
Microsoft vs. Computer Security

Zonk posted more than 8 years ago | from the looking-for-the-right-tactic dept.

Windows 439

ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.


439 comments


No Progress? (1, Insightful)

mymaxx (924704) | more than 8 years ago | (#14441507)

Although Gates made security and privacy top priority four years ago, not much progress has been made. Excuse me? No Progress? Including a firewall with Windows is no progress?

Re:No Progress? (4, Insightful)

fortunatus (445210) | more than 8 years ago | (#14441536)

i must agree: the very "constant stream of patches" is in fact great progress; to have that kind of rapid support, delivered by an automated update system that for me at least works seamlessly, is incredibly good!

Re:No Progress? (4, Insightful)

Philip K Dickhead (906971) | more than 8 years ago | (#14441974)

The whole article is a troll.

It's filled with 'feelings' and 'impressions' by people cited as experts, without examination of their claims - nor an inquiry to factual matters. It describes a dislike, without addressing the basis of the problem, nor posing any other solution beyond disliking Microsoft.

The fact is, you still have millions of Win9x and NT boxes, hanging their gut out on the 'Net. This is and has been the principal problem. Slammer worm? Christ, I blame the crappy network border management, that allowed a local service-discovery broadcast protocol to come in from the Internet without being blocked.

I trust Rich Forno on Unix security. To use him as a source on Windows security is ridiculous. He is anti-Microsoft in bias - irrationally so. Microsoft could buy OpenBSD tomorrow, stick IIS6 on it, and Forno would still rant about the thing.

The WMF problem is a legacy file format. Let's not give MS a free pass on this, but seriously. It's like the zlib problem we had across distributions, a couple years back.

There are some other gross inaccuracies claimed by 'experts' and 'analysts' in this piece. "It is still built on the same legacy code, it is still written without adhering to secure coding practices, it is still thrown to the masses without adequate security testing." That's an assertion without supporting evidence. It doesn't have a factual basis. The MS SDL is a very good security development and testing process, implemented company-wide in 2003. Don't take my word for it. Read the damned thing. This is how to do it in commercial software.
http://msdn.microsoft.com/library/?url=/library/en-us/dnsecure/html/sdl.asp [microsoft.com]

I wish I saw similar efforts from Oracle, or any of the other major commercial software vendors.

It remains to be seen if this methodology is well-executed. Server 2003 is the first full-blown OS released through a full SDL cycle. So far, it has been a reasonably secure system, with limited exposure of default "attack surface", and intelligent choices about vulnerable service and connectivity configurations.

Vista will be the first full SDL derived client. While I may not like the policy enforcement of "Digital Rights" and whatnot in userland, as a system I expect that it will be difficult to exploit or escalate privileges - and that attacks will be localized and isolated in effect. Let's hope so.

Re:No Progress? (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14441545)

Well.. it's the WINDOWS FIREWALL, so it's worse than no progress!!!

Re:No Progress? (5, Insightful)

houstonbofh (602064) | more than 8 years ago | (#14441596)

Considering where they started, just getting to BAD is a tenfold increase! And to be honest, they have come a long way. They just have a VERY long way to go.

Re:No Progress? (1, Funny)

Anonymous Coward | more than 8 years ago | (#14441617)

That is a very true point. Windows has made enormous strides with their approach to security compared to only a few years ago. Granted, their software has a ways to go, but almost any kind of software you can think of is going to have security flaws or bugs at some point.

Err wait.. forgot I'm on /.

Get the hell out of here with your pro-Microsoft trash!

Re:No Progress? (4, Funny)

jmp_nyc (895404) | more than 8 years ago | (#14441636)

That ought to teach Microsoft not to get rid of a publication they owned for a while...
-JMP

Oh, THAT explains it... (1)

Hosiah (849792) | more than 8 years ago | (#14441715)

I read to the bottom of the page, reflected that it was a pretty well-argued article, and then my eyes bugged when I got to the "Slate" box at the bottom. I damn near fainted! Imagine finding a pithy article on quantum physics in a back issue of "Vogue". I even checked out "The End of Moore's Law" and *it* seemed too high-quality to be on the old Slate.

Re:No Progress? (5, Insightful)

vezult (926058) | more than 8 years ago | (#14441640)

Perhaps more accurately, users of windows have made no progress. Quite a few of the worms that have made big headlines over the last few years are ones that make use of exploits for which patches were already available. It's long been said that people are the greatest security problem. And I believe that applies to Microsoft's security problems as well. As long as the education of Microsoft's user base is neglected (or actively refused by some), MS's efforts (feeble as they may seem at times) will have limited success.

Re:No Progress? (4, Insightful)

Breaker_1 (688170) | more than 8 years ago | (#14441689)

Well, some may call that progress, but it's really a band-aid solution to a much larger problem Microsoft appears to be addressing already. Their codebase is OLD, not to mention poorly designed. NT was written as kind of a test bed for new technology. It wasn't originally designed to be a production system. Now, you've got a million people doing a billion different things to who the hell knows how much code. It's hard to make much in the way of progress if you're trying to swim up a waterfall. I think the only way they're going to make progress is to change directions.

Re:No Progress? (1)

Dionysus (12737) | more than 8 years ago | (#14441744)

NT was written as kind of a test bed for new technology. It wasn't originally designed to be a production system.

News to me. You of course have sources to back that up.

Re:No Progress? (3, Informative)

Philip K Dickhead (906971) | more than 8 years ago | (#14442006)

NT was designed to replace VMS at DEC.

It was written to be "OS/2 v3", once Gates poached Cutler's development team.

It was grafted onto the Windows shell as a long-shot, after tensions between MS and IBM began to manifest themselves over the success of Windows 3.0, the failure of Presentation Manager and the differing visions for the future of OS/2.

Drivers for NT were still a lot like drivers for VMS, from the API point-of-view.

Re:No Progress? (1)

whoever57 (658626) | more than 8 years ago | (#14441708)

Including a firewall with Windows is no progress?

Doesn't Win2K have a firewall? What was lacking was a GUI that normal users could use. So, yes, progress, but not really very much.

Re:No Progress? (2, Insightful)

jasontheking (124650) | more than 8 years ago | (#14441901)

putting a nappy on a baby can't be thought of as "progress" in stopping it from shitting itself.

Re:No Progress? (0)

Anonymous Coward | more than 8 years ago | (#14441985)

A baby shitting is a good thing; Window's problem is getting the backlogged shit OUT of itself.

Re:No Progress? (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14442073)

How about basic security capabilities like the ability to not fucking bind RPC to 0.0.0.0. The default for non-enterprise installations should be 127.0.0.1... Get a clue Microsoft!

What is this? (5, Funny)

Anonymous Coward | more than 8 years ago | (#14441514)

Some kind of anti-microsoft site?

digg (1)

queef_latina (847562) | more than 8 years ago | (#14441516)

*cough* http://www.digg.com/ [digg.com] *cough*

Re:digg (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14441682)

Hey baby, why you keep coughing?

You got some cum stuck in your throat again? My bad girl, just swallow and it'll be all good.

It's no secret... (3, Interesting)

gbulmash (688770) | more than 8 years ago | (#14441523)

Their conclusion about why it's plagued with problems: Too many Microsoft programs that have too many direct hooks into the OS to make them play well together (i.e. Media Player, IE, Word, Outlook, MSN messenger, etc.).

Their solution about how to shore it up: don't use IE, Media Player, Outlook, etc.

I hate to sound like a kid, but DUH!

Given, I use Firefox, Thunderbird, and other non-Microsoft programs because I like them better and they tend to work better, but the fact that they're less likely to compromise my system is also a consideration.

Note, though, that I say less likely. We have had bug/security fix releases of Firefox and there was a brouhaha with the GreaseMonkey extension inducing a vulnerability, BUT for the most part it seems the fixes were less frequent than with IE-related patches, plus they usually only compromised the browser, not your whole PC.

That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC.

- Greg

Re:It's no secret... (5, Informative)

toadlife (301863) | more than 8 years ago | (#14441595)

"That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC."

I would like to know where everyone heard this crap, and why they keep repeating it verbatim, because it's a bunch of bullshit. Flaws in Microsoft products have no greater danger than equivalent flaws in any other Windows application.

A remote code execution flaw in IE executes code with the user's rights, and therefore gets access to what the user has access to.

A remote code execution flaw in Firefox executes code with the user's rights, and therefore gets access to what the user has access to.

There is no special conduit that Microsoft apps have to the windows kernel or any other windows system object.

If you browse the web using Firefox while running as administrator and you get hit with an exploit, that exploit will have full access to your system.

Re:It's no secret... (1, Informative)

drinkypoo (153816) | more than 8 years ago | (#14441674)

Hey, at least this guy wasn't claiming that IE was in the kernel, like the last slashbot that decided to argue with me about how Windows is put together...

Re:It's no secret... (0, Troll)

shanen (462549) | more than 8 years ago | (#14441864)

That's not the point, though he didn't say it very clearly. The way I see the problem is sort of philosophical. Microsoft sees the OS as a weapon, and the philosophy of building weapons is that of course you want to make them as big and powerful as possible. Metaphorically, Windows has become something like a swiss army trench mortar that little old ladies drive to church on Sundays, a bit of email, and occasionally use for killing flies. Accidents will happen. Lots of those spam-zombies are 'owned' by such grannies. Power gets abused, and Windows is absolutely way too powerful.

Having identified the problem, I wish I had a good solution. The philosophy of the minimal OS is superior, but it doesn't make money.

By the way, if you're looking for 'the truth' on /., you'll need a pretty big lantern to see past the fog of moderation. Yes, I just got troll modded again. If I was a gamester, I'd be interested in the gaming strategies the trolls use to get mod points. After all, Taco admitted the moderation system is a game.

Do I have an axe to grind? Yeah, it's called 'the truth'. If every liar on /. would designate me as a foe, I'd be delighted--and have a really large freak list, too.

Re:It's no secret... (1)

temojen (678985) | more than 8 years ago | (#14441795)

Yes, it seems that the biggest problems with desktop security seem to be:
  1. Defaulting to run as administrator, and the defective programs that require this behaviour.
  2. Lack of user eucation.
  3. Lack of testing of software to verify behaviour when passed unexpected input.
  4. The ability to include arbitrary code (not just sandboxed code) in file types that shouldn't.

Re:It's no secret... (1)

temojen (678985) | more than 8 years ago | (#14441865)

2. Lack of user eucation.

A prime example! oops!

Re:It's no secret... (1)

sconeu (64226) | more than 8 years ago | (#14441870)

Add another dumb program to the list: The "Friends Trivia Game". The box specifies only Win2K or WinXP, which would lead one to think that it wouldn't require Admin.

WRONG!

I sent their tech support a nasty email pointing out that only sloppy coding practices would cause a game to need this.

Re:It's no secret... (1)

Moofie (22272) | more than 8 years ago | (#14442040)

How'd that work for you?

Re:It's no secret... (1)

MaXiMiUS (923393) | more than 8 years ago | (#14441944)

Results 1 - 10 of about 14,300,000 for Working Internet Explorer Exploit. (0.23 seconds)
Results 1 - 10 of about 785,000 for Working Opera Exploit. (0.31 seconds)
Results 1 - 10 of about 531,000 for Working Firefox Exploit. (0.29 seconds)
Results 1 - 10 of about 448,000 for Working Mozilla Exploit. (0.28 seconds)
Results 1 - 10 of about 434,000 for Working Netscape Exploit. (0.25 seconds)
Results 1 - 10 of about 234,000 for Working Mosaic Exploit. (0.22 seconds)
Results 1 - 10 of about 206,000 for Working Safari Exploit. (0.36 seconds)
Results 1 - 10 of about 34,500 for Working Konqueror Exploit. (0.27 seconds)
Results 1 - 10 of about 71,000 for Working Camino Exploit. (0.23 seconds)
Results 1 - 10 of about 685 for Working Omniweb Exploit. (0.18 seconds)

I haven't even heard of some of those but apparently they're browsers.
http://browsers.evolt.org/ [evolt.org]

Re:It's no secret... (1)

sparkz (146432) | more than 8 years ago | (#14441992)

This isn't exactly representative - given flaws in IE and FireFox, assuming equal severity, the IE flaw would (and must) get more coverage as over 90% of internet users use IE.

Re:It's no secret... (5, Informative)

pete-classic (75983) | more than 8 years ago | (#14442059)

Microsoft has a long history of secret APIs used only by their applications. I remember some sort of hubbub about this around '94 when they were taking over the office suite market.

More recently the DOJ at least accused Microsoft of using secret APIs in support of IE, Messenger, Media Player, and Outlook Express.

I don't necessarily think that you are wrong, but the situation is certainly not as cut-and-dried as you seem to think it is.

-Peter

Whoa! Waiddaminute there! (0)

Anonymous Coward | more than 8 years ago | (#14442084)

>>>> "That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC."

>> I would like to know where everyone heard this crap, and why they keep repeating it verbatim, because it's a bunch of bullshit. Flaws in Microsoft products have no greater danger than equivalent flaws in any other Windows application.

And I would like to know where you have been living. Mars?

Everybody, his wife and the dog knows there are lots of undocumented APIs, registry variables and other animals inside Windows. Everyone knows Office is promiscuously integrated with Windows, so as to start quicker, so as to look leaner, so that Windows erm "appreciators" can say M$-apps can work better, of course, because the OS is also from M$.

Now don't come you, Sir, with your agenda. It's their fault! Their fault, can you hear me now? (a pity there's no emoticon for frothing...)

And what's more? A corollary: if unknown secrets are dangerous, people get scared like the guy from the parent post. Then people start using non-M$ apps on purpose... to avoid M$ apps which _are_ dangerous. Have you ever read Gartner recommending IIS to be avoided? What about everyone being phished with IE?

Therefore undocumented features become a liability. IOW, people want to know -- or want to be assured by those in-the-know -- that the application is secure. I guess open source mentality is becoming mainstream, huh? Who'd say that? If you have your source closed, pray no other company comes up with a free/open alternative, lest you'll eat dust and become history -- or do you think life at M$ has been easy? For starters, I predict they'll need more chairs.

People can be lazy, irresponsible and make Firefox insecure, but it requires a lot more effort than IE.

Re:It's no secret... (1)

The NPS (899303) | more than 8 years ago | (#14442112)

You can get pop-ups from Internet Explorer even if you haven't opened the program, due to spyware on the system. I had a friend with this problem. This was a few years back when I didn't know as much about computers (today, we would have just reformatted) and we tried to fix it by uninstalling Internet Explorer and running Netscape instead. But even with Internet Explorer "uninstalled" and "not running" we were getting Internet Explorer pop-up ads.

Re:It's no secret... (4, Funny)

StikyPad (445176) | more than 8 years ago | (#14441692)

I hate to sound like a kid, but DUH!

Don't worry, we stopped saying that years ago. Now it just makes you sound old.

-Kids

Re:It's no secret... (0)

Anonymous Coward | more than 8 years ago | (#14441703)

It's one thing that a blurb in a non-tech e-rag doesn't know better than to repeat fud myths, but we should know better. These vague "integrated into OS" tales have no actual technical merit - other than lawyerspeak, but forget that, we should care about the facts. Ignorance is not your friend (even if it's just pretending, as an excuse to spread fud).

Re:It's no secret... (2, Insightful)

LOTHAR, of the Hill (14645) | more than 8 years ago | (#14441763)

The real problem is that MS has a billion trillion gazillion lines of code to maintain and retrofit with "secure" code. Much of this code was written in the days when security was an afterthought and bugs were treated as an annoyance, rather than a threat.

Whats even more amazing... (1)

MSFanBoi2 (930319) | more than 8 years ago | (#14441529)

Is that all three of those worm/trojan flaws were fixed by patches that were out, in some cases months, before the release of the attack vector.

Whats even more amazing...Security through age. (0)

Anonymous Coward | more than 8 years ago | (#14441624)

I'd like to see a market breakdown by Windows version. How many of these security issues are with earlier versions?

Re:Whats even more amazing... (4, Insightful)

KiltedKnight (171132) | more than 8 years ago | (#14441687)

Yep. That's what happened with the SQL Server bug that took down a large chunk of Bank of America's ATM network. Six months prior, IIRC, is what my friend told me when the patch was released.

I don't know if I'd chalk this all up to lazy sysadmins. While that's a factor, there's also the IT director at whatever firm who wants "stability." Sure, some of it is sysadmins not paying attention. But some of it is also sysadmins at war with the suits because, "that system cannot go down... not even for maintenance. I don't care if nobody uses it between 1 and 4am or on the weekends." (Yes, I've seen shops like that... those are VERY costly errors on management's part.)

Critical patches should ALWAYS be installed as soon as it is feasible. You should have a test system available where you can install them and run your regression testing, if you're in software development. If all you do is use your computers for word processing, data entry, specific applications, etc, you should, for the most part, be installing those critical patches as they come out. I tell family and friends to do that. My seldom-used windows box here at work gets done by corporate IT, and they seem to stay on top of a lot of that.

Re:Whats even more amazing... (1)

Nom du Keyboard (633989) | more than 8 years ago | (#14441719)

fixed by patches that were out, in some cases months, before the release of the attack vector.

People don't patch. More news at eleven.

The what? (0)

Anonymous Coward | more than 8 years ago | (#14441535)

The Slate .. ?

  The Slashdot seems to have similar problems too, not just your fault

Security is damn hard.. (5, Informative)

Ckwop (707653) | more than 8 years ago | (#14441549)

Computer security will get worse before it gets better. It's the second hardest problem in computing, coming second only to DRM; which is provably impossible to do properly.

The problem comes from many quarters: some theoretical, some practical, some managerial. For example:

  1. We know that it is possible to write secure code in any language and we also know it is possible to write insecure code in any language.
  2. We know that people are generally more prepared to pay for features than security but features are the enemy of security. The more features you have, the more code-paths you have and the more chance that you have a defect in any one of those paths.
  3. We know that schedule pressure leads to crappy code and crappy code breeds insecurity.
  4. We know that the attacker only needs to find one attack that works. We have to defend against all attacks..

I could go on for quite some time.. the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more. If we could just get rid of the overflows that would be a good start!

Simon

Re:Security is damn hard.. (4, Insightful)

pHatidic (163975) | more than 8 years ago | (#14441695)

the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more.

Actually it is all Microsoft's fault. Whether or not they deserve to be vilified for it is another issue. But consider the following:

1) They don't fix bugs they know about so they don't break compatibility with programs that rely on the bugs.

2) They don't submit their code for review by the public.

3) They don't follow security best practices, like turning off services by default.

4) They make their OS less secure by obfuscating design to make it difficult for competitors.

5) They use proprietary data formats.

6) They alter the OS to make it work with their programs instead of designing a solid OS so that anyone can make programs run with it.

etc.

Re:Security is damn hard.. (2, Interesting)

dedazo (737510) | more than 8 years ago | (#14441891)

They don't fix bugs they know about so they don't break compatibility with programs that rely on the bugs.

Unless the bugs are vulnerability vectors this is called 'doing business'. Unlike FLOSSies, software companies write code for profit and part of that means finding workarounds for stupid design mistakes (like using undocumented internals) made by other companies that write software for your platform. Breaking some shareware author's tray icon is not the same as killing Photoshop or Lotus Notes. Read Raymond Chen's blog, you'll be surprised at what lengths they go to to cater to the likes of Symantec, Corel, etc.

They don't submit their code for review by the public.

That's a nice philosophical point, but philosophical nonetheless. If I follow your logic then Firefox would have had zero vulnerabilities the day it was released, and that's not the case now, is it? The "many eyes no bugs" mantra goes south in a hurry when you have a 10-million line codebase and a few hundred actually qualified people looking at it.

They don't follow security best practices, like turning off services by default.

They didn't, but they do now. Server 2003 ships seriously locked down.

They make their OS less secure by obfuscating design to make it difficult for competitors.

Yes... no one writes applications for Windows because its design is "obfuscated". Yes.

They use proprietary data formats.

There you go again with the philosophy.

They alter the OS to make it work with their programs instead of designing a solid OS so that anyone can make programs run with it.

First you complain on (1) that they don't fix bugs to avoid breaking applications and now you postulate that they break compatibility whenever they feel like it so that it works only with theirs. Which is it?

None of those would be problems (1)

jd (1658) | more than 8 years ago | (#14441898)

If there had been a provably correct design from which the coders operated, OR if Microsoft had elected to spend the time reverse-engineering a design, then getting it into a provably correct form, then re-implemented Windows from that design.


You can create bullet-proof software in a totally proprietary fashion. The problem is that bullet-proof code requires far more designers and coders than most companies can throw at the problem. Open Source is good, from that perspective, in that a single company doesn't need to find huge armies of coders.


It would be possible to formally prove Fedora Core, and get it 99.99% bug-free, but Red Hat can't afford to hire the hundreds of thousands of brilliant engineers it would require. However, there probably ARE a few hundred thousand brilliant engineers who have access to the Internet who could perform a complete re-designing and re-implementation on the scale you'd need, who would be willing to volunteer at least a little time to do so.


I've shown elsewhere that this is not true of Microsoft, who really could afford to hire the extra staff needed to completely re-engineer Windows in a provably correct form that would also run at a decent speed. They don't have any of the usual excuses. They burn 6 billion a year on R&D they don't do anything useful with, they have offices in virtually every country so can draw directly on the manpower of every single one of those countries without any work authorization issues. And they could do it all without having to sacrifice their egos or a single line of source.


Theirs is not a fate caused by the limitations of human beings. Theirs is a fate entirely created and sustained by choice alone.

Re:Security is damn hard.. (1)

shanen (462549) | more than 8 years ago | (#14441934)

You're running around the edges of the problem. Why does Microsoft do these things? Because they make more money that way. If they actually had to absorb the costs for their security mistakes, they would have taken a VERY different approach to security.

As current law stands, all Microsoft needs is a cutesy disclaimer in their shrinkwrap/click-through EULA and we're all screwed. They take the money up front, and if there's any problems (and hoo boy, are there problems), we pay to fix them.

Then the punchline. Microsoft will gladly charge us MORE money to 'support' their own mistakes.

  1. Create LOTS of features, and give low priority to non-features like security.
  2. Advertise features aggressively.
  3. ...
  4. Profit!
The invisible Step 3 in this case is obviously "Ignore the costs of the resulting security disasters."

True enough (4, Interesting)

jd (1658) | more than 8 years ago | (#14441791)

However, there are usually solutions. At least, to parts of the problem. The use of formal methods will mean that you can eliminate (almost) all bugs caused through design and makes it easier to validate code for bugs caused through implementation. Unless you also write the compiler (or have access to a formally-written compiler), it is much harder to validate that the binary is correct.


It was noted elsewhere that Microsoft spends six billion a year on R&D. If they hired mathematically-inclined software engineers at 100,000 a go, they'd be able to keep a small army of 10,000 such programmers. You can probably reverse-engineer a specification, prove, then re-engineer the code for about 10 lines an hour. Assuming a 40 hour week, that means they could formally re-engineer 208 million lines of Windows per year. Even with all of the standard applications, libraries and utilities, the team should have an iron-clad damn-near-bugproof Windows within 2-3 years. It wouldn't cost them any more than they're already burning on patents for stuff nobody else cares about, and would save three times the total cost of the bugs to the country within a single year.


The overflows are easier. You compile all the applications with something like ElectricFence, dmalloc, or some other debugging malloc. A few tests at Microsoft should then collect a lot of the overflows. You then recompile such that the debugs won't cause fatal errors but will still generate alerts. You have the Windows error reporting tool collect all those alerts and either notify the user at the time & allow them to send, or send in bulk on the next major error. Microsoft can then fix the overflows BEFORE someone exploits them, because the odds are high that they'll be accidentally triggered long before any black hat learns about them. If only because there are several hundred million users, and most will be trying to do things that are impossible or - at the very least - seriously warped.


Of course, they could also get a copy of the Stanford Code Validator, or even just download a copy of splint off the Internet. Both would pick up the majority of coding errors and allow Microsoft to fix them.


Regardless of which of these solutions is used, a company the size of Microsoft should be able to completely and utterly clean their software of 98%-99% of its defects within three to four years. As the article noted, it has now been over four years since the proclamation of taking security seriously, but yet there is no sign of any kind of rigorous campaign to really eradicate faults. Rather, there seems to be much more of a campaign to make users more accepting of the fact that there are faults.


Not everyone can guarantee 99% fault-free software within a reasonable timeframe. There aren't the mathematician/software engineers, for a start. However, maybe it would be possible to have a standards authority that could certify a software product as "mid-grade" (50% bug-free), "high-grade" (75% bug-free) or "mission-critical" (99.99% bug-free). Software providers could elect whether or not to be certified and consumers would then be free to decide how much quality they want to pay for, because they'd know how much quality was there. Consumers would also be in a stronger position to interpret the lack of such certification.


Thoughts?

What can you do to protect yourself? (2, Informative)

biocute (936687) | more than 8 years ago | (#14441552)

The article is advising people: "Besides avoiding Microsoft products, one way would be to use substitutes whenever possible. If you run Windows or the upcoming Vista, use a different e-mail program, browser, and/or media player than the ones that come in the box. Stay up to date on patches and anti-virus software."

I thought most importantly users should be responsible enough not to simply click on or open anything in front of them.

Re:What can you do to protect yourself? (3, Informative)

Soko (17987) | more than 8 years ago | (#14441653)

I thought most importantly users should be responsible enough not to simply click on or open anything in front of them.

Ummm... the recent WMF vulnerability needed no user interaction, other than visiting a web page or getting an e-mail with a "specially crafted" WMF file disguised as a .JPEG or .GIF file. It wouldn't matter which program accessed the file either - the OS would bypass the extension based MIME type and treat the file as a .WMF anyway, complete with being able to execute code, as WMF files are able to do by design. IOW, there was very little defense for an end user, unless you knew what sites had these files in advance. Users are usually the weakest link in the chain, but not always.

Your first bit of advice was correct - security is a process, not a product, and as such needs to be maintained and thought out in advance. I'd add "Educate users why people want into their machine and here's how they get in" to the list too.

Soko

Re:What can you do to protect yourself? (1)

mallardtheduck (760315) | more than 8 years ago | (#14441799)

Actually, Windows does very little in the way of handling MIME types, so it really does depend on the application. If your image viewer uses the file extension, then a WMF disguised as a GIF or JPEG would just produce an error along the lines of "Bad GIF file."
The WMF vulnerability only affected applications that used the Windows GDI built in WMF rendering API. Other WMF renderers (there are a few) were not affected (at least not in the same way.)

And since when did CAD programs use WMF format?! I've never seen it used for anything other than clip-art.

Re:What can you do to protect yourself? (1)

Soko (17987) | more than 8 years ago | (#14441888)

Quite a lot, actually. I'm going back to AutoCAD 13, but it would save a .DWG as a WMF for you so you could paste your drawing into Word. IIRC, the .WMF format was essentially a dump of what was on the clipboard, and the clipboard in Windows 3.11 and 95 couldn't handle some larger CAD files as metadata, hence .WMF files.

And thanks for the clarification regarding MIME types, though the effect is still the same.

Soko
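The disagreement above (Soko: a WMF "disguised as a .JPEG or .GIF" gets treated as WMF regardless of name; mallardtheduck: an extension-keyed viewer would just reject it) comes down to whether a consumer looks at the file name or at the bytes. As an added example, not code from the thread or from Windows, here is a content-based identifier in C for the three formats discussed, plus a check for the disguised case. The magic values are the documented ones for GIF, JPEG, placeable WMF and the standard WMF META_HEADER; the sample headers are constructed for the example and are not renderable files:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread or from Windows.  Identifies
 * an image by its leading bytes, ignoring the file name, which is what
 * a content-based renderer does and what a mail/web gateway needs to do
 * to spot a WMF travelling under a .jpg or .gif name.  Magic values:
 *   GIF      : "GIF87a" / "GIF89a"
 *   JPEG     : SOI marker FF D8 FF
 *   WMF      : placeable key 0x9AC6CDD7 (little endian D7 CD C6 9A), or a
 *              standard META_HEADER: type 1|2, header size 9 words,
 *              version 0x0100|0x0300 */

enum img_kind { IMG_UNKNOWN = 0, IMG_GIF, IMG_JPEG, IMG_WMF };

enum img_kind sniff_image(const unsigned char *buf, size_t len)
{
    if (len >= 6 && (memcmp(buf, "GIF87a", 6) == 0 ||
                     memcmp(buf, "GIF89a", 6) == 0))
        return IMG_GIF;
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return IMG_JPEG;
    if (len >= 4 && buf[0] == 0xD7 && buf[1] == 0xCD &&
                    buf[2] == 0xC6 && buf[3] == 0x9A)
        return IMG_WMF;                         /* placeable (Aldus) WMF */
    if (len >= 6) {
        uint16_t type    = (uint16_t)(buf[0] | (buf[1] << 8));
        uint16_t hdr_sz  = (uint16_t)(buf[2] | (buf[3] << 8));
        uint16_t version = (uint16_t)(buf[4] | (buf[5] << 8));
        if ((type == 1 || type == 2) && hdr_sz == 9 &&
            (version == 0x0100 || version == 0x0300))
            return IMG_WMF;                     /* standard WMF */
    }
    return IMG_UNKNOWN;
}

/* What an extension-keyed viewer would assume from the file name alone. */
enum img_kind kind_from_extension(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return IMG_UNKNOWN;
    char ext[8];
    size_t i;
    for (i = 0; i < sizeof ext - 1 && dot[1 + i] != '\0'; i++)
        ext[i] = (char)tolower((unsigned char)dot[1 + i]);
    ext[i] = '\0';
    if (dot[1 + i] != '\0')
        return IMG_UNKNOWN;                     /* extension too long to be ours */
    if (strcmp(ext, "gif") == 0)
        return IMG_GIF;
    if (strcmp(ext, "jpg") == 0 || strcmp(ext, "jpeg") == 0)
        return IMG_JPEG;
    if (strcmp(ext, "wmf") == 0)
        return IMG_WMF;
    return IMG_UNKNOWN;
}

/* 1 when the bytes say WMF but the name claims otherwise: the
 * "WMF disguised as .JPEG or .GIF" case from the thread. */
int is_disguised_wmf(const char *name, const unsigned char *buf, size_t len)
{
    return sniff_image(buf, len) == IMG_WMF &&
           kind_from_extension(name) != IMG_WMF;
}

/* Constructed samples (headers only, no records, not renderable). */
const unsigned char SAMPLE_PLACEABLE_WMF[22] = {
    0xD7, 0xCD, 0xC6, 0x9A,  0x00, 0x00,              /* key, handle      */
    0x00, 0x00, 0x00, 0x00,  0x64, 0x00, 0x64, 0x00,  /* bbox 0,0-100,100 */
    0x60, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00  /* inch, reserved, checksum */
};
const unsigned char SAMPLE_STD_WMF[6]  = { 0x01, 0x00, 0x09, 0x00, 0x00, 0x03 };
const unsigned char SAMPLE_GIF[13]     = { 'G','I','F','8','9','a',
                                           0x01,0x00, 0x01,0x00, 0x00,0x00,0x00 };

int main(void)
{
    printf("photo.jpg carrying WMF bytes: disguised=%d\n",
           is_disguised_wmf("photo.jpg", SAMPLE_PLACEABLE_WMF, sizeof SAMPLE_PLACEABLE_WMF));
    printf("pic.gif carrying GIF bytes:   disguised=%d\n",
           is_disguised_wmf("pic.gif", SAMPLE_GIF, sizeof SAMPLE_GIF));
    return 0;
}
```

The point for a defender is the one mallardtheduck makes in reverse: if the thing that ultimately renders the file sniffs content, then a filter that only trusts the extension gives no protection, and the filter has to sniff too.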

Whomever Geeks and Nerds Find Evil... (2, Insightful)

moore.dustin (942289) | more than 8 years ago | (#14441564)

will be under these kind of attacks all the time. Geeks, like everyone else, want to stick it to the man. The man in this case is Gates and Windows. While this does not excuse the flaws and lack of attention at times, it does present another angle. To make an OS as robust as windows without things like this happening is hard to imagine honestly. If Macs were what windows is today, the story would be the complete opposite I assure you. You see the SAME thing in popular games as well. The most hacked games are the biggest and best, not because it is easier, but there are far more people attempting to exploit the system.

Re:Whomever Geeks and Nerds Find Evil... (1)

Hosiah (849792) | more than 8 years ago | (#14441792)

And of course, you have an explanation for the fact that before Microsoft had such enormous market share (check here: http://www.osdata.com/kind/history.htm [osdata.com] : computer history DID NOT begin with MS-DOS), security holes were virtually unknown?

Re:Whomever Geeks and Nerds Find Evil... (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14441858)

And of course, you have an explanation for the fact that before Microsoft had such enormous market share (check here: http://www.osdata.com/kind/history.htm [osdata.com] : computer history DID NOT begin with MS-DOS), security holes were virtually unknown?

Hint 1: While you weren't looking something called the Internet happened.

Hint 2: Read up on fx Unix security history (worms, rootkits, etc.), just for a start.

Re:Whomever Geeks and Nerds Find Evil... (1)

YU Nicks NE Way (129084) | more than 8 years ago | (#14442012)

Two Words: Morris Worm Two more words: Cuckoo's Egg

So where are the Apache worms? (1)

Lifewish (724999) | more than 8 years ago | (#14441915)

If popularity were truly what dictated worminess, Apache would have been overrun long ago.

Re:So where are the Apache worms? (1)

stubear (130454) | more than 8 years ago | (#14441968)

It's not popularity per se, it's really a desire to do harm to something geeks believe did not earn its popularity honestly. I think it's also a sort of "not invented here" syndrome as well. Geeks want their creations to succeed at the cost of all others.

Re:So where are the Apache worms? (2, Insightful)

Lifewish (724999) | more than 8 years ago | (#14442075)

It's not popularity per se, it's really a desire to do harm to something geeks believe did not earn its popularity honestly.
I'd point out that the majority of geeks who code Windows viruses are Windows geeks, and the majority of geeks who genuinely loathe Microsoft mostly use a UNIX variant - either Linux or one of the BSDs. Are you seriously suggesting that there's a large number of Linux geeks who are buying Windows, investigating the grisly depths of the Windows API at painful length and wasting their time producing viruses, all just to piss Bill off? This seems a little implausible...

Apart from anything else, most Linux geeks I know see contributing to open source as a more than sufficient two fingers to Microsoft.

Funny, Free Software Does Not Fail This Way. (4, Insightful)

twitter (104583) | more than 8 years ago | (#14441940)

Geeks and Nerds sticking it to the man, is that what's wrong with Windoze? Is that who's running all of these porn and pill advertising spam serving botnets? I don't think so. Wouldn't a better way to stick it to Bill Gates be to cripple M$ corporate or its "Partners" like CompUSA? Wouldn't people who really want to stick it to the "man" be attacking banks and institutions, you know, the ones who run LAMP without problems but get creamed running IIS.

The popularity argument is pure bullshit. Non Microsoft runs most of the web and anything that's mission critical. Those foolish enough to try making M$ do things live to regret it and it has nothing to do with popularity, Geeks and Nerds but everything to do with marketing and crappy software. Apple, Sun, Linux and every other kind of software works better and none have had the kind of automated worm problems M$ has.

From the above, you can imagine that the functionality and features excuse is also bogus. Operating systems robust enough to provide services over the network can also be made with pretty GUIs that are equally robust. There is nothing a Windoze user can do that I can't do better with free software and many things that I can do that they can't without lots of effort and money. I share my classwork with anyone who's interested and I share my music and movies with myself without any of the problems Windoze users suffer just connecting to a network, reading their email or browsing the web.

When is the big Linux worm coming? Never, thanks to the diversity of excellence that a truly free market for software provides. Free software writers also don't make the mistake of mixing content with executable code, unless they are copying someone else's bad implementation for compatibility sake. Still everyone makes mistakes but that still won't do to free software what it does to M$. As an example, imagine Firefox had a problem. It would get about 1/3 of GNU/Linux users. Why? because the rest of them are using other browsers and all of them can stop using the browser with a problem until it's resolved one or two days later. Because Free Software is all about code, binary problems don't automatically propagate across distributions. A Red Hat exploit might not work on Debian and probably won't on Gentoo and won't do anything to a BSD box. The Free Software fix is always easier too. When things go wrong on a free software box, the user downloads the latest and greatest to fix it. The worst case is a rebuild, which preserves all user data and takes less than 20 minutes. In the Windoze world, the user takes out their "original CDs" or blows a few hundred bucks at the computer store for software that's at least two years old and probably has the same problems. Things are much much more difficult for crackers outside of the M$ monoculture of binary crap.

Re:Whomever Geeks and Nerds Find Evil... (1)

sootman (158191) | more than 8 years ago | (#14441969)

Yeah, same way that Apache, various open-source operating systems, and various open-source databases have had so many more widely-exploited bugs in the last 5 years... you know, because Linux, Apache, and MySQL (for example) drive so many more websites than IIS, Windows, and MS-SQL... oh, wait, THAT'S COMPLETELY WRONG. Windows has LESS market share and MORE exploits. Hmm, I wonder why... You know, maybe, juuust maybe, is it possible that Windows is not designed that well from a security standpoint? And UNIX variants really, truly are better in that department?

Yeah, yeah, yeah, no software is perfect, and I expect a flood of responses talking about this PHPBB exploit and that MT exploit... but count up the REAL, WIDESPREAD, COSTLY viruses, folks. A couple years ago, my company shut down its entire network--I mean, they cut the power to the switches--TWICE, in one year. Why? Because of REAL, ACTIVE, IN-USE Windows viruses.

You know what's cool? (-1, Offtopic)

wicka_wicka (679279) | more than 8 years ago | (#14441565)

If you've ever seen the movie Shattered Glass, the writer who was played by Steve Zahn (Saving Silverman) is the guy who wrote this story.

saying != doing (5, Insightful)

sczimme (603413) | more than 8 years ago | (#14441574)


Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."

Fair enough, but regardless of what is happening in the way of "new design approaches", the current installed base is the problem. The best ways to show dedication to the reduction of security issues would be a) rigorous code review + pre-emptive bugfixes and b) more rapid response to issues that are found elsewhere. There have been improvements, but the sum of the successes will not outweigh the sum of the failures.

Re:saying != doing (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14441749)

I'd argue that Microsoft are at least doing something about security, which is the real reason behind the emphasis on .NET and the resulting integration of it into Vista. When Microsoft can get managed code under so many people's noses at once, they can start to rewrite whole segments of their operating system to run in a more secure environment that is essentially free from the risks associated with buffer overflows. If they did this outright with Vista, there'd be uproar, but keep an eye on the roadmap and the plans for future service packs. More and more of the new features of Windows are built on the .NET rebrand that is WinFX. This is a good thing (tm) for most scenarios, because anything that shows you a GUI and isn't a game is essentially user-bound in terms of performance. Any time your PC is doing nothing, which is the vast majority of the time for the vast majority of users.

Mark my words. .NET isn't about vendor lockin, it's about overflow lockout and reducing the footprint of the NT Kernel's C++ code. Other languages are finally a real option, especially with the growth in hardware specifications, and managed code for many will be the horse that the sales of faster hardware will ride on.

Re:saying != doing (1)

sparkz (146432) | more than 8 years ago | (#14442037)

Oh great, so more untested code (.NET in this case) is the new panacea?

When have I heard this before? Oh yeah, Win95, Win98, Win98SE, WinNT, WinNT4, Win2k, WinXP, Win2k3

(I would have gone further back, but Win3.1 was the original problem; 3.11 seemed to manage to add features without adding serious security problems, somehow)

Re:saying != doing (1)

sparkz (146432) | more than 8 years ago | (#14442021)

Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."

So, all technical arguments aside, Gates has failed to the achieve the managerial decision he has made.

We geeks can worry all we like about the minutiae; Gates, as a manager and businessman, has failed to deliver.

It's like water & fire (-1, Offtopic)

baylanger (780885) | more than 8 years ago | (#14441579)

Don't you get it, I have nothing else to say.

Extending tendrils? (3, Funny)

rts008 (812749) | more than 8 years ago | (#14441620)

FTA:"With the company's security problems still monopolizing the news, you might have expected that Bill Gates would address the vulnerability at the Consumer Electronics Show in Las Vegas. Instead, he boasted how Microsoft's new operating system, Vista, would extend the company's tendrils into your living room. Sure, it might be nice to connect your computer and your television set. But is it worth it to give hackers access to your television?" LOL!!! My prediction? One week after "tendrils" are extended, we have Goatse pics on all of the network's broadcasts- gaping across screens all over America...IN HDTV!!!!!LOL!!!!I can't wait, then maybe will start to wake up about security after getting "spammed" with Goatse on their tv's! HaHaHaHaHA!

Re:Extending tendrils? (0)

Anonymous Coward | more than 8 years ago | (#14442018)

HahahAHahaHaHAHA LOL ROFFLE! *snort*

An interesting look at the whole issue (4, Funny)

ENOENT (25325) | more than 8 years ago | (#14441623)

From TFA: "...Microsoft is still the dominatrix of the desktop..."

Yeah, baby. Tie me to your platform and make me pay.

SHOW ME THE MONEY (4, Insightful)

halo8 (445515) | more than 8 years ago | (#14441637)

tens of billions of dollars to clean up

you know we as a tech community lambast the **AA whenever they (and the media) say a "hacker" did millions of dollars pirating

why do we not do the same when crap like this gets printed?

tens of billions? prove it, thats our job, thats what we do

Re:SHOW ME THE MONEY (5, Insightful)

StikyPad (445176) | more than 8 years ago | (#14441742)

Yeah, I started to make a similar post, but then I decided it wasn't so absurd. Probably on the high side, but it's not as much as it sounds like. 10M IT workers, even if they only averaged a salary of $100/day would be $1B. And that doesn't even factor in possible data loss which would result in users redoing their work.

Re:SHOW ME THE MONEY (1)

oGMo (379) | more than 8 years ago | (#14441838)

And this is vs the claims of the RIAA/MPAA, who seem to do things like multiply the entire cost of making the movie by the number of copies that were distributed, or something equally absurd.

Re:SHOW ME THE MONEY (1)

StikyPad (445176) | more than 8 years ago | (#14441881)

Right, but redoing work is certainly a loss, as is preventing work from being done. That's an actual damage, not a "potential loss" like piracy. Arguably, IT workers are already paid to maintain systems, so you could factor them out entirely.

Unending stream of patches helped MS it seems (0, Interesting)

Anonymous Coward | more than 8 years ago | (#14441639)

That "unending stream of patches" seemed to have made Windows & Win32 API based programs less bug-prone/filled than Unix (and its derivants/offshoots like MacOS X (via BSD) & Linux (via MINIX))!

See here:

http://www.us-cert.gov/cas/bulletins/SB2005.html [us-cert.gov]

As of the year ending of 2005...

(And, yes, guys (specifically the Pro-Linux/Unix/Mac crowd here @ slashdot (you KNOW WHO YOU ARE, lol, the guys that endlessly blast on windows here)) :)

* That's an IMPARTIAL 3rd party that wasn't sponsored by Microsoft, & a gov't. agency that specializes in the area - security!

APK

P.S.=> Considering also that Windows based OS nowadays are the most used out there overall, on the most utilized hardware platform (x86) between personal computers/laptops & servers? That's QUITE an achievement on Microsoft's part imo... (Ducks as the Penguins prepare to flame the hell out of me) apk

The Only Thing... (2, Informative)

Mad Ogre (564694) | more than 8 years ago | (#14441668)

The only thing worse than "Windows" in the common OS versions in use... is the orphaned version of XP called "XP 64 bit edition" that doesn't work with all the tools normally used to resolve security issues. Many applications that we use here in the shop just flat don't work with 64. It looks like MS just took Server 2003 slapped an XP theme on it, and then broke all the strengths of both OS's. As a result, I've got a number of issues over here that I can't get resolved. As soon as I get a decent copy of the latest Vista Beta, I'm just going to make that switch. XP x64 is just about useless because of the security issues. This box is getting hit left and right, and is constantly stumbling. I'm not looking forward to all the new issues with Vista, but at least I won't still be using XP64 any more. (Yes, I've got a Linux partition... but that's not the point)

Re:The Only Thing... (0)

Anonymous Coward | more than 8 years ago | (#14441824)

Maybe you found some, but I haven't found a single app that doesn't run in x64, that isn't a driver. What the hell do you expect them to do?

Microsoft Software Bad (2, Funny)

Nom du Keyboard (633989) | more than 8 years ago | (#14441700)

Microsoft software bad.

There, I've just saved you from having to RTFA.

Re:Microsoft Software Bad (1)

ranolen (581431) | more than 8 years ago | (#14441837)

I'm glad to see that you took the time to qualify your statement. Try giving a good reason next time, and don't follow everyone else by saying there are so many viruses, exploits, etc. as it's has been established and everyone knows that it's all cause there are so many more people trying to exploit MS stuff.

Re:Microsoft Software Bad (1)

drinkypoo (153816) | more than 8 years ago | (#14441928)

it's has been established and everyone knows that it's all cause there are so many more people trying to exploit MS stuff.

First: "[...]it has long been established and thus is well-known that this is because there are so many more people attempting to locate exploits in Microsoft software."

Second: That's a bunch of bullshit. There really are more holes in Windows, and it really is because Microsoft is fucking lame, doing things wrong at every potential opportunity.

Maybe you were just making some kind of joke, in which case you're not funny, or you're being too obscure.

failzors... (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14441716)

anything can escapE them by

Subject is dead on... (0)

Anonymous Coward | more than 8 years ago | (#14441720)

You know when you see something that's right, you just feel it. "Versus" is the only word that appears natural between "Microsoft" and "Computer Security", something inside me just knows...

Easy fix not (1)

Nom du Keyboard (633989) | more than 8 years ago | (#14441747)

So we should all switch to FireFox and Thunderbird because IE/Outlook are the most common browser/e-mail clients, and hence the biggest target. And besides, Microsoft can't write secure code.

Except if we all do switch then FF and TB will become the most common browser/e-mail clients, and there's no reason to believe that Mozilla's coders are that much better than MS's. FF has gone through how many versions these last 12 months?

Re:Easy fix not (4, Insightful)

drinkypoo (153816) | more than 8 years ago | (#14441946)

Except if we all do switch then FF and TB will become the most common browser/e-mail clients, and there's no reason to believe that Mozilla's coders are that much better than MS's. FF has gone through how many versions these last 12 months?

There IS reason to believe that Mozilla's coders are that much better; The most serious hole found in Firefox in some time actually ended up being a hole in Windows.

FF has gone through more versions because they don't release incremental security patches, and because their code is subject to public review. Microsoft does release patches, meaning there are less versions, and their code is not subject to public review, meaning they fix problems only when someone finds one accidentally.

Your arguments are universally specious.

Re:Easy fix not (1)

Sathias (884801) | more than 8 years ago | (#14442118)

It goes to show that the only sure protection is a healthy dose of technological elitism. If you are using a program the plebs aren't then you will be safer from the net nasties!

My Favorite Part of TFA (2, Insightful)

Chabil Ha' (875116) | more than 8 years ago | (#14441780)

I have never read a more scathing remark of Bill outside of /. :

And the next time Bill G. promises to make software that is so fundamentally secure that customers never have to worry about it, ask him what decade he plans to release it.

unfair.. (2, Insightful)

fireiceviperhotmail. (944265) | more than 8 years ago | (#14441790)

this article seems to me a bit on the unfair side of things... i personally have even
stopped caring that much about the many security flaws.. i know there are just too many
found because the os wasn't designed with security in mind.

i'm just gonna wait and see how vista does.


Julien. http://free.hostdepartment.com/8/81fortune/ [hostdepartment.com]

billions (0, Offtopic)

ebooborg (935299) | more than 8 years ago | (#14441810)

where are they getting "10s of billions" from??

i hate these "lets take a large figure out of thin air" articles!

lol (0)

Anonymous Coward | more than 8 years ago | (#14441816)

While I am no MS fanboy (I stick with OS X/Kubuntu and FreeBSD), I think MS are making progress. Since the OS was written years ago (a lot of the original NT shit is still in XP/2k3) there are bound to be security issues. Releasing patches is the best they can do short of releasing a new OS (which they're doing, which is written mostly in .NET where all memory is managed for you, aka little to no buffer overflows). I can't stand MS, I don't like the way they do things, but to say things like they're making no progress? But ultimately it isn't about firewalls and antivirus and patches and anti this anti that. Educating people will do a far better job than giving them some shitty tool.

The article is piece of crap (2, Insightful)

GPFCharlie (98543) | more than 8 years ago | (#14441823)

It makes no comments as to why Microsoft stuff is any better or worse than anything else. There's no mention, let alone a comparison between Microsoft and Linux, Apple, or anything else beyond just a mere fluff sentence.

But beyond that, my biggest issue is there are no FACTS in the damn piece. Everything is anecdotal. How are Microsoft products better/worse? Why? By what measurement?

All this article does is pick on Microsoft because it's the biggest and easiest target, so any flaws make the news. It's like saying Wal-Mart still offers only low wages and busts up unions. Duh - so do a lot of other companies, but Wal-Mart gets the attention because they are the biggest.

Explain how they are better/worse/the same as the mean, or average, or some kind of realistic comparison. This is just a rant, nothing more.

Microsoft's Fundamental Choices Are At Fault. (2, Insightful)

Kozar_The_Malignant (738483) | more than 8 years ago | (#14441833)

Microsoft made the choice to tie things closely to the OS. In particular, their Netscape killing plan was to essentially make IE part of the OS. Outlook also requires the presence of IE to render html mail, or at least it used to. Similar decisions were made regarding hooks to the OS for other Office programs. These decisions were made for reasons of competitive advantage over competing software such as WordPerfect and Lotus.

The consequences of these decisions is an OS with fundamental security issues. Microsoft has an opportunity to change this with Vista, but I'm betting that they haven't.

Re:Microsoft's Fundamental Choices Are At Fault. (1)

drinkypoo (153816) | more than 8 years ago | (#14441971)

Eh, not really. Their plan for killing netscape was to bundle IE. Their plan for avoiding getting nailed for antitrust by the DOJ was to basically make it a part of the OS. It didn't work, but their backup plan of [insert skullduggery here] seems to have paid off.

Massive progress has been made (4, Insightful)

Anonymous Coward | more than 8 years ago | (#14441839)

An insane amount of progress has been made on Windows security. Automatic updates ensure even the most retarded of end users has a chance of being patched, built in firewall has resulted in a significant chance of end users having a firewall, the security added to IE in SP2 has given a whole lot of protection.

It doesn't matter who the dominant OS / company is, the biggest threat to security on anyones computers is the person sitting in front of it.

You can't win a fight against ignorance, misunderstanding or plain stupidity. Microsoft has made some pretty damaging blows and that is commendable.

I think it's time the end users took just a little bit of responsibility for their security issues. It's callous to assume (and blame) Microsoft when so many 'issues' are avoidable with a little common sense.

God help the *nix world if they ever get bundled with the masses of ill-informed, ill-prepared and irresponsible people who use Microsoft software.

I like this whole "vs" thing. (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14441841)

I like this whole "versus" thing. It encourages the idea that Microsoft is against or competing with the idea of Computer Security in general.

Re:I like this whole "vs" thing. (3, Funny)

markana (152984) | more than 8 years ago | (#14441923)

Microsoft is apparently winning.... :-)

At least it's got Security on the run.

Penenberg is an Assistant Professor (1, Interesting)

awitod (453754) | more than 8 years ago | (#14442000)

And I shudder at the realization that this person has students.

Anyone who takes the time to become informed and check facts can clearly tell that many improvements arose from the security initiatives. Patching is far easier and less expensive, the new architecture of IIS is very secure, the new development platform, .Net, is sand-boxed and includes declarative security, and all you need do is go to CERT to see that the number of Windows vulnerabilities is lower than that of *nix.

If I were grading this diatribe disguised as an article I'd give it an F based on the discussion of buffer overflow exploits alone.

He fails not only in his technical analysis, but in the basic tenets of journalism as well.

In short, Mr. Penenberg, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

a word from a joe six-pack (1)

louden obscure (766926) | more than 8 years ago | (#14442002)

might as well tell me ford is grappling with their SUVs blowing tires and tipping over at speed. i don't think i could be convinced to BUY anything as effed up as windows or an explorer (whoa, a naming coincidence or what. hey, both CEOs are named bill too)
i don't buy fisher-price tools to use for my trade (roofing), and i don't use windows on my PCs. i like to think i can logically choose the right tool for the job.

Linux and less headache (1)

MindPrison (864299) | more than 8 years ago | (#14442028)

You know what?

I've noticed that the time I spend learning about my Linux system is far less than the time I wasted when I was using Windows. On Windows I got my "near-daily" "windowsupdater-needs-to-restart-computer" that annoyed me beyond belief because it was usually very inconvenient. And sometimes these updates would completely screw up my installations or drivers.

When I switched to Linux a year ago...permanently, I had a lot of troubles too - mostly learning how to do stuff differently from Windows and entirely new ways of thinking, that was hard and sometimes very annoying too.

But I've come to notice something that I take for granted with Linux... There's no more worms...viruses...silly attacks from script-kiddies. Wonderful! My computer has finally been left alone from all of those daily plagues. I dreadfully remember at work when all the computers went down due to some kind of Sober virus and how worried everyone was about losing their work. And not to mention the hassle of waiting until the network administrator finished the servicing because of these incidents.

I don't even see this stuff on Linux.

So for all it's worth, all the hassle learning and maintaining Linux - it's actually a better world (at least for now).
No wonder Microsoft is worried - imagine if the truth leaks out and people find out on their own? ;) I'm a happy camper.

Not really that accurate (2, Insightful)

KeithIrwin (243301) | more than 8 years ago | (#14442061)

Their overall conclusion that MS products are still vulnerable to security problems is correct, but it is not accurate to suggest that Microsoft has done nothing to address buffer overflows. Now it is clear that they have not done all they could. Specifically, they have not started writing their applications in type-safe languages, and they have only recently started trying to apply automated static analysis to detect buffer overflows in existing code (A technical report about their efforts can be found here). And of course, they haven't even vaguely considered requiring that drivers carry safety proofs (using the proof-carrying code stuff from Peter Lee and George Necula, for instance).

However, they have added support for computer architecture features which guard against this sort of attack, such as flagging data memory as non-executable and requiring jumps into code be word-aligned, features which are available in most new processors. They've also begun loading libraries to random addresses making it much harder for worms to know what address to jump to. Although none of these is a silver bullet which prevents all buffer overflows, they have definitely made it significantly more difficult to exploit buffer overflow errors in both operating system and application code. These features even have benefits to third-party applications.

So although the battle is certainly far from won, suggesting that Microsoft is doing nothing is ridiculous. These sorts of features are not going to be visible to the user in any obvious way, but they are very good steps in the right direction. I'm certainly no Microsoft lover (I have a Mac and a Linux box and tend to avoid MS products), but if you actually keep up on Microsoft's security research and what from that is making it into the operating systems, it's obvious that they're taking buffer overflow attacks very seriously and making progress. The simple fact of the matter is that the reporter has not done his research.

Keith

Yeah they have... (5, Insightful)

jofi (908156) | more than 8 years ago | (#14442088)

As someone said, security is a process and not a product. But for those who bothered to look or care to notice, upgrade from 2000 to XP SP2 is more than eye candy. It is just that the hidden features are ignored by Slashbots and ignorant users alike.

One thing to help would be a default account type in the Users group, and if currently an admin, switch your group to Users. Third parties need to fix their programs that require more privileges (not necessarily admin) after the program is installed because of write access to system folders and HKEY_LOCAL_MACHINE. Vista fixes this, but if you ask me I think MS is only encouraging the bad behavior of a lot of third party programs by providing this method of keeping non-compliant applications compatible with least privilege. (Keep in mind, there are a$$holes like Even Balance who purposely wrote their anti-cheat to require true admin privileges)

Sure they have a firewall... you're screwed as admin because the code that launched can also create an exception for itself via netsh command or damn it all to hell and disable the firewall via "net stop". Malware does do this today, and sad how easy it was stopped.

Don't want to run as non-admin? XP can run specified apps automatically with User privileges even if you are admin (and I am not talking about Run As with a lower privileged account). And for fuck's sake, don't take the default of "SYSTEM" for your apache or whatever server software services.

My Opinion.... (0, Redundant)

MickDownUnder (627418) | more than 8 years ago | (#14442106)

I just think there are some people out there that, no matter how much you may try, you just can't help, and you can be absolutely sure that these people are using Windows.

In short I think the most critical security issue with Windows is the people that use it.

Failzorhs (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14442107)
