Security

Security Community Reacts to Microsoft Announcement 471

A number of readers have collected stories concerning the change of focus by Bill Gates to security. Bruce Schneier and Adam Shostack have written a piece, while Craig Mundie of MSFT has also chimed in, along with some commentary from ZD folks. SecurityFocus has other words, as does InfoWarrior.
  • MSFT? (Score:2, Funny)

    I watch that MSFT3K all the time and they never talk about computer stuff... I am suspicious of the validity of this reference...
    • Re:MSFT? (Score:2, Funny)

      by Anonymous Coward
      Which one is Bill Gates? The human or the talking gumball machine?
  • It seems to me (Score:4, Insightful)

    by OpCode42 ( 253084 ) on Friday January 25, 2002 @11:30AM (#2901026) Homepage
    It seems to me like MS are doing this just to counteract the recent bad press they have got in the security area.

    I have said it in the past, and I'll spew it back up now for those who missed it: MS do not make the best software - but they do have the best marketing department and business sense.
    • One other reason (Score:3, Insightful)

      by ouija147 ( 467204 )
      They have always gotten people to upgrade software for the newest features. This will be the way they can get people to buy the latest software. Their products are so bloated with useless features that no one sees a reason to upgrade what they have, but to stay secure? People might buy that "feature".

      The revenue stream has to stay flowing and this will force IT people to upgrade. If they don't and they get hit by some nasty bug/virus/worm the CEOs will have their heads.

      But does this leave MS open to lawsuits...nah not likely what with their EULA

      Oh well
    • Re:It seems to me (Score:5, Insightful)

      by Proaxiom ( 544639 ) on Friday January 25, 2002 @11:47AM (#2901154)
      It seems to me like MS are doing this just to counteract the recent bad press they have got in the security area.

      Well, duh!

      It's the timing that gets me. They made the announcement shortly after a major OS release. So whenever somebody points out a bug in existing software (XP or earlier), they can shrug and say "That was the old Microsoft, the new Microsoft no longer makes those mistakes."

      And since it'll be sometime before they release another highly-vulnerable product, nobody will be able to contradict them.

      • I wonder though... (Score:3, Insightful)

        by ackthpt ( 218170 )
        Is this really the -NEW- Microsoft, taking responsibility for security in their OS and applications, OR is it the -SAME OLD- Microsoft doing this because they'll roll out their own Security Consulting Service or certified specialists (let's call them Microsoft Certified Security Specialists) to tell clients, "Yeah, that's one of our gaping holes, lemme call it in, by the way, it'll cost you a few thousand for Microsoft to repair this and issue the fix."

        Sure the security gaps, shoddy Q/A (i.e. let the customer do this) and worms have made interesting press (including Gartner Group's suggestion that businesses dump IIS; you may disagree with Gartner, but PHBs everywhere listen to them, not you) and are probably costing them a few bucks, but there's still an army of people out there who still buy M$ only, because "nobody ever got fired for choosing Microsoft."

        I'm too jaded to accept this as a genuine effort by Microsoft, which has left the security worry squarely on the shoulders of the client, to clean up their own mess and stop making them. I think there's an ulterior motive which we'll see later, like waiting for the other shoe to drop.

    • MS may now be trying to move into a different market, one that values security above point-and-click.

      The BBC sums it up nicely [bbc.co.uk].

  • by Score0, Overrated ( 550447 ) on Friday January 25, 2002 @11:31AM (#2901038) Homepage

    It will be good if they succeed; we hope they try as hard as their PR says they will.

    Have a nice day.
    • > [Speedreader's Summary:] It will be good if they succeed; we hope they try as hard as their PR says they will.

      Tackhead's One-Liner:

      If they put 10% of today's PR budget into the next release's security budget, they might have a chance.

  • by crumbz ( 41803 ) on Friday January 25, 2002 @11:32AM (#2901042) Homepage
    It seems that the various tones of the above mentioned pieces reflect a Microsoft good or Microsoft bad attitude. Unfortunately, the problem being discussed transcends the usual polemics of such a debate. Good security, whether from Microsoft, Sun, Novell, Cisco or others, is in everyone's best interest. If Microsoft has finally awoken to this fact, good for them. Their previous security through obfuscation was a travesty and insulting. If my personal information is going to be stored on a computer that is linked to a network, I want the best damn security money can buy. For that computer, for the database software, for the firewall, for the remote machine at the local insurance agency that is accessing the info, et al.
    True Names are important for a reason.
    • Gullibility (Score:5, Insightful)

      by epepke ( 462220 ) on Friday January 25, 2002 @01:53PM (#2902057)

      The problem is that an alarmingly large number of people cannot distinguish between the following:

      • Security
      • Words about security

      What has happened to the software industry in general is exactly what has happened to the American political process. If you make promises and then cash the check, it doesn't really matter if you deliver. The reason is that people are gullible.

      So you think, "gosh, wouldn't it be great if they've finally decided to do it right." But they haven't done it; they've just said that they are going to do it. Any support for mere words on the hope that it might come to pass will remove any incentive for actually doing it.

      Most people get off so much on the hope and the promises that they don't realize how they're encouraging integrity-challenged behavior with their actions. It takes a real cynical bastard not to get caught up in this, and then we get told, "Oh, you Microsoft Bad Religious Types."

  • Craig's article... (Score:5, Interesting)

    by ImaLamer ( 260199 ) <john.lamar@NospaM.gmail.com> on Friday January 25, 2002 @11:33AM (#2901044) Homepage Journal
    ...says:

    But we're still in the early years of the computer revolution, and there are many technological, social and regulatory hurdles we must overcome before computers truly become a ubiquitous--and essential--technology.


    The early years? No. When you've got one person on top who can't get their sh*t together...

    I mean, we could be farther along in this 'revolution' he speaks of. Why aren't we? Because the Big Guys [read:Microsoft] are doing what they want to do. Why are they now only focusing on security?

    Oh! Pick me! I know! --- Because they do what they want to do, and that's it. They don't give in to customer demand; most of their product is cooked up by visions that Bill and others have.
  • Cringely, too (Score:5, Informative)

    by what_the_heck ( 317513 ) on Friday January 25, 2002 @11:33AM (#2901048) Homepage
  • by Proaxiom ( 544639 ) on Friday January 25, 2002 @11:35AM (#2901056)
    Schneier and Shostack say:
    Separate Data and Control Paths
    Use Secure Default Configurations
    Separate Protocols and Products
    Choose for Security over Features
    Make it Transparent and Auditable
    Give advance notice of Protocols and Designs
    Engage the community

    All that stuff sounds great, but I can say the same thing in far fewer words:
    Start from scratch. Do it right this time.

  • by st0rmshad0w ( 412661 ) on Friday January 25, 2002 @11:35AM (#2901063)
    Considering the amazing amount of interest in hammering away on MS products, this new "shift in focus" will either wind up producing one of the most secure sets of products ever (highly doubtful, IMO) or it will be a long, drawn out, yet abysmal failure as each new change becomes defeated as fast as it's implemented.

    Either way, it's going to take quite a while to tell.
  • by gspeare ( 470147 ) <geoff AT shalott DOT com> on Friday January 25, 2002 @11:36AM (#2901065) Journal
    The first thing Microsoft is going to do under their new "security first" paradigm will be to announce that due to security concerns, they can't tell us what any of their security upgrades actually are.
  • A whole bunch of people, a few days ago, seemed to think that Billy's statement only made sense in the context of the settlement. He and MS wouldn't be required to give out so much information if they claimed a security concern.

    I mostly think it's advertising. XP didn't sell nearly as well as they had hoped, and a bunch of people flying around with Madonna playing in the background didn't seem to send their message. And I'd be willing to bet that security concerns were most of the reason - they WERE the reason with my employer.

    The tech world is full of reviewers and publishers who will publish Gates' statements as though they were spoken from the burning bush. God only knows, they shill for advertisers just as bad as gun magazines.

  • by Dephex Twin ( 416238 ) on Friday January 25, 2002 @11:37AM (#2901079) Homepage
    Windows is too backwards compatible, IMO. Too much building off of old stuff. Microsoft needs to make a new version more or less from scratch, like Apple's transition from the old Mac OS to OS X. It isn't a quick or easy transition, but it will pay off in the long run.

    I guess that's the problem when you are a huge software company trying to appeal to everyone. You end up supporting everything and it turns into a big mess.

    mark
    • You are right in the sense that doing that would be the best for Windows, especially in the long run. However, that scenario terrifies me more than anything.

      My box has a Linux partition and a Win2k partition. I keep Windows for games, and because in all honesty 2k isn't that bad. It's got all the stability and such of XP, but none of the Big Brother. 2k is also quite secure if you know what you're doing. And I like playing games. I have vowed to not update to XP however, as the whole embedded passport thing and such really scares me.

      However, if say, 2 years from now Windows RG (Really Good edition) comes out and is NOT backwards compatible, now new games only come out for it. I'd presume that if anything this hypothetical WinRG will be worse than WinXP in terms of Big Brother-ness, ergo I'd be even more hesitant to upgrade. That and it'll be even more eye-candy and more dumbed-down and all that stuff. But if I want my games, I'll have to upgrade.

      So that's why it's scaring me. I hope they keep their backwards compatibility, as I would personally like to just keep running 2k for as long as I can. Or at least if they do lose the backwards compatibility, wait until Linux gets enough market for games to be more available for it.

      And yes I realize the irony in talking about Linux games in the wake of the death of Loki.
      • What if all this security talk is ... preparation for building a DRM (digital rights management) OS? The insecurities of the current MS OSes are what make a DRM OS impossible ... Right now I get around a lot of DRM stuff with my 10 channel sound card (M-Audio Delta 1010), by routing sounds out the digital outs and sending a copy to its internal mixer ... then I can record the mixer (digitally) :) ... of course I'm a true pirate, mostly I use this technique to save (RealPlayer) NPR broadcasts for my father :) But I think that won't be possible soon.
      • by Tackhead ( 54550 ) on Friday January 25, 2002 @12:42PM (#2901571)
        > However, if say, 2 years from now Windows RG (Really Good edition) comes out and is NOT backwards compatible, now new games only come out for it. I'd presume that if anything this hypothetical WinRG will be worse than WinXP in terms of Big Brother-ness, ergo I'd be even more hesitant to upgrade. That and it'll be even more eye-candy and more dumbed-down and all that stuff. But if I want my games, I'll have to upgrade.

        Three words: Removable drive racks.

        As long as IDE exists (which should be good for another 2-3 years), if you must use Windows, keep an old '98, W2K, or Linux/FreeBSD install on a separate hard drive with your data and applications, and install Windows RG on another drive.

        Wanna work? Use the main drive. Wanna play the l33t new game? Yank it out and boot RG. No Gatesian DRM tech or spyware will ever be capable of corrupting or leaking data stored on an unpowered hard drive that's been physically disconnected from your machine.

    • They can't, they don't have any say in the matter. Many consumers still want to be able to run DOS and legacy software especially for accounting software.

      If Windows isn't too backwards compatible, people will complain like hell and use another OS.

      Having a huge marketshare certainly has its advantages, but it sure has a lot of disadvantages.
    • Can you provide some specific instance that illustrates your point? It appears to me that the backwards-compatibility bits of Win2K and XP have provided a more secure Windows environment, rather than less. For instance, the Virtual Machine used to house 16 bit Windows applications provides a sandbox for ill-behaving applications.

      Backwards-compatibility is at the core of none of the current security problems within Win platforms - at least none of those I can bring to mind. Please, prove me wrong.

    • I can think of another OS that has a lot of legacy gubbins in it. In fact it's based on a design that's been around far longer than windows.
      I'll give you a clue: it begins with the letter L.;)

    • Backwards compatibility sells MS products. Losing it will open the floodgates. MS won't do it.

      Apple is a very different animal. They can sell anything. Just not to everybody.

      In any case, "going back and rewriting everything" always sounds like a good idea, but seldom is.

      "Going back and rewriting the worst stuff" is probably a much better idea.
    • Legacy is Windows' most important feature. All other considerations are secondary. If you don't have a legacy, you have no reason to use Windows.

      If they made a clean break, then they would be on a level playing field with competitors. Is improving their product, which people are buying anyway regardless of its flaws, worth losing customers?

  • Announcements.... (Score:5, Insightful)

    by tcc ( 140386 ) on Friday January 25, 2002 @11:37AM (#2901082) Homepage Journal
    Let's wait and see. Announcements are just words; let's see how they will react when there's going to be another big security hole (because there always are going to be, and that on just about any platform, but especially with Microsoft). If they've really changed philosophy, they will react more quickly (as in programmer-wise and not PR-marketing-wise), and not handle this as a press release taking their customers for complete idiots and reacting immaturely, blaming people that find the bugs as "terrorists".

    And anyways, for those of us that are on some security mailing lists like NTbugtraq, we'll see how the people got their discovery handled by Microsoft, if they change for real, maybe we won't read as many "We notified microsoft 3 weeks ago about this matter and nothing was done, now it's time to bring it public" and then having the Microsoft PR and legal team on their back.

    I think they are starting to feel the heat of people that are really not satisfied and claiming that business damage due to an insecure OS should be fined to the creator of the OS, especially when they claim it's secure. Heh.. good thing.
  • by bitty ( 91794 ) on Friday January 25, 2002 @11:38AM (#2901091) Homepage
    Someone brought this up in another article, so I can't take credit.

    The settlement with the DOJ specifically allows Microsoft to exclude documentation of APIs that relate to security. This new initiative makes damn near anything in some way relate to security. Gotta love it.
    • Security APIs (Score:2, Interesting)

      by Hajoma ( 161358 )
      It's not problems with the security APIs that cause exploits. It's the bugs in other APIs, like XP's recent plug and play exploit.

      Even despite the fact that security through obscurity is no security, how does closing the security API make the system more secure? Surely all this achieves is to allow Microsoft to put backdoors in Windows' security features.
  • by Ars-Fartsica ( 166957 ) on Friday January 25, 2002 @11:39AM (#2901094)
    I think people are generally wise to be jaded about security in current MS products, but this company has demonstrated over the years that they will go into overkill mode on issues that appear to have a profound effect on the share price.

    I would look for MS to make at least two major acquisitions in order to shore up their security offerings - they have used acquisitions in the past to shore up problem areas.

    Of course the caveat is that they are not so much concerned with security as an intrinsic value but in the selling of security, and there is an important distinction here. As with any growing software market, you can't underestimate Microsoft's efforts, and I think it is largely naive for the readership here to snicker and write off MS in this regard.

    • I would look for MS to make at least two major acquisitions in order to shore up their security offerings - they have used acquisitions in the past to shore up problem areas.

      An acquisition can't fix their problems. It's not like they can buy some 3rd party program, and then Word and Excel macros suddenly won't work any more. Buying a product won't fix Outlook's "click here to execute virus" user interface. The only way an acquisition could fix their problems is if they use acquired products to replace existing products. (e.g. buy a new word processor and sell it instead of Word.)

  • ... All Pig Flight Training School Opens
  • by NetRanger ( 5584 )

    Here's a memo leaked to me from Bill Gates himself:
    January 25, 2002

    Fr: Gates, Bill (Microsoft-Redmond, WA)
    To: All Mail Users
    Re: New Security Focus

    I'm sure that everyone here has read our previous announcements in reference to the new security focus here at Microsoft. Let me be the first to make sure it is clear that these announcements will be followed up by actions, not just words.

    Of course new technology is what Microsoft is all about, so I am dictating this letter to you as you read it.

    Of course you know we have already taken the initiative to instruct the Windows team to cease development of new features, and focus on using existing technology from our competitor's software for placement into Windows, over ten years ago.

    Now it seems that some of the "glue" holding all these technologies together has, shall we say... uh, cracked.

    Therefore it is imperative that we cease adding new functionality not relevant to squashing those little bastards who think they have a better haircut than me!!!! and... uh...

    I mean, we really need to focus on stability and security, I mean, after all, to meet our vaporware deadlines we didn't really get the chance to read the code we stole... I mean, to reincorporate new ideas properly into Windows.

    You know, I'm turning this damn dictation off now ASH!*%(#@$

    [End of File]

  • by petej ( 36394 ) on Friday January 25, 2002 @11:45AM (#2901138)
    Usually, Bruce Schneier writes good stuff, and I enjoy reading it. This time, though, the piece is riddled with misinformation and poor advice. I'm surprised.

    SOAP isn't just a Microsoft protocol, for one, but the main problem with that paragraph is that SOAP was not designed to elude firewalls, any more than RPC was. SOAP is just an RPC mechanism that happens to flow over HTTP, mostly because Dave Winer only knows one protocol -- HTTP. Mr. Winer didn't try to evade protocols, he just couldn't conceive of creating a different protocol for this application -- an error of omission, not commission.

    In terms of file and media distribution, the functions of an HTTP server, FTP server and gopher server are very similar, so there's actually some sense in bundling the three together (and MS isn't the only group to do this). The security problems come when dynamic execution is added to the mix in HTTP. Messrs. Schneier and Shostack desperately want to undo this, but they don't have the right answer -- the problem isn't stocking the three protocols together; it's that the Internet gave us three ways to do the same thing. To really address the security issue here, we should probably go back and redo the protocols so that dynamic content and media content flow over separate protocols, but there's no chance of this happening -- HTTP didn't kill FTP, and even gopher is making a mild comeback, so we're stuck with this mess for a long time.

    There's some good advice regarding security in that article, but the authors' notions of product design are off-target, and contrary to the direction a lot of folks (even those beyond MS) are taking.
    • That's somewhat incorrect. SOAP is illustrated as running over HTTP/HTTPS for the very reason that those protocols on default ports are already open. This was discussed in Microsoft's own announcement of the protocol. It had a pragmatic, if misguided purpose. Companies already had these ports open, and thus no additional work or effort would be required by the system administrators and network admins to enable the use of SOAP.

      The idea is unfortunately short sighted, and will result in holes to be opened in what was previously a manageable service port. This was for expediency, not security. The SOAP spec team followed along as the adoption would be accelerated, but again, this was done without any real eye towards security.

      I seriously hope MSFT takes these comments to heart and at least begins to adjust their practice and products to be more secure.

      • The real stupidity is those who think that by blocking all ports except http, ftp, and email, you thereby ensure system security for all time, and you don't have to keep up with new developments like SOAP. Firewalls are better than nothing but they're certainly not enough.

        • I agree in principle, but bundling services together is still a bad idea, and in fact Adam and Bruce state that rather clearly at the outset. The ability of the firewall to separate, manage and in some cases via stateful inspection assist in the security of each service separately is still a desirable methodology.
    • SOAP is just an RPC mechanism that happens to flow over HTTP, mostly because Dave Winer only knows one protocol -- HTTP. Mr. Winer didn't try to evade protocols, he just couldn't conceive of creating a different protocol for this application -- an error of omission, not commission.

      One of the principal architects of SOAP was Henrik Frystyk Nielsen, who certainly knows about more protocols than just HTTP since he implemented them all in the CERN libwww code.

      The point is that running SOAP over SMTP or NNTP does not make a lot of sense except to looney email junkies who need a strong dose of reality. SOAP over FTP makes no sense because FTP is a fundamentally bodged protocol; it is less efficient than HTTP in every circumstance, it is also designed as a human/machine interface and is actually fairly brittle when used as a machine/machine interface due to different incompatible implementations and interaction between the ftp daemon and the file system semantics. The number of special case code paths for FTP in the libwww code is quite large. Some folk are trying to combine FTP and SSL which is not a good plan because FTP is actually built on Telnet and there are good reasons not to use SSL with Telnet, which is why SSH is no longer based on SSL.

      Henrik certainly knows about designing new protocols as well; he was one of the principal architects on HTTP-NG, which people refused to use because HTTP was good enough for them.

      SOAP actually layers over several transport protocols but the only one most people have any interest in is HTTP. There is a small interest in BEEP, but BEEP is a fairly new protocol that is probably only simple because nobody has used it yet and so we don't know what it lacks.

      I don't have much sympathy for folk complaining about the use of the 'firewall bypass protocol'. Firewalls are like chastity belts, they are mainly bought by people who intend others to wear them and suffer their inconveniences. They are also like chastity belts in that they tend to be less effective than the purchaser imagines.

      SOAP traffic is actually quite easy to detect in HTTP, just examine the Content-Type field. It is strange that Bruce should get so excited about this and say nothing about Java that deliberately disguises itself as application/binary to prevent firewall filtering (and yes I did suggest Gosling change this before they released Java, they refused).

      • ...are good reasons not to use SSL with Telnet which is why SSH is no longer based on SSL

        Err, when was SSH ever based on SSL?


      • >The point is that running SOAP over SMTP or NNTP
        >does not make a lot of sense


        A free clue:
        $ cat /etc/services

        No one is (seriously) suggesting running SOAP over FTP or NNTP. The point is that one of the fundamental features of the IP suite is that unique services should run over unique ports. This has a wide variety of benefits, one of which is that you can SHUT IT DOWN AT THE FIREWALL (or border router or whatever) when someone blurts their new exploit all over Bugtraq without bothering to inform the vendor. As it stands, when this scenario comes to pass (or the first .NET worm breaks out, or whatever) the network admin will have to make a choice between killing all web traffic as well as the (completely unrelated) SOAP services, or leaving them open and taking a chance on not getting hit. (Or running an application-layer proxy, with the concomitant issues of security, resources, latency etc.) And when the MD or CEO calls up asking why he can't get to CNN.com, what's he going to say? Running SOAP over port 80 is a really dumb idea.



        Incidentally when I said this here, a few months back, I got the most severe flaming I've ever had on Slashdot... nice to see that everyone's nodding sagely and saying "yes, of course, how true" now that Bruce Schneier says so, too. Apologies accepted =)


        > FTP is actually built on Telnet and there are good
        > reasons not to use SSL with Telnet which is why SSH
        > is no longer based on SSL.


        I have no idea what are you talking about here. ftp is "built on telnet"?

        And FYI, SSH - OpenSSH at any rate - still had OpenSSL as a dependency last time I compiled it (a couple of months back.)
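The Content-Type check the parent post mentions, and the application-layer proxy the reply above brings up, both come down to classifying a request head. This is an added example, not code from the thread or from any product; it assumes constructed request heads and the SOAP 1.1/1.2 conventions (text/xml plus a SOAPAction header, or application/soap+xml).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test; HTTP header names are case-insensitive. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Case-insensitive substring test (strcasestr is not portable C). */
static int contains_ci(const char *hay, const char *needle)
{
    for (; *hay; hay++)
        if (starts_with_ci(hay, needle))
            return 1;
    return 0;
}

/* Classify one HTTP request head (header lines separated by CRLF).
 * Returns 1 when the request looks like a SOAP call, 0 otherwise:
 *   SOAP 1.2 -> Content-Type: application/soap+xml
 *   SOAP 1.1 -> Content-Type: text/xml together with a SOAPAction header
 * A bare text/xml POST without SOAPAction is treated as ordinary XML. */
int looks_like_soap(const char *head)
{
    int xml_body = 0, soap_action = 0;
    const char *line = head;

    while (*line) {
        const char *end = strstr(line, "\r\n");
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char field[256];
        /* Bound the copy by the destination's size, not a hard-coded literal. */
        if (len >= sizeof field)
            len = sizeof field - 1;
        memcpy(field, line, len);
        field[len] = '\0';

        if (starts_with_ci(field, "content-type:")) {
            if (contains_ci(field, "application/soap+xml"))
                return 1;
            if (contains_ci(field, "text/xml"))
                xml_body = 1;
        } else if (starts_with_ci(field, "soapaction:")) {
            soap_action = 1;
        }
        if (!end)
            break;
        line = end + 2;
    }
    return xml_body && soap_action;
}

/* Constructed sample request heads (not captured traffic). */
const char SAMPLE_SOAP11[] =
    "POST /StockQuote HTTP/1.1\r\n"
    "Host: soap.example\r\n"
    "Content-Type: text/xml; charset=\"utf-8\"\r\n"
    "SOAPAction: \"urn:GetLastTradePrice\"\r\n"
    "Content-Length: 0\r\n\r\n";
const char SAMPLE_SOAP12[] =
    "POST /StockQuote HTTP/1.1\r\n"
    "Host: soap.example\r\n"
    "content-type: application/soap+xml; charset=utf-8\r\n"
    "Content-Length: 0\r\n\r\n";
const char SAMPLE_WEB[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example\r\n"
    "Accept: text/html\r\n\r\n";

int main(void)
{
    printf("soap1.1=%d soap1.2=%d web=%d\n", looks_like_soap(SAMPLE_SOAP11),
           looks_like_soap(SAMPLE_SOAP12), looks_like_soap(SAMPLE_WEB));
    return 0;
}
```

A proxy that applies this rule can drop or log SOAP calls while leaving ordinary port-80 web traffic alone, which is the choice the reply says a port-only firewall cannot make.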
  • this is an interesting question.

    when MS wanted to take advantage of the Internet, they bullied their way into the browser market. Now they are going to bully their way into the security market, in order to provide an integrated solution?

    Sounds good on paper, for them. another step towards a microsoft world, in which security by obscurity is the pattern, etc.

    feh

    the thought of microsoft salesmen becoming the thought police sickens me.

  • New Levels (Score:5, Funny)

    by Sir Tristam ( 139543 ) on Friday January 25, 2002 @11:47AM (#2901152)
    "We must lead the industry to a whole new level of Trustworthiness in computing."
    - Bill Gates internal memo, 15 January 2002.
    Hasn't this already been accomplished? I'd feel a lot better if it had stated that this would be a higher level of trustworthiness. All software (other than a "hello world" program, TeX and anything I write ;-D ) have bugs; that's simply life. Admit them, correct them, and move on instead of trying to ignore and bury them, and people would feel a lot more trusting of the products. The same applies for "gee-whiz" features that end up being security holes; admit that they were bad ideas and remove them (or at least disable them by default)

    Bottom line is, words are easy. I'm going to wait to see the action.

    Chris Beckenbach

    • We're all gonna die anyway, so there's no point in trying to put off the inevitable!

      Let's smoke and drink and eat nothing but onion blossoms and have unprotected sex with gutter-crawlers. We're all gonna die anyway!

      And we can't forget about Joe - ate well, exercised, etc., and he still got cancer and died at 24. Why bother?....

      What will it take to kill this damn "all software has bugs" crap? Of course it's possible to write bug-free software - look up "formal methods" or "correctness proofs" on Google. It's just very expensive and isn't used unless a bug will result in death.

      But more practically, I've been at few shops (maybe one in almost 20 years) that couldn't eliminate the vast majority of their bugs with some simple changes. Things like TURNING ON COMPILER WARNINGS - you would be shocked how many times I've come into a site (as a troubleshooting consultant) with a flaky code base, turned on compiler warnings (which are inevitably disabled), made sure every variable was initialized and functions were called with the right types of arguments and the code was immediately described as "more reliable," "less fragile," etc. Yet this rarely takes more than a week to complete.

      If I were security czar at Microsoft (and pigs could fly....) my first order would be that every developer drop everything else to turn on compiler warnings and eliminate these warnings. (Some warnings are acceptable, but not uninitialized variables, wrong number of arguments or wrong types of arguments.) Shouldn't take more than a week, even if function prototypes have to be defined from scratch, and the code will be a lot more solid.

      Then there's the buffer overflow issue - "grep" is wonderful at locating sprintf(), strcpy(), strcat(), scanf(), and other problematic code. It's normally easy to convert them to the safer functions. "grep" can also find snprintf(), strncpy(), memcmp(), strncmp() etc with hardcoded array sizes - too easy for the size of a buffer and the function calls to get out of sync if you don't use a manifest constant or sizeof().

      Overall, there's about a dozen simple steps you can do that will eliminate essentially all of your serious bugs. Some of these steps can be done quickly, others can be painful if a shop has been sloppy (e.g., 'programming by contract' and adding assertion checking to existing libraries.)

      To be sure a nontrivial application will still have bugs, but they're much less likely to be ones that an attacker can exploit and there's no justification for a site not following these practices. Yet we keep hearing the fatalistic "all code has bugs, we're all gonna die anyway!" chants and nobody takes the simple first steps to fix bugs or eliminate the worst of their personal habits.
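The post's advice about the grep-able unsafe calls and about tying buffer sizes to a manifest constant or sizeof() rather than a literal, as an added example (not code from the post or from any Microsoft code base). The record layout, NAME_LEN and the inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 32   /* manifest constant: the one place the size is stated */

struct record {
    char name[NAME_LEN];
    unsigned age;
};

/* Copy src into dst, which holds dstlen bytes including the terminator.
 * snprintf always NUL-terminates when dstlen > 0; its return value tells us
 * whether src was cut short. Returns 0 on success, -1 on truncation. */
static int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    int n;
    if (dstlen == 0)
        return -1;
    n = snprintf(dst, dstlen, "%s", src);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

/* Fill a record from untrusted input. The bound passed down is
 * sizeof r->name, so it cannot drift if NAME_LEN is changed later, and
 * every local is initialised before use. Returns 0, or -1 if the name
 * was truncated (the record is still fully initialised and terminated). */
int record_init(struct record *r, const char *name, unsigned age)
{
    int rc = 0;
    memset(r, 0, sizeof *r);
    if (bounded_copy(r->name, sizeof r->name, name) != 0)
        rc = -1;
    r->age = age;
    return rc;
}

/* The two forms the post's grep would flag, kept only as a comment because
 * both write past the end of name once the input is 32 bytes or longer:
 *   strcpy(r->name, name);        no bound at all
 *   strncpy(r->name, name, 64);   literal 64 silently out of sync with NAME_LEN
 * The second one is the "array size and function call get out of sync" case. */

int main(void)
{
    struct record r;
    char too_long[64];
    int rc;
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    rc = record_init(&r, "alice", 30);
    printf("short name: rc=%d name=%s\n", rc, r.name);
    rc = record_init(&r, too_long, 1);
    printf("long name:  rc=%d len=%zu\n", rc, strlen(r.name));
    return 0;
}
```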
      • Yet we keep hearing the fatalistic "all code has bugs, we're all gonna die anyway!" chants and nobody takes the simple first steps to fix bugs or eliminate the worst of their personal habits.
        Every point you make is quite valid. However, there is a distinction between "all code has bugs" and "bugs in code are inevitable". If a program has a bug in it, it's in the vast majority. There should be little stigma in admitting that there was a bug and fixing it, instead of ignoring it and hoping that not many people will notice. Perhaps I should have said, "All software ... have bugs; that's not unusual. Admit them, correct them..." instead of "All software ... have bugs; that's simply life. Admit them, correct them..." We'll just chalk it up to a bug in my previous post, which will be fixed in the next release. I was trying to state the current status of reality, not an attitude of being resigned to rampant bugs being unavoidable.

        By the way, correctness proofs only demonstrate that the code correctly implements the algorithm specified and still doesn't handle the problem of selecting or designing the correct algorithm. They therefore attack only one point in the development process where bugs can enter. (You already know this; just letting the others in on the fact that there's no silver bullet.) Full compiler warnings are a good thing; another thing I would insist upon is that a programmer use a debugger to step through every line of code affected by a change, and make sure that the program execution flow is what they had intended. It's amazing how many bugs I've caught this way.

        Chris Beckenbach

  • Microsoft's new focus on security will not help them sell any upgrades. If their customers were worried about security, why would they have started using Microsoft in the first place?
  • How can a company hope to achieve "a whole new level of Trustworthiness in computing" if they don't have an ounce of trustworthiness in their own business and political practices? Some may argue that this is a whole other subject, but personally I think that a company with real ethics will perform leagues above in the field of security, bug-fixes and general product improvement.
  • Denny's (Score:5, Insightful)

    by pfaut ( 18898 ) on Friday January 25, 2002 @11:57AM (#2901227) Homepage
    I once heard a story about the Denny's restaurant chain. I'm not sure if it's true but the moral is. The story goes like this.

    Apparently, Denny's had intended to be a 24x365 operation, never closing its doors. Therefore, when they built the restaurants, they didn't bother putting locks on the doors.

    One year, they decided to give their employees Christmas day off. In order to close the restaurants, they needed to be able to lock the doors. Therefore, they had locksmiths go out to all of the stores and install locks.

    Now, instead of having spent about $10 per door when the store was built to have locks installed, they needed to send locksmiths to all of the stores and pay them for a couple of hours work resulting in a cost of a few hundred thousand dollars to give their employees a day off.

    The moral: It's a lot easier to design security into a system in the first place than to try to add it on later.

    Microsoft has their work cut out for them.
    • True or not, it's a good story.

      Regarding Microsoft; they REALLY have their work cut out for them. They can't hide this with press releases for very long and failures won't be excused as easily. Then again the public has accepted a daily ritual with Ctl-Alt-Del for over a decade.....

      I'm pretty sure they, Microsoft, lost the server battle, but by buying into the home entertainment market (Xbox) and controlling the content they'll have another shot back at the server market in 5 years. A BLACK-EYE between now and then will seal their fate. IMHO.

      LoB
    • Therefore, when they built the restaurants, they didn't bother putting locks on the doors.

      While I can't be positive this statement is true, I seem to recall seeing it printed in local newspapers back when, so I think it is true. The way I heard it, it wasn't that they didn't bother; they made a specific deal of it, as a marketing trick. Think about it. You don't design locks in, you have to design them out. Doors without locks aren't the default, I'm sure you realize.

      C//
  • fascinating... (Score:3, Insightful)

    by jeffy124 ( 453342 ) on Friday January 25, 2002 @11:58AM (#2901229) Homepage Journal
    .. the CNet article by Mundie was part of a pair of pro/con articles. Mundie wrote the pro, Bruce Schneier the con.

    I find it just fascinating that CNet had to go with Microsoft in order to find someone willing to write an article for the "pro" half of the article pair.
  • The ability to act over plain HTTP DOES have a use.

    Now, I know one camp will say it's not necessary to wrap protocol within protocol, that it is a bad practice... but here's the thing.

    To build really successful network apps for the mass market, you can no longer rely on network transparency.

    What does that mean?

    Back in the day, you could assume that every computer on the internet had an IP address, and could deal with unfiltered TCP/IP. That's how it was designed.

    Nowadays.. we have NAT everywhere. Yes, NAT is a kludge to get more machines online.. but it's here to stay.

    Example: I live in Costa Rica. The local cable company uses NAT. (yes, lame, I know).
    My office also uses NAT.

    Lots of home gateways use it.

    And stuff like video, voice, remote desktops, VPN, etc. will just plain not work over NAT. Some things, I can hack up to work.. and I'm a real hacker type guy. What can my mom do? Nothing.

    I'm all for MS paying more attention to security, separation of code and data, absolutely.

    But bitching at them for SOAP, or for (not mentioned here) implementing raw sockets in XP is plain bunk... it's GOOD for them to support a full, flexible machine.
  • I don't see Microsoft's new focus on security as anything other than the old Embrace and Extend tactic.

    Step 1: Embrace some technology.

    Step 2: Extend it in proprietary ways, locking the users in to Microsoft.

    How long before we hear,

    Microsoft cannot guarantee the security of your application/computer/network unless all your products and platforms are from Microsoft.
    How long before the security protocols used are known only to Microsoft (for security reasons, naturally)?

    Three months—at the most!

    Lately on /. when there is a headline about Linux on the desktop, the M$ trolls come out of the woodwork: "Linux isn't ready for the desktop, by a long shot; stop pretending that it is." This isn't news.

    OK in the same light, call it trolling if you want, let me say M$ isn't secure. Not by a long shot, please stop pretending that it is or will be soon. Thank you.
    Probably MS's next step... Doing exactly what they did to the browser market, but now they're going for the security market. They'll integrate their own security site and antivirus software with their OS. Then they'll buy up mailing lists and security sites (hey, they have the money and anyone can be bought for a price).

    Then all we have for security is what MS tells us and gives us!

  • But like all MSFT software, it won't be till they reach version 3 that it will actually be workable. Will it be acceptable to their corporate customers? Yes - Bill G is many things, but "stupid" ain't one of them. ("Criminally arrogant" might be :))

    Just look at their history of innovative products:

    Windows: Sure they were caught a bit off guard by that fruity company down south of Redmond, but Bill G. made a GUI the main priority and they invented FUD (or did they license it from IBM?) to confuse and delay the corporate world for the years it took to get up to Windows 3.1

    Similarly, when the Internet torpedoed Bill's fledgling MSN, he made the internet the company priority. It took a few years, but just look at the market share of MS IE nowadays. Even AOL uses IE as their main browser (and they own Netscape - why don't they "eat their own dog food"?)

    So I think that MSFT will be able to bring about this shift to secure their OS and applications. 40 billion dollars in actual cash on hand is only chump change for a first world government. It can finance one heck of a lot of spin doctoring (Just the interest off that would come to more than all the US Congress - House and Senate races plus what Bush and Gore spent combined in the 2000 election campaigns). And of course, however much various folks like to grumble, MSFT actually does spend some money on programming as well as marketing. Heck, they might just make their own hyper-secure version of BSD (given how much BSD code they have already borrowed) and call it MS Fortress 2005.
  • by FauxPasIII ( 75900 ) on Friday January 25, 2002 @12:02PM (#2901270)
    This reads a lot like the Dilbert where Dogbert is a consultant and says something to the effect of "I'm going to make a bunch of recommendations that I know you are too cowardly to implement. Later, when you fail, I'll laugh at you for ignoring my advice."
  • the register (Score:3, Informative)

    by horster ( 516139 ) on Friday January 25, 2002 @12:02PM (#2901275)
    The Register has been following this pretty closely.
    they have a good editorial on what it would cost to ms to implement this as well (like dropping .net until the security implications are thought through)

    here is the link -
    http://www.theregister.co.uk/content/4/23791.html
  • Security potential (Score:2, Insightful)

    by Anonymous Coward
    The real problem is default configurations. Exploits aside, the NT OS is very securable. However, when the software for it, like IIS, is installed virtually wide open for the world, it's a picnic for hackers and crackers alike. From what I've read about the next Windows server line, a lot of this is being changed. IIS is no longer installed by default, and must be installed explicitly by the admin. Even then it will only be capable of serving static pages from a single directory, and every method of dynamic content processing will have to be enabled explicitly. This, coupled with the excruciating combing of code for buffer overflows (and various implements that will prevent their execution, such as a SEH handler in VC7 which can kill the thread that has its buffer overflowed), I think Microsoft will be able to pull themselves out of this spotlight.
  • DRM! (Score:4, Interesting)

    by mikeee ( 137160 ) on Friday January 25, 2002 @12:10PM (#2901328)
    What really scares me about this is the talk about taking desktop control away from users, the one thing MS has always been good about in the past.

    Billg says:

    "Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways...It should be easy for users to specify appropriate use of their information including controlling the use of email they send."

    Of course, this new "secure" email won't work on those un-American Linux computers.

    Am I the only one nervous about that?
  • by Catiline ( 186878 ) <akrumbach@gmail.com> on Friday January 25, 2002 @12:11PM (#2901339) Homepage Journal
    All thoughts of their past products aside, who really is going to trust Microsoft? They are a convicted monopolist; we've seen from the evidence how their mental level does not exceed the school yard bully, beating up weaker kids for their lunch money. This attitude locks them into a win/lose philosophy (when we win, you lose).

    It doesn't matter what sort of clothes they wear or how pretty they smile, when the bully comes around the next day, the kids run and scream in terror. They know the bully only wants to get them backed into a corner; what makes us treat Microsoft any different?
  • by Toodles ( 60042 ) on Friday January 25, 2002 @12:12PM (#2901347) Homepage
    At the top of Mundie's spiel:

    "...they've helped transport people to the moon and back safely, they manage critical aircraft systems for thousands of flights every day, they support business operations at companies of all sizes, and they move trillions of dollars around the world to keep the global economy"

    It's a shame that none of these run Microsoft software. MS didn't exist in the 60's (moon landing), has nothing to do with aircraft systems (most still in use run on late 70's mainframes and minis), and god help the bank/brokerage who runs their mission critical software on a Wintel platform. End flame.

    Mundie does have one idea right though; make it ubiquitous (sp?). He indicates computers should have the same reliability that requires no thought. I agree whole-heartedly. However, I don't believe MSFT can do it without rewriting the whole damn thing over. I cannot count the number of times an NT server had to be manually power cycled because a service hung and wouldn't restart. This wasn't some oddball, third-party service; this was IIS ("WWW Publishing Service" I believe). Until simple things like the separation between kernel and application (EVERY application, no exceptions for the ones you need to tweak for benchmarks) is complete, NT will have problems.

    Toodles

  • by mmaddox ( 155681 ) <.moc.liamg. .ta. .oofpoo.> on Friday January 25, 2002 @12:16PM (#2901372)

    Being quite the 'nix aficionado myself, I understand some of the rather hateful sentiments expressed toward MS. I take issue with some of Mr. Schneier's (whom I greatly respect) comments, however, as being opposed to the mindset of progress.

    For instance, "Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn."
    strikes me as an ill-conceived statement. SOAP [w3.org], for the uninformed, is just an XML-based protocol carried through HTTP. It doesn't BYPASS the firewall, it passes through the port generally held open for the use of web servers. We're packaging an XML envelope that a SOAP implementation can open and use, not passing some magic packet that your web server can use to format its hard drives. Firewalls can be made to use SOAP information to block SOAP packets, and servers don't have to respond to ill-formed, ill-conceived, or ill-meaning SOAP calls. How the heck can removing SOAP altogether be considered a practical security measure, any more than simply removing the web server from the net entirely? Sure, you might get your C-2 rating, but is it worthwhile?

    MS has attempted to create a high-functionality server platform, one that installs with the purpose of usability as its default. This simplifies the installation process, creating a process that relies less on the intelligence and experience of the user and more on the good nature of MS itself (as the one who created the installation system). MS does not necessarily have YOUR interests in mind, but the interests of a non-specific "user" in mind - a user whose needs profile may or may not fit your own. Microsoft needs to expand their thinking to include the needs of secure-minded individuals, granted, but the needs of ALL users should still be taken into account, and documentation created that explains the differences.

    I'll be the first to admit that Windows has security issues, however, I contend that the nature of networking imposes security problems on ALL operating systems. I doubt too many persons could implement a secure 'nix OR a secure Win box. Intelligence and experience are required in both.

    I know most people will assume such a statement by Microsoft is just a response to the bad PR they've endured after stating XP was their most stable OS and then a major hole was found in it. But, when you think about it, it really would seem plausible for MS to finally get serious about security.

    Take all the factors that normally influence major business decisions - especially IT decisions - and you start seeing really compelling cases against MS.

    First, there's cost. We all know Linux wins that one hands-down, since it's hard to compete with free. Next, consider stability. We all know Win95/98/Me are horrible when it comes to this, but let's remember that most businesses are running at least NT - which is mostly stable - and many have now upgraded to Win 2k, which is very stable (IMHO). XP is as stable as Win 2k, but I don't think most businesses have an interest in upgrading to XP from 2k, so I'm mostly ignoring XP.

    Then comes the big one: support. Many IT people that manage MS-centric offices and networks will tell you that they don't trust the availability or amount of support for Linux. Linux gurus, on the other hand, call MS support a joke. This one, IMHO, is more or less a draw since both sides see it differently.

    But after all that, you can mention the factor that makes even the non-tech execs cringe: security. If the CEO - no matter how technologically uneducated said CEO is - reads in the Wall Street Journal that there's a major security hole in Windows version Blah and the hole is large enough to present danger to critical corporate systems, said CEO is going to make damned sure the IT people either get the hole patched or ditch Windows version Blah to avoid security problems. In the past, the IT people could shoot down such directives because going from MS to Linux could present too many problems. But now we have Lindows and Wine to help support any critical Win32 apps and KDE and Gnome to make the desktop transition easier.

    Again, this could just be MS lip service. But with all the current pressures combined with the future potential of Windows replacements, it wouldn't be all that surprising to see MS start trying to produce a product that deserves the corporate mega-bucks.
  • with words Security and Microsoft is Taliban and Democracy
  • by Mnemia ( 218659 ) on Friday January 25, 2002 @12:20PM (#2901410)

    I thought that looking at these two articles provided an interesting comparison. Mundie's idea of "trustworthy computing" is a world in which people don't think about the technology that makes their computing devices work. This seems to me to be pretty much the same philosophy that Microsoft has followed for a while now, i.e., lowering the level of knowledge required to operate computers.

    By contrast, in the Schneier article, the viewpoint expressed seems to me to advocate people getting involved in the operation of technology. More configurability, plus more modular components, more transparent auditing/logging of OS functions etc. In the author's view, users should be aware of what their computer is doing.

    This is the fundamental problem with Microsoft's view of security. Their focus on making things transparent to the lowest common denominator is at the root of all the architectural problems from lack of logging to Outlook viruses arising from scriptable email. They need to change their view that people should just view their computers as mysterious black boxes before their security record will ever improve.

  • So does Robert X. (Score:2, Insightful)

    by sootman ( 158191 )
    http://www.pbs.org/cringely/pulpit/pulpit20020117.html

    New products and upgrades based on increased security have a certain appeal. After all, you can never have too much security, so users can be convinced to upgrade over and over almost forever (just look at McAfee). But there is a downside, too, which is that security and security performance are now firmly on the table. If Microsoft says it is going to make its products trustworthy and they aren't, then customers can rightly be upset. To this point, remember, Microsoft has pretty much disclaimed security, saying that all operating systems and applications are vulnerable. "It's not our fault." Well in the age of Trustworthy Computing, it WILL be their fault, though the cost to us will probably be continual and expensive upgrades.

  • by JWhitlock ( 201845 ) <John-WhitlockNO@SPAMieee.org> on Friday January 25, 2002 @12:26PM (#2901461)
    Am I one of the few people here that took Bill Gates' message at face value? That they have decided to make a top-down corporate commitment to security, probably due to external and internal pressures?

    Bad security practices can be expensive - I know I've lost a few hours of work due to not having an up-to-date-and-scanning virus program. This has to have a definite impact on MS's operational budget, trying to figure out how to spin the latest virus while testing solutions against the entire MS suite. On top of that, there has to be some managers and employees that still believe the old lines, that customers pay for new features, not bug fixes, that interoperability and ease of use sell, not security.

    Microsoft knows that it has won the Desktop OS wars, that its closest competitors are Apple's OSX (only runs on expensive hardware, so it will have a minimal impact on business sales) and Linux (still playing catch-up with MS). Now it needs to figure out how to sell upgrade units to existing customers, and has to think about the eventual multi-computer households with home servers, where it is currently losing to Linux. Most reviewers that tried XP loved its stability, and I've even been tempted to upgrade my 98 desktop (which runs fine once you get all the programs working together).

    Extra bells and whistles aren't doing it anymore - customers are tired of gaining ease of use at the cost of patches and bugs. Customers want an invisible operating system, which makes easy things easy, and they almost don't care about making hard things possible. This will require MS to transition from a company focused on beating competitors by innovation (by whatever means) to beating competitors by having a better product (more stable, fewer surprises, better cooked).

    To make a change in basic philosophy requires a redirection of management. The Gates memo is the first step, and I think we can take it at face value. Sure, it's a strategy to further MS's competitive edge, but I really don't think that there's anything underhanded going on here. I think Bill is giving the lowest guy on the totem pole a weapon to tell his boss - Here, I want to work this bug out before we release it; if you have a problem, take it up with Bill. That's a Good Thing, and I'm planning to be surprised by what the folks at MS can do when they have the will to make a secure product.

  • by BlackStar ( 106064 ) on Friday January 25, 2002 @12:26PM (#2901462) Homepage
    There is a side thread in progress that touches on how SOAP is addressed in the article. I think SOAP deserves a lot more attention, especially as it affects MSFT, and the new .NET initiative.

    SOAP is designed to use HTTP/HTTPS as the most common implementation of transport and protocol underneath. Schneier and Shostack touch on how poor a decision this is. I think this goes a lot further than many developers and companies are realizing.

    You just removed your firewall.

    The idea of SOAP is to allow IT services to be exposed as remotely addressable and usable procedures. Essentially with every web service or SOAP receiver, you have written a brand new server that parses XML protocol messages to decide on action. Thus every web service you create may have overrun, DoS and other exploits inherent in it, in your code, as you are executing paths based on a message from the outside. Just like a web server, ftp server or any other available server.

    So now, everyone has to become better at security, to the point that the web services are safe. Ideally they should all run within a sandbox environment with restricted permissions, but considering SOAP authentication is based on HTTP authentication, the models may or may not match up properly.

    Most important is that the SOAP specification team, including MSFT, and the .NET portions pertaining to web services have basically increased the difficulty of every network administrator's job by stuffing all this over port 80.

    Now if there is a vulnerability in a web service, the network admin has to take out port 80, probably taking down the web service, the web server, and who knows what else that's been tunnelled through there. They can't simply block a set port. UDDI could have advertised a port for the service as well, and stateful inspection could be implemented at some level on each service port to increase security and leverage off of the firewalls. Instead, a rat's nest of information is getting funnelled through http/https. The firewalls aren't designed for this, and the inspection task is only going to get more difficult as SOAP grows in popularity.

    MSFT is always looking at first to market, and I can almost assure you that for that reason, SOAP was designed around port 80 and into the web server engines. I can also say with a fair bit of confidence that the first time MSFT gets beat to market due to a security review, that the security priority is going to get thrown right out the window of the executive windows at Microsoft if it causes the stock to slip.

    • The idea of SOAP is to allow IT services to be exposed as remotely addressable and usable procedures. Essentially with every web service or SOAP receiver, you have written a brand new server that parses XML protocol messages to decide on action.

      FUD

      What you, Adam and Bruce appear to miss is that firewalls are rarely configured to allow incoming HTTP requests. If they are, the requests are typically handled by a server located in a DMZ between two firewalls.

      The firewall bypass problem is for outgoing requests. There is not actually a whole lot of difference in the security implications of an HTTP client posting a form in URL encoding and posting an XML document.

      • I really think you need to examine SOAP, especially as it relates to RPC. When you make a request to SOAP, it's an incoming request over HTTP. Coming from an outside party to your ticket selling system to reserve a flight. That's the whole idea of published web services.

        You might wish to browse the powerpoint from Microsoft itself detailing .NET and Web Services at this location [vbxml.com] and then try to get a grip on how it works before decrying "FUD!". If you think Adam and Bruce are offbase on security, you obviously have no concept of the capabilities, experience or dedication of either individual. As for myself, say what you want. :-)

        • I really think you need to examine SOAP, especially as it relates to RPC. When you make a request to SOAP, it's an incoming request over HTTP. Coming from an outside party to your ticket selling system to reserve a flight. That's the whole idea of published web services.

          And you would put a machine of that type providing an external service in your internal network???

          You entirely miss the point, for every service there is also a client. The port 80 / firewall issue has nothing to do with the server end. It is when the client is behind a firewall that you have a problem.

          There is no firewall bypass issue at the service end, a company that is providing a published dotnet service will modify its firewall configuration to deploy its product. The problem with firewalls comes when the IT dept refuses to modify the firewall configuration to allow use of services provided externally.

          If you think Adam and Bruce are offbase on security, you obviously have no concept of the capabilities, experience or dedication of either individual.

          I know Adam and Bruce very well, they know me very well. I don't think either of them would claim that they had greater expertise or experience than I do, and in particular not on this particular topic. Certainly neither would expect the automatic deference to their views you appear to think due.

          On this point they happen to be mistaken. Bruce is very rarely 'wrong' about security, that is I do not recall an instance of him calling a system secure when it was not, he is however quite frequently mistaken in describing a system as insecure when it is in fact secure. If he could learn to discuss them in private with the relevant designers before launching public attacks his reputation inside the security industry might match that outside.

          The point in question is a single sentence paragraph tacked onto the end of a section. I suspect that it was an afterthought that they had not thought through in great detail. If they want to call me up and discuss it I can go through the detailed analysis I have.
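BlackStar's post and mmaddox's comment above, and the replies in between, all circle the same practical point: a port rule cannot tell one SOAP call from another, so the allow/deny decision has to be made after parsing the HTTP request. The following is an added illustration written for this page, not code from the thread or from any SOAP product; the host, action URIs, method names and allowlist are made up, and the SOAPAction/Body checks are a minimal sketch rather than a full SOAP parser.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>                        /* strncasecmp (POSIX) */

/* Constructed example, not code from the thread or from any SOAP stack.  A port
 * rule sees only "TCP/80"; the facts needed to allow one web-service method and
 * deny another sit in the HTTP headers and XML body, so the filter reads both. */
enum verdict { NOT_SOAP = 0, SOAP_ALLOW = 1, SOAP_DENY = -1 };
struct soap_rule {
    const char *action;   /* expected SOAPAction header value (made up here) */
    const char *method;   /* expected first element inside the Body */
};

/* Case-insensitive header lookup; returns the value (length in *vlen) or NULL. */
static const char *find_header(const char *req, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");            /* skip the request line */
    while (p) {
        p += 2;
        if (p[0] == '\r' && p[1] == '\n')           /* blank line ends the headers */
            break;
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *e = strstr(v, "\r\n");
            *vlen = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* Local name of the first element inside the Body: "ReserveFlight" from
 * <soap:Body><m:ReserveFlight ...>.  Returns 1 on success, 0 if absent. */
static int body_method(const char *req, char *out, size_t outsz)
{
    const char *b = strstr(req, "Body>");           /* <soap:Body> or <Body> */
    const char *lt = b ? strchr(b, '<') : NULL;
    if (!lt) return 0;
    const char *s = lt + 1, *e = s;
    while (*e && *e != '>' && *e != '/' && !isspace((unsigned char)*e))
        e++;
    const char *colon = memchr(s, ':', (size_t)(e - s));
    if (colon) s = colon + 1;                       /* drop the namespace prefix */
    size_t n = (size_t)(e - s);
    if (n == 0 || n >= outsz) return 0;
    memcpy(out, s, n);
    out[n] = '\0';
    return 1;
}

/* Application-layer verdict for one request.  SOAPAction is client-supplied, so
 * it only counts when the body really carries the method the header names. */
int soap_verdict(const char *req, const struct soap_rule *rules, size_t nrules)
{
    size_t vlen;
    const char *v = find_header(req, "SOAPAction", &vlen);
    if (!v) return NOT_SOAP;                        /* ordinary web traffic */
    if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') {
        v++;                                        /* SOAP 1.1 quotes the URI */
        vlen -= 2;
    }
    char method[64];
    if (!body_method(req, method, sizeof method))
        return SOAP_DENY;                           /* header but no callable body */
    for (size_t i = 0; i < nrules; i++)
        if (strlen(rules[i].action) == vlen && memcmp(rules[i].action, v, vlen) == 0)
            return strcmp(rules[i].method, method) == 0 ? SOAP_ALLOW : SOAP_DENY;
    return SOAP_DENY;                               /* unknown action: default deny */
}

/* Build a constructed SOAP 1.1 request carrying the given action and method. */
int make_request(char *buf, size_t size, const char *action, const char *method)
{
    return snprintf(buf, size,
        "POST /flights HTTP/1.1\r\nHost: example.invalid\r\nSOAPAction: \"%s\"\r\n\r\n"
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        "<soap:Body><m:%s xmlns:m=\"urn:example:flights\"><flight>CR123</flight>"
        "</m:%s></soap:Body></soap:Envelope>", action, method, method);
}

const struct soap_rule RULES[] = {
    { "urn:example:flights:ReserveFlight", "ReserveFlight" },
    { "urn:example:flights:FlightStatus",  "FlightStatus"  },
};
const size_t NRULES = sizeof RULES / sizeof RULES[0];

int main(void)
{
    char r[512];
    make_request(r, sizeof r, "urn:example:flights:ReserveFlight", "ReserveFlight");
    printf("reserve: %d\n", soap_verdict(r, RULES, NRULES));            /* 1 */
    make_request(r, sizeof r, "urn:example:flights:CancelAll", "CancelAll");
    printf("cancel:  %d\n", soap_verdict(r, RULES, NRULES));            /* -1 */
    return 0;
}
```

A port-80 rule would have passed both requests unchanged; the difference between them is visible only once the headers and body are parsed.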

  • by DrCode ( 95839 ) on Friday January 25, 2002 @12:29PM (#2901480)
    If the past is any indication:

    MS will do a barely useful job of improving security, and the press will proclaim that they invented it.

    It will be just like multi-tasking in Windows 95 (i.e., "Users can now run two or more programs at the same time!!").
  • by archen ( 447353 )
    I remember some MS propaganda stating that Linux and other Unix based OS's inherited 30 years of vulnerabilities, yet NT was wonderfully secure because it was a much more modern OS. NOW they're making security a priority? Don't tell me M$ has been lying to me!
  • Removing that idiot extension to Kerberos that broke compatibility and modified without examination (at release -- it's been plenty examined now) is one thing they could start with. Release the modification, and the Kerberos networking code for MSFT OSes into the public security community. Interoperate and cooperate on the stuff that's really central in secure environments.

    Or you could look at that act as proof that they want to own the security. Not necessarily create it.

    • Start with NSA Security-Enhanced Linux.
    • Break up some major applications, like Apache and a mail handler, into modules that run with different privileges. Basic rule: if it's trusted, it doesn't do much, and if it does much, it's not trusted. As an example of an untrusted process, in mail handling, each process talking to a network port runs in a jail. It can talk to its network port, and, with restrictions imposed at the database end, to the database. It can't do much else. So even if it has a buffer overflow, it can't do much.
    • One of the remaining Linux companies (is anybody but Red Hat left?) should offer a warranty program. If it breaks, we fix it; if it damages your data, we pay. Offer this to corporate customers along with a support contract.
    • Kill Sendmail. It's never going to be secure.
  • MSFT could start by releasing all the crap they did with Kerberos and the 1 bit extension they put in to ensure incompatibility and create a semi-proprietary extension. Release that to the public with the code so that the experts can see if Kerberos was in any way broken or compromised by the MSFT implementation.

    Doing that to the protocol was before Bill's memo, but it's indicative of at least a few people involved in security interoperability that really don't get it.

  • In their article [securityfocus.com], they say that trustworthiness is something earned. That's right. Microsoft's past security breaches and spyware have caused me to totally lose faith in the company. As a result, I am now a Mac OS X fan. (Well, that and the fact that OS X is for now the best desktop Unix around.)

    Microsoft will have to drop its spyware and its insane licensing policies before I will try Windows again. Microsoft will have to drop the Globally Unique Identifier before I will use Windows Media Player.

    In short, this is a good move for MS, but for me it is too little, too late. I have switched to Mac OS X and will never go back to Windows.

  • Propaganda (Score:2, Insightful)

    Given Microsoft's business success record (legal or not, they make a lot of money) if Microsoft says they are going to focus on security, that should be taken seriously. I have no doubts that if Microsoft wants to, they can make products as secure as their competitors' software. (After all, when Microsoft decided to kill Netscape, they did so fairly well. If they decide to be secure, they can do that too.)

    The question is, how badly do they want security? Their new focus on security may require them to make their new software and OS less backwards-compatible, or not quite as user-friendly. Microsoft may have trouble seeing their products' ease of use drop in the short run--they've put a lot of work into making Windows easy to use. So basically it comes down to this: are they willing to sacrifice some ease of use (and beef up their technical support) in order to produce more secure products? If so, great. If not, then it's all just propaganda.
  • by Aceticon ( 140883 ) on Friday January 25, 2002 @12:54PM (#2901649)
    Dear Bill

    It saddens me to see Microsoft exiting the highway of consumer satisfaction into the dirt road of security.

    As a long time fan and appreciator of the Microsoft way, I feel I must stand up and ask:

    Why?

    Microsoft has done more than any other company to turn Desktop Computing into a thrilling adventure. From the very moment I turn on my PC, I feel I'm entering a world of wonder and surprise, where new adventures can happen at any moment:
    - Maybe Windows will not start up and I end up with a black screen.
    - Maybe it will start in VGA mode
    - Maybe clicking in the explorer toolbar will result in a blue screen
    - Maybe Word will crash when I'm editing an important document.
    - Maybe installing the newest IE will make half my applications stop working.
    - Maybe after installing the newest DirectX Windows will stop working.
    - Maybe I'll open an e-mail and my PC starts acting funny.
    - Maybe I'll get a phone call from my ISP saying a Denial of Service attack on the White House site has been detected from my machine.
    - Maybe the mouse pointer will start moving by itself
    - Maybe all my files are deleted.

    Why? Why do you want to remove all the thrill and adventure from my life???
  • Of course, the only appropriate response to Microsoft's initiative:

    *What* security problems?

    Think about it, if the industry plays dumb the way that Microsoft has for the past 10 years, then they will have to enumerate their history and how they might address the problems. Speculation on my part, sure, but they sure don't deserve all of these free ideas.

    I'm an MCSE, and while Microsoft's lameness has provided me with a nice career for the past several years, I still have nerdy idealism governing my attitude. :) For many years my standards of quality have been much higher than Microsoft's, and now we see that they want to "lead" into the future. Well, start by catching up.

  • Having done an amount of C++ coding back in the early years of Win9x, I have extreme doubts that M$ has the commitment or the ability to do anything more than "patch the leaky tires". Here's why: IMO the code structure upon which most MS apps are built (MFC classes) has some deep down design flaws which can't be rectified without introducing serious compatibility issues with any other MFC apps already out there.

    As an example, we wrote a test app with a different foundation class library that was bug- and memory-leak free in all of the major WinXX OS's (up through 98 and NT 4), and even compilable and bug free back into Win 3.XX. The whole app was a total of 123K: the Microsoft Foundation Class (MFC) [version 3.2, IIRC] test app as created by the wizard came in at just over 1 Meg, riddled with memory leaks, logical errors, etc. Our determination was that it wasn't just a bad wizard -- the MFC itself was causing many of the leaks and problems.

    Now then, if you look at the Win API set now (Y2002), it is just that much more massive than when I last actively coded to it -- but the underlying code classes look much the same. [I haven't done a diff, so I can't prove it.]

    So accurate or inaccurate, I don't think Microsoft has the corporate will to change from a company built on FUD (fear uncertainty doubt) to a company whose software is something I can trust because it doesn't even look to me like they have fixed all of their original problems in the foundational code classes from the early days of Windows 95.

    • You are reading them all wrong. Microsoft has shifted focus several times in its history. From the DOS-type environment to Windows. To the LAN. To the Internet. And now Security. Yup, Security with a capital S because it will, of course, be MS-style security. They have played the games differently with everything else (LAN, Internet, all kinds of standards), and they will set the rules here as well.

      Realize that it will take them three or four tries to get this Security thing down though. It has with everything else:

      - How many incarnations has MSN had?
      - Do you even remember Windows 1 or 2 -- or even 3.0? (I'm sure someone will reply in the affirmative, but most of you haven't)
      - those stupid e-book tablets (haven't won here yet) or palm computing (same here)
      - What was the first version of IE that didn't completely suck? (You want to say that IE is different, but it isn't. They basically play all their games this way.)

      And with $20b in the bank, they can afford to have an army of coders comb through existing libraries looking for defects. They can afford to have scores of UI designers and HCI evaluators to see exactly how much security people are willing to deal with. Better yet, they can afford to screw up two, three, maybe even four or five times before they finally get it right. And the world will just have to live with it.

      They will screw up someday. It might be Security that does it. It might be something else that brings them down. But don't just dismiss the new Security focus as FUD. Pay attention.
  • by gwillden ( 447979 ) on Friday January 25, 2002 @02:08PM (#2902191) Homepage
    This one kills me. From Craig Mundie:

    "Many people today are still reluctant to trust computers with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to them"

    Every time you fly on a plane your life is in the 'hands' of computers. Every time someone gets an x-ray or a CT scan or any one of many now normal medical procedures you are entrusting your life and health to computers. Most (if not all) medical and financial records are entrusted to computers.

    We do it everyday and the reason we do it is because these devices are designed and built by companies that have earned our trust by building quality products to very strict specifications for safety. These companies have good track records of safety and if they have problems then they are reported.

    What Mr. Mundie should have said is:

    "Many people today are still reluctant to trust Microsoft with their personal information, such as financial and medical records, and few people would knowingly entrust their lives to Microsoft."
  • by Dan Crash ( 22904 ) on Friday January 25, 2002 @02:36PM (#2902417) Journal
    I was going to do exactly what this fellow did, but he beat me to it. Clever. Let's hope this URL gets around: http://www.trustworthycomputing.com [trustworthycomputing.com]
  • by pointym5 ( 128908 ) on Friday January 25, 2002 @03:43PM (#2902995)
    Reading Mundie's article made it crystal clear what all of this Microsoft security stuff is about. It has nothing to do with increasing security of their products, per se. It's all about engineering a market perception that Microsoft is a single entity that has the ability to make announcements like this, to offer commitments (empty or not), and be a focus of trust. Read the article -- note the implications that in order to have trust in software, you need some corporate entity in which to place your trust.

    Guess what competition will be easy for their marketing machine to paint as being lacking in the trustable big established multi-billion-dollar company department? Sure there's IBM, but experience suggests that Microsoft are fully up to the challenge of out-marketing IBM.
  • Some history (Score:4, Insightful)

    by Zeinfeld ( 263942 ) on Friday January 25, 2002 @04:05PM (#2903195) Homepage
    Back at the start of the 1990s the general consensus in the computing industry was that UNIX could never succeed outside academia because it was chronically insecure.

    It would be good if the people who spend so much time attacking Microsoft's security issues considered that UNIX generally and Linux in particular are not exactly fault free.

    How can anyone who runs sendmail throw stones at Microsoft? sendmail is a textbook case in how to write software that can never be secure. The program breaks every single one of the rules Bruce and Adam set out. There are plenty of better alternatives, yet sendmail remains the default through sheer inertia (you might want to route some bang path UUCP or OSI mail sometime you know).

    UNIX only became secure as a result of trial and error. There never was a security architecture worth a damn. For many years the main contribution to the security world from the UNIX security architecture folk was discouraging people from using shaddow password files.

    The security model of all modern operating systems is based on the security model of MULTICS and comes from the age of the Multiple Access Computer. The security problem is defined in terms of a single machine that has multiple concurrent users. The addition of the network is an afterthought.

    What this means is that very few of the security features in a modern O/S are actually of the slightest relevance to a machine running a Web server. In effect we end up with two parallel permissions structures, the one managed by the O/S and the one managed by the Web server.

    Win2K and XP have Kerberos and PKI integrated into their core. The standard configuration supports IPSEC, S/MIME, SSL, Kerberos, Smartcard login, Encrypted File system. Measuring security in terms of cryptographic features Microsoft wins hands down (Microsoft are good on features).

    Linux on the other hand is not in anywhere near such a good position. Security packages are available but it is left to the end user to integrate them. Linux also lacks anything that resembles the 'Security Administration Guide' mentioned in the rainbow series books.

    Security is not a binary condition. The problem I see for Linux is complacency. There are too many weenies out there whose knowledge of security is actually minimal who tell people Linux is secure because that is what they have been told. None of the O/S on the market are particularly secure. Windows has a great security architecture that the crappy applications completely bypass. UNIX has a crappy architecture and some very well tested applications whose security bugs have been largely eliminated by trial and error.

    People in the OSS community can go around telling each other that Linux will always be more secure than Windows if they like, but that won't make it true. Gates has essentially served notice that Microsoft is going to be upping the ante here. That does not mean that they will win, but a lot of work is going to have to be done if Linux is going to keep up. Fortunately it is not necessary to integrate PKIX into Linux as Microsoft did with Windows, the OSS community could skip a PKI generation and move straight to using new technology such as XKMS and SAML.

    • Back at the start of the 1990s the general consensus in the computing industry was that UNIX could never succeed outside academia because it was chronically insecure.

      Citations, please? By most accounts, Unix had already penetrated far outside academia by the time the 1990's rolled around.

      ...UNIX generally and Linux in particular are not exactly fault free. ...How can anyone who runs sendmail throw stones at Microsoft?

      So what? Does one sin excuse the other? Is there any lack of focus on Unix and Linux security issues? If I run IIS do I give up the right to criticize Apache?

      ...sendmail is a textbook case in how to write software that can never be secure.

      Never is a long time. What box-breaching flaws are in the latest release? Oh, you were referring to those older releases still installed all over the place. Like the old NT 4 boxen, and the unpatched IIS, and Win95's nukable TCP stack, and ... yeah.

      My retort is the same as Microsoft's: UPGRADE

      The program breaks every single one of the rules Bruce and Adam set out.

      Bruce and Adam are not the only ones writing rules. Appealing to authority plays well to the unwashed masses who don't know any better. That's why it's a favorite of Microsoft spin doctors (and government spin doctors, and media spin doctors, and...)

      UNIX only became secure as a result of trial and error.

      This is partly why it has the level of trust that it does. We have experience with it, and know what to expect.

      For many years the main contribution to the security world from the UNIX security architecture folk was discouraging people from using shaddow [sic] password files.

      I think you meant "encouraging people to use shadow password files".

      Win2K and XP have Kerberos and PKI integrated into their core.

      What does that mean?

      The standard configuration supports IPSEC, S/MIME, SSL, Kerberos, Smartcard login, Encrypted File system. Measuring security in terms of cryptographic features Microsoft wins hands down (Microsoft are good on features).

      Microsoft is also good at winning irrelevant feature comparison contests. What is there to assure anyone that these features are any more secure than the other featureful crap that got Microsoft into trouble in the first place? How do we know these services do not harbor even bigger holes than the ones we know about already elsewhere in the OS? At least with IIS, we can have a clue that it ought not be left turned on except where it is required. Who is going to turn off security "features" as a matter of course, even if it's the right thing to do, as it is with IIS features? Today's features are tomorrow's embarrassing exploit. It matters not one bit whether the features are characterized as the "security" type of features. If they are written poorly, they can be exploited. If they are not needed, but are enabled anyway, they pose a needless risk. Needless risk is where Microsoft excels.

      The problem I see for Linux is complacency. There are too many weenies out there whose knowledge of security is actually minimal who tell people Linux is secure because that is what they have been told.

      That's pretty fucking funny. Complacency on the part of MCSE-types is why Microsoft software is such a problem. Nimda was not propagated by web servers running on Linux. It was propagated by IIS webservers running on Microsoft systems operated by complacent Microsoft admins.

      But Linux users and distro preparers are learning. Newer distros come with everything turned off. Even after it was shown that unwitting NT and W2K users' PCs were propagating worms because the users had no idea a web server was even running, much less that it needed patching, XP still comes with everything turned on.

      Wake me up when XP2 ships, and let me know if stuff is still on out of the box.

      Windows has a great security architecture that the crappy applications completely bypass.

      If it was a great architecture, the apps would not be able to bypass it.
