Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Microsoft Security The Almighty Buck

Security Affecting Microsoft's Bottom Line 416

kidlinux writes "The Globe and Mail has an article discussing the impact of viruses and security flaws in Windows. Apparently Microsoft has bounties out on virus writers. 'The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.' The effects of various worms and security issues are becoming visible in financial terms - having to deal with the security issues keeps Microsoft from closing new deals, and governments and businesses are starting to look at the alternatives, such as Linux. 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'"
This discussion has been archived. No new comments can be posted.

Security Affecting Microsoft's Bottom Line

Comments Filter:
  • by -kertrats- ( 718219 ) on Saturday November 08, 2003 @06:04PM (#7425724) Journal
    Microsoft has such ridiculous control over the market that it would take an act of God (namely Bill Gates) to bring it down. Like discontinuing support for its OS's. Commence flaming.
    • by leerpm ( 570963 ) on Saturday November 08, 2003 @06:13PM (#7425779)
      Yes they have a lot of control over the desktop market, but not in the server market. They have pretty much saturated the desktop market. If they are going to grow like they have in the past, they need to find new markets and succeed in those markets like gaming consoles, server software, and embedded devices. So far they are not fairing that well in all of these markets.
      • by DoraLives ( 622001 ) on Saturday November 08, 2003 @06:42PM (#7425906)
        If they are going to grow like they have in the past, they need to ...

        If they are going to grow like they have in the past, we're gonna have to populate a few new planets and then let the sonofabitches take monopoly shares of the OS market there too!

      • Exactly how well are they doing in the embedded and gaming markets, though?
        • Think of a PDA/Laptop combo.
          Thinking about tabletPC? What OS is on that?

          Think of a games console.
          Thinking Xbox? What OS is on that?

          Insidious little company, this upstart from Redmond. We should nip it in the bud before it starts becoming a problem for all us C/PM users.
          • Think of a PDA/Laptop combo. Thinking about tabletPC? What OS is on that?
            Not just MS products: http://www.lycoris.com/products/tablet/

            Think of a games console. Thinking Xbox? What OS is on that?
            Actually, I wasn't thinking of XBox at all. If PS2 and the Gamecube didn't exist, I may have, though.
    • by Anonymous Coward on Saturday November 08, 2003 @06:47PM (#7425933)
      I think you are underestimating this whole thing. Virus' and worms are a positive reason to use anything other than Microsoft.

      I have talked to many people who seriously were considering disconnecting from the internet due to worms. I suggested using something other than Outlook, and most of the problems would disappear. And don't use IE.

      There was a phone-in program on CBC the other day about this. There was an obvious chasm of experience between those who used Windows and those who didn't, ie Mac, linux, etc. It was amusing to hear a professor at a university say that he was moving away from using computers for sending stuff back and forth due to the instability of it all. Yes, and putting the blame squarely on Microsoft.

      Microsoft has a real serious problem here. The solution is very scary for them: put all their best and smartest programmers for the next 3 years on rewriting critical parts of their application stack. Will they be able to hold onto the market? Will they be able to hold on to their talent? All this to produce something that is unmarketable.

      It is very funny actually. Microsoft spent years building a marketplace that functions the way they want. Then some kid spends 15 minutes writing a script (yes, it is that easy) and the whole thing tumbles down.

      Derek
    • In its latest quarterly results, Microsoft said revenue from multiyear contracts dropped $768-million (U.S.) from the previous quarter.

      This will hurt even Microsoft. Governments, small businesses, developing countries, and people who don't want to or can't afford to spend $500 on Windows/Office will continue to eat away at MS desktop sales.
  • by pohzer ( 561713 ) * on Saturday November 08, 2003 @06:04PM (#7425727)
    Time to protect the monopoly. Once in that phase, funds are diverted away from R&D and into protectionism -- the great money pit.

    Is it really easier or more cost-effective to change the world (pay bounties for crackers, lobby for prtctionist laws) than to change your business practices (write more secure software)?

    This had better be a temporary endeavor conducted in parallel with major shifts toward better busines practices, or MS is starting the downward spiral.
    • by kingkade ( 584184 ) on Saturday November 08, 2003 @06:09PM (#7425766)
      A lot of people realize that most of their new software will run on the .NET runtime virtually eliminating (probably) most of the programming vulnerabilities that exploits take advantage of (buffer overflows, unchecked casts, etc).
      • .NET runtime virtually eliminating (probably) most of the programming vulnerabilities

        That was one of the core idea of Java. Microsoft takes these ideas and makes them easier to use. Security is hard to understand. That's usually the first thing they remove to make their shit popular. How much of the code of a real production system will be secure managed code? And how much of it will be "fast" and "easy to use"?
      • by JVert ( 578547 ) <corganbillyNO@SPAMhotmail.com> on Saturday November 08, 2003 @06:35PM (#7425879) Journal
        Using .net doesn't eliminate your exploit capabilities, it places your vulnerabilities in their hands. Things like this [cigital.com] can be patched but as they add more features they will add more flaws. Suddenly MS's ability to prove secure code is more important. If .net has an issue, all applications written with it will have an issue.
        • Thanks for the link it was interesting. I believe Java also had some issues, but I'm going on the notion that the runtime does what it's supposed to do, which is not unreasonable to obtain, even after some unavoidable mistake are found.
          Of course there is no silver bullet to make your code secure and robust. Just because a buffer overflow is impossible or remote code execution/system privilege or root is unattainable, it doesn't mean someone can take advantage of a badly written service that doesn't check ar
      • by kfg ( 145172 ) on Saturday November 08, 2003 @06:40PM (#7425899)
        Except that on an infection by infection basis most Windows exploits are based in the architecture, not faulty code, per se.

        Garbage collection is no cure for intentionally failing to follow secure practice by default in order to "enhance the user experience" or gain an apparent performance advantage over those systems that use some portion of machine capacity to maintain security.

        Ever denormalize a database to gain performance? Well, than you serve as an example yourself of the sort of thing Microsoft does. That performance increase came at the price of less secure data (in the sense that your data can become unintentionally corrupted).

        If you make choices of that nature in kernel space no programing enviroment in the world is going to save your security ass.

        KFG

      • A lot of people realize that most of their new software will run on the .NET runtime virtually eliminating (probably) most of the programming vulnerabilities that exploits take advantage of (buffer overflows, unchecked casts, etc).

        Hrm... with Microsoft's track record, and the Mono Projects [[really big]] gaping flaws... do you really belive that?

        Better Yet, lets imagine .NET becomes the de-facto API for programming... in the case that is [[probably is]] flawed, instead of having one or two gaping holes

    • This had better be a temporary endeavor conducted in parallel with major shifts toward better busines practices, or MS is starting the downward spiral.

      Yes, yes and not exactly.

      My impression is that Microsoft is fully engaged in attempting to address their security problems. They will persue both tracks you mention, and any others that present themselves, to try and get a handle on the situation. However, I disagree that this is the beginning of a downward spiral for Microsoft. The hits they are taking no
      • MS kept going because their stock was high enough to attract people who thought mostly of making lots of money, integrity and skill be damned. They were happy to grind out feature after feature without worrying too much about how sloppy the feature itself was, or the code that implemented it. The high stock price also kept investors happy, knowing the value would go up and they coudl sell to the next greedy sumbitch. A nice pair of positive feedback circles.

        Sooner or later the stock would hit its limit,
    • What's interesting here is that this is mostly a DESKTOP problem. If it's hurting Microsofts sales is this only a delay in purchasing more buggy Microsoft software or is there REAL consideration from moving away from Microsoft on the desktop? If it's the latter, it shouldn't be long before we see alot more desktop LinixPC migration news.

      My thought is that Microsoft does not know how to satisfy it's customers with regards to security and with the next end-all OS releases not due til 2006, I doubt patching
    • by Cid Highwind ( 9258 ) on Saturday November 08, 2003 @06:41PM (#7425903) Homepage
      Is it really easier or more cost-effective to change the world than to change your business practices?

      Well, it seems to work for the RIAA...
    • They already started down the downward spiral. It's called evil. Pay for a complete upgrade when it should have been done right the first time? Think not. Each time I see a price on XP or Office, I think of how much money MS has already scammed.

      They can run on fumes for a few more decades before they finally go broke or smarten up. I'll hedge bets on the former before I lay a dollar on the latter.
      • by Artifakt ( 700173 ) on Saturday November 08, 2003 @08:23PM (#7426363)
        Fortunately, companies that size don't usually coast downhill gracefully for decades. A big corporation can bleed out with surprising speed. Look at the amounts involved in the IBM/SCO case, and imagine MS, with declining revenues, getting into lawsuit after lawsuit with stakes that big. What MS is spending on catching virus writers is actually reasonable. What they have spent encouraging SCO is less so, and what they are spending on lobbying governments to use windows, or on developing new lines such as console gaming or net server tech is worse, as little of it has shown any profit yet. When every new action starts costing them lots of extra money to fend off the consequences of the last ill advised plan or lawsuit, they will find themselves suddenly posting a multi-billion quarterly loss, and the deadline to go broke or smarten up will be a few months rather than a few decades away.
  • by __aavhli5779 ( 690619 ) * on Saturday November 08, 2003 @06:05PM (#7425731) Journal
    Security failures are beginning to hit Microsoft hard not because of the enterprise, but because of home/personal installations.

    Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example), home users have been thrust into the unfortunate situation of running an enterprise OS (anything from the NT family), with no experience on securing it, and often, no knowledge that it needs to be secured at all.

    Windows NT-based operating systems listen on so many ports, and are designed so wide open, because they are meant to sit inside a secured corporate network. Though Microsoft's unification of the NT and personal trees of Windows starting with XP gave personal users much of the speed and stability they had been lacking for so long, it also gave them security issues they should not have been expected to deal with.

    This is why, though NT-based OSes have had widely publicized security flaws for years, their flaws are now in the spotlight.

    Microsoft's recent steps to finally globally disable the Windows Messenger service and enable the firewall by default are a late, but necessary, effort to help bridge this divide.
    • competent MCSE

      mod this up as Funny :]
    • by just someone ( 13587 ) on Saturday November 08, 2003 @06:26PM (#7425842)
      What company do you work for?

      0) you assume that a system admin has time to address the daily patches that were coming out at the peak.
      1) patches take time to test and apply. You might be able to break a users computer (as long as it's not the company heads), but you can't break the server.
      2) MS charges $$$$ for the systems which give you the ability to maintain many systems.

      3) things get behind the firewall. Probably a lot less since these worms, but they do get behind the firewall.

      MS is paying for bad decisions.
      * Trust. Trust will work on the internet. Nobody would click ok without reading what the message says.
      * Sandbox, VB don't need no stinking sandbox
      * No user permission separation
    • Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example)

      Please show me this "properly designed network", that allows an unpatched Active Directory domain and blocks traffic on RPC ports.

      This may work in a perfect environment where the users don't run untrusted junk, run email attachments
      • Makes me wonder if the original poster IS the "competent MCSE" or hired a "competent MCSE".

        Or has no idea what they are talking about and has no buisness running their mouths...
      • by ericman31 ( 596268 ) on Saturday November 08, 2003 @08:05PM (#7426295) Journal

        Please show me this "properly designed network", that allows an unpatched Active Directory domain and blocks traffic on RPC ports.

        I've been hearing this bit of FUD for a while now about how it's not Microsoft's fault. If only all of these incompetent network and system administrators would patch their systems and maintain their firewalls how there wouldn't be any problem.

        Well, I'm here to tell you that I work for an organization with about 1500 employees. We process over a hundred million transactions annually in our systems. Our average system administrator or network engineer has about 7.5 years of experience in the IT industry, our security staff (I'm the security director) has an average of 9 years of IT industry experience. Except for the Windows administrators (our office automation network is Windows based), everyone comes from either a Unix or mainframe or both background. We know what we are doing, have a very good network and well maintained servers and appropriate security levels.

        And every damn Windows virus/worm that comes along impacts us, even our mainframes and unix boxes. Why? Cause the stupid things propagate with attack vectors that are ridiculous. Root exploits in a web browser or via an email message and you don't even have to execute the damn thing? RPC worms with multiple attack vectors (browser, file shares, mail, RPC)? Local user exploits using html pages and scripts that can bypass web browser security settings and then execute arbitrary code!

        It doesn't matter how well built your network is, if you are not running it like an NSA network, with no connectivity to the outside world, no email, no web browsing, no nothing, these damn Windows attacks are going to get in and cost money. I've lost more than a thousand work hours this year to dealing with SQL Slammer, MS Blaster and SoBig. Even if I got rid of all the Windows systems in my network, I'd still have a problem because the attacks would continue, and continue to affect me, although only at the boundaries, which would be better. Except for all the crap the mail servers have to deal with.

    • Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example), home users have been thrust into the unfortunate situation of running an enterprise OS (anything from the NT family), with no experience on securing it, and often, no knowledge that it needs to be secured at all

      Except that when I worke

    • Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example), home users have been thrust into the unfortunate situation of running an enterprise OS (anything from the NT family), with no experience on securing it, and often, no knowledge that it needs to be secured at all.


      See, it's funny becaus
    • by dpilot ( 134227 ) on Saturday November 08, 2003 @08:09PM (#7426311) Homepage Journal
      Funny, my corporate deployed laptop, following standard practice, set ME up as admin. I understand this is standard practice for WinNT-family (mine is Win2k) deployments, in general.

      With that ONE practice, the single greatest/easiest chunk of security - separation of user from admin, is gone.

      From what I understand, quite a bit of Windows software actually depends on this practice, and can't run without admin priviledges. So regardless of who takes the blame, Microsoft or the Windows Culture that has grown up around their products, there's an architectural-level problem, here.
  • Perhaps (Score:3, Insightful)

    by SargeZT ( 609463 ) * <pshanahan@mn.rr.com> on Saturday November 08, 2003 @06:06PM (#7425743) Homepage
    If microsoft had put more of there bottom line in the past into the security of windows, this wouldn't be such a concern now, would it?
  • by Anonymous Coward
    Actually, MS doesn't want people talking about security holes they find in MS software:

    http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/columns/security/essays/noarch.as p

    http://www.pcworld.com/news/article/0,aid,63784, 00 .asp

    As Steve Jobs once said, "Every security scheme that is based on secrets eventually fails."
  • About. Bloody. Time! (Score:2, Informative)

    by hbo ( 62590 ) *
    Truth and Justice cannot be forever denied!

    Seriously, now is when we find out which model of software development really is more secure. Results like these will energize Microsft's management to try and address security even more forcefully. My money is on FOSS, but we'll actually get to see how it plays out in the real world.
    • That's a difficult one.

      Stability used to be a major reason for avoiding MS operating systems. Win9x crashed frequently, others didn't.

      As of Windows 2000 SP1, they managed to pretty much eliminate that problem. It took them about 5 years, but they got there in the end.

      Possibly by the time Longhorn SP1 comes out, in about 2006, they will have pretty much sorted out the security problem. I guess it will still require stupid amounts of memory and CPI time compared to other systems, but that is becoming le
      • Possibly by the time Longhorn SP1 comes out, in about 2006, they will have pretty much sorted out the security problem.

        In Longhorn (or whatever version theoretically becomes secure) perhaps. But there are businesses still running DOS. Win9x still has a significant presence in the business workplace, not to mention home use. This legacy will not change fast enough to save them from the consequences of their earlier shortsightedness.
    • Yes it's about time. Finally us Mac & BSD fans can join in the chorus: Microsoft is dying! Whew that felt good.
  • About time! (Score:3, Interesting)

    by myov ( 177946 ) on Saturday November 08, 2003 @06:10PM (#7425767)
    This is what happens when you let marketing run the company :) Shiny new graphics in this version! More features you don't need! Security? nope.

    If OpenBSD can produce a secure distro for FREE, why can't Microsoft with all the resources available to them? Marketing never thought that it was important. End users are finally starting to realize that it doesn't need to be this way.

    At this point, it's a little late to go back and design security into a system which never had it.

    Of course, there goes my job security...
    • Re:About time! (Score:5, Insightful)

      by dirk ( 87083 ) <dirk@one.net> on Saturday November 08, 2003 @06:22PM (#7425825) Homepage
      The reason BSD can produce a secure OS for free and MS can't is because MS focuses on usability. There is a reason most people haven't heard of BSD much less use it, and that is because it is extremely hard for the average person to use. Hell, it's hard for somewhat knowledgable people to use.

      MS has made a decision to give people extremely usable products, and this comes at the cost of some security and reliability. They could make the most secure software around, but them it wouldn't be usable. They are now trying to balance their products more between security and usability because they have gone too far away from security. Security and usability are generally on 2 different ends of the spectrum. To make things easy to use, you have to give up security and vice-versa.
      • Re:About time! (Score:5, Insightful)

        by Penguinshit ( 591885 ) on Saturday November 08, 2003 @06:58PM (#7425973) Homepage Journal

        The flaw in your argument comes when you realize that a company with the resources of Microsoft (money and personnel) should be able to realize that balance between usability and proper security in about one fiscal quarter.

        Instead, for years and years, since there was little incentive for them to do anything about it due to their monopoly (and the tactics to keep it), nothing was done to make the software more secure. Even the normal "usability" features were largely unexciting past Windows 95.

        So, in the 8 years since the release of 95 (wherein the current Windows user interface and experience was defined) the security problems have gotten quite a bit worse while the usability has been marginally increased. Some stability was added with the 2000 release, but with an even larger decrease in security.

        This is why people hate MS so much (well, one of the reasons). Despite the fact that they COULD do better, and SHOULD do better, they don't. There is no excuse in the world why they couldn't have produced truly top notch software when companies working for free can.

        • by A nonymous Coward ( 7548 ) * on Saturday November 08, 2003 @07:13PM (#7426040)
          They have $50 billion in the bank, as ready cash. There are a lot of unemployed programmers, and if they wanted to outsource to India and China, there are a whole lot more even cheaper.

          It might take a year or two, but they could squash future bugs if they wanted to. And yes, I know about the mythical man month and adding manpower to a late project, but this is not a single project, it is hundreds of small projects.

          Microsoft is still not serious about fixing security holes. They never will be.
          • It might take a year or two, but they could squash future bugs if they wanted to.

            I doubt it. A complete rewrite is the only way to clean up the cobled together mess of intentionally spagetti coded junk they have purchased and stolen. The might be able to do that in a year or so, but it would not be Windblows it would be OSX1 or some other varient of BSD with an ugly and non-intuitive Redmond themed desktop.

            They can complain all they want about it not being cost effective to fix bugs. I think they are g

      • "The reason BSD can produce a secure OS for free and MS can't is because MS focuses on usability. There is a reason most people haven't heard of BSD much less use it, and that is because it is extremely hard for the average person to use. Hell, it's hard for somewhat knowledgable people to use."

        Well...that was the theory anyway.

        Isn't there an old saying that goes: "Those who would trade freedom for security deserve neither."?

        I guess the geek version of that would be: "Those who would trade security for
  • by Izago909 ( 637084 ) <tauisgod@g m a i l . com> on Saturday November 08, 2003 @06:14PM (#7425785)
    Instead of writing more secure code or locking down system services by default, MS is going after the people who write viri. How is this going to fix the (in)security problem? Do they think this is the last generation of assembly hackers? Bah. Every day I'm reminded of why the Voluntary Human Extinction Movement is a good idea. Just remember that one day MS will be one of the many corporations that provides sponsered funding for your child's or grandchild's school.
    • There is no such word as virii.
      The computer usage of this word stems from the medical word virus and the correct pluralization is VIRUSES - Dorlands 28th ed Medical dictionary.
      No doctor that I know uses the word virii..we all use viruses.
      • If non-computer people can corrupt the usage of hacking, then non-medical people can corrupt medical terminology to their own purposes.

        Besides, you understood what was meant, so where is the problem?

        And even more, I think it was Andrew Jackson, President of the US around 1820 or 1830, who said "It's a poor mind that can only think of one way to spell a word."
  • by morelife ( 213920 ) <f00fbugNO@SPAMpostREMOVETHISman.at> on Saturday November 08, 2003 @06:15PM (#7425791)
    Speaking about the "cash bounties" campaign Microsoft is offering:

    The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.

    The campaign reveals just how much extra cash Microsoft has lying around and is willing to put up to make the buying public think it gives two shits about security.

    • The campaign reveals just how much extra cash Microsoft has lying around and is willing to put up to make the buying public think it gives two shits about security.

      I know how much cash Micros~1 has on hand, and what they did to the industry, their competitors, and their customers to get it. Before I would even think about lifting a finger to help that company, they would have to increase their bounty by at least two orders of magnitude, minimum.

      Schwab

  • by Detritus ( 11846 ) on Saturday November 08, 2003 @06:16PM (#7425799) Homepage
    The article says that Microsoft need to put a priority on customer satisfaction. Is that really possible? Over the years, my experience with Microsoft is that they pride themselves on being a "take no prisoners" and "shoot the wounded" type of company, always looking forward to the next challenge, never taking time to fix and support older products. When I once asked when some severe bugs were going to be fixed in one of their current compilers, I was told that they were never going to be fixed, the programmers had already been reassigned to the next big project. From a bottom line point of view, it made sense, but it showed a total disregard for their customers.
    • always looking forward to the next challenge, never taking time to fix and support older products.

      Well, Microsoft has supported NT4 for 7 years, compare that to Linux distributions...

      They make choices regarding what they fix, they won't release a patch for a small issue which doesn't affect many people, but all real problems are addressed usually.
    • Is it just Microsoft? I got virtually the same answer from AT&T: Me: "We've built software for our customer designed around a standard Unix IOCTL that's documented in the manual for the Unix box you sold us and it doesn't work." AT&T (after about an hour of automated phone system navigation.) "We're aware of the problem, and we have no plans to fix it. Ever." Novell was simularly arrogent: Me: "I've found a bug in your software, and I'd like to report it." Novell: "We charge $200/hour for consulting
  • by 192939495969798999 ( 58312 ) <info AT devinmoore DOT com> on Saturday November 08, 2003 @06:23PM (#7425828) Homepage Journal
    I see the bounties as a cheap way to fix the security bugs... microsoft offers $500,000 for someone to find the author of the bug, then M$ gets them in a contract to either fix their software or go to jail... NICE!
  • by Anonymous Coward on Saturday November 08, 2003 @06:23PM (#7425831)
    If Microsoft were really serious, they would pay the bounties to people who find their flaws.
    • Or how about Fix flaws when identified... Theres flaws in IE that will never be fixed. Why offer a bounty when you have no intention of fixing what is pointed out. Right now thier interests are In Security and anything else that is going to lose them money
  • This is great (Score:2, Interesting)

    by Ann Elk ( 668880 )
    IMHO, this is a Good Thing (tm). If security issues start affecting the MS bottom line, then they will start taking security seriously. Microsoft is not evil, they're just greedy. Hit them in the bank account, and they will notice. Losing a few $100 million in random lawsuits is not a big deal to MS. Losing desktop market share (especially in the home market) is a huge deal.
  • It's only fair (Score:5, Insightful)

    by serutan ( 259622 ) <snoopdougNO@SPAMgeekazon.com> on Saturday November 08, 2003 @06:25PM (#7425840) Homepage
    The impact on Microsoft's bottom line only reflects the impact on their customers' bottom lines. Well crafted EULAs may exempt MS from liability, but they can't exempt themselves from a deservedly bad rep created by poor security in their software.

    If the wind blows right, sometimes shit does roll uphill.
  • Solution (Score:3, Funny)

    by Stile 65 ( 722451 ) on Saturday November 08, 2003 @06:27PM (#7425847) Homepage Journal
    If Microsoft buys Symantec, they can create a "real options" type scenario.

    Microsoft creates insecure software. Microsoft-owned Symantec secures networks which runs insecure Microsoft software. End result: PROFIT!

    Too bad the anti-trust laws would probably break the whole deal up.
  • 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'

    Now, I heard about Red Hat stopping selling it's consumer version OS. I haven't heard about MS dropping any products. So, how are these flaws being "translated"? A $1/2 million bounty? Big fucking deal. That's peanuts. They spend more than that on toilet paper every year.
    • Well, if you *ahem* read the article *ahem*, you'd realize that the reason they're taking such measures is because they're actually losing deals because of security -- customers spending more money on patch management and like infrastructure and not having money left to spend on shiny new MS products are the same customers who are liable to decide that they get more bang for their IT dollar going with IBM.
  • by rice_burners_suck ( 243660 ) on Saturday November 08, 2003 @06:29PM (#7425856)
    Hey billg, all I can say is, "Told you so!" Well, I haven't actually told you that personally, but for quite a few years, I've talked to many people who use your products, and we've all agreed that your security issues will eventually cause serious damage to your company.

    (In this post, I am going to describe two or three reasons that I believe Microsoft will soon become a regular industry player, and will no longer rule at the top.)

    Think that putting a bounty on virus writers is going to solve the problem? That's the trouble with you, billg, you think you can buy your way out of all your problems. Heck, if I had as much money as you, I could buy my way out of anything, too. The only trouble is that your mighty empire is slipping through your fingers, and because of what I'm about to say, you cannot fix it, no matter what you do.

    Many companies have realized that using free software, and contributing to that software, both in fixes and in features, provides many advantages, such as independance from a vendor. If you think about it, suppose you get a contractor to add a room to your house and he does a crappy job. You could fire him and get someone else to do it. But when you use proprietary Microsoft programs, there is nobody but Microsoft that can fix them. While this may not have been an issue over the past 20 years or so, this is becoming a very critical issue.

    Not only does the proprietary status of your software prevent others from finding and fixing its problems before they cost billions, but you continue to do everything in your power to isolate your software from anything else out there. Other companies want their software to interoperate with the competition, but you just want to embrace and extend. Why do you do that? If your software is so good, why can't you make it friendlier with your competitors' stuff? I know the answer: It's because you're insecure. You know that perhaps the biggest thing that kept people using your software was the fact that they were locked in to it and were forced to upgrade repeatedly.

    By doing what I just described, you tightened your fist as much as you could on this software, but now governments, corporations, and individual users are beginning to look elsewhere in significant numbers. This is the beginning of the end of your monopoly. Soon, you will no longer rule at the top, but will be just another player in an industry. I'm sure it was fun while it lasted, though.

  • by Futurepower(R) ( 558542 ) on Saturday November 08, 2003 @06:31PM (#7425867) Homepage

    From the Slashdot story: "Apparently Microsoft has bounties out on virus writers."

    Offering a bounty is no substitute for providing secure software. Maybe the OpenBSD [openbsd.org] team would help teach Microsoft how. Or, is someone in the U.S. government interested in having security vulnerabilities in the software everyone uses? There are just too many; is Microsoft really that sloppy?

    Who was using Microsoft security vulnerabilities before they became public knowledge?

    OpenBSD's motto: "Only one remote hole in the default install, in more than 7 years!"

    Microsoft's motto: "Extremely serious flaws that allow an attacker complete control, every week."

    Something is fishy about this. It is not that difficult to write secure software. If the extremely well-funded OpenBSD team can do it, the poor Microsoft people should be able to do it, too. ... Oh, wait...
  • Rewards (Score:3, Insightful)

    by TomDLux ( 28486 ) on Saturday November 08, 2003 @06:32PM (#7425873)
    Rewards are a lot cheaper than devoting facilities to developing secure code.
  • This is just a mere marketing scheme. $250,000 with strings attached! They couldn't have bought this much "good, warm & fuzzy" press with a quarter-mill. I can just imagine Sheriff Bill saying, "Round up the usual suspects and IF we can prosecute, I'll dish out the cash." The real reason for the announcement was/is to put the townspeople at ease -- without Microsoft actually have to DO anything about their flawed OS.

    Newt-dog


  • My name is Boba Fett. I do thy bidding....

    just don't forget to let me use those damn cool carbonite freezer to chill 'em virus writers.
  • by ShatteredDream ( 636520 ) on Saturday November 08, 2003 @06:37PM (#7425890) Homepage
    Why don't they just go ahead and have a clean, reimplementation of Windows started while they work on Longhorn? By the time they have Longhorn out a clean reimplementation could be at least ready as an Alpha or maybe a Beta.
    • by Pompatus ( 642396 ) on Saturday November 08, 2003 @06:53PM (#7425958) Journal
      Why don't they just go ahead and have a clean, reimplementation of Windows started while they work on Longhorn?

      2 reasons. First, support for legacy apps has to be included in any new OS Microsoft developes. Second, imagine how long that would take to complete. It took what, 5 or 6 years, for the NT kernel to be able to reliably run 95/98/ME apps. Imagine the press release, "Longhorn to arrive in 2009".

      Starting over would render close to a decade of work worthless. That kind of suggestion is hard to justify.
    • My first rule of software design: "Anything backwards compatible with a kluge is, by definition, a kluge." A secure reimplementation of Windows would, by necessity, break most existing software. Microsoft developers are not stupid; they have many top-notch technical people. Unfortunately they are hindered by their legacy architecture, and product design driven by Marketing, not Engineering. I beleive most of the security holes can be traced to product misfeatures, not programming bugs.
    • It is not the MS way or to be honest the linux way. Apple did it a couple of times. It allowes them to move on and leave all the ancient legacy crap behind but it costs them. Why? People hate not being able to run their old apps anymore or use their old hardware.

      The famous MS instability is often a fault of the insane amount of crappy obsolete hardware that is still attached to machines. I recently heard someone bitch on how none of the P4 boards had an ISA slot for his modem and now he had to upgrade and

  • Governments and big corporations are starting to realize that the cost of using Microsoft includes:

    • Windows licensing fees
    • Third-party firewall software
    • Third-party antivirus software
    • Salaries for IT personnell competent to put out constant security fires and keep on top of each new security hole and workaround <wry grin>

    Linux isn't free of security holes, but it has considerably fewer because the underlying design isn't nearly as permissive to start with. Further, the open source model means tha

  • by smartin ( 942 ) on Saturday November 08, 2003 @06:53PM (#7425963)
    Microsoft is smart enough to use their security flaws as the reason to grab total control of your machine. Palladium (or what ever they are currently calling it) means that they will establish a secure layer between the o/s and the hardware and in doing so, allow the o/s to enforce absolute control.

    What this means is
    • no virsus (theoretically)
    • no unregistered/unauthorized software or drivers.
    • elimination of cracked software.
    • elimination of unathorized files (read mp3, mpg, avi) in the name of DRM.

    It's a great thing for them, it's a great thing for the RIAA, it's a great thing for the MPAA (sp?). It's a shit lousy thing for you. But they are going to give you a secure platform. Makes you wonder if they couldn't have planned things any better.
    • and i will be laughing my ass off when someone creates a palladium worm that not only infects EVERY palladium machine connected to the internet, but is able to mess with the encryption so that nothing can be accessed on any of those machines. Imagine a virus that operates on a layer below software and uses network interfaces that slip under both software firewalls and security monitoring. Palladium's release will usher in a Golden Age of unstoppable virii and virus writers identities cloaked by the same tec
  • Even if your'e a strict creationist you should learn darwins principles, it will prevent you from making mistakes like Microsofts. So Microsoft is now offering bounties against Virus writers. The death penalty doesn't stop murderers. Jail time doesn't stop criminals. What this will do is setup a fund that will be consumed by stupid people, and it will leave the more dangerous to do their damage. As long as the motivations to write viruses are in place blunt tactics like Microsofts will just escalate the pr
  • by iantri ( 687643 ) <iantri@gmxSTRAW.net minus berry> on Saturday November 08, 2003 @07:20PM (#7426076) Homepage
    Security must be a joke to Microsoft. I recently had to do two fresh installs of Win2K+SP3 from behind a dial-up connection.

    With the first machine, I connected to the Internet and was infected with Welchia about 24 minutes later.

    With the second machine, it was FIVE MINUTES.

    In neither case did I even have enough time to get the latest patches (over 25mb of standalone patches + IE SP1 + SP4) before I was infected with a virus.

    It's just plain ridiculous -- What happens when Joe Average User connects his computer he just bought from a local computer store (who I doubt would have installed the patches on every machine going out the door)? How is he supposed to know what to do?

  • by bfields ( 66644 ) on Saturday November 08, 2003 @07:26PM (#7426105) Homepage

    Wouldn't they be better off spending that $250,000 on another programmer-year or two of code audits?

    This whole business with bounties for virus writers is just an attempt at misdirection: draw the public's attention to the people writing the viruses instead and away from the fundamental flaws they're exploiting.

    It's important that the public realize that the security holes exploited by the virus writers are also exploited in less public and more nefarious ways.

    --Bruce Fields

  • Now if only they would put out some contracts on the big spammers, maybe we could all have some peace in our inboxes :) I think $1M per head (with or without the rest of the spammer!) should suffice...
  • So when will someone put up a $250,000 for a judge /jury who will convict Microsoft for their irresonsibility and gross negligence in propagating non permissions-based filesystems across the entire network and creating the only software ecosystem in which viruses can exist and flourish? The rise of Microsoft is the apparently the concomitant with the death of personal responsibility. Not trying to flame here folks, just an opinion formed from a life lived on Unix/Linux/Irix/BSD/OSX systems and never havin
  • by Jah-Wren Ryel ( 80510 ) on Saturday November 08, 2003 @07:47PM (#7426226)
    All you guys celebrating this release and thinking it marks the begining the end of for Microsoft have got your head in the clouds.

    There is no way MS would publish this information unless doing so is in their interest. They could had have played the same old games with accountants and auditing, etc, etc to hide this information if they had wanted to.

    But no, they pretty much came right out with it and most of you have been taken hook, line and sinker. All this is not about any real pain that MS is feeling. No, it is about providing another justification for Palladium aka NGSCB "enscub" aka Next Generation Secure Computing Base.

    MS can now point to how a lack of security is hurting their bottom line so whater bogus Palladium schemes they come up with to sell as increasing security (rather than just stealing control of your computer and divvying it up between MS, the MPAA and the RIAA) so of course Palladium will really provide better, more secure system becaue MS's ass is on the line too, see it if even says so in their SEC filings!
  • by jonwil ( 467024 ) on Saturday November 08, 2003 @08:49PM (#7426465)
    there wouldnt be anywhere near as many virii and worms and crap about.

    The design of windows means that it is insecure.

    A really great way to make windows more secure:
    Make it so that by default, windows is installed with an administrator (who you cant actually login to from the login prompt without extra effort) and 1 or more "regular users".
    a "regular user" basicly has access to all normal stuff (i.e. anything thats not a risk to the system) but if they want to do something thats "risky" (e.g. if they or something they are running wants to add something to "load this at startup") they need to enter the Administrator password first. If they dont, the action is denied (for example, windows returns a "cant open file for writing error" or a "cant write registry key error" or whatever as appropriate.

    Some things that should be "restricted":
    1.putting any file in c:\windows\system or its sub-folders (such as c:\windows\system\drivers). Also modifying, deleting, changing etc those same files.
    2.adding a program to the "this program starts at startup" list (this would also cover drivers, services etc)
    3.modifying key Windows Sockets settings (for example, like how some Spyware inserts itself into those places to hook winsock)
    4.perhaps there are other key settings that could be blocked (for example, access to certain control panels or changing the display settings or whatever)
    and 5.there should be a way for someone (with the administrator password) to specificly add extra things to the "block list" (e.g. someone could show settings as to how to stop spyware crap from changing the homepage of M$IE)

    Some benifits:
    1.Viruses, Worms, Trojan Horses and other crap wouldnt be able to just "silently" install themselves (since it would say "c:\documents\your settings\temp\abc123.tmp.pif wants to write to c:\windows\system\dontdeletethisorwindowswontwork. exe. If you want to allow this, type in the administrator password"

    2.Spyware (e.g. Gator, New.Net etc) wouldnt be able to install without specific authorization (for example it would say "c:\downloaded files\newnetinstaller.exe wants to modify winsock settings and install its own custom crap. If you want to allow this, type in the administrator password"

    3.On shared computers (e.g. family PCs or kids PCs), the parents could be the only ones that know the administrator password (and therefore prevent the kids from changing the settings)

    4.On computers e.g. work machines or machines in labs at schools, the sysadmin would be the only one that knows the administrator password and therefore e.g. you dont get people installing kazza or whatever.

    Thats not to say that my system would prevent installing new software, it would only prevent it if:
    1.the new software wants to modify important windows settings.
    2.you dont have the administrator password.
    and 3.when the install program gets the error back from windows "cant open file" or whatever, the install will fail in a way that makes the program unusable.

    Basicly, this would be a benifit since:
    1.if some program wants to do something behind your back (e.g. virus or spyware), you can be notified and more importantly block it.
    and 2.you can be sure that the users of your machine arent installing anything that messes with the settings or messing with them themselves.

    Some might say it would cause problems but I dont believe so.
    For example, if a kid brings home a new game from school (that he has "borrowed" off a mate or more likely these days gotten that mate to burn him a copy of) and wants to install it, the kid puts the disk in and runs the installer. Then, if it needs to install system things (for example, new DirectX), the box asking for the password will come up and the kid will have to wait for the parents to give the OK before it can be run.

    Another benifit is that if the user has to enter the password, its likely that (unless they are so cluless that they think that the "any" key is the
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Saturday November 08, 2003 @10:31PM (#7426800)
    Comment removed based on user account deletion
  • by ducomputergeek ( 595742 ) on Saturday November 08, 2003 @11:49PM (#7427077)
    I am a tech consultant and we had a client that ran a number of kiosk based advertising and application specific content. He had one competitor in the area with a slightly different product that did basically the same thing. Both ran Kiosk software ontop of Windows 2000 pro. Last spring we switched our client from windows 2000 to the linux based firecastOS since 90% of his special content was written in Flash and Java.

    Well this past spring and summer, he said he saw a drop in service calls by an amazing 85%. Those remaining calls were either hardware or the three windows boxes he had to maintain because of that customer demanded it, they owned the kiosks, he just provided service so he was making money on the service call.

    When the "Work of the Week" started, the other guy lost at least 30 customers that switch to using our client because they were getting complaints from their ISP that their boxes were being used in DDOS attacks from the competitor's product. In last week business journal, our client's competitor has filed for chapter 11.

    Now, chances are they were having cash flow problems, the manufacture of their product is also having problems, however I know that our client has been able to undercut his competor by 20% in price because and he is still reporting increased profits of 10% after slashing prices. That's how much his TCO has lowered on service calls in the last nine months.

    I know in our consultancy that using Apples with OS X have lowered our costs and increased productivy over Windows dispite their higher initial cost. Why? most of our units are about 4 - 5 years old and are now in use by administrative staff and going stong. That, and we make about $400 a week from the company on the second and fifth floors for fixing their computers.

  • Home computer hit (Score:4, Interesting)

    by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Sunday November 09, 2003 @04:27AM (#7427836) Journal
    My home computer, used by my 4 year old for educational games and web sites and by my non-technical wife to check email, look at her personalized MyYahoo page, and other surfing runs Windows XP Home. All patches in place, the family all have their own accounts with reduced privileges (no passwords and we have fast user switching enabled, but Daddy is the Administrator account) and the system is sitting behind a Toshiba Magnia SG20 (running a modified Redhat 7.3) firewall/router. I didn't get anti-virus software, though.

    For an email client my wife uses Outlook Express and has a Hotmail account. She gets very little mail and almost no spam -- maybe one a month and it goes to the Junk Mail folder (my Hotmail account fills with email worm infection attempts every 2 to 3 hours, which is the price I pay for redirecting all incoming mail to "slashdot@rjamestaylor.com" to my Hotmail account. I figured if a worm went through Hotmail it would be checked for viruses. Unfortunately, that is true ONLY if you are using the Web Client to attempt to download an attachment. If you use OE, they don't bother to check the attachments.

    Earlier this week my wife told me the computer is running really slow. I told her to press Ctrl-Shift-Esc to bring up the Windows Task Manager and she replied "something popped up but went away." I told her not to hit Esc twice (my assumption being that she had). She tried it again -- "nothing happened this time." Crap I thought - we've got Klez, or some other virus that kills WTM and other attempts someone may use to discover/remove it.

    Turns out she received a spam that had Kelz and also used the iframe expoit -- and when the email was displayed in the Preview folder, *splat*, Agent Smith began infecting our machine's programs.

    So, on my weekend I get to disinfect my home computer because I failed to install an Anti-Virus program. But really, I was let down by Microsoft 3 times:

    1. Windows is architected for ease of development and not security in the Internet{worked} Age
    2. Windows XP Home, which required a huge series of patches to be installed upon initial installation (I bought the full version for my OS-less homebuilt PC), yet did not have anything to stop Klez. (In fact, this is puzzling -- I thought a patch fized the iFrame exploit...and my system was and is fully pached. ???)
    3. MSN Hotmail doesn't check attachments as they arrive, only when yoy request the emal for download in the Web client. But OE is made to interface directly with Hotmail!
    I am in the process of downloading Lycoris. Maybe Lindows. Probably WineX and Cross-over plugins, too. (Yes, I'll pay.) I'm going to test those two distributions on my wife and son. If either pass the test, that will be our OS at home on the desktop. I may try SuSE and Mandrake, but I like Lycoris/Lindows' "KISS & MAKEUP" (Keep It Simple Stupid and Make it Act Kinda Equivelent to Understood Patterns).
  • by Mr.Spaz ( 468833 ) on Sunday November 09, 2003 @10:18AM (#7428624)
    There's been a lot of MS bashing in this thread; some justified and most just pure bile. A lot of people have pointed out that Linux systems are not vulnerable in the same manner that MS systems are, and that it's all due to bad code design and terrible programmers who steamrolled security in the name of features.

    I think in many of the arguments here, a critical fact has been overlooked. Users of MS products generally want the features that allow for the problems we've seen in the past to crop up. The average user wants automation; they don't want to configure software, or have to understand how the system does what it does, they (here it comes) just want it to work. It's this attitude that has fueled MS' design process; they build software that the end user can turn on and have "just work." No fiddling, no .conf files, no having to know things like DNS servers or what display adapters work in X and all them "whatchamacallits."

    I think that if similar products existed in a Linux environment, we'd still be seeing a lot of the same problems, simply because the level of automation required to satisfy the typical user is inherently insecure. I am willing to concede that a suite of applications built on Linux could be more secure, and that Microsoft definitely has a problem in that the flaws in their system are very deep, however: I can recall a number of occasions where I've seen articles here on Slashdot that announce "security hole in (whatever) allows root access! Come get your patches...." If Linux held sway in the desktop world, why would we expect the typical user to be any more willing or able to patch their OS than if they were using MS systems? Granted, there's fewer holes, but they're still there. If typical user never patches their default OS install, then why shouldn't we expect mass root exploits?

    Don't get me wrong; I'm not wholeheartedly defending MS. They could have done things better, but I'm not ready to jump on the "Linux is more secure" bandwagon. I firmly believe that if similar applications had been developed for Linux to meet the same demands that MS has answered, we'd still be seeing problems.

news: gotcha

Working...