There's an expression I heard many times in my navy career that seems appropriate right about now:
"Sympathy can be found in the dictionary between shit and syphilis."
dave rogers |
Homepage |
08.15.03 - 6:44 am | #
|
|
That's a good one.
Robert Scoble |
Homepage |
08.15.03 - 6:46 am | #
|
|
Your current problems with security are a problem of your own making.
Security issues, hacking etc have been around a long time. So why does Microsoft bury its head in the sand for so long and we all end up with this mess we have today?
The bottom line is that security issues simply weren't of interest to Microsoft until it starts to hurt your share price. It's a bit late to expect sympathy now, when you could have avoided these problems LONG ago if you'd started addressing them sooner!
When I worked at Digital (DEC) we were hacked by the CHAOS computer club of Holland. We learnt from that one then, and that was long before Windows came to dominance.
What was that saying? Those who don't learn from history are bound to make the same mistakes?
Pete Goodwin |
Homepage |
08.15.03 - 7:31 am | #
|
|
Not to excuse away security flaws in any OS, but the context in which they're judged continues to border upon absurdity.
If you could magically give some or all flavors of linux Windows' market share for a couple months (and mind you this would require nothing short of actual unfettered magic--we're talking Siegfried and Roy pulling all-nighters here), you'd get used to regular Linux exploits on the front page.
Part of it stems from focus. Microsoft has copped to that and appears to be addressing it in a bona fide fashion. When my grandmother's using a VAX in her den to map our family tree, then you can claim to have a similar aggregate attack surface.
You can whinge about openness until the cows come home, you can talk about superior platforms until the lights are back on in Motown. But the simple fact is market position has as much to do with where the exploits show up as anything else.
Grant Carpenter |
Homepage |
08.15.03 - 8:54 am | #
|
|
Thanks for at least not blaming the users for failing to download the latest patches...
Brian |
08.15.03 - 9:01 am | #
|
|
There are exploits for linux, but not like there are for microsoft. They are not "email worms" they are "outlook worms". Mutt / pine / evolution / mozilla mailer simply won't do things like executing random code that is sent to them, much less executing it as root. Part of the problem with Microsoft code is that in the aims of making everything so incredibly easy for the user they make it incredibly easy for bad code to sneak in.
I have a great quote on my wall at work on how to help stop stuff like this.... will post when I get in.
Arcterex |
Homepage |
08.15.03 - 10:54 am | #
|
|
"It's time for us to stop admiring virus writers and start dishing out heaping spoonfuls of shame to stupid users."
Amen.
Arcterex |
Homepage |
08.15.03 - 11:35 am | #
|
|
The other point that many miss is one of best practices. It's all well and good to say that programs on *nix don't allow execution as root, but that's largely true because running as root (admin) is not as prevalent in the *nix world.
In the PC/Windows world, *most* people run as admin on their local machine, and this is a *major* problem, and one of the problems Microsoft needs to continue working to address. Yes, as with *nix, it's possible to use Run As to temporarily elevate privileges to install software, change settings, etc. But running as a non-admin can be very challenging nonetheless. For example, it's quite difficult to get Windows Explorer running using an admin account (can't use Run As with Explorer.exe), so I work around that using IExplore.exe in folder view instead. Also, try installing ActiveSync using a separate admin account. It just doesn't work. These are things that Microsoft can and should address, as well as educating users that running as admin on a daily basis is a BAD idea.
Yes, I realize that this particular exploit did not require any elevated privileges (I was responding to the previous comment about the supposed superiority of *nix software on this score), but there are a whole host of exploits that would just never get off the ground if people weren't running with elevated privileges.
So is there more Microsoft can do? Sure. But it's not necessarily just a question of eliminating security holes. It's also a matter of creating a user culture that understands and values security. *nix is fortunate enough to have that. But as others have pointed out, if *nix was in use in the mainstream, similar problems would likely exist on *nix as well.
G. Andrew Duthie |
Homepage |
08.15.03 - 11:54 am | #
|
|
G. Andrew Duthie says:
"For example, it's quite difficult to get Windows Explorer running using an admin account (can't use Run As with Explorer.exe), so I work around that using IExplore.exe in folder view instead."
I believe this is by design actually. Iexplore.exe is the wrapper to allow such access. You can easily make a link on your desktop such as:
"C:\Program Files\Internet Explorer\iexplore.exe" c:
And set the "Run with Different Credentials" box. The problem is Microsoft doesn't take into account the fact that using elevated privileges of single apps screws up inter-message processing. What do I mean? Using the above as an example, if you try to right-click and add a new file you don't actually see it until you refresh (F5). You cannot intercommunicate between processes of the same credential (ie: Try running Spy++ as admin and catch messages to ANOTHER admin ran app. No go). These significantly reduce the strength running with least privilege allows when simple things can not be accomplished easily.
I have my own beefs about the weaknesses in runas, but the dynamics in Microsoft's efforts are much better than they were before. Don't kid yourself, Microsoft has on their payroll some really security-minded individuals like Michael Howard over in the Secure Windows Initiative. The problem is that this is more a CULTURE issue at the Microsoft campus. Developers just want to do their job, security is an after effect. It will take years to weed out this thinking, and guys like Michael fight with this on a day to day basis.
They are getting better (look at the attack surface of Windows Server 2003 compared to Windows 2000, or even Windows XP and you can see this), but this will not happen overnight. The reality though is that strong security will always be trumped by weak implementation.
Personally, I have no sympathy for Robert getting nailed by the worm. (No offense Scob.) If he would follow the doctrine of layered defense on his machine (Run with least privilege, use a personal firewall restricted to only allow him access to what he NEEDS to do and keep up with the patches to the OS are good starts) he simply would have repelled the attack.
Security is not a technology problem alone, it's a human one. The weakest link is the human factor when it comes to security, and the latest worm is a proof of that. The security mindset should be to deploy policies and procedures to deal with these unknown threats. This isn't the first worm that has been out. Yet we get hit time and time again when the SAME procedures on dealing with malicious code could have prevented this. This is what I mean by weak implementations. Those who ignore history are deemed to repeat it and all that.
Security is also a process, not a product. Microsoft can not take the blame alone. Here is my v
SilverStr |
Homepage |
08.15.03 - 12:58 pm | #
|
|
(Continued from before... damn comment limit)
Microsoft can not take the blame alone. Here is my view on this. My network is secured, clean and we repelled all attacks. Yet because of weak implementations on other networks, those of us who have fortified our defenses still have to deal with this issue. Security has come to a point where it is a community effort and process, and we need to properly talk to each other.
Where can we start? Well, a better notification system for patch management would be a great way to start. Something to clean up the confusion and not be so generic. You see some of the notifications Microsoft sends out? They basically send a raw message with a link to their website... which most people don't read. I think there needs to be a better way.
Why not use something like RSS, and FEED customers with the information, with severity and complete information so they can make a more informed decision. I know there are lots of people like myself that already get these notices via email, but they seem to be confusing, lost in the plethora of other emails, or are downright ignored. RSS aggregators could better keep people informed, and could be done in a common format so other vendors could do the same.
It's just an idea, and it's definitely not flushed out. But this could go a long way to make sure more people are notified of what's REALLY going on. Personally I think notifications such as the RPC Overflow (MS03-026) are just too damn confusing for people who don't deal with security on a day to day basis. Although I fully understood it and immediately took action, the reality was that I had other policies and procedures in place that already took care to mitigate this risk. I already restricted RPC coms and the worm couldn't walk through the firewalls. If it did the firewalls on the servers and workstations would have repelled it. But that's not the point. The point is Joe-MCSE WON'T get it.. and it needs to get dumbed down in some way that makes sense. With real-world instructions on how to fix the immediate issues.. AND THEN go further and explain policies and procedures to approach the entire security methodology with a different mindset.
Do that and you truly take steps to educate the masses, while fixing the risks exposed in said software.
SilverStr |
Homepage |
08.15.03 - 1:00 pm | #
|
|
One thing Microsoft could do is have a way to "inoculate" machines against worms (not viruses though). It's not rocket science. A worm attacks port X with packet with signature Y, you send out a counter-worm that blocks it. There is NO REASON why this could not be done, why the counter-worm can't spread as fast or faster than the worm. Of course the OS would have to be modified to process counter-worms, but that's a one-time change.
Someone else: [purported reason why this wouldn't work]
Adam: No, that isn't a valid reason. [Explanation]
- adam
Adam Barr |
Homepage |
08.15.03 - 1:19 pm | #
|
|
Also, you wrote
"Anyone who says they are 100% sure that their system has no security flaws is lying. Flat out lying."
I believe Jim Allchin actually did make this (foolish) claim after the security scrub of the Windows codebase.
Also you said that maybe half of MS employees write code...it's more like 10%.
- adam
Adam Barr |
Homepage |
08.15.03 - 1:24 pm | #
|
|
A comment I saw recently in a mailing list suggested a solution to this problem.
Make companies that provide proven faulty products responsible for security (and other faults) and liable financially for those faults. Prevent them from selling products unwarranted and "as is". If Microsoft, Cisco and other companies that distribute faulty products had the same liability as producers of most consumer products and could be sued for financial losses I think they would pay more attention.
Solving the problem *is* hard but it seems like a bigger stick is needed.
Brian Sullivan |
Homepage |
08.15.03 - 2:21 pm | #
|
|
You wrote:
That means that one guy made a mistake in his code.
No. That means several people made the mistake. It means that the guy who wrote the code made a mistake. The guy(s) who reviewed the code made mistakes. The team that did security testing made mistakes by missing this one. At least, I'm assuming those roles exist. If they don't, I'm not sure how you can claim that "Security is job #1". While your complaints about all the schadenfreude are justified, and your point that securing an application as large and complex as Windows is an unbelievably large task is valid, it's hard to feel too much sympathy for a company sitting on as much cash as Microsoft. An issue such as this worm seems to indicate that far more of it should be spent on security.
David Altenburg |
08.15.03 - 2:55 pm | #
|
|
David, I know that Microsoft isn't very sympathetic, but at the end of the day, we're just regular people up here. We make mistakes. We're working hard on making sure we make as few as possible.
Robert Scoble |
Homepage |
08.15.03 - 3:30 pm | #
|
|
"Security is job #1 here (our stock price goes down every time there's a security flaw found -- you think we're not motivated to fix these things?)."
I hope that Microsoft and its employees are motivated by more than just MSFT's price to fix security flaws. What about your responsibility to your customers' businesses? What about pride in writing reliable software? What about the potential physical harm that could be done if a 911 call center is affected by a security flaw in your software?
I'm sure that at least some of Microsoft's employees are concerned about these things. But I find it interesting that you only mentioned your stock price as a motivator. It is an increasingly common meme in your blog (see your recent posting about how "most of us want to be Bill Gates," for example).
It's comments like this one that give the reader the impression that it's all about the buck, and everything else (e.g., customer satisfaction, pride in doing a good job, the welfare of others) is simply a means to an end (i.e., a higher stock price).
Drew Hess |
08.15.03 - 4:53 pm | #
|
|
Drew, there are a lot of motivations. I'm sure you'll find 55,000 different ones. But, stock price is a major one. It's not the only one in my book.
Of course we want to do a good job, and have happy customers, and all that. But, those are "softer" rewards and not easy to talk about on the blog.
Robert Scoble |
Homepage |
08.15.03 - 5:16 pm | #
|
|
I think the 'less things running by default' mantra in W2K3 will help this situation a lot. Hopefully, Longhorn will take that practice
Why does every home user [OS] need to have windows smb/rpc services exposed/enabled to anything outside of 127.0.0.1 by default? Same goes for the spam via messenger service issues.
That's most of the problem with these worms. Most people don't need file sharing out of the box, and most people could probably stand to have firewalling on by default on the network interfaces.
While I think we all can agree that all OSes have security issues, I think Windows has a worse time with it all because of the ease-of-use-let's-turn-every-service-on by default practices.
Chris |
Homepage |
08.15.03 - 6:07 pm | #
|
|
Please tell me that 911 systems don't actually run Windows. Please, that scares the crap out of me. I don't think I'd trust them to run windows or linux, but some nice proprietary RTOS that is completely and totally disconnected from the outside world, and with independent power, pbx, etc.
Arcterex |
Homepage |
08.15.03 - 6:16 pm | #
|
|
Robert, I can't imagine why "softer" rewards aren't easy to talk about on your weblog.
If they are, I would hazard a guess it's because, in fact, they simply aren't that rewarding, and the main reward is a monetary one.
Further, I would submit that Microsoft's track record as a no-holds-barred, often underhanded, sometimes illegal business competitor, together with the reports of the $40B cash hoard, and Bill Gates being the RICHEST MAN IN THE WORLD boldly underscore the perception by many, myself certainly, that money is the ONLY motivating value of your company.
I believe the "vision" in the MS mythos is something like "MS software on every desktop," though that seems to have expanded to PDA, mobile phone, game box, server, and probably any other device that requires software to operate. Conspicuously absent in that vision is any reason why anyone should _want_ MS software operating everywhere. Is it because they build the "best" software?
Apple's reputation is for innovation, style and ease of use. People do buy Macs because they like Apple's brand, which has to do with those intangible, though very real qualities that make Apple a great "brand." Doesn't matter if it's wholly true, it's true enough that the image sticks, and it's at least my impression that that image is what motivates many people who work for Apple, who could probably be making more money working for MS or Dell or someone else.
BMW builds great cars, the BMW "brand" is about bulletproof engineering and mechanical performance. One gets the impression there's a certain amount of pride built into every Beemer. Honda and Toyota and their prestige brands are mostly perceived as "quality" cars, with excellent fit and finish and no defects. The Volvo brand is noted for its safety and reliability, and the fact that it's probably built by little gnomes who magically appear in your driveway overnight to fix whatever's wrong with your Volvo. I had a used 240 with over 140k miles and I loved that car. I swear it would fix itself parked in the driveway, and it was built like a tank.
What's MS's rep? What do people think about when they think about MS software? Mostly, if they're like me, they think about not being able to type a bullet list the way you want to in Word. Or cursing it as it takes 45 minutes to install a new NIC and get the OS to recognize it.
It's not so much that MS products suck, damn near everyone uses them so they must be doing something right, but what's exciting about them? What's cool about MS?
According to you, what's cool is how many really, really smart, (albeit recently acknowledged as very fallible) people work there. Well, what are they doing? What great thing is MS responsible for? They've certainly achieved their vision of ubiquity, but what's "cool" about MS? What's "cool" about the work you and the 55,000 other softies are doing there? What's your vision? What's your culture? What are yo
dave rogers |
Homepage |
08.15.03 - 6:18 pm | #
|
|
What are your core values? If you can't write about them, it's because you haven't thought about them. And if you haven't thought about them, chances are they really are little more than money. The evidence certainly suggests it's all about the money, and no amount of breathless Steve Ballmer's sweaty armpits prancing around on a stage is going to change that. (In 26 years in uniform, 22 as a commissioned officer, I've never seen an exhibition like that from anyone in a leadership position. It wasn't even cheerleading, it was just bizarre. It's what people do when they don't know what else to say because there's no "there" there.)
Don't tell me it's "Longhorn." You've got to do better than that. What vision is Longhorn supposed to realize? The problem seems to be there is no corporate value beyond getting and retaining marketshare at almost any cost.
Tell me I'm wrong. Tell me what MS's real vision and core values are and how it's reflected in your products. Tell me what you get out of bed in the morning for besides stock price. What does MS believe in besides returning shareholder value? Maybe in a capitalistic system, that's enough, but what a dull, dull world that would be.
dave rogers |
Homepage |
08.15.03 - 6:21 pm | #
|
|
Not every MS employee thinks about the stock price. I, for one, don't really think about it except every 6 months when my employee stock purchase plan comes back. As a programmer my main motivation is to write software that's used by millions of people. That's what it all comes down to for me and why I want to continue working at Microsoft. Getting a lot of these people to think: "wow! cool software" is definitely the second best motivation.
JulienE |
08.15.03 - 7:29 pm | #
|
|
I definitely give MS credit for working hard to improve their products in the area of security. I'd say they've gone from a D+ (barely more than mouthing the right things) to about a C+ (true improvement and true intentions). Now they need to continue. Not let up.
In that regard, how about something like an IE7? Yeah yeah, I know it's blind hope. But since they've implied the next IE release is really Longhorn, and that Longhorn will require my 82 year old mom to purchase new hardware.... Get my point Robert? 
In a more serious vein, I've come across two things that make much sense to me.
(1) XP has a free firewall feature. No no, I'm not asking for it to be turned on as default. That genie is already out of the bottle. But how about a FREE release of a similar product for Win2k? MS obviously has the feature written already.
(2) betanews.com just wrote that XP SP2 is not being released until Q3 2004. Wow. Is MS putting so many resources on these product bits they are releasing at this PDC that they can't even give us that? Let me understand this: No IE7, no OE7 and now no XP SP2. That's a serious void here. Now you're forcing my 82 year old mother to use fast-becoming-obsolete products with well-known security holes and her best bet is to run Windows Update over her 56k phone line connection. Does this really sound like actions speaking louder than words to you Robert?
DD |
08.15.03 - 11:18 pm | #
|
|
I agree on your point as a whole, but you should watch more carefully what you say:
Lots of people write me and gloat "heh, I won't get hit with a virus cause I use a Mac" or "open source has fewer viruses." If you look at Cert's critical incidents, you'll see that neither statement is true (although, because those two OS's have far less market share than we do, it makes it look like they are completely secure in comparison -- the article above shows that to be false on its face).
There isn't a single virus in the wild that attacks Mac OS X. Actually, such a virus could not reproduce because of your argument on market share. So people using Mac OS X are more protected from viruses (at least for the time being). It isn't an intrinsic virtue of Mac OS X, but it is a statistical consequence of your argument. The same goes for Open Source, except if you are running a web server on Intel that's a big chunk of the market for servers and you could be hit.
Most of the attacks on my Mac OS X server are directed to Windows, so, yes, I feel safe.
Alfredo Octavio |
Homepage |
08.16.03 - 10:18 am | #
|
|
I like how a few guys can create an Operating System that is secure, with minimal resources, yet the richest company in the world cannot. Microsoft should be honest, security is not as important as revenue and controlling the market (or as microsoft so succinctly puts it - cutting off the competitors' air.)
This Security is important is true, I've seen them respond better, but they are not fixing problems unless it is politically important for keeping the market and generating resources.
As long as people keep buying Microsoft software, especially corporate IT, Microsoft will keep developing insecure systems. Once they start losing market share and profits, it will catch their attention.
I have moved all of my systems I can off of windows. I cannot play the patch of the day game, I have work to do. I recommend non microsoft solutions to most folks out there, I don't know of any other OS vendor that makes it so terribly difficult to understand how to maintain a secure system.
John Beimler |
Homepage |
08.16.03 - 3:39 pm | #
|
|
OpenBSD's kernel has historically suffered from some vulnerabilities. Search for OpenBSD at www.cert.org.
Services such as Apache, BIND and Sendmail running on top of OpenBSD are typically as vulnerable on that OS as on any other system.
Linux distributions are now tending to come with a great deal more services installed and enabled by default.
Mike Dimmick |
Homepage |
08.18.03 - 5:50 am | #
|
|
When I searched for Mac at cert, most results come back with:
Mac OS X and Mac OS X Server do not have this vulnerability.
Anonymous |
08.18.03 - 12:27 pm | #