Microsoft Delays Stirling Security Suite

An anonymous reader writes "Microsoft's long-awaited integrated security suite, codenamed Stirling, has been delayed by months and will now not be available until the fourth quarter 2009. According to Microsoft, the delay is due to the further development of the firm's behaviour based technology, the Dynamic Signature Service, 'to help deliver more comprehensive endpoint protection for zero-day attacks,' and efforts to add interoperability with third-party solutions, as per customer requests. When completed, the suite will combine a number of tools, such as the ISA Server and multiple Forefront products."

In other words

[NaCh0]

It doesn't work yet.

There is so much legacy cruft in Windows I doubt it will ever be secure. MS has too many conflicting priorities.

Re:In other words

[saleenS281]

No, in other words they've got so much extra work to make sure they don't violate anti-trust they've had to go back to the drawing board 30 times to satisfy symantec, mcafee, etc.

Because hey, it's horrible that I have to buy anti-virus software, but it's even worse if MS gives me something to replace third-party for free!

Re:

[Capt James McCarthy]

Where do you get "free" from? You are paying for it.

Re:

[saleenS281]

Refer to previous anti-trust comment...

Re:

[Cube Steak]

I think he's pointing out the fact that Microsoft Forefront isn't free it's something you have to buy.

Re:

[saleenS281]

I think you're both missing the point that it isn't free because of anti-trust law. I didn't realize I was going to have to spell it out.

Re:

[Cube Steak]

I think you're both missing the point that it isn't free because of anti-trust law.I didn't realize I was going to have to spell it out.

No, I'm not missing any point at all. You're just making something up without any evidence your statement up with. This is an enterprise-level tool and they aren't going to make such a thing and give it away for free. This is no different than for any other enterprise tool that they sell.

Re:

[FaxeTheCat]

ISA server was never free, and will be part of the suite, so spelling it out really does not help you at all.

Re:

[causality]

I think you're both missing the point that it isn't free because of anti-trust law. I didn't realize I was going to have to spell it out.

In my opinion this entire thread misses the point because plenty of operating systems manage to maintain security without any sort of anti-virus or anti-spyware scanner. Those things are forms of damage control and are not actually security at all. With Windows they are used as a substitute for a proper security system because they are much better than nothing. That is, real security is about prevention; damage control is about detection and removal.

So how about if Microsoft makes the OS itself inhere

Re:

[cayenne8]

"So how about if Microsoft makes the OS itself inherently more secure? If they made something comparable to the Unix security system (even if its mechanisms are quite different) then you would not need all of these scanners to double-check every last action taken or file opened or e-mail viewed etc."

THANK YOU!

Geez, I was on one project where we were on windows that was locked down pretty badly....trying to do some dev work...and McShield was on scanning every fscking thing or file you'd touch...got ridic

Re:

[ivucica]

I'm an active Debian user on desktop, so I think I am pretty unbiased when I put these few things out:

• NTFS provides pretty neat ACLs, and Windows Exploder provides a nice way to configure sharing/security. Much more detailed than three octal digits specifying R-W-E. (More confusing, too, but if someone needs it...)
• People going through with the default of running their desktops as administrators is not Microsoft's fault.
• Third party developers requiring users administrative privileges to install any kind of s

Comment removed

[account_deleted]

Comment removed based on user account deletion

Actually The Problem Is Dancing Bears

[EXTomar]

The actual problem is that Windows is a "dancing bear" ala "The Inmates Are Running the Asylum". The real problem is Windows is the bear and it shuffles around never really dancing well at all but people are amazed by its activities instead of questioning the entire endeavor in the first place. Asking the users to make sound decisions about permissions and other settings given way Windows works is like asking people at the circle to critique the dancing bear.

Stop blaming the user. Users of other electron

Re:

[Your.Master]

The only possible way to account for the user's actions is to set up what amounts to a very strict DRM scheme where the entire system is controlled by one party (Microsoft, or perhaps some blesséd parter of Microsoft) and the licenses to let other users install this software are doled out with barriers to entry so high that typical users cannot cross them on their own. This strictly-controlled system is why video game consoles, or DVD players, etc., rarely get infected.

Other than that, for all of your

Re:

[zx-15]

WRONG. He STILL managed to completely bone the system to beyond bootability in less than a week. How? Because he didn't like getting software through the package manager so he typed in "Linux Software" into Google and downloaded a bunch of stuff off Freshmeat and ended up in dependency hell. So now I just keep him in a locked down XP account and clean it out a couple of times a year when he fills it with malware.

The difference between dancing bunnies and installing software from freshmeat is that people

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[zx-15]

This doesn't answer question about simple worms that could infect machine that is just on the internet, without any actions on the part of the user. Still, in your example everything that goes under user account should not completely hose the machine, just the user account.

The major difference between java script and activeX is that javascript runs in a sandboxed environment and activeX is integrated deep into the system, so in an ideal world compromised javascript might kill your browser session but compro

Re:

[Joe U]

So how about if Microsoft makes the OS itself inherently more secure? If they made something comparable to the Unix security system (even if its mechanisms are quite different) then you would not need all of these scanners to double-check every last action taken or file opened or e-mail viewed etc. That would neatly avoid any anti-trust issues that might be raised by the likes of McAfee or Symantec and would be a significant performance boost as well. Of course such cottage industries may complain for a different reason, in that a more secure Windows could put them out of business, but if they really are obsolete then this is what should happen.

Like forcing the users to run under limited accounts and then prompting them when they need elevated privileges http://en.wikipedia.org/wiki/User_Account_Control [wikipedia.org]. Or locking down the kernel http://www.toptechnews.com/news/Vista-Security-Still-Issue-for-McAfee-/story.xhtml?story_id=11300C1NIA8R [toptechnews.com]

Good ideas, might get some complaints though.

Re:

[vistapwns]

I love posters like you. They always allude to the fabled 'lack of a secure system in windows' without any proof or idea of what they are talking about. Windows Vista supports ACLs, MACs (for sandboxed applications like IE), ASLR, DEP, pointer encryption, heap and stack protection (cannary values to detect corruption), exception handling white list, user accounts that are 'security boundaries' (look it up on wikipedia or google), site zoning in IE so untrusted sites can't launch browser plug-ins, a firewal

Re:

[ericrost]

Ahhhhhhhhhh.... Stroturf!

Re:

[vistapwns]

A one word rebuttal? LOL. Guess you don't want to overwork that tiny brain of yours. And it's the same tired crap that always gets trotted out when the open sores and crapple cultists run out of arguments...

Re:

[LordLimecat]

Im not clear on which of his points you were so eloquently refuting. Last time I checked, many desktop linux distros lacked at least some of those features, so whatever massive flaws vista had, Im not sure security was one of them.
Binaries are binaries, and stupid users running them from untrusted sources will screw up just about any OS so long as tools are able to do the sorts of things 'dd', 'rm', and 'sh' can.
His comment may have come off as slightly fanboyish, but thats probably because this is sla

Re:

[ericrost]

You must be new here.

Re:

[Chyeld]

It was unlikely to have been released for free, period. The target audience for Stirling wasn't one which thrived on 'free' products.

And to clarify for you and those who either haven't quite caught onto the history of Microsoft or have forgotten it, the reason Microsoft isn't suppose to release products bundled with Windows (as opposed to a free product you can go online to download) is only peripherally tied to anti-trust law.

Specifically, Microsoft got caught blatantly abusing their monopoly of Windows to

Re:

[Runaway1956]

Actually - my operating system offers an anti-virus package with the installation media that is pretty damned reliable, gratis as well as libre. Starting with a decent security model, and reliably enforced security policies, and ending with an anti-virus software, which I never even use. When Microsoft can offer all of that, I may consider paying a couple hundred dollars for their operating system. Oh - wait - uhhh - why would I want to pay MS for what I already have at no cost? Ooops, I think I had a bl

Re:In other words

[CarpetShark]

they've got so much work to do to make sure they don't violate anti-trust

Yeah, right, because they've always worked so diligently on that.

it's even worse if MS gives me something to replace third-party for free!

You have that backwards, bub. Third-party was charging to cover microsoft's glaring omissions.

Re:

[MMInterface]

Yeah, right, because they've always worked so diligently on that.

They have always worked diligently on making money, so if breaking anti-trust is going to be less profitable in a given situation, then it is no stretch to suggest that they are trying to avoid it in that case.

They did back down on the Vista security plans because of antitrust threats from 3rd parties. MS doesn't want to get sued, especially in cases where it thinks it might loose, so yes they spend a lot of time making changes so they don't get caught violating anti-trust law. Nobody said they were doin

Re:

[CarpetShark]

They have always worked diligently on making money,

This I have seen.

then it is no stretch to suggest that they are trying to avoid it

This I have not seen.

Both statements are true and not mutually exclusive.

On a most basic level, yes. On a more conceptual and ethical level, you cannot give as a gift something that was already owed.

Reading between the lines

[mangu]

"efforts to add interoperability with third party solutions, as per customer requests"

Is this spelled "DRM"?

Re:

[purpledinoz]

Good thing, because that'll just be another thing Microsoft has to patch every month.

Or maybe...

[roc97007]

They found a virus on the CD and have to reprint.

Priorities!

[grub]

Perhaps they realized that a good code audit and general cleanup would eliminate the need for much of the bolt-on "Stirling".

Re:

[MarkRose]

But what about all the existing Serevers out there?

Re:

[causality]

Perhaps they realized that a good code audit and general cleanup would eliminate the need for much of the bolt-on "Stirling".

I notice that many of the Windows vulerabilities are buffer overflows. Aren't there automated tools and other procedures that can be used to locate and fix such flaws? Couldn't these tools, plus some auditing, enable Microsoft to produce a Windows codebase that has no buffer overflows? I know it's basically impossible to prove that a piece of code has no bugs but isn't it possible to prove that it has no buffer overflows? If so, wouldn't that alone go a long way towards a more secure Windows?

I hope m

OneCare for Business?

[KBlommel]

It looks like this is Microsoft's security suite for the business/enterprise environment, much like their OneCare is for the consumer market.

I'd be careful buying any security software from Microsoft, not only because of their "track record" when it comes to security, but because it's not their main focus. When you've got such big priorities as Windows, Office, xBox, ect, you can't expect them to produce and support a security suite very well.

They need to learn to leave the security products to those companies who specialize in it. They're the ones who do it day in and day out, and they're the ones who you can trust in an enterprise environment.

Re:

[Anonymous Coward]

it's not their main focus. When you've got such big priorities as Windows

This is nonsense! They make an OS so security is their business.

MS need to secure their software, and all these bottom feeds like Mcafee and Symantec need to die.

Re:

[topham]

Their track record for security products is the strewn ruins of product after product.

Re:

[dave420]

Microsoft is not a company of 15 guys in a small office, fyi. :) I think they have more than enough resources to properly focus on security.

Re:

[UnknowingFool]

I think they have more than enough resources to properly focus on security.

It's not a question of resources. It's a matter of focus. Microsoft these days is very unfocused about they need to do. Their forays into areas other than operating systems and office productivity software have been less than successful. Even in the case of the Xbox, while it enjoys popularity as a game console, MS paid for that popularity with $7 billion in debt as the division has only been profitable in the last several quarte

Re:

[Etrias]

It looks like this is Microsoft's security suite for the business/enterprise environment, much like their OneCare is for the consumer market.

Yes, and we know how OneCare was SO successful...

An interesting question would be what Microsoft considers zero-day security flaws. Ones that are recognized by industry leaders, or ones that Microsoft magically declares zero-day the day after they rolled out the patch to fix it.

Re:

[BitZtream]

It doesn't matter how well written Microsoft makes their product, if its popular it will be exploited and bypassed. Just like every other protection package out there regardless of who its from.

This is one of the few cases where security though obscurity is a good thing. Not obscurity in the sense that its hard to figure out whats going on, but in the sense that if there are 10 different relatively equally used packages out there, it makes it 10 times harder than attacking one package, assuming that each

Re:

[x2A]

Dude... you forgot the '<a'... there was a '<a' first, it looked like this:

<a href="http://www.telegraph.co.uk/scienceandtechnology/technology/technologynews/5105

*reminisces*

The Big Switch

[XaviorPenguin]

Since their defunct [zdnet.com] Microsoft Live OneCare is leaving in June of 2009, this Stirling is replacing it. It kind of makes one wonder if this will fail just like OneCare did.

Re:

[westlake]

It kind of makes one wonder if this will fail just like OneCare did.

OneCare was a paid subscription service for the consumer market. To be replaced by a free - lightweight - solution code-named Morro. [live.com]

It's likely your ISP already offers something similar to its residential customers. There just isn't any money to be made here.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Windows virus devastates millions of idiots

[David Gerard]

A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough [today.com] to still think Windows is not ridiculously and unfixably insecure by design.

Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."

Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. "Don't they trust us?" asked marketing marketer Steve Ballmer.

Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.

"It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."

"Yes," said Phagge. "Yes, they do."

Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.

Re:

[David Gerard]

Frankly I'm just fucking sick of dealing with people's fucked-up Winders boxes. "NO. You get UBUNTU. Because you won't FUCK IT UP." Kubuntu 8.04 with all the restricted extras is pretty much ideal - it's stable, it gets security updates, it's KDE 3 so it looks and works just like XP.

Re:

[le_sean_moon]

If you give them the ability to install anything, guaranteed they'll break it. Especially when they start googling to find out how to get device X or program Y to work, and then follow a 4 year old tutorial and issue a ton of superuser commands, the last of which finally breaks their grub and then they just install windows over ubuntu again

Delaying?

[gmuslera]

How much could take to Microsoft to relabel an Ubuntu install CD?

Re:

[David Gerard]

http://mslinux.org/ [mslinux.org]

Re:

[icannotthinkofaname]

And guess what - modify KDE a little, and this would be exactly what you get.

As an April Fools' joke, I left live CDs running Kubuntu 8.04.2 live sessions in school computers. I had to leave immediately after, but according to a friend of mine, all people noticed was that there was no flash player installed. Other than that, no one was really lost at all.

This was at a community college that is 100% Windows XP machines.

Replace some of the images in KDE with the MSWindows equivalents (like, for example, rep

Re:

[owlstead]

BIOS open and/or closures not locked down -> shoot admin.

Re:

[anjilslaire]

Maybe if they did that, they could save budget to retain their employees, rather than shutting them out the door during the worst economy of the last 60 years. They have the cash, and are just going to rehire 1000s more when the economy picks up in a year or two... That way they could actually finish their projects, maybe.

see Stirling in action

[viralMeme]

'See "Stirling [microsoft.com]" in action'

I can't cause I don't have Silverlight installed and am using Chrome [google.co.uk], so I most probably don't need it ..

Here we go again...

[hyades1]

Why do I get the feeling that using this is going to be like half killing yourself with a steady intake of chemotherapy drugs just because some day you might get cancer?

Re:

[anjilslaire]

I used to go through computing life like that when I had Norton installed on my Windows 2000 pro system back in 2001. I don't know about now, but Norton was a nightmare back in the day about using up all the system resources to the point that your box was too slow under the weight of the AV suite get anything done, including getting infected. Been on Linux since 2006 at home, haven't looked back.

Re:

[hyades1]

I think you're completely right. When this XP Pro installation finally croaks, I'm moving to Linux.

I know exactly what you mean about Norton, too. Scrubbing it out of XP after it let me get infected was more of a pain than getting rid of the damned virus. Between a firewall and a weekly scan with Avast, I've never had another problem in two+ years.

Re:

[drachenstern]

Just so you're aware, Norton hasn't REALLY changed their game lately, but they have begun to suck less. If you can hear a little more clearly lately when you go outside, that was it. If not, well, consider yourself lucky you're not close enough to hear it constantly.

Still drags a box down though...

Its what they get for the layoffs

[anjilslaire]

Maybe if they didn't cut the 1400 employees and thousands of vendors the last couple of months they'd be able to have the staffing to actually finish this security suite on time. I imagine the other 3600 will fall after Win7 RTMs...