
Microsoft No Longer a 'Laughingstock' of Security?

Zonk posted more than 6 years ago | from the set-the-bar-high-guys dept.


Toreo asesino writes "In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable. He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. 'The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we'll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, "So the [Security Development Lifecycle (SDL)] is a failure right?" No it isn't. It was our aspirational goal that the SDL will get rid of every bug.'"


282 comments

the bar is set so high. (4, Interesting)

yagu (721525) | more than 6 years ago | (#20696347)

I have to sometimes wonder how, when security is considered so important, how Microsoft has been allowed to take so long. It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.

It kind of reminds me of the cell phone industry and their "high" standard where they get away with advertising braggadocio like "the provider with the fewest dropped calls". It's funny, I grew up with a phone infrastructure where I never experienced a dropped call -- granted, a less complex (wired) achievement, but had "wired" phone service been invented today, I suspect the standard would have been "less dropped calls", too... because maximized profit dominates the industries' collective motivations, not quality products.

(Case in point... if you'd ever owned the amazing Harmony() remote controls before they were bought by Logitech, they were wonderful devices -- rock solid, great feel to them... now, they're sexied up with cheap buttons, lousy feel, and questionable reliability. And get ready, Logitech just bought Slimline devices. Thought the Squeezebox was a great gadget? Better get the remaining quality ones before profit-think forges it into a cheap crappy imitation of its former self.)

And, to save you all a little time.... mod(self, -1, offtopic);

rear-view mirror (5, Interesting)

Anonymous Coward | more than 6 years ago | (#20696435)

Inasmuch as this constitutes any sort of admission that Microsoft products were not always exemplars of good security, it should not be forgotten that Microsoft has always insisted that they were.

So really, they are not saying anything different than they have always said. "Back then" when their products were insecure, they insisted that their products were secure. Now, they are admitting that "back then" their products were not secure, and are continuing to insist that their products are secure.

Why should we believe them? Once bitten, twice shy, and with good reason.

May we be... (0, Insightful)

Anonymous Coward | more than 6 years ago | (#20697079)

...the first to admit then that all other operating systems and vendors have said the same thing time and time again, including yours truly "Linux". Don't get cocky.

Re:the bar is set so high. (2, Insightful)

nine-times (778537) | more than 6 years ago | (#20696583)

It's also a bit funny to consider how high the bar is set that they get credit for achieving "no longer the laughingstock..." status.

Do you mean how low the bar is set? It seems kind of funny to me to hear someone from Microsoft admit that they were a laughingstock, and that they're looking for kudos for not being a laughingstock. It reminds me of Chris Rock's bit about people who brag, "I've never been to jail!" What do you want, a cookie?

Anyway, I guess it's true that Microsoft has gotten more secure and therefore isn't as much of a security laughing stock. There's still something to make fun of in how annoying UAC is, but I guess it's better than what they had before. So... yeah, I guess I'll give it to him. Microsoft is no longer a security laughingstock. They're just a marketing laughingstock for producing the disaster that is Windows Vista.

Re:the bar is set so high. (1)

Captain Splendid (673276) | more than 6 years ago | (#20697235)

And get ready, Logitech just bought Slimline devices.

Fucking hell. I just went 10 rounds with a Logitech Quikcam and lost. Better splurge on that Squeezebox, I suppose...

Says who? (3, Insightful)

A beautiful mind (821714) | more than 6 years ago | (#20696357)

I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.

Old, corroded, closed, insecure "standards" (1)

0p7imu5_P2im3 (973979) | more than 6 years ago | (#20696481)

I'm just surprised that the various governments of the world have let so many state secrets get locked up in Microshaft's closed, insecure standards. If Microshaft ever folds, the only people that will be able to access those old documents that tell you how to turn off that automated attack system of yestercentury are the Chinese hackers.

Re:Says who? (4, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#20696525)

I'm sorry, respect in security is like with all kinds of respect. It is earned, not demanded or bought.
But look [Allow | Cancel] "Allow" at how much more [Allow | Cancel] "Allow" secure Microsoft's [Allow | Cancel] "Allow" products are [Allow | Cancel] "Allow" today!

How can you [Allow | Cancel] "Allow" say that they [Allow | Cancel] "Allow" are still a [Allow | Cancel] "Allow" laughingstock?

Re:Says who? (1)

HartDev (1155203) | more than 6 years ago | (#20696593)

Hahahahaha I bet that was very frustrating to write out, let alone have to deal with!

Re:Says who? (3, Funny)

somersault (912633) | more than 6 years ago | (#20697119)

I wonder if anyone's ever tried 'cancel'.. I'm guessing that doing so would cause the machine to hang.

Re:Says who? (1)

cepayne (998850) | more than 6 years ago | (#20696541)

Apparently you aren't listening hard enough.....they are a security company now (cough, gag)

Re:Says who? (0)

Anonymous Coward | more than 6 years ago | (#20696547)

When was the last time we saw a Code Red or Nimda? Nowadays Windows 2003 servers are rock solid and very secure. It's not perfect, but MS made a lot of progress in securing the OS.

Re:Says who? (3, Interesting)

mpapet (761907) | more than 6 years ago | (#20696679)

You've never noticed the Microsoft public relations juggernaut then.

I admin a combination of 2000/2003/2003r2 boxes and there are still things that make a security-minded sysadmin's head spin.

-The boxes *still* advertise and have a great number of open ports.
-Root is *still* allowed remote access by default. System root, under a domain controller still advertises itself as ready and waiting for you to login.
-Did I mention root remote control is still enabled by default?
-I doubt most win32 sysadmins have any idea the number of undocumented systems logging in and doing who-knows-what to the system. If they configured and read their logs the way I do, at least a few of them would wonder what the heck is going on.
-Don't get me started with their Rube Goldberg security objects system. Complex and extremely difficult to use, yet exceptions abound when trying to simultaneously harden a system and keep the undocumented features from throwing errors.

Their security reputation has been purchased and PHB's everywhere are lulled into another false sense of security. The good news is I'll never run out of work because they require so much baby sitting compared to a Linux server.

Re:Says who? (1, Informative)

Anonymous Coward | more than 6 years ago | (#20696849)

-Root is *still* allowed remote access by default. System root, under a domain controller still advertises itself as ready and waiting for you to login.

What exactly do you mean by remote access? Are you talking about Remote Desktop being enabled by default? AFAIK it is disabled by default in Windows Server 2003. If you aren't talking about RDP, can you please elaborate what you mean by "remote access"?

And what about a domain controller advertising itself? First of all, Windows Servers are not domain controllers by default. You either have to create a domain or promote a server to be a domain controller. Second of all, I don't know what you mean by advertising itself, other than some type of NetBIOS broadcasts on the network? As far as the server "waiting for you to login", that's the point of a domain controller. And it's not like anyone can just randomly log into the domain controller without proper authentication. Workstations/servers are required to join the domain using an account with proper credentials (at least "server operator" group I believe). If a computer is trying to access domain resources without being on the domain, they are still required to be authenticated.

Re:Says who? (1)

The Faywood Assassin (542375) | more than 6 years ago | (#20696929)

You are so right.

Besides, this upgraded security will only be seen on the "next" version of its OS. Screw the millions of security vulnerabilities out there right now!

Riggghhhht! (3, Funny)

Mikkeles (698461) | more than 6 years ago | (#20696367)

Now we just snicker and giggle!

Translation (1)

symbolset (646467) | more than 6 years ago | (#20696555)

It's not funny any more.

Was it ever?

It's SO right nobody on /. proves otherwise (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20696737)

See this URL where over 30++ /.'ers ran from a challenge regarding Windows vs. Linux security, in a thread post here on /., regarding "Hardening Linux" no less:

SLASHDOT POST ABOUT "HARDENING LINUX":

http://it.slashdot.org/comments.pl?sid=267599&threshold=-1&commentsort=0&mode=thread&cid=20203061 [slashdot.org]

(That's where no *NIX person here on this site, & others, could do a better job on a multiplatform test of security based on best practices for each OS platform than a Windows Server 2003 user could!)

The *NIX folks were challenged on this site, who stated things along the lines of:

"(Insert *NIX variant here) is more secure OR securable than Windows"

& then, this image which backs it:

http://img.techpowerup.org/070828/APK_AToutLeMonde_85.185CISToolScorePhotoProof.jpg [techpowerup.org]

Which proves the test results on a multiplatform test of security called "CIS TOOL" (by the Center for Internet Security) which has been noted as a tool to help secure yourself by BOTH Computerworld & SANS (sites often cited here on /. no less, regarding security data):

Here is the outline for achieving that 85.185 score on CIS TOOL, for Windows users:

http://forums.techpowerup.com/showthread.php?p=375355#post375355 [techpowerup.com]

It works & so much so, it tends to "silence the F.U.D." spreaders here on /. about Windows vs. Linux (even SeLinux &/or BSD variants as well) regarding securability of them all, since nobody from /. has exceeded that score a Windows Server 2003 user achieves on it, despite their constant "Windows is not secure as *NIX" fud.

Seems the only person able to do what you stated here:

Now we just snicker and giggle! - by Mikkeles (698461) on Friday September 21, @10:53AM (#20696367)
Is the person who made the FUD spreaders @ /., look extremely foolish & unable to back up their b.s....

my opinion of MS security (0)

Anonymous Coward | more than 6 years ago | (#20696393)

As a $1000 per hour Foundstone security consultant (you'd know my name, I'm extremely famous - ok I'll give you a hint, my name rhymes with Fan Darmer), I am inclined to agree. MS products are now completely secure. I know, because *I* can't hack them.

Re:my opinion of MS security (5, Insightful)

BUL2294 (1081735) | more than 6 years ago | (#20696641)

Unfortunately, Microsoft's security problems are masked, not fixed. Seriously, software firewalls should not need to exist. All software firewalls do is cripple other code running on the OS (drivers, services, programs, etc). Fix the underlying code and don't default to running services that home users will never need and, presto, no need for a firewall...

Someone at M$: "XP with IE is full of 'critical' security holes."
Someone's manager: "Let's write a firewall and we can get away with calling those security holes 'important' and not fix them."

Re:my opinion of MS security (1)

deftcoder (1090261) | more than 6 years ago | (#20697133)

Really?

I use netfilter on my laptop running Debian Linux for various things, and it seems to do the job acceptably.

Of course, I don't run any day-to-day programs as a user (read: root) who can actually use iptables to change my rules either.

Oh well.

Get that man a dictionary! (4, Funny)

navygeek (1044768) | more than 6 years ago | (#20696421)

No Longer a 'Laughingstock' of Security

He keeps saying those words... I do not think they mean what he thinks they mean...

Re:Get that man a dictionary! (3, Funny)

provigilman (1044114) | more than 6 years ago | (#20696571)

My name is Scott Charney, you laugh at my company, prepare to die.

Re:Get that man a dictionary! (0)

Anonymous Coward | more than 6 years ago | (#20696605)

Yes, but he too is lefthanded!

STILL the Laughing Stock! (0)

tjstork (137384) | more than 6 years ago | (#20696429)

Now, Microsoft has Windows and IE asking so many security messages, that the users automatically say yes, once again, reducing all of their efforts to ashes. And you still can't run IE under a separate user account.

Re:STILL the Laughing Stock! (5, Informative)

Bill Wong (583178) | more than 6 years ago | (#20696539)

And you still can't run IE under a separate user account.
Uh, sure you can?
Shift-Right-Click -> Run-As -> The-Following-User?
I do it all the time...

Use "Runas" in a command prompt (1)

0p7imu5_P2im3 (973979) | more than 6 years ago | (#20696553)

Yeah, you can. Right-click and choose "Run as..." or pull up a command prompt and use the "Runas" command specifying a separate user and pointing to "C:\Program Files\Internet Explorer\iexplore.exe"

It may not be exactly like that in Vista but it works perfectly in XP even if explorer has been blocked for alternate users.

Re:STILL the Laughing Stock! (2, Insightful)

alexhs (877055) | more than 6 years ago | (#20696639)

Now, Microsoft has Windows and IE asking so many security messages, that the users automatically say yes, once again, reducing all of their efforts to ashes.
When a program asks the user to "confirm" (without even authentication) for each byte it receives from the network (without much clue about the signification of that byte), you can't say the user is reducing their security efforts to ashes. Asking the user to be the IP stack is not the solution.

I'm exaggerating of course, but I hope you get the point, asking an uneducated user is not a security measure.

And you still can't run IE under a separate user account.
I think you're wrong on that point, there's no reason runas wouldn't work.

Re:STILL the Laughing Stock! (1)

MyLongNickName (822545) | more than 6 years ago | (#20696685)

I'm exaggerating of course, but I hope you get the point, asking an uneducated user is not a security measure.

You are severely exaggerating this. I get the message a lot, only because I do a lot of configuration. But overall, the average user will only get questioned on things that are really important. If you are saying the average user cannot even be trusted to do this, then you may as well have Microsoft hold the administrator account, and you need to call them to install anything (at a small fee).

Overall I hate Vista with a passion. See my prior comment in the history for evidence of this. However, I believe they have made great strides in the security realm.

Re:STILL the Laughing Stock! (0)

Anonymous Coward | more than 6 years ago | (#20697299)

asking an uneducated user is not a security measure.

But combined with appropriate phrasing in the EULA, it can create the perception that any legal responsibility for security breaches is shifted squarely to the user. Security thus becomes a simple matter of user training (ooh, that's SMUT!)

That clear shift in responsibility helps secure Microsoft's continued profits and market dominance. In general, smutty security practices are a good thing for they advance the core stuff Microsoft is all about.

Re:STILL the Laughing Stock! (0)

Anonymous Coward | more than 6 years ago | (#20696743)

Now, Microsoft has Windows and IE asking so many security messages, that the users automatically say yes, once again, reducing all of their efforts to ashes. And you still can't run IE under a separate user account.
Moderators are on crack again? Why is this modded "insightful"? It's full of false information.

First, have you ever run IE7? The only security warnings you get are for Radioactive-X controls (which nowadays no major site has any). And those who have em, are probably malware anyways. So you are better off with a warning. And second, the other warning you get from IE are for SSL certificates the browser can't validate properly (fake, self signed, whatever...). The same stuff Firefox will also warn about. So what are these "many" security warnings? Every fricking browser will warn you about SSL stuff and executables. Not saying IE7 is perfect, but let's not spread FUD ... oh wait, it's ./. My bad.

Then there is IE running under separate user account. Hit the start menu. Hit execute. Type in cmd.exe and hit enter. You will see a command prompt appear. Now in that window type runas /user:(username) iexplore. Tada! Done. You can also simply create a shortcut and right click and select run as option.

I wish people like you would start actually using IE and Windows before spreading FUD...

Re:STILL the Laughing Stock! (1)

0p7imu5_P2im3 (973979) | more than 6 years ago | (#20696885)

Now in that window type runas /user:(username) iexplore.
I don't know about Vista, but that wouldn't work in XP. You have to specify the entire path to iexplore because the IE directory is not in the PATH environment variable.

Re:STILL the Laughing Stock! (4, Funny)

GreyPoopon (411036) | more than 6 years ago | (#20696809)

Now, Microsoft has Windows and IE asking so many security messages, that the users automatically say yes, once again, reducing all of their efforts to ashes. And you still can't run IE under a separate user account.

You are considering becoming complacent and answering yes to all security pop-ups. Accept or Deny?

not there yet (2, Interesting)

Reader X (906979) | more than 6 years ago | (#20696441)

I concede that MS is not the laughingstock that it once was, but they are a ways from the respect that some of their competitors of similar scale (cough*IBM*cough) have long since earned. Eliminating the repeat vulnerabilities such as the recent ANI vuln might be a good place to start.

Re:not there yet (0)

Anonymous Coward | more than 6 years ago | (#20697187)

Ah, but it is worthy to note that in Vista it was not possible to exploit the ANI vulnerability through a malformed animated cursor on a web site using Internet Explorer 7.0 with default security settings. Well, technically, yes, it was possible to exploit, but because the process was sandboxed the malicious payload would not be capable of causing any damage to the system, even to the current user's own profile.

Vulnerabilities will pretty much always exist. Good programming practices will help to reduce them considerably but all it takes is a little mistake, or a third party plugin, and you're back in the same situation. This is not a situation unique to Windows. The best we can really do is to reduce the attack surface for directed attacks and attempt to mitigate the damages for user initiated malware. Jail the browsers, as Vista is doing, so if the user does happen to visit a site that contains a payload, even in a third party plugin, the malware can't do anything.

I say, set a standard (5, Interesting)

downix (84795) | more than 6 years ago | (#20696443)

I'm thinking (in part to stroke Theo's ego a bit) set OpenBSD as the security standard out there. Every OS, compare it security-wise to OpenBSD. Put a "percentage" for how secure, then we can see hard numbers for how secure an OS is out of the box.

Re:I say, set a standard (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20696687)

The only thing OpenBSD sets a standard for is having a complete cockshiner in charge of the project.

If you want a project with a world class cock wallet in charge, look to OpenBSD.

Re:I say, set a standard (0, Troll)

0p7imu5_P2im3 (973979) | more than 6 years ago | (#20696951)

The only thing OpenBSD sets a standard for is having a complete cockshiner in charge of the project.

If you want a project with a world class cock wallet in charge, look to OpenBSD.
... or look to Microsoft...

Re:I say, set a standard (1)

Barny (103770) | more than 6 years ago | (#20696759)

Hey, that could be good, since it would be an "out of the box" test, it might even stop MS from having IE as part of the OS.

"where would you like to go tod..."

"ahh shit, it's got smitfraud again"

Re:I say, set a standard (1)

forrestt (267374) | more than 6 years ago | (#20697377)

I say do it the other way around. Make Windows the standard and measure every other OS in Window Security Units. Then you can have a measurement on the box sort of like how Scoville Units [wikipedia.org] are used for hot sauce.

Yeah, unrealistic (1)

hotfireball (948064) | more than 6 years ago | (#20696449)

The challenge is really quite often in dealing with unrealistic expectations.
Rather unrealistic results... Windows is really wonderful: full of things to wonder about.

Of COURSE they're not the laughing stock... (5, Funny)

15973 (861573) | more than 6 years ago | (#20696457)

...now if you'll excuse me, I have to go delete the spam that was sent from a botnet of computers that are running a series of a particular OS that shall remain nameless...

Re:Of COURSE they're not the laughing stock... (1)

MyLongNickName (822545) | more than 6 years ago | (#20696519)

If a user becomes a part of a botnet because the user just must download the cool new toolbar, is it the fault of the OS? If the user chooses to use administrator privileges? What stops a linux box from being the victim of a similar program?

Re:Of COURSE they're not the laughing stock... (2, Insightful)

Spy der Mann (805235) | more than 6 years ago | (#20696667)

Not all botnets are spread with a browser toolbar. Most of them infect unpatched machines via insecure open ports. Linux is safe from these, while Windows is not. My specific concern is pirated machines which CANNOT be patched due to Microsoft's policies (see my nearby post).

Re:Of COURSE they're not the laughing stock... (4, Insightful)

mattpalmer1086 (707360) | more than 6 years ago | (#20697161)

Yes, it is the fault of the OS. No, linux isn't any better in this regard. They all essentially use the multi-user (on a single box), non-networked security models devised in the late 60s and early 70s.

Why should downloaded (i.e. tainted / potentially unsafe) code have any rights at all except to its own files by default? Should it be able to read your documents, open a network connection and send them out? Should it be able to format your disk? Hell, why even have a globally accessible file system at all?

We can't improve the users much, so we're going to have to improve the OS. Actually, some of the early security models were much better than the ones we use now, but carried too much overhead for the machines of the day.

Mod parent insightful! (1)

Spy der Mann (805235) | more than 6 years ago | (#20696625)

I had asked Microsoft's Security VP, Mike Nash, about the problem of infected pirated machines [slashdot.org] . And what did he say?

"It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected. They are using stolen software."

In other words, we ALL are suffering spam, viruses and worms because Mike Nash got picky about not providing security to "stolen software".

It $hould be clear now that Micro$oft got their prioritie$ $traight. Right?

Re:Mod parent insightful! (2, Insightful)

geeknado (1117395) | more than 6 years ago | (#20697177)

I agree with you principally on one point-- this is everybody's problem-- but realistically, how is Microsoft going to support owners of pirated software? Let's assume for a moment that they don't just download a version of the OS that's already rooted by something nasty...By the very nature of the thing, these OSs aren't going to be consuming automated updates and thus maintaining a current patch level.

There also seems to be a disconnect here-- if pirated Windows machines are presenting a problem that everyone has to face, why do we blast Microsoft for its desire to see these machines taken offline? Moreover, why are we putting "stolen software" in quotes when we're talking about people who're actually willfully using unlicensed software?

Is the idea here that pirates are "good" because they're not playing the "evil" Microsoft's game? Is Microsoft still more "evil" because they aren't improving the security of machines that are already well out of the bounds of their support model?

Re:Mod parent insightful! (1)

MotorBheaded (1156281) | more than 6 years ago | (#20697201)

Why should a company be bothered to provide support not to their clients, but to users who pirated /stole the product? OK, one may argue it's MS themselves who fostered piracy to establish their monopoly...

Botnets (3, Insightful)

Megane (129182) | more than 6 years ago | (#20696463)

So Microsoft is so secure that those botnets with hundreds of thousands of zombie computers running Windows will disappear overnight? Great!

A good example - IIS (5, Insightful)

duplicate-nickname (87112) | more than 6 years ago | (#20696467)

I think a good example of this is how many security problems have been found in IIS in recent years. For example, go to the MS Security Bulletin site and look up bulletins for IIS 6.0 compared to IIS 5.0 -- http://www.microsoft.com/technet/security/current.aspx [microsoft.com] .

There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.

Re:A good example - IIS (1)

porkThreeWays (895269) | more than 6 years ago | (#20696657)

IIS and SQL server were the biggest laughing stocks. The slammer worm (I think that was it anyway) was the fastest spreading worm ever at the time. It may still hold this record. It spread around the world in just a few minutes. While I would still only say their security is average and many times they don't take it seriously, they had a responsibility to their shareholders to clean up their act after the many embarrassing SQL server and IIS worms. It's not nearly as bad as it was at its crest.

Re:A good example - IIS (2, Insightful)

masdog (794316) | more than 6 years ago | (#20697021)

Slammer was embarrassing, but that one was hardly Microsoft's fault (although they do share some blame). They had released a patch for that vulnerability six months before the attack occurred.

Security isn't just something you can pin on the software vendor and expect them to solve all your problems. It takes good system admins to keep the systems up-to-date with security patches and have them on a network that is designed for security.

They left the port open. (3, Insightful)

khasim (1285) | more than 6 years ago | (#20697293)

Slammer was embarrassing, but that one was hardly Microsoft's fault (although they do share some blame). They had released a patch for that vulnerability six months before the attack occurred.

Yes, they had.

But the problem was that that port was left OPEN on machines that DID NOT NEED IT OPEN.

With security, you CANNOT rely upon the end user to keep current on patches. Your system HAS to be able to defend itself WITHOUT those patches.

And the simple way to do that is to not have ANY open ports by default.

Security isn't just something you can pin on the software vendor and expect them to solve all your problems. It takes good system admins to keep the systems up-to-date with security patches and have them on a network that is designed for security.

Security is a process. You are arguing about the high end, theoretical levels ... meanwhile Microsoft systems are still at the very lowest end and every day more zombies are added.
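The audit that mpapet and khasim are arguing for above (know what is listening, and leave nothing listening that the box does not need) is easy to script. The block below is an added example, not code from any poster or from Microsoft: it parses the text output of `netstat -ano` on a Windows host and reports every listening socket whose protocol and port are not on an explicit per-role allowlist. The `netstat` sample is constructed for the example (it includes UDP 1434, the SQL Server resolution port that Slammer hit, on a machine that is supposed to be a plain file server), and the "file server" allowlist is an assumption, not a Microsoft baseline.

```python
"""Audit listening sockets against a per-role allowlist (added example).

Feed it the output of `netstat -ano` (Windows) and it returns the sockets
that accept unsolicited network input but are not on the allowlist, grouped
by the owning PID so the responsible service can be stopped or firewalled.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1620
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1088
  TCP    192.0.2.10:445         192.0.2.25:51022       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:1434           *:*                                    1620
  UDP    192.0.2.10:137         *:*                                    4
"""

# Assumed allowlist for a plain file server: SMB (445/tcp, 137/udp) and RDP.
# Anything else that listens is attack surface the role does not justify.
FILE_SERVER_ALLOWLIST = {("TCP", 445), ("TCP", 3389), ("UDP", 137)}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int


# Proto, local addr:port, foreign addr, optional state (UDP has none), PID.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return sockets that accept unsolicited input: TCP sockets in the
    LISTENING state and every bound UDP socket (UDP prints no state)."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank, or a line in an unexpected layout
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not exposure
        listeners.append(Listener(proto, addr, int(port), int(pid)))
    return listeners


def unexpected_listeners(netstat_text, allowlist):
    """Listeners whose (proto, port) pair is not on the role's allowlist."""
    return [l for l in parse_listeners(netstat_text)
            if (l.proto, l.port) not in allowlist]


def report_by_pid(netstat_text, allowlist):
    """Map each offending PID to its sorted 'PROTO/port' list, so the owner
    of PID 1620 (here, an SQL Server-style service) shows up as one item."""
    grouped = {}
    for l in unexpected_listeners(netstat_text, allowlist):
        grouped.setdefault(l.pid, set()).add(f"{l.proto}/{l.port}")
    return {pid: sorted(ports) for pid, ports in grouped.items()}


if __name__ == "__main__":
    for pid, ports in sorted(report_by_pid(SAMPLE_NETSTAT, FILE_SERVER_ALLOWLIST).items()):
        print(f"PID {pid}: not on file-server allowlist: {', '.join(ports)}")
```

On the constructed sample the script flags PID 744 (RPC endpoint mapper on 135/tcp) and PID 1620 (1433/tcp and 1434/udp), which is exactly khasim's point: the patch for 1434/udp existed, but a file server should never have had that socket reachable in the first place. The same parser works on the output of a real `netstat -ano` piped in from a file; only the allowlist needs to change per server role.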

Re:A good example - IIS (2, Insightful)

UncleTogie (1004853) | more than 6 years ago | (#20696661)

...and Microsoft doesn't play down threats? Hark to the ol' l0pht website:

Microsoft - "That vulnerability is completely theoretical."
l0pht - "Making the theoretical practical since 1992."
...and thanks for the laugh!

Re:A good example - IIS (5, Interesting)

asuffield (111848) | more than 6 years ago | (#20696873)

There are only two "Important" bulletins for IIS 6, while IIS 5 has almost 30 bulletins over the same initial time period. It is amazing how far IIS has come since that nightmare that was IIS 4.


You do realise that you are measuring the "quality" of IIS by counting the number of security flaws that Microsoft will admit to having fixed?

You're not counting the number of known flaws. You're not counting the number of flaws that Microsoft knows about. You're not even counting the number of flaws that they've actually fixed. You're interpreting this change in the numbers as indicating an improvement, when it might just as easily indicate that they fix fewer flaws than they used to.

And don't forget that Microsoft has a long history of not bothering to fix security flaws until significant numbers of exploits have been noticed in the wild. We can only guess at how many unfixed flaws there are in IIS today.

Re:A good example - IIS (1)

duplicate-nickname (87112) | more than 6 years ago | (#20697171)

No doubt you are correct about counting bulletins, but that doesn't invalidate my point that IIS has become much more secure over the years. Maybe you could point out to us how IIS 6 contains many more unpatched vulnerabilities compared to IIS 5 or IIS 4?

Also, take into consideration how IIS 6 finally installs with most features/filters/add-ins disabled by default, where as previous versions enabled rarely used features and dropped insecure .vbs scripts into your site by default.

Fewer logical fallacies, please. (0, Troll)

mattgreen (701203) | more than 6 years ago | (#20697219)

All I see is hand-waving "I bet there are tons of unpatched holes in IIS" sentiments in your post. I'd like to see proof that there exist unpatched IIS holes, not vacuous appeals to emotion.

You're perfectly aware if you'd said the same thing about Apache you'd be flamed to hell and back around here. I'm just keeping you intellectually honest.

Aim higher? (1)

GigaHurtsMyRobot (1143329) | more than 6 years ago | (#20696503)

They should really set their goals a little higher... You could as least aspire to fix everything, even though you probably won't.

Re:Aim higher? (0)

Anonymous Coward | more than 6 years ago | (#20697047)

They should really set their goals a little higher... You could at least aspire to fix everything, even though you probably won't.

I think what Microsoft has done is genius. They created a multi-billion-dollar security industry whose sole purpose is to plug holes in software, and all they had to do was nothing. The less they do.. the bigger the industry gets. Now they can slowly begin to squeeze the other companies out of this sector and make even more money.

UAC is nothing more to Microsoft than an excuse, a way to shift blame to the user. Now when a machine is compromised, they can blame it on the user clicking Allow.

Moved on... (0)

Anonymous Coward | more than 6 years ago | (#20696507)

moved on from being the 'laughing stock' of the IT industry to something more respectable
Yeah, now it's the giggling stock of the IT industry.

Serious computing indeed (1)

Dystopian Rebel (714995) | more than 6 years ago | (#20696521)

There's no question that Microsoft is responsible for some of the most powerful [slashdot.org] computing initiatives in the world today.

Redmond's other bots will want to set the record [wikipedia.org] straight.

Microsoft guy says MS's security is ok? (3, Insightful)

jcr (53032) | more than 6 years ago | (#20696607)

Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?

-jcr

Re:Microsoft guy says MS's security is ok? (1)

jimicus (737525) | more than 6 years ago | (#20696761)

So has every other commercial vendor. Oracle are a particularly good (bad?) example but SunOS was famously insecure, as was Irix.

Re:Microsoft guy says MS's security is ok? (2, Informative)

Toreo asesino (951231) | more than 6 years ago | (#20696771)

See for yourself:

SQL Server 2005 - http://secunia.com/product/6782/?task=advisories [secunia.com]

IIS6 - http://secunia.com/product/1438/?task=advisories [secunia.com]

Vista is looking good so far too, but it's very new, and only time will tell - http://secunia.com/product/13223/?task=advisories [secunia.com] .

Re:Microsoft guy says MS's security is ok? (1)

OffTheLip (636691) | more than 6 years ago | (#20696839)

I think the analogy being made here is they now suck less. That's not to say MS security is okay.

Re:Microsoft guy says MS's security is ok? (1)

Krazy_in_Normal (589743) | more than 6 years ago | (#20696881)

Ummm...this time around the lies are true? Wait...that didn't come out quite right.

Re:Microsoft guy says MS's security is ok? (1)

AusIV (950840) | more than 6 years ago | (#20696997)

Sorry, I don't see why this story is even here. Microsoft has been telling bald-faced lies about their security for at least a decade. What's different this time?
This time they started out by admitting that their security used to be lacking. Clearly they started out being honest, they're going to be honest throughout the entire statement.

Pardon? (2, Insightful)

kaiwai (765866) | more than 6 years ago | (#20696609)

No longer a laughing stock?

Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues that they no longer bring the same attention they used to; it's expected.

If Microsoft do want to correct their security issue, they need to start at the bottom and work their way up; they need to go through their product, they need to document, clean up, remove parts that are security risks, replace parts which are added because they're nice rather than needed. They need to stop the lie that 'computers are easy to use' when in reality, they're complex machines that actually might require a bit of book reading and learning (to the screams of the ignorant out there).

They also need to stop re-inventing the wheel and start working in groups; yes, groups are inefficient, but like any brainstorming, issues are raised which the original author might not have thought about - when you're an organisation all thinking along the same line, you can't adequately scrutinise the specification for every possible scenario - that is why standardisation is desirable. Issues of compatibility and security can be raised, and addressed. Microsoft on the other hand thinks that because it has the cash and is a big organisation, it can address all the concerns internally.

Re:Pardon? (1)

truesaer (135079) | more than 6 years ago | (#20696799)

Mate, people have stopped laughing, not because Microsoft has changed but because we've become so desensitised to the security issues that they no longer bring the same attention they used to; it's expected.

Despite all the bleating about how security is as bad as ever, it simply isn't true. A current version of XP is pretty secure, comes with a firewall, recommends anti-virus software to users, the browser has anti-phishing technology, etc. You would almost have to try to get infected on an up-to-date version of Windows. If it were as bad as it was before, why haven't there been any more iloveyou or other crippling vulnerabilities since SP2?

Re:Pardon? (2, Insightful)

businessnerd (1009815) | more than 6 years ago | (#20697231)

why haven't there been any more iloveyou or other crippling vulnerabilities since SP2?
Partly due to the maturation of the criminal population. Today's criminal population is computer literate and has discovered how much money is to be made in taking advantage of Windows' vulnerabilities. The iloveyou virus was both brilliant and retarded. It was brilliant in that it could replicate itself in so many ways and so quickly, which is what caused all of the destruction. Most of the damage was not from what the code does to your machine itself, it's what it does to a mail server when it becomes overloaded. To date it is still the most destructive (in terms of money lost by companies) virus ever written. But there was one little piece of code in there that people don't really hear much about. It had the ability to search for credit card numbers and dial-up internet account numbers/usernames/passwords and save them to a remote server. Unfortunately, the brilliance of its replication was why it was also retarded. The thing spread so fast that within hours everyone knew it was out there, and authorities had already located the remote server it was logging this information to and shut it down. If it hadn't been so destructive, the writer could have made a lot of money selling all of that information. However, not only did he not collect any sellable information, he got caught. If the guy had designed the virus to be very discreet and slowly replicate itself, users would be infiltrated and their information would be stolen without the user ever knowing it.

Today we don't see as many of those super destructive e-mail viruses because they are pointless. You can't make any money with them because they are like walking into a bank with a black mask and a gun during normal business hours. Everyone knows you're there and what you're up to. Good luck making it out of the building with a sack of cash, 'cause the cops already have the place surrounded. Now if you were to exploit a hole in that bank's security and sneak in and out undetected, now you're talking. Even better, use "zombie" employees to do your dirty work for you. And that's what we see today. Huge botnets full of zombie computers, whose users are completely unaware. All were infected by security holes in Windows XP (yep, SP1 and 2). These guys aren't hackers, they're crackers. They make a profit (illegally) by hacking. The reason they make a profit is because you don't know they were ever there.

Not a laughing stock? (1)

boudie2 (1134233) | more than 6 years ago | (#20696615)

I think they'll be a laughing stock until they find a way to make all those funny videos of Steve Ballmer go away. Jeez, that guy cracks me up!

Well, I don't know about you... (1)

RobertM1968 (951074) | more than 6 years ago | (#20696633)

...but I'm still laughing. :-)

*points* (2, Funny)

ThreeDeadTrolls (944446) | more than 6 years ago | (#20696669)

hahahahaahahahahah! *falls over* hahaha haa lmao lol hahahahahahahahahahahahahahahahahaahahahahahaahaha ha... *breath* haha... ha ahhhhhhhh Nope, still works.

unchecked buffers (0)

Anonymous Coward | more than 6 years ago | (#20696691)

Still finding 'em.
Need I say more?

Source (1)

BloodyIron (939359) | more than 6 years ago | (#20696705)

So, we are supposed to trust a group INSIDE Microsoft, who comment on Microsoft products?

Sorry, tits or GTFO.

Consider the Source (1)

LifesABeach (234436) | more than 6 years ago | (#20696713)

Microsoft security in its software has never been funny to its victims. From my perspective, Scott Charney's observations are like observing a battered wife rationalize the need to live using wires and tubes.

Never had a problem myself... (1)

Bullfish (858648) | more than 6 years ago | (#20696721)

I have to say I have used many OS's and really have never had a security problem with any of them. That includes Windows in most iterations. Most of the security stories I have heard have been from other people on the net. The odd time I have attended to a friend or relative's machine, it has almost always been because of something they themselves have done. I still maintain that the main source of computer (including security) problems is with the users themselves. Not saying the others are liars but if the expectation is that you can protect users from themselves, then that is an unrealistic expectation.

It's all marketing and FUD (1)

mlwmohawk (801821) | more than 6 years ago | (#20696723)

Windows is still a disaster, and I think I know why people don't care. It is the "big target" rationale nonsense.

Microsoft has been successful in seeding in people's minds that "all computers are insecure, and the only reason why Windows *LOOKS* so bad is that there are so many of them, and if [apple][linux][foo] were as popular, there would be just as many security holes."

It is a plausible argument when one is ignorant, as most are, of the basics of security. Unfortunately, the argument is getting traction and letting them off the hook.

We're just catching our breath (1)

genner (694963) | more than 6 years ago | (#20696733)

They're still funny. We just needed to catch our breath and rest our aching sides.

You can't declare your own respect (1)

Maxo-Texas (864189) | more than 6 years ago | (#20696739)

In line with microsoft's pronouncement,

I want to recognize how much respect and admiration everyone at Slashdot now has for all my posts.

---

Cool-- did that change anything? No. The fact is, that compared to the AS/400, microsoft operating systems are festering mounds of viruses that crash without warning at 10 times the rate. Compared to linux, microsoft O/S are boxers with glass jaws.

Instead of adding all of these new features in Vista (which sucked a ton of performance) they needed to shut down all the buffer overflow exposures (which have been avoided because they cause a 1-3% performance hit).

When we stop getting major Trojans, worms, email viruses, IM viruses, etc. then microsoft will get the respect they are proclaiming unilaterally they are getting.

Feh! (2, Funny)

r3b00tm0nk3y (806499) | more than 6 years ago | (#20696751)

All modern operating systems are still struggling to catch up to the Atari 800.
Even now it sits impenetrable with layer one security from both the Internet and power grid in my closet!

Is this a confession? (1)

unity100 (970058) | more than 6 years ago | (#20696755)

"we were the laughing stock of security" - so it was like that. So then, you were serving faulty, lacking products to customers?

Windows APIs are inherently insecure. (5, Informative)

argent (18001) | more than 6 years ago | (#20696769)

The biggest problem is, of course, the HTML control.

Until Microsoft abandons the entire "security zone" model and makes the HTML control default to a secure or "closed" state completely under the management of the calling application Windows security will never be anything but a joke. The recent hole in Yahoo Instant Messenger, for example, is primarily Microsoft's fault... because the "security zones" should not be able to "fail open". Blaming Yahoo for not 'sanitizing' the input is nuts.

No other HTML rendering library works this way. The two leading alternatives... Mozilla's Gecko and KDE's KHTML (and thus Apple's Webcore)... both implement a closed sandbox. If an application wants the page to have more capability, it must explicitly install hooks to grant it that capability. This way when an application renders a page using Gecko or KHTML there's no possibility of there being prepared holes to attack. In addition, when they DO install a controlled hole in the sandbox, they know that they're the only agency doing so... there's no concerns about some insecure ActiveX control in the system becoming an avenue of attack.

Until Microsoft completely changes the API for the HTML control they won't solve their image problem, and they shouldn't expect to... because until they do this, they have a problem and the image only reflects that.

ActiveX use in the HTML control, of course, is completely insane. Given all the layers of bandaids and patches and dialogs and settings and security levels wrapped around them, it's actually less effort to explicitly install a plugin than to open IE up to the point where you can use a "trusted" ActiveX control. They need to deprecate and eventually eliminate this.

There are other problems, too. Applications have to parse command lines completely, using their own code to break them up into arguments and perform wildcard expansion. Both OS X and Linux use the UNIX "exec" call, which doesn't require the application to add this additional evaluation step. Many of the "URI" related holes found in applications on Windows... including several recent ones involving IE, Firefox, and Second Life... are due to this flaw in Microsoft's APIs.

There's a second flaw in their URI handlers, and that is the inability to separate internal handlers that may expose more powerful capabilities than a sandboxed object should have access to with the ones that are designed for use by untrusted documents. The 'patch' to fix this is to try and sanitise the list of URI handlers that each application will use. This, like any other "sanitization-based" approach, is inherently flawed. They need to create a second registry that only supposedly secure applications will use... and then they won't need to worry about web pages containing links to ".CHM" files.

(Apple, by the way, has copied this flaw from Microsoft. But at least they don't share the rest of the burden)

The lack of a standard mechanism to bind network services to specific interfaces is a third problem. In UNIX most network services have traditionally been run from inetd, so if you replace inetd with something like xinetd or tcp wrappers you can prevent services from listening to anything but the local interface "localhost". This means that a firewall on UNIX is an extra defense, where on Windows it's the only way to keep insecure protocols from accepting connections from external sources.

For Microsoft to get the same reputation for security that UNIX-based systems have earned, it will have to correct these flaws. The easiest way, perhaps, would be for it to BECOME a UNIX-based system. It wouldn't take much; so much of the API is already inherited from Microsoft's one-time infatuation with UNIX, and they ship a subset of the UNIX API with Windows in the POSIX subsystem.

Or, though it would be less desirable from the point of view of people who have to write portable code, they could implement their own secure APIs and make the existing ones a deprecated and eventually optional add-in.

But so long as they keep the current API unchanged in all details, they cannot solve the problems they're faced with.

Bridges not falling down is unrealistic? (3, Insightful)

Vellmont (569020) | more than 6 years ago | (#20696831)

I love this comment. It's such an interesting insight into the mind of a Microsoft guy:

Look, that bridge in Minnesota just collapsed. How long have we been building bridges? We know how to build bridges, right? Sometimes people just have unrealistic expectations of what we can do.

I don't know anyone who thinks a major bridge in a major US city in the richest country in the world not collapsing is an "unrealistic expectation". I actually DO agree that having zero security holes in any software as large as Windows (or Linux) is an unrealistic goal. Comparing that to a major bridge disaster that never should have happened is kind of a strange comparison though.

Scott Charney, let me say this to your assertion (1)

1shooter (185361) | more than 6 years ago | (#20696835)

Ha ha.
Ha ha ha.
Ha ha ha ha ha ha.
Ha ha ha ha ha ha ha ha ha ha ha.
Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha.

Nope, you're still the laughing stock.

Who's laughing now? (0)

Anonymous Coward | more than 6 years ago | (#20696847)

Charney suggests that security in Microsoft products has moved on from being the 'laughing stock' of the IT industry to something more respectable.
HAHAHHAHAHA!!!!

Now *that* was funny!

just ask them (1)

wardk (3037) | more than 6 years ago | (#20696879)

they will tell you.

"stop laughing, please. We're secure, really, why are you laughing harder, stop that."

I guess they just need to say it 9 more times for it to stick

cause saying means more than doing.

Somewhere, I hear... You... Will.. Be... (1)

davidsyes (765062) | more than 6 years ago | (#20696919)

Ass-immo-lated...

On the offensive again. (0)

Anonymous Coward | more than 6 years ago | (#20696927)

I'll concede, in the last six years, some improvements were made. They did, it's true.

So they're trying. Therefore, they are not on the bottom rung anymore. Is this true? Can we think of anyone with a worse reputation?

They're fighting against "unrealistic expectations". I disagree: Had they applied forethought and design to their devices, they would have had less of a fight, and with them all of their users.

So, we jaded cynics all immediately noticed the crux here: this is a marketing offensive. "C'mon, we're not all bad".

This begs the question: Why now? What are they up to?

Heh (2, Funny)

gammygator (820041) | more than 6 years ago | (#20696943)

They aren't a laughing stock because it just isn't funny anymore.

microsoft logic (1)

pdunning (1159915) | more than 6 years ago | (#20696945)

M$ are saying they are no longer the laughing stock of security.
This must mean that M$ admits that they used to be (that's a big jump for them).

Furthermore, why should we believe them, as anyone who cares about security (well, almost everyone) has jumped ship and uses something else (linux/mac/BSD/solaris/whatever). No one is likely to be tempted back because we know Vista already has more holes than other OSes, and M$ is now the laughing stock of DRM.

A larger view of the whole problem (link) (0)

Anonymous Coward | more than 6 years ago | (#20696981)

A great writeup about the "boiling frog" problem we have. Don't miss the followup article either!

Security Absurdity: The Complete, Unquestionable,
And Total Failure of Information Security.

http://www.securityabsurdity.com/failure.php [securityabsurdity.com]

haHa HA HA ha! tee-hee! (0)

Anonymous Coward | more than 6 years ago | (#20696983)

Thank you for brightening my otherwise dreary Friday morning!

Microsoft not a laughingstock of security... (wipes tears of laughter from eyes)

And there aren't millions of zombies and botnets pumping out spam and phishing teasers to all us good little Windows users...

The good news (4, Funny)

Cro Magnon (467622) | more than 6 years ago | (#20696989)

is that MS is no longer a laughingstock. The bad news is, now we're crying instead.

Microsoft (1)

WhiteWolf666 (145211) | more than 6 years ago | (#20697015)

It is not for you to determine when you are, or are not, a laughing stock.

The subject of a joke does not get to determine whether or not it is funny. ;)

Ha! Microsoft's Internal Security (1)

c0d3r (156687) | more than 6 years ago | (#20697087)

I was once inside of Microsoft and called for tech support 2 times. Both times I was directed to a support person in India on the other side of the world from hp. They asked me to do an application sharing session with NetMeeting and both times ASKED ME TO CHECK AUTOMATICALLY ACCEPT REMOTE CONNECTIONS. I can't imagine how many people actually did this, but I refused. HAS MICROSOFT'S SECURITY BEEN REDUCED TO ONE CHECKBOX?

Assuming true, then good for /., bad for Linux/OSX (1)

WindBourne (631190) | more than 6 years ago | (#20697337)

The reason is that you get the Windows idiots here who claim that viruses etc. attack Windows BECAUSE there are so many, even with the virus writers saying that they attack Windows because of the ease of doing it. But if Windows becomes more secure than Linux and OSX, then they will retarget weaker systems. The good news for /. is that finally we can put to rest that piece of FUD.

It Takes A long Time To Forget (1)

curmudgeon99 (1040054) | more than 6 years ago | (#20697367)

Do you remember that guy in 6th grade who farted in all-school assembly? I sure do. That has been a long time. You don't forget it when somebody--a person or an organization--does something really stupid. We won't forget about Microsoft's security screw ups for decades.