
164 comments


first? (-1, Offtopic)

magamiako1 (1026318) | more than 3 years ago | (#33409032)

first?

Re:first? (-1, Offtopic)

GrumblyStuff (870046) | more than 3 years ago | (#33409040)

By all means, go ahead. I mean, it couldn't possibly be a trap.

Re:first? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33409344)

Even if it is, at least it's a CC trap.

Oh boy... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33409038)

Cue a multitude of Slashbot posts pointing out that Microsoft could never do "secure software development".

Re:Oh boy... (3, Funny)

somersault (912633) | more than 3 years ago | (#33409074)

Yeah, this is kind of like the church releasing its guidelines for picking up hookers under Creative Commons.

Re:Oh boy... (5, Insightful)

DJRumpy (1345787) | more than 3 years ago | (#33409156)

Yes and no. The MS OS is actually written with a lot of safeguards in place to make the OS more secure. Years of being attacked tends to make one a bit defensive and certainly more technically adept.

I think their problems are on multiple fronts:

Overly complex code
Lax permission requirements,
Too many admins (still default on workstation installs)
Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

MS could take a hard line, and force apps to comply with OS guidelines, but they'd be shooting their compatibility in the foot. Although I see them nudging folks in that direction, with more functions locked out by default, they have a long way to go. Instead, they bend over backwards to try to work around compatibility issues and legacy support, and as a result, leave tons of loopholes. I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

Re:Oh boy... (1, Funny)

bill_mcgonigle (4333) | more than 3 years ago | (#33409332)

I think their problems are on multiple fronts:

Or "they're not done re-inventing UNIX yet."

Re:Oh boy... (0, Flamebait)

frist (1441971) | more than 3 years ago | (#33409470)

Pretty sure you have no idea about Unix internals vs NT internals. UNIX doesn't have ACL security.

Re:Oh boy... (4, Informative)

bill_mcgonigle (4333) | more than 3 years ago | (#33409518)

UNIX doesn't have ACL security.

Take your pick: SELinux, GRSecurity, classic or new Solaris ACL's. Use a supporting filesystem with NFSv4.

You can even go MAC with SELinux if you're at a TLA or similar.

Re:Oh boy... (0)

Anonymous Coward | more than 3 years ago | (#33409524)

Unix has had ACLs for donkey's years ("Posix ACLs", though IIRC the spec was never formally rubberstamped by POSIX). Even the free unix and unix-alikes have them (linux etc.).

Nowadays, NFSv4 also has ACLs in-standard, that are more like the windows ones than the traditional unix ones. Pretty sure you learnt your unix internals from some early 80s textbook or something.

Re:Oh boy... (3, Interesting)

Anonymous Coward | more than 3 years ago | (#33409594)

Pretty sure you have no idea about Unix internals vs NT internals. UNIX doesn't have ACL security.

So, the "Unix internals vs NT internals" is resumed as UNIX not having ACL security?

Pfffff.. Yeah, looks like you know a lot more on the subject.

WRONG. Unlike windows, which only supports ONE ACL scheme which is builtin, most varieties of UNIX out there support complex ACL mechanisms through a modular design or patches. Windows ACLs are also very basic compared to the full access control provided by SELinux.

Keywords: SELinux, GRSecurity, FS extended attributes, PAM, ...

Now go back under the rock you came from.

Re:Oh boy... (3, Insightful)

lgw (121541) | more than 3 years ago | (#33409506)

Or "they're not done re-inventing UNIX yet."

Now, now, they've been reinventing VMS, not Unix, as anyone should know.

Re:Oh boy... (1)

bill_mcgonigle (4333) | more than 3 years ago | (#33409650)

Fair point. I could have used BOOT.INI;(n-1) more than once in the day.

Re:Oh boy... (0)

sznupi (719324) | more than 3 years ago | (#33409350)

So, still, the release (if it's very accurate in its description) could also act as a guideline of what not to do? ;p

Re:Oh boy... (4, Interesting)

jimicus (737525) | more than 3 years ago | (#33409396)

I think it's simpler than that.

Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot.

But far too many third party developers seem to actively go out of their way to break any security - they seem to have some sort of mental block understanding that the assumptions you make when you're designing an application which will run on a system which you can more or less guarantee will only ever have one person using it (and that person has no realistic hope of screwing it up badly simply because there's so little to screw up) simply do not work on a modern multi-user, multi-tasking networked operating system.

I've lost count of the number of applications - and these aren't crappy things you find on download.com, they're expensive commercial products that are intended to have multiple users - that explicitly expect the end-user to have local admin rights and their first support response is "Does the user have admin rights? No? Go away and come back when they do. I don't care if you can explicitly prove that this isn't the issue here...".

Re:Oh boy... (1)

gilesjuk (604902) | more than 3 years ago | (#33409552)

As Bill Gates once put it, they create software that adds new features. They don't think about bug fixes, people don't buy software for bug fixes.

So it's the same at 3rd party software companies. They add new features so people buy their software, fixing the software security model isn't something many end users would care about unless you explained what benefits that would provide.

Re:Oh boy... (-1, Troll)

RobertM1968 (951074) | more than 3 years ago | (#33409712)

I think it's simpler than that.

Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot...

...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it, locked down or otherwise, due to exploiting the numerous .NET security holes that are still not patched. In which case, your machine will possibly be still as nicely infected after your reboot.

Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

Sadly, though I may get modded troll for this, it is true. The last time (covered in June's article on .NET and Microsoft's snuck in Firefox plugin) that Microsoft promised this exploit was fixed, I boldly claimed that, just like the 6 other MAJOR attempts, and hundreds of minor attempts to fix it, Microsoft was making an incorrect statement (their marketing team was either brain dead or lying, in claiming that the vulnerabilities were fully patched forever). Sadly, there are people who still believe those statements. Sadly, there are those of us who actually check what the Windows updates are that are being installed, and have noticed numerous attempts to re-fix the same vulnerability that Microsoft previously promised was fixed. As a matter of fact, the most recent attempt was in the last two weeks, via multiple patches.

And sadly, of the infected machines that come into our shop, far more than half of them have a rootkit component that comes with the malware, and the vast majority of them get installed via the .NET exploits.

THUS, not being very familiar with the current state of SteadyState, how does it handle removing rootkits on a reboot to a previous state? If it can actually do that, (not if it CLAIMS it can do that, but if it REALLY can do that), then I will have to renew my interest in it.

Re:Oh boy... (2, Informative)

nmb3000 (741169) | more than 3 years ago | (#33409792)

...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it

A user without administrative access cannot install a rootkit.

Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly. Do you have any examples or sources to back up that claim?

Re:Oh boy... (1, Informative)

RobertM1968 (951074) | more than 3 years ago | (#33410346)

...unless a serious rootkit gets installed with whatever piece of malware infected your machine while you were using it

A user without administrative access cannot install a rootkit.

Incorrect (at least as I was discussing). The *user* doesn't have to install it, the escalated malware (via .NET or other methods) does. There are a bunch of escalation exploits available via .NET and especially its ClickOnce crapnology. But they've been fixed!!! For almost TEN years, that promise has been made repeatedly. The June announcement went way too far in claiming that all such issues were permanently and properly fixed - as opposed to the more truthful statement that they should have used, indicating that a patch for the specific exploit was released (and leaving it at that).

Sadly, .NET is still broken. The exploits still affect all versions of the OS. The exploits still don't need the user to have admin rights. The exploits still bypass security measures on a locked down machine.

It sounds like you're talking about a local privilege escalation exploit, and those are usually patched pretty quickly.

No... those are sometimes patched quickly, sometimes not (like the .NET exploit noted in June that took months to improperly patch).

If you are referring to the hotfixes they release that hope to mitigate the circumstance until a real (though usually not fully fixed - at least in the case of .NET) patch is released, well, I don't count those, since, as I noted, they generally don't really fix the hole.

Do you have any examples or sources to back up that claim?

Yeah, as I indicated, it's called "Windows Updates" - check it out sometime! You can go right into your (XP) "Add/Remove Programs" or (Vista upwards) "Programs and Features" and enable viewing of all updates, and check the last few weeks - then check the associated Microsoft pages which will tell you exactly what I posted in Microsoft's own words.

Use Google if you really want to learn more. In the meantime, with your lack of knowledge, and lack of interest/willingness to do the very simple check on a Windows machine that's up to date to verify my claims, don't assume/claim they are wrong.

But to give you a head start, here's ONE of the various CRITICAL updates (this one from this month):
We Never Really Fixed the .NET issue [microsoft.com]

This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario.

This security update is rated Critical for all affected releases of Microsoft .NET Framework for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; Microsoft Silverlight 2; and Microsoft Silverlight 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Even users with "fewer user rights" than "users who operate with administrative rights" could be impacted (though "less impacted"? What the hell does that mean? That fewer exploits (only those taking advantage of privilege escalation) will affect them, but crap script kiddie stuff that doesn't, won't?).

Perhaps now you see what I am talking about... if not, check your hotfixes/ Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.

If you shoot holes in a boat with buckshot, the problem is you shot holes in it. Patching one hole, of the same type as the rest, caused by the same "vulnerability" (in this example, the stupidity of shooting holes in the boat), does not fix the problem - it only fixes a tiny subset of it, and the boat still takes on water.

Re:Oh boy... (4, Insightful)

nmb3000 (741169) | more than 3 years ago | (#33410516)

Yeah, as I indicated, it's called "Windows Updates" - check it out sometime!

Perhaps now you see what I am talking about... if not, check your hotfixes/ Windows updates, read what they supposedly fix, then look at the similarities between the multiple attempts to fix the same damn issue over and over again.

So the answer is... No, you don't have any real sources. The generic description that comes with a Windows Update is just that -- generic. They all sound pretty much the same. Even the MS security bulletins like you linked to are usually pretty scant on details because they're designed to give an overview, not the nitty-gritty exploit information found elsewhere. I did look around Google for references to privilege escalation issues with .NET and didn't find anything.

If multiple updates which all say "This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight." have you convinced they've been trying to patch the same vulnerability for 10 years, then you have other issues.

As it stands, the specific vulnerability you point out doesn't even mention privilege escalation! It's also blazingly obvious what "Users whose accounts are configured to have fewer user rights on the system could be less impacted" means. If you don't have admin rights the worst thing the malware can do is put some entries in your startup folder/registry. If you're a full-on admin then we're talking kernel-mode drivers, raw disk access, machine-wide registry changes, the whole shebang. Big difference between the two.

Re:Oh boy... (1, Interesting)

RobertM1968 (951074) | more than 3 years ago | (#33410574)

Wow, not just did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you? Gee, adding things to the startup folder/registry means it might take what... two boots? to fully infect a machine with a piece of malware that has then gained full privileges? I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges. All it took, on a locked down machine, was a couple reboots. So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.

Re:Oh boy... (5, Informative)

nmb3000 (741169) | more than 3 years ago | (#33410678)

Wow, okay, let's take this slowly, piece by piece.

Wow, not just did you ignore most of the text in the advisory, but you dont know anything about how malware works either, do you?

I did read it, and I do understand.

Gee, adding things to the startup folder/registry means it might take what... two boots?

A standard user can only write to HKEY_CURRENT_USER. This key controls only their profile. So yes, malware run as a standard user can be set to run when that specific user logs in. Not upon machine startup.

to fully infect a machine with a piece of malware that has then gained full privileges?

Only if that user has administrative rights. If it was a standard user, then no, the malware did not magically gain more rights than the installing user had. That's why I asked about privilege escalation -- an exploit like that makes the situation much, much worse.

I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install themselves with the same privileges.

Yes, it's common for malware to use existing system services to run. There are several methods from DLL injection, App_Init DLLs, remote thread creation, etc. However, ALL of these require administrative access. A process cannot play with system services unless it has rights to. A standard user cannot inject DLLs, write to shared memory, or do anything else to processes running with SYSTEM access unless the user itself has admin rights.

All it took, on a locked down machine, was a couple reboots.

There's nothing magic about rebooting Windows. Some registry keys aren't processed except at boot-time, but there are MANY ways to infect a machine with malware without rebooting the computer. Of course, these ALL require administrative rights.

So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.

No, they aren't. The results for malware infection via standard user and that via an administrator are drastically different, with the latter being terribly worse. A standard user's infection can be cleaned up in 5-10 minutes with ease. Simply deleting their user profile and creating a new one is the easiest method. Anyone can do it.

A machine that's been infected by somebody with administrative rights may as well be infinitely worse. Without taking the system offline and analyzing the hard drive in a separate computer (or maybe by booting to a different OS), you will never, ever know if the system is clean. Even offline analyzing isn't guaranteed to work unless you know of and can check every single infection vector, a very challenging task. You're almost always better off reinstalling the machine.

Hopefully that helps clear things up.
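
The distinction drawn in the post above (HKEY_CURRENT_USER entries affect one profile and need no elevation to write; HKEY_LOCAL_MACHINE entries fire for every logon and require administrative access) is easy to turn into a triage check. The following is an added example, not code from any poster or from Microsoft: it parses a constructed `.reg` export of the Run/RunOnce keys, classifies each entry by hive scope, and flags entries whose image lives in a location a standard user can write to. The `.reg` text, the `USER_WRITABLE` location list and the helper names are all assumptions made for the demo.

```python
"""Classify Windows autorun (Run-key) entries by the privilege their hive implies.

Added example; the .reg text below is constructed for the demo and was not
captured from any real machine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export (assumption: typical layout of a regedit export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"updater"="C:\\Users\\alice\\AppData\\Roaming\\upd\\svc.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="%TEMP%\\cleanup.bat"
'''

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Locations a standard user can write to without elevation. Assumption: this
# short list is illustrative, not exhaustive.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local\\Temp)\\|%TEMP%|%APPDATA%|\\Users\\[^\\]+\\Downloads\\",
    re.IGNORECASE,
)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str

    @property
    def scope(self) -> str:
        # HKLM Run keys fire for every logon; HKCU keys only for the owning profile.
        return "machine" if self.hive == "HKEY_LOCAL_MACHINE" else "user"

    @property
    def needs_admin_to_write(self) -> bool:
        return self.scope == "machine"

    @property
    def image_user_writable(self) -> bool:
        return USER_WRITABLE.search(self.command) is not None


def parse_reg(text: str) -> List[AutorunEntry]:
    """Parse the [key] / "name"="value" lines of a .reg export into entries."""
    entries: List[AutorunEntry] = []
    hive = key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, key = m.group(1), m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and hive is not None:
            # .reg files double backslashes inside string values; undo that.
            command = m.group(2).replace("\\\\", "\\")
            entries.append(AutorunEntry(hive, key, m.group(1), command))
    return entries


def summarize(text: str) -> Dict[str, object]:
    """Count entries by scope and list those whose image lives in user-writable space."""
    entries = parse_reg(text)
    return {
        "machine": sum(e.scope == "machine" for e in entries),
        "user": sum(e.scope == "user" for e in entries),
        "suspicious": [e.name for e in entries if e.image_user_writable],
        # A user-scope entry disappears with the profile; a machine-scope entry
        # means admin rights were available when it was written.
        "cleanup_by_profile_reset": [
            e.name for e in entries if e.scope == "user" and e.image_user_writable
        ],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_REG).items():
        print(f"{k}: {v}")
```

On the constructed export the two HKCU entries pointing into `AppData\Roaming` and `%TEMP%` are flagged, and both fall into the "profile reset cleans it" bucket the post describes; the HKLM entry is the only one that required admin rights to create.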

Re:Oh boy... (1, Redundant)

RobertM1968 (951074) | more than 3 years ago | (#33410722)

No, it does not. A standard user infection that utilizes privilege escalation (exploits), then becomes the same as one installed when an admin was logged in. There have been numerous.

Here's an example of one escalation - and NOT a big (or prominent) one, that was only partially fixed.

http://en.wikipedia.org/wiki/Shatter_attack

There are bigger and worse ones. Now perhaps my statements make more sense.

Re:Oh boy... (2, Informative)

LordLimecat (1103839) | more than 3 years ago | (#33410348)

A user without administrative access cannot install a rootkit.

That's inaccurate. A non-admin can very easily get infected with a userland rootkit with no exploits necessary. Google "n00bkit".

Re:Oh boy... (1)

nmb3000 (741169) | more than 3 years ago | (#33410590)

That's inaccurate. A non-admin can very easily get infected with a userland rootkit with no exploits necessary.

It depends on your definition of "rootkit", I suppose. The term has been watered down drastically over the last few years with people using it to describe malware in general. If we take Wikipedia's word then:

A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. [...] Once a rootkit is installed, it allows an attacker to mask his intrusion while gaining root or privileged access to the computer.

If the installing user does not have administrative rights then it's not possible for a rootkit to gain those rights (failing the requirement of gaining privileged access). A standard user might somehow get a user-mode "rootkit" on the machine, but it will only have access to their files and other users will be generally unaffected (barring some other kind of exploit [such as the recent DLL loading issue]). This means that an administrator who logs onto the system will easily be able to see and remove the compromised user's "rootkit", thereby failing the other requirement of remaining hidden.

Google "n00bkit".

It appears to be a user-mode rootkit. If an administrator installs it, then I suppose it would qualify as a full-blown rootkit on the machine. However, if installed by a standard user it would just fall under "tricky malware". Only machines can be "rooted", not users.

Oh boy, you really don't know much about .NET (1)

benjymouse (756774) | more than 3 years ago | (#33409852)

and nor about SteadyState.

.NET is actually a security success-story. Compared to similar (i.e. Java), .NET has experienced almost an order of magnitude fewer vulnerabilities, especially if you consider the severity of the vulns.

.NET (using 2.0): http://secunia.com/advisories/product/6456/ [secunia.com]

Java (JRE 1.5 which is contemporary): http://secunia.com/advisories/product/4228/ [secunia.com]

------

SteadyState makes a virtual harddisk. In essence it is itself a "rootkit" in that it uses copy-on-write and reads/writes the changed block from/to a log file. When rebooting it simply deletes the logfile and the disk is back to the original state. I would like to see the rootkit which can survive that...
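
The log-backed copy-on-write mechanism described in the post above can be modelled in a few dozen lines. What follows is an added example, not SteadyState's code or anything from Microsoft: a block device whose writes are redirected into an in-memory log, where `reboot()` discards the log and every read falls back to the base image. The `protected` parameter is an assumption added here to model which blocks the overlay actually covers; it goes a little beyond the post by showing that a write to a block the overlay does not cover lands in the base image and survives the discard, which is exactly the coverage question a defender has to answer before trusting a revert-on-reboot control.

```python
"""Block-level copy-on-write overlay with a discardable write log.

Added example modelling the mechanism described above; not SteadyState's
implementation. `protected` (which blocks are routed through the overlay)
is an assumption made for the demo.
"""
from typing import Dict, Iterable, List, Optional


class OverlayDisk:
    def __init__(self, base: List[bytes], protected: Optional[Iterable[int]] = None):
        # The "original" disk image, one bytes object per block.
        self._base = list(base)
        # Blocks routed through the overlay. Default: every block.
        self._protected = set(range(len(base))) if protected is None else set(protected)
        # The write log: block index -> replacement content. Lives until reboot().
        self._log: Dict[int, bytes] = {}

    def read(self, idx: int) -> bytes:
        # Copy-on-write read: a logged block shadows the base block.
        return self._log.get(idx, self._base[idx])

    def write(self, idx: int, data: bytes) -> None:
        if idx in self._protected:
            self._log[idx] = data      # redirected into the log
        else:
            self._base[idx] = data     # falls straight through to the base image

    def dirty_blocks(self) -> List[int]:
        return sorted(self._log)

    def reboot(self) -> None:
        """Model the reboot: the log file is deleted and the overlay reverts to base."""
        self._log.clear()


def demo():
    """Write inside and outside the covered range, reboot, and compare."""
    base = [b"BOOT", b"OS01", b"OS02", b"USER"]
    disk = OverlayDisk(base, protected=range(1, 4))  # block 0 left outside the overlay
    disk.write(3, b"XXXX")  # change inside the covered range: logged
    disk.write(0, b"ZZZZ")  # change outside the covered range: hits the base image
    before = [disk.read(i) for i in range(4)]
    disk.reboot()
    after = [disk.read(i) for i in range(4)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before reboot:", before)
    print("after reboot: ", after)
```

With the default `protected=None` every block is covered and a reboot reverts all of them; the demo deliberately leaves block 0 uncovered so the difference is visible in the result.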

Re:Oh boy, you really don't know much about .NET (1)

RobertM1968 (951074) | more than 3 years ago | (#33410418)

and nor about SteadyState.

.NET is actually a security success-story. Compared to similar (i.e. Java), .NET has experienced almost an order of magnitude fewer vulnerabilities, especially if you consider the severity of the vulns.

.NET (using 2.0): http://secunia.com/advisories/product/6456/ [secunia.com]

Java (JRE 1.5 which is contemporary): http://secunia.com/advisories/product/4228/ [secunia.com]

------

SteadyState makes a virtual harddisk. In essence it is itself a "rootkit" in that it uses copy-on-write and reads/writes the changed block from/to a log file. When rebooting it simply deletes the logfile and the disk is back to the original state. I would like to see the rootkit which can survive that...

Wouldn't the answer to that last statement be ANY real rootkit? Just curious. Isn't infecting the MBR the way that rootkits bypass such protections? Wouldn't some rootkits then also be able to hose SteadyState's ability to revert the file system back to previous state? Aren't the file system and MBR two different things, even though they work in conjunction?

Just curious, hence the questions instead of statements.

Also, it's a bit disingenuous to simply pick one version of .NET, as systems come with all of them installed and in use from at least 1.1 upwards. Also, it's a bit irrelevant to look at the advisories for .NET as opposed to the numerous hotfixes (hundreds) and multiple large patches (near a dozen) to fix known, in the wild, exploits. Then one should probably factor in the length of time it took for these fixes to come out... and then consider (in the context of this conversation, thus regarding privilege escalation) which, on a properly locked down system can escalate (with NO user interaction and NO user prompts) its privileges to infect a locked down, limited rights system - I think the answer to that one is .NET - what do you think?

Re:Oh boy... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33410544)

Sadly,

Sadly,

Sadly

Sadly

And sadly

You must be really sad.

Re:Oh boy... (0)

Anonymous Coward | more than 3 years ago | (#33409398)

www.bilisimforum.org

Re:Oh boy... (2, Informative)

RobertM1968 (951074) | more than 3 years ago | (#33409660)

...I think their problems are on multiple fronts:

Overly complex code
Lax permission requirements,
Too many admins (still default on workstation installs)
Poorly written apps that in turn requires them to bend the rules or to provide workarounds.

You forgot a few very very important ones:

- Way too much legacy code that was not written with network security in mind

- Way too many technologies, that by their design and the functions they provide, can never be made secure (ActiveX, .NET Click Once and more)

- NO interest in removing "core components" that compromise the security of Windows systems (.NET and ActiveX) as (1) too many of their clients use it and (2) (the really important one) those technologies are Microsoft's bread and butter in the server marketplace and the only thing that differentiates them from other implementations. With the ease of use of .NET and ActiveX, it allows a larger IT entry point and provides a support model that xAMP does not have (and while that does not make the choice better, we all know there are numerous "admins" and "developers" who do not deserve their titles - but the Microsoft products and "technologies" give them an entry point into those fields that other technologies (PHP for instance) do not - all with Microsoft's support behind them).

I had great hopes for their VirtualPC bit and was hoping they would take a more Apple-centric approach, allowing them to just start with a fresh slate while virtualizing old OS compatibility. It appears that was a wasted hope however...

C'mon, you really didn't, did you? I don't know anyone in the IT or support industry who thought that or even had any real hopes for that to happen. The day they bought Connectix, we in the OS/2 world knew that the OS/2 version would be killed, followed by the MacOSX version (I even made such posts on the OS/2 World Forum when the announcement of the acquisition was made public), followed by any version Microsoft deemed as detrimental to their server and high end client OS sales. Of course, their promises of the exact opposite behavior notwithstanding, that is exactly what happened. Maybe because we're part of the OS/2 Community and have seen it happen to a far greater extent, it made it easier to see the writing on the wall. So, I can't blame anyone for that. I suspect that MacOSX users may have seen that writing as well, especially after the broken promises on fully feature compatible versions of Office, updated versions of IE and so on.

Fact is, as some of us speculated, due to issues they've had and never fully resolved with backwards compatibility, we were quite sure that Microsoft's biggest intent was to grab the Connectix stuff to use it as a compatibility layer, while at the same time, preventing people from using other operating systems as the host OS. And thus, the current (Vista onwards) WoW implementation was born. This too was finally admitted to by Microsoft when they touted the better backwards compatibility Vista would provide due to their acquisition.

I'm not saying that's a bad thing... I'm saying I don't know any IT Professional who thought of any of those situations differently or didn't understand the reasoning behind it, or what the outcome would be. I suspect that you too saw where things would go. I guess the only difference is you decided to hope, while my colleagues and I knew it wasn't worth hoping.

Re:Oh boy... (1)

ysth (1368415) | more than 3 years ago | (#33409784)

xAMP? x stands for Linux or GNU/Linux depending on which side of the fight you are on?

Re:Oh boy... (1)

RobertM1968 (951074) | more than 3 years ago | (#33410262)

As I wrote it, xAMP was to stand for "(anything)AMP" (where x is any operating system, such as Linux, AIX, OS/2, eComStation, and (ugh) Windows and so on).

Coulda just written AMP I guess, but figured people would understand xAMP with less brain effort than they would simply AMP - and it was easier than writing "LAMP/WAMP/OAMP (or WAMP or AMP2)", etc.

Re:Oh boy... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33410400)

Gee whiz, you're the stupidest fucking cunt troll I've ever read here. Can you say anything that isn't filled with lies? Go back and suck your mother's dick.

Re:Oh boy... (1)

bertok (226922) | more than 3 years ago | (#33410620)

Your comment about ActiveX is valid, but .NET is about as safe as Java. Other than implementation bugs, it's a secure virtual machine that can run applications in sandboxes, just like Java applets.

Not everything Microsoft does is insecure.

Re:Oh boy... (1)

RobertM1968 (951074) | more than 3 years ago | (#33410758)

That's odd. I thought there were hundreds of fixes (and near a dozen large patches) for the .NET framework due to a plethora of vulnerabilities. Well, I know that's the case. The list is daunting. I thought that the most recent one was just this month (3 fixes for exploit vectors).

And I thought that Java implementations could not escalate privileges on a fully secured machine that a user was not using as an admin without explicit permission(s) being given. And I know that various .NET "technologies" allow bypassing that stuff, such as ClickOnce (or "DontEvenNeedToClick,JustVisit_aBadSite" as it should really be named).

Re:Oh boy... (1)

sznupi (719324) | more than 3 years ago | (#33409444)

Yeah, this is kind of like the church releasing its guidelines for picking up hookers under Creative Commons.

Don't you mean "guidelines for running kindergartens"?

Re:Oh boy... (1)

sam0vi (985269) | more than 3 years ago | (#33409610)

Ouch?

At least they're trying. (1)

cosm (1072588) | more than 3 years ago | (#33409048)

At least they're trying.

Trying what? (0, Troll)

SgtChaireBourne (457691) | more than 3 years ago | (#33409102)

Whatever for? It's not like it's worth publishing except to document years of fail. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure [slashdot.org] tag, for the version to come along after tagging was implemented.

Re:Trying what? (0)

Anonymous Coward | more than 3 years ago | (#33409142)

Document years of fail...do you know what the SDL is? What specifically is your problem with it?

Re:Trying what? (-1, Flamebait)

SgtChaireBourne (457691) | more than 3 years ago | (#33409154)

Yes. It's what has contributed to very shitty quality. Of course the raw material, the managers and the engineers have to be mentioned as being incapable.

Re:Trying what? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33409174)

M$

good job ruining any credibility your post might have had and classifying yourself as a troll.

Re:Trying what? (0)

Anonymous Coward | more than 3 years ago | (#33409318)

I used to think that, too, but after years and years of putting up with the absolute crap that came out of Redmond, I can't fault people for being well and truly fed up. How many times must someone stomp on your livelihood before you break? Especially when there are technically better options available?

Re:Trying what? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33409646)

It doesn't matter how shoddy I think Microsoft products are. The moment I resort to name-calling like Republitard, Democunt, or M$, I take on the mental image of a 5 year old. Everything I said should be dismissed. If I can't stay serious for the 30 seconds it takes to write a post on the Internet, I don't have anything of value to say.

Re:At least they're trying. (5, Funny)

symbolset (646467) | more than 3 years ago | (#33409168)

This is not the Special Olympics.

Re:At least they're trying. (2, Funny)

davester666 (731373) | more than 3 years ago | (#33409360)

It is for Microsoft.

Re:At least they're trying. (0)

Anonymous Coward | more than 3 years ago | (#33409718)

Never mind that a process can't be licensed anyway, it can only be patented, which they wouldn't be able to do with these. It would actually be a great stunt if they're able to pull this off. Appear open when in fact they've diluted copyright/patent law. Hats off.

What are they trying? Not engineering. Not PR. (2, Insightful)

SgtChaireBourne (457691) | more than 3 years ago | (#33409722)

Why waste time publishing that crap? It's not even good for PR because it only serves to highlight the failure. It's only worth is documenting years of fail and we have Mitre [mitre.org] and CERT [cert.org] for that. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure [slashdot.org] tag, for the version to come along after tagging was implemented. Otherwise there would have been a special tag for the XP SP2 [google.com] disaster.

The SDL is what has contributed to very shitty quality. Of course the raw material, the managers and the engineers have to be mentioned as being incapable.

Re:At least they're trying. (1)

cyber-vandal (148830) | more than 3 years ago | (#33410378)

Microsoft are very trying.

secure? (3, Funny)

Murdoch5 (1563847) | more than 3 years ago | (#33409056)

Microsoft and Secure? Am I missing something here?

Re:secure? (2, Interesting)

GarryFre (886347) | more than 3 years ago | (#33409300)

If the thieves are getting past the guards, I would not want to emulate them. Something is wrong and needs to change, and till it's changed I would not want to copy a security model that isn't secure. The question is, is it insecure because of a failure in the model or is it because so many resourceful thieves are finding ways around the so-called safeguards? Who can know?

Re:secure? (2, Insightful)

KarmaMB84 (743001) | more than 3 years ago | (#33409604)

Most of their problems have been in old code they're undoubtedly afraid to change until it's proven there's actually a vulnerability there. I haven't heard anything to indicate their fresh code produced since adopting their current security process is any more insecure than the stuff produced by the open source world.

Re:secure? (3, Informative)

PhrostyMcByte (589271) | more than 3 years ago | (#33409880)

Talk I've heard from friends in Microsoft indicates that they're quite paranoid about security, putting strict checks on all levels of development. To mention one small portion of it, C and C++ contain some functions that, if misused, can be easy attack vectors. VC++ has a number of non-standard replacement functions for these that they use that include runtime safety checks. They're warned off the "insecure" functions, and anyone that uses them needs a full rationale written up on why. Needless to say, most coders will have an adjustment!
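The pattern described above (an explicit destination size, a runtime check, and a loud failure instead of a silent overflow, as in Microsoft's strcpy_s family) can be shown portably. The block below is an added example written for this discussion, not code from the thread or from Microsoft's C runtime; checked_copy, checked_format and the copy_result values are this example's own names, modelled on that contract rather than copied from it.

```c
/* Added example: portable length-checked stand-ins for unbounded C string
 * functions. Not Microsoft's CRT; the names below are this example's own. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum copy_result { COPY_OK = 0, COPY_BAD_ARGS = 1, COPY_TOO_LONG = 2 };

/* Replacement for strcpy(dst, src): the destination size is a parameter,
 * the source scan is bounded so an unterminated buffer cannot run off,
 * and on failure dst is left as an empty string rather than half-written. */
enum copy_result checked_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return COPY_BAD_ARGS;
    if (src == NULL) {
        dst[0] = '\0';
        return COPY_BAD_ARGS;
    }
    size_t n = strnlen(src, dst_size);
    if (n >= dst_size) {          /* no room for the terminator */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);      /* n + 1 includes the NUL */
    return COPY_OK;
}

/* Replacement for sprintf(dst, fmt, ...): vsnprintf never writes past
 * dst_size, and a return value >= dst_size means the output was cut off,
 * which is reported instead of being handed on as a valid string. */
enum copy_result checked_format(char *dst, size_t dst_size, const char *fmt, ...)
{
    if (dst == NULL || dst_size == 0 || fmt == NULL)
        return COPY_BAD_ARGS;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dst_size) {   /* encoding error or truncation */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    return COPY_OK;
}

int main(void)
{
    /* Constructed inputs: a fixed-size record field fed from untrusted text. */
    char field[16];
    const char *inputs[] = {
        "alice",
        "a-name-that-is-definitely-too-long-for-the-field",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum copy_result rc = checked_copy(field, sizeof field, inputs[i]);
        printf("copy   rc=%d field=\"%s\"\n", (int)rc, field);
    }
    enum copy_result rc = checked_format(field, sizeof field, "user-%d", 1234567890);
    printf("format rc=%d field=\"%s\"\n", (int)rc, field);
    return 0;
}
```

The design choice worth noting is that a failed call clears the destination: a caller that ignores the return code then sees an empty string, which is easier to catch in testing than a truncated one that happens to look plausible.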

Re:secure? (2, Informative)

symbolset (646467) | more than 3 years ago | (#33410178)

Actually, even dead-simple basic security like closing ports by default, reducing default services, not including the current working directory in the executable or library search paths, not auto-running anything, reducing app attack surface by turning off embedded format decode by default and a vast many other things are completely off the table at Microsoft. Doing security breaks backward compatibility. It removes popular features, and the fact that the features are in and of themselves the security vulnerability makes it a no go.

They see these essential vulnerabilities as a large part of their value-add. It's not that they're afraid - it's that basic security primitives we've known about for decades are antithetical to their culture. As long as they hold that strategic position, discussing minor tactical matters like how they compose applications for security is simply a waste of time.
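One of the defaults named in the comment above, the current working directory appearing in the executable search path, is simple to check for. The block below is an added example for this discussion, not code from the thread or from any vendor; count_cwd_relative_entries and entry_is_absolute are this example's own names, and the PATH strings in the demo are constructed.

```c
/* Added example: audit a PATH-style string for entries that resolve
 * relative to the current working directory. Names are this example's own. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#define PATH_SEP ';'
#else
#define PATH_SEP ':'
#endif

/* An entry is safe only if it is absolute. Anything else (an empty entry,
 * ".", "./", or a bare relative name such as "bin") is resolved against
 * whatever directory the process happens to be in. POSIX shells and
 * historic Windows both treat an empty entry as the current directory. */
bool entry_is_absolute(const char *entry, size_t len)
{
    if (len == 0)
        return false;
    if (entry[0] == '/' || entry[0] == '\\')      /* /usr/bin, \\server\share */
        return true;
    if (len >= 3 && isalpha((unsigned char)entry[0]) && entry[1] == ':' &&
        (entry[2] == '\\' || entry[2] == '/'))    /* C:\Windows */
        return true;
    return false;
}

/* Counts entries in `path` that are not absolute. `sep` is ':' for POSIX
 * PATH and ';' for Windows PATH. An empty string counts as one empty entry. */
int count_cwd_relative_entries(const char *path, char sep)
{
    int bad = 0;
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, sep);
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (!entry_is_absolute(start, len))
            bad++;
        if (end == NULL)
            break;
        start = end + 1;
    }
    return bad;
}

int main(void)
{
    /* Constructed samples, one per platform convention. */
    const char *posix_sample = "/usr/local/bin:/usr/bin::/bin:.";
    const char *win_sample = "C:\\Windows\\System32;.;C:\\Tools";
    printf("posix sample: %d cwd-relative entries\n",
           count_cwd_relative_entries(posix_sample, ':'));
    printf("windows sample: %d cwd-relative entries\n",
           count_cwd_relative_entries(win_sample, ';'));

    /* Then the real environment of this process. */
    const char *live = getenv("PATH");
    if (live != NULL)
        printf("live PATH: %d cwd-relative entries\n",
               count_cwd_relative_entries(live, PATH_SEP));
    return 0;
}
```

The check is deliberately strict: it flags bare relative names as well as "." and empty entries, because all three make the program that gets run depend on where the user was standing when they typed the command.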

That Microsoft Icon On Slashdot (3, Insightful)

Anonymous Coward | more than 3 years ago | (#33409072)

Isn't it long past time it be updated and possibly the correct one be used?

Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

It would be like using the Edsel to represent Ford, or still using the New Coke logo.

It no longer serves its purpose, and says more about slashdot than Microsoft these days.

Re:That Microsoft Icon On Slashdot (1)

lseltzer (311306) | more than 3 years ago | (#33409296)

Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

How about using (1)

crovira (10242) | more than 3 years ago | (#33410046)

Ballmer's ugly, bald, sweaty, monkey-boy mug for the Microsoft icon?

Gates is gone and the marketing and legal departments are now in charge over there.

Might as well call a spade a spade...

Re:That Microsoft Icon On Slashdot (1)

furbearntrout (1036146) | more than 3 years ago | (#33410726)

Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

Like that thumb-sucking gnu holding his blankie. We at Slashdot are equal-opportunity; we pick on everybody.

Re:That Microsoft Icon On Slashdot (0)

Anonymous Coward | more than 3 years ago | (#33409596)

This is Slashdot. Bigotry and zealotry sells in spite of the so-called liberal mindset.

Re:That Microsoft Icon On Slashdot (1)

RobertM1968 (951074) | more than 3 years ago | (#33409754)

Isn't it long past time it be updated and possibly the correct one be used?

Bill Gates hasn't worked at Microsoft in years, and really has almost no involvement with the company any longer.

It would be like using the Edsel to represent Ford, or still using the New Coke logo.

It no longer serves its purpose, and says more about slashdot than Microsoft these days.

I disagree. The Edsel is dead and gone. The legacy Gates has left us is definitely very alive and prevalent. There is the big difference. Unless .NET and ActiveX are entirely killed and Windows is honestly rewritten from the ground up, and the damage that Microsoft has done to competitors is reversed, then Gates' legacy - especially as related to things like this topic - is alive, well and still in control of most of the PC related marketplace. Credit where credit is due thus indicates it should be his logo used.

lseltzer wrote this little bit of nonsense:

Mod this coward up. AFAIK there are no other icons on /. that are designed to denigrate the subject.

lseltzer, you do realize it's hardly denigration if it's true, don't you? The whole EEE principle. That's not myth. It's fact. It's proven fact. It's been proven in numerous courts of law. It's been proven via internal memos and emails from Gates and others. The image clearly indicates the concept of Embrace, Extend, Extinguish.

Perhaps when Microsoft actually (and truly) changes their tune and drops such behavior, then it's time to change the image - but in the meantime, these are principles that Microsoft, due to Gates' direction, have embraced (no pun intended) since their earliest days. Thus, his legacy, his actions, their continuing actions based off the direction he set. Very appropriate image, if you ask me. Let me know if they change direction, and I'll gladly change my mind about whether the image is appropriate.

Re:That Microsoft Icon On Slashdot (2)

hairyfeet (841228) | more than 3 years ago | (#33410182)

Oh please! At least Darth Gates was scary, and could do that whole "we'll crush you like a bug" thing real well. Ballmer is like putting the court jester in charge of the kingdom. What you have with Ballmer is "Hey, we can be like Apple and make cool stuff! Yes we can! We really can! STOP LAUGHING AT ME!!!!"

The whole EEE thing was Gates, Gates may have been a bastard but he, like Jobs and Ellison, was a tough bastard that played to win. The Ballmer monkey just flops from one idea to another and doesn't deserve the Borg Icon. It would be like pretending that IBM is the ruler of all things computing still and just ignoring the past 20 years. Gates is gone, and while Ballmer might try to do evil, he is a quasi-evil, he is the diet Coke of evil, he is the light beer of evil-half the taste and the buzz is a killer. In short he is lame and isn't worthy of being a pimple on Darth Gates's ass.

A MUCH more appropriate icon would be Ballmer in a jester hat with an "I heart Apple!" T-shirt, since he seems bound and determined to try to be Steve Jobs. And THAT would fit with the current situation at MSFT much more than the old Gates Borg, since without Gates it is like the Borg being led by Reno 911.

As for TFA MSFT's biggest weakness it hasn't ever been their own code as much as everyone else's. After SP2 MSFT code seemed to get better and better on security, whereas even with Windows 7 I have seen waaaaay too many apps that frankly shouldn't need admin for anything demanding admin rights. Sadly I doubt this will accomplish jack shit because too many lazy developers at too many lazy companies would rather just pretend everyone has admin and be done with it.

Re:That Microsoft Icon On Slashdot (1)

RobertM1968 (951074) | more than 3 years ago | (#33410376)

A MUCH more appropriate icon would be Ballmer in a jester hat with an "I heart Apple!" T-shirt, since he seems bound and determined to try to be Steve Jobs. And THAT would fit with the current situation at MSFT much more than the old Gates Borg, since without Gates it is like the Borg being led by Reno 911.

Well, you've got my vote for that!!!! :-)

We like it. (1)

symbolset (646467) | more than 3 years ago | (#33410314)

We like the Gates Borg icon. That's enough. It's not denigrating. The Borg are powerful and near immortal, technologically far superior.

It speaks to the power of Microsoft's business model of innovation through acquisition, their dominant influence in all the fields they enter.

Bill Gates is still Chairman of the Board so he helps set policy at the highest level. He's the largest stockholder. He formulated the business strategies that persist to this day being executed less subtly by others. As the iconic figurehead he still talks on Microsoft's behalf to the general public, heads of state, Congress. He's still a public speaker promoting their interests. He is not gone.

The GatesBorg icon should stay.

Seriously? (3, Insightful)

ratboy666 (104074) | more than 3 years ago | (#33409076)

The PROCESS is Creative Commons licensed. Not the tools. Ok, but you know what? I would never have taken Microsoft as an example of a company whose secure coding practice I would want to follow.

Just sayin'

And why bother with a CC license for this? Just publish the practice, and don't take out "business process" patents. Microsoft did that with "Code Complete".

Anyway, I now have to read the frakkin stuff, just to stay on top of it. Maybe I'll be pleasantly surprised...

I hope

Re:Seriously? (1)

Call Me Black Cloud (616282) | more than 3 years ago | (#33409084)

Whose secure coding practices do you follow? Or if they're your own, please share them. Thanks.

Re:Seriously? (5, Informative)

TheRaven64 (641858) | more than 3 years ago | (#33409210)

CERT publishes a good set. I've worked with some of the people behind them on some proposals for the C1X standard and they're very bright people. I'd trust their recommendations long before I'd trust ones from Microsoft.

Re:Seriously? (0)

Anonymous Coward | more than 3 years ago | (#33409338)

While everyone on /. appreciates the MS attack, they *MIGHT* know a thing or two about writing a secure system, or at least the theory. I know, when you're done laughing think about it. They have spent years as the 'top dog' 'easy to attack' OS. They know many of the tricks everyone uses. They know how to mitigate them. *IF* you use their OS in a specific manner it is actually secure. I have been using MS products for years and have maybe 3 times I have ever had to clean a virus off my computer. Back in the day with Mac OS 6 it was a daily occurrence. But I learned as a user what were 'bad habits' and 'good habits'. Those translated very nicely over to Windows. MS does know how to write secure code. The problem they now have is they can not 'clean slate' their OS. They must have backwards compatibility. If MS released a new OS and it only ran 10% of the software out there very few people would buy it and we here on /. would be making fun of them. Apple has done this every few years and they ended up as a 5% market share. Now with mobile phones we are about to see a huge tidal wave of malware/trojans/viruses out there. iOS and Android, while semi-secure today, have vulns in them (it is usually how they are rooted). I know for a fact that many Android phones do (for example my Droid X shipped with a 2.6.27 kernel that is ages old). MS has had the 'luxury' of years of attacks. They have the 'easy' ones out of the system. Apple and Google have not had this as much. They are about to get a rude awakening. Just as MS did in about 2002 with XP.

Also putting it CC sends a clear sign to everyone. USE THIS. We will not sue/bother/bug you for using our process.

Re:Seriously? (0)

Anonymous Coward | more than 3 years ago | (#33409392)

I'm not sure lawyers would see it that way...

Re:Seriously? (it's time to Thank MS!) (0)

Anonymous Coward | more than 3 years ago | (#33410476)

They *MIGHT* know a thing or two about writing a secure system, or at least the theory. I know, when you're done laughing think about it. They have spent years as the 'top dog' 'easy to attack' OS.

You're right - we should all thank MS for releasing this guide, and also thank them for releasing notoriously insecure operating systems that basically spawned the entire PC security/AV industry. As MS systems are phased out over time for Linux or OSX, we'll still have useful firewalls and encryption in place for additional protection that we would otherwise never have bothered with if it weren't for Windows. Sort of like how the prevalence of gangrene contributed to the development of modern aseptic surgical practices...

It's already slashdotted (0)

Anonymous Coward | more than 3 years ago | (#33409086)

Few comments in and the server delivering this marvel already died.

But of course Microsoft is not only known for its security but also performance.

Sigh.

mistagged? (4, Funny)

Anonymous Coward | more than 3 years ago | (#33409120)

Shouldn't this be tagged as "humor"?

Re:mistagged? (1)

s1lverl0rd (1382241) | more than 3 years ago | (#33409436)

Strange date for an April Fools' joke.

Does CC give a patent grant? (0)

Anonymous Coward | more than 3 years ago | (#33409136)

They probably have that process patented. If you use it, they will come knocking on your door.

MS Security... (5, Insightful)

leromarinvit (1462031) | more than 3 years ago | (#33409206)

Ahh yes, I can see it now:
  • Never check your input, no matter where it comes from
  • Make sure to make your algorithms as complex as possible so you don't run out of race conditions and other non-trivial bugs, preferably in security critical areas
  • Embed your security flaws in specifications you'll have to honor forever to maintain backwards compatibility
  • Most importantly: When (not if) somebody finds a bug and reports it to you, don't fix it at once. Only when an exploit is out in the wild can you even start thinking about how to fix the bug.

Re:MS Security... (1)

Murdoch5 (1563847) | more than 3 years ago | (#33409234)

Love the post!!! It's true.

So someone in Redmond decided... (3, Funny)

Dracos (107777) | more than 3 years ago | (#33409212)

That the world needed a free lesson in how not to develop secure software?

Ugh, doc (3, Funny)

diegocg (1680514) | more than 3 years ago | (#33409262)

Unless someone converts it to PDF I'm not downloading that....

Re:Ugh, doc (1)

devent (1627873) | more than 3 years ago | (#33409582)

Unless someone converts it to PDF I'm not downloading that....

Maybe you are supposed to modify and extend it.

Secure from *what*? (1, Interesting)

DoofusOfDeath (636671) | more than 3 years ago | (#33409408)

Secure from cracking, or secure from competition?

Because, at least prior to Bush's Justice Department dropping all charges against Microsoft, the second would be a pretty long list of felonies.

Re:Secure from *what*? (2, Informative)

John Hasler (414242) | more than 3 years ago | (#33409612)

The antitrust suit against Microsoft was not dropped and did not ever involve any criminal charges.

The Problem is... (1, Interesting)

Greyfox (87712) | more than 3 years ago | (#33409560)

No software can truly be secure. You have to assume that your security will eventually be breached and you have to make an effort to mitigate the damage when a breach occurs. If Microsoft and others want to help, they should be working to make the mitigation side of the equation easier.

Companies that run these operating systems and other software do not think of security at all. They just assume that everything's fine. Home users are even worse. That attitude will also have to change for things to get better.

Re:The Problem is... (1)

ScrewMaster (602015) | more than 3 years ago | (#33409772)

That attitude will also have to change for things to get better.

It won't. Security is a process, not a condition, but people don't think naturally in those terms because it requires continuous effort (and ongoing expense.) Most people prefer to just make an initial investment in security and forget about it. Now, that works when you're talking about a bank vault, maybe, but not computer security.

I beg to differ (1)

melted (227442) | more than 3 years ago | (#33409980)

I see no reason why software can't be 100% secure. I just think it's unrealistic to expect this from commercial software written by people who don't really care.

Re:I beg to differ (0)

Anonymous Coward | more than 3 years ago | (#33410298)

I see no reason why software can't be 100% secure.

Then you're clearly not a developer, or at least not a good one. There is no way to completely secure anything that has to accept external input. Anything you can do on your computer, someone else can write a program to do as well. You can delete files, that means someone else can write a program to delete your files. We can make it difficult for such a program to run without alerting you, but unless you want to be notified every time anything makes changes to the system (trust me, you don't- you'd never get anything done), there's always going to be ways around it.

When will we get sued for reading that? (1)

Torp (199297) | more than 3 years ago | (#33409724)

Besides the obvious jokes about Microsoft and security, the very serious question is what patents of theirs you could infringe by following their process and when they will sue you for it?

Re:When will we get sued for reading that? (1)

ScrewMaster (602015) | more than 3 years ago | (#33409796)

Besides the obvious jokes about Microsoft and security, the very serious question is what patents of theirs you could infringe by following their process and when they will sue you for it?

Probably never. Other operating system vendors could maybe learn from this, sure, but since most of them are already much farther along the security curve than Redmond has ever been, it won't matter. What this might do (assuming that it's sensible, and I've not read it so I don't know) is help Windows application developers write more-secure code, better avail themselves of Windows' existing security features. That's the real benefit to Microsoft, and there's no point in suing people coding for your platform.

Important point: it's a CCSA license (2, Insightful)

FoolishOwl (1698506) | more than 3 years ago | (#33409780)

Can we please get past the cheap shots about Microsoft's security, and pay attention to the trend wherein Microsoft, practically founded on opposition to sharing code, has been experimenting with open source licenses and making overtures to the FLOSS community?

Microsoft Introduces Free and Open Software System (1)

symbolset (646467) | more than 3 years ago | (#33410248)

Dateline: Redmond, August 29, 2010.

In a sudden break from tradition Microsoft has announced a new strategy: Open Systems. A keystone of this system will be the idea that for progress to occur in the information processing space of the future, separate and independent entities must be able to work together cooperatively. By publishing some components of their systems they hope to create a new field: a Free and Open Software System. For now some trivial portions of their proprietary works will remain a company secret, but they hope the rest of the world will join them in adopting this new model.

Speaking at a Redmond press conference, Microsoft Open Systems spokesman Muhammed Saeed al-Sahaf said: "Although Microsoft's software has always had fully open specifications, independent software vendors have been respond in kind. This makes it difficult to integrate our offerings with things like Google Docs and Facebook. By making more information available under free software licenses we hope to create a groundswell of support for this new model. Microsoft will leverage our innovation in this field to bring about a new era of cooperation and rapid innovation."

Is this guide helpful or not? (2, Informative)

echnaton192 (1118591) | more than 3 years ago | (#33409788)

So could someone with some knowledge please actually READ the darned document and say something relevant about it?

To me it looks like common sense practices:

- Make the software so it could work without administrative privileges except for certain actions. It should work under UAC with a non-administrative account. To me this makes sense. 90 % of all security problems in Windows > XP are gone once you don't work with administrative privileges, IIRC.

- Software is not allowed to make the system more insecure without the user's consent. No firewall changes, no new ports or services, no enabling of services without the user's consent

- don't use code which is already proven to be insecure

- etc.

About the rants security-wise: It is not like everything M$ made in the last decade was a step in the wrong direction.

- starting with XP, the whole end-user system was 32 bit and used a real security model with different types of privileges. It was a real hell to work as a user without administrative rights, but it was possible.

- starting with XP SP2, they implemented a tool to watch if the system has some basic secure settings, the firewall was activated by default and M$ nagged every user to use an AV-product, which makes sense (as a last line of defense).

- starting with Vista, the user still has administrative rights by default, but UAC tries to minimize the threat. The side effect: In order to work under UAC, the software must ask nicely for administrative rights for certain tasks. Thus software generally is more fit to work without administrative rights.

- M$ made MSE available, which *is* a good free AV-product according to different tests. Avira might be as good, but its nag screen every day is really annoying...

- With Win 7, UAC works better and new users are non-admin by default

I completely see your point about the insecure bullshit they did before XP SP2 to all end users or the ways in how they tried to maintain their monopoly. But to me a Windows system is not per se insecure provided someone uses some basic precautions:

- Keep software and OS up to date (PSI?)

OKOK, it is far more easy to keep a standard Linux up to date than the standard Windows because every company uses its own update mechanism. But it is possible...

- Don't work with administrative rights

No Linux user would work with administrative rights permanently, so...

- Use strong passwords in all sensitive areas

NAT, admin password, server passwords,...

- Use your brain before installing software or typing in your administrator's user credentials

Helps...

- Use your brain on links

Helps..

- As a last line of defense (not the only one) use an AV-product

And yes, I know that Linux is more secure for a lot of reasons. But ignoring free guidelines like the one from M$ to develop more secure code for Windows sounds strange to me. It might be that there are better recommendations, but isn't it worth a read until someone comes up with arguments why this document is stupid and not worth reading?

Microsoft preaching security? (0)

Anonymous Coward | more than 3 years ago | (#33409902)

That's like going to a Satanic priest (if there was such a thing) for advice on how to get to heaven! Maybe they want to demonstrate what NOT to do. The only worse company to put out such a document is Adobe.

NonCommercial? (1)

zotz (3951) | more than 3 years ago | (#33409904)

Attribution-NonCommercial-ShareAlike 3.0 Unported

Under some takes on this license, no for profit corporation (the idea is that everything such an entity does is by definition for profit) would be allowed to make use of the licensed work. And who will trust MS not to take such a view, now or at some point in the future once the damage is done...

all the best,

drew

Just PR (1)

HalAtWork (926717) | more than 3 years ago | (#33409956)

This is not meant to be taken seriously, it's just PR so that non-technical folk see headlines like this in the news and think to themselves "Hmm, MS is leading an outreach to help others with security, they sure must know a lot if they're giving away all of this help and information and they must have a lot of confidence if they believe they can help their competition and it won't affect them!"

How sweet the irony... (1)

crovira (10242) | more than 3 years ago | (#33409996)

As Mahatma Gandhi said "First they ignore you, then they laugh at you, then they fight you, then you win."

Ballmer, and one comp-sci teacher, must be rueing the day that Linus questioned the accepted wisdom and started his little OS project.

Re:How sweet the irony... (0)

Anonymous Coward | more than 3 years ago | (#33410136)

Linus questioned the accepted wisdom and started his little OS project.

Yeah, the FOSS community is extremely good at copying existing successful proprietary software & operating systems.

Who Cares? Anyone read what the MS SDL is? (1)

RobertM1968 (951074) | more than 3 years ago | (#33410232)

I know that RTA is not commonplace, so I guess I don't expect many to go even further and go to the MS SDL page, and then go even further to the "What is the Microsoft Security Development Lifecycle (SDL)?" page, but I was bored, so I did.

What is the Microsoft Security Development Lifecycle (SDL)? [microsoft.com]

The Microsoft SDL is a security assurance process that is focused on software development. It is a collection of mandatory security activities, grouped by the phases of the traditional software development life cycle (SDLC). Many of these security activities would provide some degree of security benefit if implemented on a standalone basis.

Ooooh, wow!!!! Microsoft is open sourcing a list of methods that developers should follow to ensure security of their applications!!!! Wow!!!

In other words, (at least from their "What is") this isn't about code. This isn't about APIs. This is about methodology to write secure software.

Think about this... isn't this:
(1) The type of stuff programmers should be taught in college, or self learn from reputable places?
(2) Something Microsoft's track record proves they have limited or no knowledge about?
(3) Something somewhat irrelevant to the Linux and Open Source world?
(4) Something that is more likely simply a publicity stunt? (look how many people think this has to do with actual APIs and such)

So, whoop-de-do!!!! One could already learn this stuff from better sources, implement it in better ways, and gain more knowledge from other companies who are quicker with security updates and better at designing programs with security in mind.

Perhaps developers that use Microsoft's development tools, and Microsoft's frameworks MAY gain some advantage from this, but even that advantage is limited by what security holes there are in those frameworks (.NET and so on) and Windows as a whole.

"Utilising" (1)

Undead Waffle (1447615) | more than 3 years ago | (#33410386)

That is very noble of them to make this available in hopes of "more developers utilising the Microsoft process for developing software".

Unfortunately without an explanation this will go over most people's heads. It's one thing my boss likes to poke fun at...

To "utilise" something is to use it for something other than its intended purpose.

While searching for a good reference, I found this one to be appropriate [msn.com] .

Re:"Utilising" (1)

shaitand (626655) | more than 3 years ago | (#33410630)

What's a "utilise"? I've never heard anyone utilize that term before.

Microsoft hopes that... (0)

Anonymous Coward | more than 3 years ago | (#33410752)

Microsoft hopes that any licence but the GPL will take hold. They're desperate. They don't want you sharing your effort with each other and preventing them from stealing it right back.

Go ahead, use cc, use BSD licence. Microsoft wants you to.
