    /P

  • by Shotgun ( 30919 ) on Friday September 21, 2007 @12:59PM (#20698511)
    The difference is that the grandparent post didn't advertise that it was syntactically perfect and didn't charge you anything.

    I think there's at least a small difference in using monopoly powers to push a product on the open market vs a comment to /.
  • by rs232 ( 849320 ) on Friday September 21, 2007 @01:03PM (#20698561)
    "One of the things I talk about often is my mom, because she is 78 and she's found e-mail .. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources [computerworld.com] and not following links and all of that"

    No, all you have to do is build a Desktop System that can't be compromised by opening an e-mail attachment or clicking on a URL ..

    "more people are like, 'Microsoft got its act together, and others should follow their lead,' technologists say, 'OK, our job is done -- what next?'"

    "What I explain to people is that this isn't actually a technology problem we are solving; it's a crime problem"

    Self-serving, imaginary, made-up quotes and a nonsensical opinion expressed. Making it a twenty-year felony crime for hacking Windows isn't going to make Windows any more secure ...
  • by dave562 ( 969951 ) on Friday September 21, 2007 @01:47PM (#20699193) Journal
    With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.

    You bring up two things there. One, you can't rely on the end user to stay current with their patches. Microsoft went ahead and set up Automatic Updates. Therefore the end user doesn't really have to think about it. The box will reboot itself automatically once a month to install the latest patches.

    Your second point about a box being able to defend itself without patches is unrealistic. Software is constantly evolving. Nobody ever gets it right the first time. To make a car analogy here, you're pretty much saying that if Microsoft were an automotive company, they should sell cars that automatically change their own oil, but even if they don't automatically change the oil, the oil should never need to be changed in the first place. A properly designed machine should never need any maintenance, right?

  • by I'm Don Giovanni ( 598558 ) on Friday September 21, 2007 @01:56PM (#20699371)
    IIS 6 Vulnerability Report since 2003: [secunia.com]
    Three vulnerabilities, none classified as "highly" or "extremely" critical, all patched.

    Apache 2.x Vulnerability Report since 2003 [secunia.com]
    33 vulnerabilities, 3% classified as "highly" critical, 9% unpatched, 3% only partially patched.

    Sorry, I know it offends the delicate sensibilities of slashdotters, but IIS6 has a virtually perfect record since its release.
    You spouted a lot of speculation that IIS6 has tons of undisclosed flaws, but you've provided zero evidence. If there are so many flaws, why have they not manifested themselves? Microsoft is better on security than they were in the past, whether you like it or not. Deal with it.

  • by SgtChaireBourne ( 457691 ) on Friday September 21, 2007 @02:06PM (#20699565) Homepage

    Anyway, I guess it's true that Microsoft has gotten more secure and therefore isn't as much of a security laughing stock.

    Wait a sec. Don't project your own values onto a group that may not share them, nor assume a causal relationship where no data has been shown to indicate one.

    So the claim is that it's no longer a laughing stock in the realm of security. All right then. Let's pretend for a moment that claim is true. The next question is why?

    There are at least two possible answers:

    • the design of the software has been changed (security == design)
    • the public relations and marketing activities have been better at quashing unfavorable press and burying complaints

    We can see from the systems affected by vulnerabilities that the former has not happened, no redesign. Maybe it's the latter, better PR.

  • by darkonc ( 47285 ) <stephen_samuel AT bcgreen DOT com> on Friday September 21, 2007 @02:43PM (#20700191) Homepage Journal
    In other words, the headline really should be:

    Microsoft Finally Admits Lying About Security
    Admits that security is still bad, but claims to be no longer 'laughing stock' bad.
  • Re:Says who? (Score:2, Insightful)

    by dave562 ( 969951 ) on Friday September 21, 2007 @03:15PM (#20700717) Journal
    Just to further emphasize the point with a quote straight from the horse's mouth...

    By default, Remote Desktop for Administration is installed when Windows Server 2003 is installed. However, Remote Desktop for Administration is DISABLED for security reasons.

    http://support.microsoft.com/kb/814590

    Now tell me, where did you get the idea that it is enabled by default? Certainly not from first hand experience... unless that experience is installing images that someone else created for you?

  • by CommandNotFound ( 571326 ) on Friday September 21, 2007 @04:04PM (#20701607)
    It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock.

    This is classic Microsoft MO: as soon as a Windows version has been released for a few months, start badmouthing the previous versions. They did the same with XP to 2K/ME, ME to 98, NT4 to NT 3.5, etc.

    Just Vista marketing. Nothing to see here, move along.
