
Ask Microsoft's Security VP

Roblimo posted more than 8 years ago | from the My-OS-is-better-than-yours dept.

Windows 543

There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week.


543 comments

What has changed? (5, Interesting)

suso (153703) | more than 8 years ago | (#14500849)

Besides the same old PR scripted answers that corporations like to give in order to obscure or downplay what is really going on. What assurance can you give us that Microsoft is more focused on security and that Vista is going to be any different from the previous incarnations of Windows? What proof can you give us? Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" are helpful pieces of information to answer this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?

From what I've heard, even though most of Vista is being rewritten from the ground up with more scrutiny on what code goes into it, it will still have major flaws generated by the way Microsoft works internally as a company.

Re:What has changed? (1, Informative)

Libor Vanek (248963) | more than 8 years ago | (#14500968)

Please mod parent up - it's been 4 years since Bill Gates' statement "Security is priority" and we've all seen WMF bug in Vista beta...

Comments we've all heard 1000 times (0, Offtopic)

Anonymous Coward | more than 8 years ago | (#14500868)

Well you editors keep posting the same story 1000 times, so what do you expect?

You guys are in no position to lecture commenters when you live for the page churners.

Are you afraid? (5, Funny)

no_pets (881013) | more than 8 years ago | (#14500874)

Are you afraid that if Microsoft Security isn't greatly improved in Vista that a chair will be thrown at you?

Re:Are you afraid? (0, Troll)

Anonymous Coward | more than 8 years ago | (#14500907)

That's assuming that anyone in the slashdot crowd would have the physical strength to lift a chair. ;)

Re:Are you afraid? (1)

frodo from middle ea (602941) | more than 8 years ago | (#14501073)

with steve vowing to fucking kill you (TM).

Question #1 (0, Flamebait)

SpaceCadetTrav (641261) | more than 8 years ago | (#14500884)

Do you ever sneak onto Slashdot late at night and laugh at all of the whiney anti-Microsofters?

Differences Between Windows & Other Employers? (5, Interesting)

eldavojohn (898314) | more than 8 years ago | (#14500888)

Mr. Nash, what are the greatest differences and similarities between Microsoft Corp. and Data General Corp., your two most recent employers? Most importantly, how drastic were the changes you saw (not necessarily changes due to job function but changes in general)? What do you like the most and what do you hate the most?

Why does windows security suck so much? (0, Flamebait)

RouterSlayer (229806) | more than 8 years ago | (#14500891)

No, seriously, why?

And do you really expect us to "buy" the BS DRM crapola in Vista?

Surely, you can't be serious!

How will Microsoft feel when Vista comes out and flops and Linux wipes the floor with it?

Windows OneCare status? (4, Informative)

winkydink (650484) | more than 8 years ago | (#14500892)

What is the status of the Windows OneCare program? Is a released product expected soon?

Re:Windows OneCare status? (2)

Epicyon (777863) | more than 8 years ago | (#14500936)

Looks like there's a beta available: http://www.windowsonecare.com/ [windowsonecare.com]

Most regretted design decision (5, Interesting)

VitaminB52 (550802) | more than 8 years ago | (#14500897)

What is the Windows / Internet Explorer design decision that MS, from a security point of view, regrets most?

ActiveX? (0)

Anonymous Coward | more than 8 years ago | (#14501043)

Probably

MS Security (0, Troll)

boogahboogah (310475) | more than 8 years ago | (#14500899)

How are we to know that there are not more back doors built into Windows like the GDI back door ? How are we supposed to trust an operating system that has such obvious flaws built-in ?

How much longer can we hold on... (0, Flamebait)

iotashan (761097) | more than 8 years ago | (#14500904)

About how long can we expect XP to have security patches before we're forced to migrate to Vista?

I have a question for you (1, Insightful)

FidelCatsro (861135) | more than 8 years ago | (#14500905)

Mr Nash, how in the world do you still have a job?
I would of fire my Security VP if we had a track record like MS.

Let's Rephrase That (2, Interesting)

eldavojohn (898314) | more than 8 years ago | (#14501014)

Mr. Nash, you used to work on Microsoft's marketing team and now you're in charge of security technologies, have you ever been to a conference or held a press release where every single person seems to be convinced Microsoft is evil or makes non-secure products (like this parent's author)? How do you deal with something like this? Do you try as hard as possible to convince them otherwise or do you instead try to focus on the better points of Microsoft's products?

Re:I have a question for you (0)

Anonymous Coward | more than 8 years ago | (#14501086)

That's "would have", you insensitive clod!

behold (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14500909)

Let the astroturfing begin. My bet - at least 6 approved questions will be insipid, drooling, MS fanboyism.

Re:behold (2, Funny)

Anonymous Coward | more than 8 years ago | (#14501016)

Let the astroturfing begin. My bet - at least 6 approved questions will be insipid, drooling, MS fanboyism.

Dear President Nash, how are yuo SO AWESOME?!!`1 Can I offer myself to you for free schexx0rings? CAN WE NAEM OUR BABY XBOX 360?!?211!

Patch Release Cycle (5, Interesting)

skywalker107 (220077) | more than 8 years ago | (#14500919)

Did the WMF patch now set a standard that severely high-risk problems will be patched outside of the standard patch cycle? How did Microsoft come to the conclusion that it was important enough to go against what it promised its corporate customers?

Security versus Quantity? (5, Interesting)

dada21 (163177) | more than 8 years ago | (#14500922)

As a Microsoft product user, it has always made me wonder what the User:Bug ratio might be. Do we see more bugs found BECAUSE more users are using a product?

Has Microsoft tracked the "security bug" to user ratio on their products and found that products with fewer users seem to have fewer bugs? If that is the case, I wonder if it is the normal process of higher supply leading to more people spending time looking for bugs.

It is like the population:innovation ratio -- as a population goes up, the amount of innovators being born goes up, too, leading to more innovations.

New Browser? (0, Flamebait)

gasmonso (929871) | more than 8 years ago | (#14500924)

Will Microsoft ship Firefox with Windows Vista in place of Internet Explorer to provide a more secure environment?

http://religiousfreaks.com/ [religiousfreaks.com]

Sure (1)

Shawn is an Asshole (845769) | more than 8 years ago | (#14501076)

Also to be included in Vista: OpenOffice.org

Hell will freeze over before Microsoft includes Firefox. Where's the lock-in in that?

Re:New Browser? (1)

Bogtha (906264) | more than 8 years ago | (#14501118)

Of course they won't. Firefox doesn't support a lot of proprietary things that lots of intranet applications depend on. Can Firefox run HTAs? Does Firefox support VBScript? If Microsoft were to drop Internet Explorer for Firefox, they'd be leaving a lot of customers high and dry, requiring them to rewrite applications before upgrading to Vista.

Personally, I'd like to have an explanation as to why, despite the fact that it hasn't been in active development for ~4.5 years, people are still finding vulnerabilities in Internet Explorer 6 on a regular basis.

Vista (2, Interesting)

gcnaddict (841664) | more than 8 years ago | (#14500926)

I am in the Vista beta program, and the latest build has UAP implemented in a rather annoying way. Seeing as to how 5270 was nearly code-complete, will there be any change in how the UAP is implemented so as to not bug the user? I know many people in the beta besides me are bugged about this issue. (It takes 5+ steps to delete a shortcut on a desktop! Come on!)

Security/user friendly tradeoff (5, Interesting)

qwijibo (101731) | more than 8 years ago | (#14500927)

Is there a general policy within Microsoft to help product teams make consistent security decisions? There are frequently issues where the decision has to be made between being more secure or more user friendly.

For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.

Re:Security/user friendly tradeoff (2, Informative)

ettlz (639203) | more than 8 years ago | (#14501206)

Furthermore, as Windows is (for better or worse) the most widely-deployed operating system, why doesn't it make a better job of educating users about security? (That is, why does it pester me when the AV or update is out of date, or the firewall is off, but doesn't remind me of the destructive potential of doing ordinary stuff as Administrator?)

Can I have a Job? (-1, Offtopic)

drewzhrodague (606182) | more than 8 years ago | (#14500931)

I am looking for work, are you in need of a UNIX Systems Administrator? Seriously! I could, y'know, keep at the back, and not say much.

WMF bug in Vista (1)

Libor Vanek (248963) | more than 8 years ago | (#14500933)

Hi,
after the WMF bug, which (according to Microsoft's own statement) dates from Windows 3.1 (!!!), even if it hardly ever happened in Windows 9x, what exactly have you changed in your security process to prevent these from happening?

Re:WMF bug in Vista (3, Interesting)

TimTheFoolMan (656432) | more than 8 years ago | (#14501198)

To elaborate, what does the security review process look like from the inside (such that other development teams might learn from it)? How does it differ from a code review? Why would this process *not* catch something like the WMF hole, given that this appears to be blatantly erroneous programming (assuming it wasn't intentional at the corporate level)?

My biggest concerns about MS today surround this process, which is completely invisible to the world, but which we rely on for having greater confidence in MS products. Understanding how MS approaches these reviews might make us feel better (or might depress us beyond reason).

Tim

Top priority for security in 2006 (5, Interesting)

Anonymous Coward | more than 8 years ago | (#14500941)

Given that security is a major topic on IT managers' minds these days, with security flaws and patches practically making the front page of some publications, what do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?

security && usability (1)

Russ Nelson (33911) | more than 8 years ago | (#14500949)

Security and usability often conflict. Microsoft has always erred on the side of usability, and, well, you can see the results for yourself. Do you have any magic wand to wave, or do you plan to give up usability?
-russ

flaws (1)

TCFOO (876339) | more than 8 years ago | (#14500951)

Is Microsoft going to look for and fix any critical security flaws before releasing Vista?

Proof (1)

gid13 (620803) | more than 8 years ago | (#14500958)

Those that have been paying attention have repeatedly heard the same old arguments. "More eyes make more security", "Popularity increases the likelihood of being targeted", and so forth. My question is this: If Windows' undeniable popularity increases its odds of being targeted, how can one make a fair comparison of security between it and less popular OS's?

The Credibility gap (2, Insightful)

skyryder12 (677216) | more than 8 years ago | (#14500961)

MS "bundled" its web browser as part of the OS. This decision was in part brought about by legal challenges facing the company at the time. In my view, this was a very poor engineering decision, and the resultant "marriage" of browser and OS has led to repeated security nightmares for admins, companies and individual users. To my mind, the obvious solution would be to unbundle the two. But if MS did that, they would be admitting to perjury in court. I find this lack of judgement and integrity greatly disturbing, and this is a major reason I believe that Microsoft cannot be trusted to make the right, correct or best decision. This is not a happy thought when it comes to my business. My question is, given this past behavior, why should we give ANY credibility to statements concerning security from Redmond?

How is that perjury? (0)

Anonymous Coward | more than 8 years ago | (#14501051)

Microsoft said that the browser was an integrated part of the Windows 98 Operating System. Un-bundling the two in a totally new OS built from the ground up has nothing to do with the anti-trust case. I fail to see, however, what the whole bundling problem is in the first place. EVERY OTHER OS does this, Linux, Mac OS. Who cares if it hurts companies that are trying to sell free things?

Re:How is that perjury? (1)

dc29A (636871) | more than 8 years ago | (#14501157)

IIRC, Microsoft said (in court) that if they had to remove IE from the OS it would break the OS and render it unusable.

Patch Schedule (3, Interesting)

jtdennis (77869) | more than 8 years ago | (#14500969)

Microsoft recently deviated from their normal patch schedule to release the WMF patch. What is Microsoft's reasoning for trying to hold critical patches until a specified date every month instead of releasing them as soon as they're ready?

Will Vista Require DRM/TC Based Motherboards??? (1, Flamebait)

ferrellcat (691126) | more than 8 years ago | (#14500973)

What about future versions after that? How long until you make billions of PCs obsolete overnight?

Post questions question (3, Funny)

nizo (81281) | more than 8 years ago | (#14500974)

Have you started drinking or taking drugs since seeing the questions sent to you by Slashdot? Are you emotionally scarred and bitter now?

Speed factor (2, Interesting)

FortKnox (169099) | more than 8 years ago | (#14500975)

Are many security flaws due to features in Windows that were under a time crunch and needed to be released? Perhaps due to bad testing or some other quality issue.

As an aside, great job Roblimo! What a catch for an interviewee! Not going through a PR person, either. Can't wait to see his replies.

Outside influences on security (5, Interesting)

kalpol (714519) | more than 8 years ago | (#14500976)

Has open-source software such as Linux influenced the way you think about security in Windows, and if so, how?

Question (5, Funny)

specialbrad (884393) | more than 8 years ago | (#14500981)

Did you honestly expect to get 12 serious questions from a group like slashdot?

What is the basic approach to Microsoft security? (5, Interesting)

kickabear (173514) | more than 8 years ago | (#14501003)

Does Microsoft lean more towards rigidly enforced coding standards as a way to prevent exploitable bugs, or does the company focus more on brute-force bug detection during testing?

I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?

SP vs Vista (2, Interesting)

sinucus (85222) | more than 8 years ago | (#14501006)

If security is really a prime concern of Microsoft, why is it that new OS's are now getting the main focus of the dev teams? I don't know the exact number of coders in Microsoft, but it must be above 300,000. Why not have dev teams specific to each OS performing their roles? Why push back SP 3 for XP to develop Vista? Any person who has ever worked in a company knows that most companies lag behind when it comes to OS deployment. Isn't supporting and fixing bugs/exploits just as important to security as releasing the newest incarnation of MS Windows, which just brings on a new onslaught of bugs/exploits of its own?

Re:SP vs Vista (0)

Anonymous Coward | more than 8 years ago | (#14501141)

I don't know the exact number of coders in Microsoft, but it must be above 300,000

At first, I thought you were just exaggerating, but then I realized you were including all the unpaid coders whose ideas are sto-- er, embraced by Microsoft.

Microsoft DOES NOT have 300,000 coders. (4, Informative)

Caspian (99221) | more than 8 years ago | (#14501205)

I don't know the exact number of coders in Microsoft, but it must be above 300,000.

Yeesh. This sort of quote reminds me of when I was a naive little proto-geek, wondering what sort of supercomputer my favorite MU* ran on.

Microsoft has only 60,000 employees [wikipedia.org] TOTAL.

Of that count, surely no more than 50% (and probably much less than that) are programmers. Remember, that count includes not only the veritable hordes of management types and marketroids, but the guys who clean the toilets and the ladies who answer the phones. (And the ladies who clean the toilets, and the guys who answer the phones. And the guys who clean the phones, and the ladies who answer the toilets...)

So you're off by at least a factor of ten.

Question from China (5, Funny)

Anonymous Coward | more than 8 years ago | (#14501010)

Hello, Mr. Nash.

I'm from China and I was wondering [remainder of message censored by People's Center For Internet Enhancement - Powered by Microsoft]

Your Favorite Worm?? (0)

Anonymous Coward | more than 8 years ago | (#14501011)

What's your favorite worm that has affected XP and propagated with little to no user interaction?

MSBlast was real cute, Sasser was also pretty sweet, the MySpace WMF was pretty clever, and obviously CODERED should be honored for its technical masterpiece and effectiveness.

Do you have any personal favorites?

Are you aware... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14501015)

Are you aware that holes found in Windows are as big as your mothers pussy?

Flamebait I guess (1, Flamebait)

hackstraw (262471) | more than 8 years ago | (#14501017)

Simple.

When are you going to start doing your job?

I hate to be so blunt but WTF?

A simple Google search of windows internet explorer [google.com] has as the first two links from Microsoft's website about the product. Seems to make sense.

The next two links are government warnings about the security of their products.

So, what are your plans for doing something about Microsoft products?

(I'm not affected, I don't use them, but many others do).

Re:Flamebait I guess (1)

sinucus (85222) | more than 8 years ago | (#14501081)

Also funny is how all the AdSense ads are how to fix/repair Internet Explorer and yet none of them lead to mozilla.com. Google is slacking in their relative ad department.

Pre-installed (4, Interesting)

schlichte (885306) | more than 8 years ago | (#14501018)

This seems to be more of a problem on pre-installed systems. You get it home, set it up, and it basically boots the OS with its pants down as far as security is concerned.

I know when I bought my Gateway laptop it came with a default login as Administrator and to identify itself on the network, it used the OEM key as its name. I knew enough to change these options and many others myself, but many users do not.

Why is it that Windows offered pre-installed on machines doesn't at least come with some sort of brochure or pamphlet explaining the least a user can do to add any level of security?

Defaults (1)

Cro Magnon (467622) | more than 8 years ago | (#14501035)

Will Vista default to an Admin account with no password?

Legacy Security Issues (2, Interesting)

kortex (590172) | more than 8 years ago | (#14501045)

Some in the industry believe that part of the problem with security gaps in MS operating systems stems from the fact that each new OS release has been entirely built on existing technology. The recent WMF scare seems to amplify the truth in that statement. Apple seems to have had a great deal of success rearchitecting OSX - will Microsoft ever be willing to start from the ground up on a new OS with security being a primary strategy from the outset?

Binary/Backward Compatibility (1)

CockMonster (886033) | more than 8 years ago | (#14501055)

How does MS manage the backward/binary compatibility issues when fixing defects?

Audit of Software (5, Interesting)

WebHostingGuy (825421) | more than 8 years ago | (#14501062)

Certain open source projects such as OpenBSD have routine audits of the software to search for and remove potential security problems. While I understand Microsoft operating systems are very complex, Microsoft does have an enormous amount of talent and resources at its disposal. Is it possible that Microsoft will review all new operating systems in the future with the same sort of audit performed by others? Wouldn't you think this would be worth it to prevent mistakes which could be costly to end users?

Home vs Pro (3, Interesting)

Cro Magnon (467622) | more than 8 years ago | (#14501074)

Will Vista have a watered-down Home version that has fewer security options than the Corporate version?

WinFS (0)

Anonymous Coward | more than 8 years ago | (#14501082)

What kind of better security over NTFS will WinFS have? Any new features, etc.?

Question... (0)

Anonymous Coward | more than 8 years ago | (#14501084)

If you were a tree, what kind of tree would you be?

Do you ever spend time with "average users"? (4, Interesting)

Caspian (99221) | more than 8 years ago | (#14501087)

Time and again, I've seen average end-users-- grandmothers, "soccer mom" types, businessmen-- whose computers are positively clogged to the gills with spyware, viruses, and other sorts of malware, the overwhelming majority of which they were infected with via the exploitation of security flaws in Microsoft software. I'm often tasked with disinfecting their computers.

How often do you (and the members of your team) spend time with average end-users-- not just in large corporate settings but in small businesses and (just as importantly) in real-world home settings? I believe that if you would spend time with Joe Average and see just how badly his computer's performance (not to mention his personal privacy and the integrity of his data) is suffering from the exploitation of certain bugs and design decisions (e.g. the fact that most end-users run with Administrator privileges) in Microsoft software, it would cause a significant shift in Microsoft's security strategy.

No matter how often $LATEST_WINDOWS_VERSION is touted as more secure than its predecessors, I still keep getting called to average homes to remove countless items of spyware which infected Windows systems via holes (and/or poor design decisions, e.g. the handling of ActiveX controls and the abilities they can have to alter files on the system) in Internet Explorer, and to this day (despite the wide use of antivirus software) most end-user systems I examine do contain at least a few viruses (which entered the system via Microsoft Outlook).

What are you doing to secure Joe Average's PC? Do you have any interaction with average end-users? And if not, why not?

Re:Do you ever spend time with "average users"? (1)

sinucus (85222) | more than 8 years ago | (#14501147)

I think one of the quickest and easiest solutions to this problem is to NOT set up the operating user account with Administrative rights. Sheesh! How hard is it to give it "user" rights by default and force them to use /runas?!
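The least-privilege setup this comment and the earlier "Pre-installed" and "Defaults" posts argue for can be checked and applied with a short script. The following is an added example, not code from any Slashdot poster or from Microsoft: it audits which enabled local accounts sit in the Administrators group (flagging any that Windows permits to have a blank password), creates a standard account in the Users group for day-to-day work, and launches a single elevated task on demand, which is the PowerShell equivalent of `runas`. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets; the account name and password in the usage call at the bottom are placeholders.

```powershell
# Added example (not from the thread): audit and fix "everyone runs as Administrator".
# Assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.

function Test-IsElevated {
    # True when this session holds an administrator token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminAudit {
    # One row per local user account in the Administrators group, with a finding
    # for enabled accounts that are allowed to have a blank password.
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

    foreach ($m in $members) {
        $name = $m.Name.Split('\')[-1]               # strip the COMPUTER\ prefix
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $u) { continue }

        $finding = if (-not $u.Enabled) { 'disabled' }
                   elseif (-not $u.PasswordRequired) { 'enabled admin, blank password permitted' }
                   else { 'enabled admin' }

        [pscustomobject]@{
            Account          = $u.Name
            Enabled          = $u.Enabled
            PasswordRequired = $u.PasswordRequired
            LastLogon        = $u.LastLogon
            Finding          = $finding
        }
    }
}

function New-StandardUserAccount {
    # Create the day-to-day account in Users only, never in Administrators.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    $u = New-LocalUser -Name $Name -Password $Password
    Add-LocalGroupMember -Group 'Users' -Member $Name
    return $u
}

function Start-Elevated {
    # Run one program with an elevated token (UAC prompt), the way runas would,
    # so the interactive session itself can stay a standard user.
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList
    )
    $params = @{ FilePath = $FilePath; Verb = 'RunAs' }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# --- usage (placeholder account name; run from an elevated shell once) ---
if (Test-IsElevated) {
    Write-Warning 'This shell is elevated; do routine work from a standard account.'
}
Get-LocalAdminAudit | Format-Table -AutoSize

# Example: create the standard account, then do an admin task on demand.
# $pw = Read-Host -Prompt 'Password for daily account' -AsSecureString
# New-StandardUserAccount -Name 'dailyuser' -Password $pw
# Start-Elevated -FilePath 'notepad.exe' -ArgumentList 'C:\Windows\System32\drivers\etc\hosts'
```

Run the audit first from an elevated shell; any row whose finding reads "enabled admin, blank password permitted" is exactly the pre-installed default the posts above complain about. After creating the standard account, the Administrators membership is used only through `Start-Elevated` (or `runas`), which is what keeps a browser or mail-client exploit from running with administrative rights.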

Industry Standards, CMM? (1)

lmsig (110148) | more than 8 years ago | (#14501089)

Does Microsoft employ industry standard software development best practices such as the CMM system? I work for a level 5 CMM software house and while most of the audit process is a joke there really are some good lessons to be learned from having explicit practices and for using an organization such as CMM to externally audit your practices.

Security vs. Usability (2, Interesting)

EvilEddie (243404) | more than 8 years ago | (#14501090)

Does Microsoft forgo security in order to increase usability or vice versa?

Will you ever sort and modularize Windows? (5, Insightful)

tz (130773) | more than 8 years ago | (#14501094)

The XP Embedded version can be created with or without IE or WMP, but I don't know how many DLLs have chunks of code designed to launch or provide IE or other MS product functionality (designed to give Netscape Users "a jarring experience" in the words of a Microsoft person). Is Microsoft ever going to sort and layer things so that there will be an isolated kernel, application layer, GUI, device drivers, (and if so, when), or is "Windows" going to continue to integrate things, e.g. "The Spreadsheet and Editor are now 'part of the operating system'"?

Rationale: Many security problems are due to everything running as Administrator, with privileges, or as part of the OS. One thing I like about GNU/Linux is that each part is separate, so Firefox runs on X which runs using services, which runs using the kernel, with only the kernel having privileges. Generally a buffer overflow problem in X, or Apache doesn't let someone format my hard drive. Also you can put something to analyze or intercept things between such layers - even things like ltrace or strace.

Windows updates to unregistered machines? (5, Interesting)

Spy der Mann (805235) | more than 8 years ago | (#14501095)

Dear Microsoft Security VP:

I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When he called me for tech support, I told him to download the Microsoft Anti-spyware from Windows Update, but his answer was that it required a registered copy.

My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)

What do you plan to do about this?

Did MS culture change as promised in 2002? (5, Interesting)

dpbsmith (263124) | more than 8 years ago | (#14501106)

On January 17, 2002, p. 1, the New York Times reported, "Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal" and quoted Jim Allchin as saying "Every developer is going to be told not to write any new line of code until they have thought out the security implications for the product" and that "the company was trying to change the culture of its software developers, who have been putting their emphasis on adding features to the company's software to increase its value."

In your opinion, has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?

security through obscurity & the many eyes (2, Insightful)

largenumber (870199) | more than 8 years ago | (#14501116)

What are your thoughts on security through obscurity [wikipedia.org] ? Do you believe the technique works? In what ways do you think the closed nature of Windows prevents the corollary many eyes principle [wikipedia.org] from being used? Do you have any ideas on how Windows could utilize the many eyes principle?

WSUS Release Dates (5, Interesting)

Mr.Fork (633378) | more than 8 years ago | (#14501121)

As a Service Desk manager and network guru for my organization, I am responsible for ensuring that all workstation desktops are kept up-to-date and secure. Currently, Microsoft releases patches once a month, usually on the second Tuesday of the month.

With the current advances in smart viruses and malware, that release schedule seems unrealistic. OS security threats have been addressed with emergency patches, but that does not seem like a sustainable methodology.

What is Microsoft's long-range vision on OS patches to ensure that our Server and Workstation Operating Systems are secure, safe, and patched in a timely manner?

Security holes and MS image. (1)

Tibor the Hun (143056) | more than 8 years ago | (#14501129)

Lots of us on /. have "great" memories of coming in on weekends, staying overtime, or coming in early to deal with bugs, viruses and various problems caused by no fault of ours, but mainly due to holes we could not see or prevent.
This kind of business, in addition to Bill Gates' wildass (and often incorrect) speculation about future technologies and sweat-dancing, chair-throwing antics of Ballmer has jaded our image of MS.

How does MS plan on restoring a serious security image with Vista, which does not seem to offer near the functionality or security of OS X or Linux? Apart from having a firm grasp on the OS market, due to previous monopoly tactics, what is MS doing to give us a better system than these two competitors?

Rewriting Internet Explorer (5, Interesting)

teklob (650327) | more than 8 years ago | (#14501131)

I'm honestly not trying to troll here, but wouldn't it be easier to rewrite IE from the ground up? Have you guys considered this and ruled it out, or have you just not contemplated it? Not to vaguely bash Microsoft, but a large percentage of PC and/or Windows power users would probably consider Internet Explorer 6 a write-off. Any thoughts?

Application software (5, Interesting)

Cro Magnon (467622) | more than 8 years ago | (#14501132)

I realize that Microsoft cannot control what 3rd party software does, but will Microsoft's applications and games run under a limited account, or will they still need Admin access?

Beyond Bugs: User Interface? (3, Interesting)

timster (32400) | more than 8 years ago | (#14501133)

We all know that a very important part of system security is the lack of fatal security bugs. This is a problem that has been very large with Microsoft products in the past, and is reflective of code quality. Fixing these bugs is crucial.

However, even when a security system doesn't have any bugs, it can still be very insecure. We can define "security" in a more general sense as "the extent to which a system is doing what the owner or user expects". The problem is not that the system is capable of malice so much as that the system is capable of malice of which the user is unaware.

How is Microsoft in the future going to design their systems so that users know what is really going on?

Whatever (1, Insightful)

MightyMartian (840721) | more than 8 years ago | (#14501134)

Look, we all know the drill by now. Microsoft looks bad. The guys get somebody who they think we'll all trust, he comes and says "ask me some questions", but at the end of the day, it's all PR. No one from Microsoft is going to honestly answer any question. Not yesterday, not today, not ever. The purpose of all these idiotic "ten questions" or "twelve questions" is purely PR, to try to make Microsoft look good, and quite frankly I have to ask myself why any employee of Microsoft would so willingly whore themselves out for this exercise.

Just ask him when he stopped beating his wife.

With those many developers (0)

Anonymous Coward | more than 8 years ago | (#14501136)

There is something disturbing about security statements and the number of developers.

With the amount of money and the number of developers that are involved in Windows (or so we are told to believe), how is it possible that it has so many bugs (and _critical_ ones)? Don't tell us "such a large code base" and bla bla, because it is hard to believe. Maybe it is a safe bet to say, well, we sell this, customers have to buy it, and we really ... don't care! Can you make a statement about this?

steps to instil confidence? (0)

Anonymous Coward | more than 8 years ago | (#14501140)

What steps have you taken/plan to take for Vista's release to clear the doubts people have started getting about Microsoft's vulnerability? One can see the shift in preference, from the admin to the grandma, away from Windows, the primary reason being the security risks people recently had (WMF, Excel vulnerability, etc.).

And where do you draw the line between security and usability? Windows still has a good reputation for being user-friendly, but it comes at the price of security, unlike OS X.

How do we inform users? (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14501144)

No matter how secure it is, users still want to install apps, games, and browser plugins. Most don't read or understand what they are doing. How can you protect the uninformed from themselves?

Internet Explorer W3C Support (1)

pingwin (656815) | more than 8 years ago | (#14501146)

I would like to ask Mr. Nash if he has any information about when IE will support everything that other browsers do and that is compliant with W3C standards. If Microsoft is to make a product that is used by the majority of the world, wouldn't it be in Microsoft's best interests to give these users everything that is available?

interactions with the corporate side of Microsoft (1)

PrvtBurrito (557287) | more than 8 years ago | (#14501149)

Donald Rumsfeld once said, "You go to war with the Army you have." What is your philosophy on how you work with a large organization such as Microsoft to balance security with the need to meet deadlines and to keep costs low? You know there are going to be exploitable holes (there always are) in an operating system, when do you and how do you know when to say, "OK, we are good to ship this." Does security of future Microsoft applications and operating systems correlate to costs spent on your team?

Oh come on, is this a joke? (1)

EllynGeek (824747) | more than 8 years ago | (#14501151)

Microsoft's abysmal security record speaks for itself, no matter how much PR blather they pour over the holes.

strncpy()/memcpy() & buffer overflows (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14501162)

How many calls to strcpy() are made in the OS?

How hard would it be to replace each and every one with a strncpy()?

Surely, you must have done this by now?

As a coward, I don't expect you'll ever see this, but I felt that I should ask anyway.

Be honest (1)

chord.wav (599850) | more than 8 years ago | (#14501163)

Be honest. Do you actually use IE to surf the Web?

Spyware (5, Interesting)

PetyrRahl (880843) | more than 8 years ago | (#14501168)

Mr. Nash,

In regards to spyware, MS has already taken some steps to try and stem the flow (asking about running exe files, the Spyware Removal Tool, etc.); however, as a consultant I find many of my clients are still infested with the stuff. From my perspective it appears that many users are still affected by these programs and that they are either unaware of how to prevent them in the first place, or of how to get rid of them. Many times it is significantly faster and easier (and in some cases, safer) to just format the machine in question and start from a clean slate. Does MS feel that spyware is still a major problem, and if so, what new measures is MS taking in order to combat it?

Regards,
Petyr Rahl

Why not improve the default permissions? (1)

Colin Smith (2679) | more than 8 years ago | (#14501170)

The Windows security model really isn't bad in theory; in fact it's quite nice, and I wish the standard Unix filesystem permissions were as flexible. However, the implementation of the permissions on default installs of Windows is absolutely terrible; it's a nightmare really tightening them up to make systems secure and usable.

So, my question... When is Microsoft going to tighten up the default configuration of Windows and make application vendors stick to good practice?

I'll make a wild guess at never, however until that's done, securing windows desktop systems is going to continue to be near to impossible.

switch back? (0)

Anonymous Coward | more than 8 years ago | (#14501176)

Give me the top three reasons (from a security point of view) why I should switch back my granny's PC from the "other OS" to Vista.

Marketplace (2, Interesting)

alfalfro (120490) | more than 8 years ago | (#14501179)

Mr. Nash,

Security decisions are usually dominated by economic and business considerations; it's often been said that Microsoft will stop making insecure software shortly after customers stop buying it.

Let's say I'm a shareholder, explain to me why you should be spending money on security. Where and how much is the return on investment?

You will also have to balance many considerations when determining what security to implement. What are the major security tradeoffs/decisions you anticipate making this year?

It's funny that /. has this article today... (1)

master_p (608214) | more than 8 years ago | (#14501180)

...when me and my company's sysadmin are trying all day long to get rid of a nasty new virus (nyxen.d) plus over 85 spyware programs installed on average on any pc on the network.

User privileges (5, Interesting)

azpenguin (589022) | more than 8 years ago | (#14501183)

Many users still don't understand the importance of creating user accounts instead of using the default administrator account. Will Vista work "out of the box" in a manner that will encourage those who are not technically savvy to work under a user account instead of an admin account?

ActiveX and user permissions (1)

Florian (2471) | more than 8 years ago | (#14501187)

Why does the default user account of Windows XP have administrator privileges? Why does it still include technology like ActiveX although Microsoft has developed safer technologies (such as .Net) that could replace it? Why do critical parts of Windows like Windows Update depend on ActiveX?

Industry best-practice out-of-the-box? (5, Interesting)

ZiZ (564727) | more than 8 years ago | (#14501188)

Mr. Nash,

There are a number of industry best practices that any system administrator will tell you are vital for proper security. I will not claim to provide a complete list, but the two that seem to have the most frequent effect on an OS's perceived security are:

  • Minimizing the number of services and processes running (preferably via a service opt-in rather than opt-out policy)
  • Performing all activities as an unprivileged user, with some method of securely and briefly authenticating to higher permissions when required

Windows has been steadily improving on the first point, but the second point has long been a problem for administrators; there is no generally-used near-transparent way for a program to request higher privileges, for instance.

Worse, many third-party (and, for that matter, some Microsoft) programs will fail silently or with obtuse errors if you run them as less-privileged users because they demand the ability to, say, write to system areas - often without warning - and require heroic gymnastics by administrators to resolve (if a resolution is even possible).

Is this issue of least privilege being difficult to achieve being addressed in future versions of Windows? What changes can we expect to come down the line soon and in the near future?

Biggest security threat? (1)

digitaldc (879047) | more than 8 years ago | (#14501189)

What do you feel is currently the biggest security threat to the Windows Operating System and what are you all doing about it?

Beta Testing (1)

Maximilianop (903017) | more than 8 years ago | (#14501190)

Is Microsoft applying a more serious and complete beta testing environment for newer products like Vista?
I mean, the "all the users of the world testing it" approach didn't seem to work very well.
In fact I think the most capable guys, when talking about beta testing, don't bother to free-ride an incomplete product, so the real testing done by users is way incomplete.

As a final question, just for fun really (1)

stunt_penguin (906223) | more than 8 years ago | (#14501191)

As a final question, not just for fun really as we are on the subject of security - this might make a fun closing question..

What's the worst security breach or virus infection that's ever happened to one of your machines at home or at work, and how long did it take you to resolve the problem? Did you lose any work, and did you need any help resolving the problem?

Comparisons with open-source (3, Insightful)

yamla (136560) | more than 8 years ago | (#14501192)

When counts are released showing the number of Windows security holes vs. the number of holes in Linux, the counts generally include software that can be installed from the original CD. With Windows, this includes MSIE, Windows Media Player, etc. On Linux, this includes thousands of end-user applications, programs that Microsoft does not include with Windows. Do you think these comparisons are fair? Would you rather see comparisons to minimal installs of Linux?

Product Activation (3, Insightful)

Shawn is an Asshole (845769) | more than 8 years ago | (#14501193)

Will Vista still have the same annoying Product Activation that only affects legitimate users of the software?

Did you expect anything positive to come of this? (1)

Roj Blake (931541) | more than 8 years ago | (#14501197)

Seriously, even the highest moderated questions will be inflammatory.

Do you actually expect to sway any minds on slashdot?

Current code base review/analysis (1)

Twillerror (536681) | more than 8 years ago | (#14501199)

Over the last few years almost all the big worms and security holes have come about due to the dreaded buffer overflow. What steps has Microsoft made to sweep through your expansive code base looking for such things?
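The two questions above (the Anonymous Coward's "replace every strcpy() with strncpy()" and Twillerror's "sweep the code base for buffer overflows") share a practical caveat that a sweep has to account for: strncpy() is not a drop-in replacement for strcpy(). It writes exactly n bytes and omits the NUL terminator whenever the source is n bytes or longer, so a later strlen() or printf() on the destination reads off the end of the buffer. The C below is an added example written for this page; it is not code from Slashdot, from Microsoft, or from any commenter. The helper names (strncpy_leaves_terminator, fits, bounded_copy) are hypothetical, the inputs are constructed, and bounded_copy() re-implements the BSD strlcpy() contract because that function is not available in every C library.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this page, not code from Microsoft or any commenter.
 * Shows why strncpy() is not a safe mechanical replacement for strcpy(),
 * and what a bounded copy that a code sweep can standardise on looks like. */

/* Hypothetical helper: returns 1 if strncpy() of src into a dstsz-byte
 * buffer leaves a NUL terminator inside the buffer, 0 if it does not,
 * -1 if dstsz is outside the range this demo buffer supports. */
int strncpy_leaves_terminator(const char *src, size_t dstsz)
{
    char dst[64];
    if (dstsz == 0 || dstsz > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);     /* sentinel: shows exactly what strncpy wrote */
    strncpy(dst, src, dstsz);         /* writes dstsz bytes; no NUL if strlen(src) >= dstsz */
    return memchr(dst, '\0', dstsz) != NULL;
}

/* The check an unbounded strcpy() silently skips: does src, including its
 * terminator, fit in dstsz bytes? */
int fits(const char *src, size_t dstsz)
{
    return strlen(src) < dstsz;
}

/* strlcpy()-style bounded copy (re-implemented here; strlcpy is a BSD
 * extension that not every C library provides): copies at most dstsz-1
 * bytes, always NUL-terminates when dstsz > 0, and returns strlen(src) so
 * the caller detects truncation with `ret >= dstsz` instead of never knowing. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz > 0) {
        size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

int main(void)
{
    char buf[8];
    const char *short_in = "abc";           /* constructed sample input */
    const char *long_in  = "abcdefghijkl";  /* constructed: longer than buf */

    printf("strncpy terminates \"%s\" in %zu bytes: %d\n",
           short_in, sizeof buf, strncpy_leaves_terminator(short_in, sizeof buf));
    printf("strncpy terminates \"%s\" in %zu bytes: %d\n",
           long_in, sizeof buf, strncpy_leaves_terminator(long_in, sizeof buf));

    printf("fits(\"%s\") = %d, fits(\"%s\") = %d\n",
           short_in, fits(short_in, sizeof buf), long_in, fits(long_in, sizeof buf));

    size_t need = bounded_copy(buf, sizeof buf, long_in);
    printf("bounded_copy -> \"%s\"%s\n", buf,
           need >= sizeof buf ? " (truncated, caller can react)" : "");
    return 0;
}
```

The second strncpy call above leaves no terminator at all, which is the bug a blind strcpy-to-strncpy rewrite introduces; the bounded_copy() contract both terminates and reports truncation, which is why a sweep should standardise on a helper of that shape (or on the compiler's own bounds-checked variants) rather than on strncpy().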

Inhouse security auditing and patching (2, Interesting)

dtfinch (661405) | more than 8 years ago | (#14501203)

We see news all the time about Microsoft vulnerabilities discovered by third parties and later patched by Microsoft, but I can't recall many being discovered by Microsoft. I often imagine that it's because releasing patches for vulnerabilities previously unknown to researchers and the public creates an unnecessary risk by disclosing the vulnerabilities to anyone willing to reverse engineer the patches, and so the patches are held back until the vulnerabilities are rediscovered outside of Microsoft or until the next major product release, but I'm basing this on nothing more than speculation. What does Microsoft do in-house to identify and patch vulnerabilities that have not yet been discovered by third parties?