Security consciousness, and its opposite: Calling out Microsoft

Can we lay to rest the notion that Microsoft Windows' poor track record for security is nothing more than the inevitable result of popularity? Chad Perrin makes clear what he thinks of the Windows OS.


Let's set aside any formality and objectivity for a moment. Let's make this personal.

It's easy to say that the debate over the reason for MS Windows' poor security track record rages on, but the truth is that there is no debate. There are two camps, and they do disagree with each other, but it's not really a debate. Debate implies that both sides engage in some kind of discussion. When one side tries to discuss matters of security principles, including the rationale for those principles, while the other repeats oft-heard refrains that have no basis in logic and refuses to examine the matter in any further depth, "discussion" is not the result.

The security-conscious

The first camp (because I tend to like them more) is made up of people who understand technical principles of security, and think deeply enough to realize that correlation does not imply causation. They know that a number of key factors contribute to better security. Attention to some of these factors looks something like this:

  1. Employ diligent, responsible, and transparent development.
  2. Employ layered defense strategies.
  3. Empower and protect responsible users.
  4. Monitor key resources.
  5. Reap the benefits of public review.
  6. Respond quickly, effectively, and transparently to vulnerability discovery.
  7. Respond responsibly to new security challenges with innovation and honesty.
  8. Test solutions for correctness.
  9. Treat diseases rather than mere symptoms.
  10. Use least privilege authorization schemes by default.

Many people in this first camp regard Microsoft Windows as a wart on the face of software security. Those who do not have that harsh a view of MS Windows tend to simply regard the poor security of the operating system as something to be worked around to gain the benefits of using the same OS as much of the rest of the world -- dubious though those benefits might be, at times.

The security-unconscious

The second camp includes the people who adopt axiomatic notions about security that support their biases. The extent to which these notions turn out to be meaningful and effective as principles of security is essentially a matter of luck. Sometimes some point or two from the above list might sneak into their own ad-hoc lists of principles, but other ideas about what works for security usually pollute the field as well:

  1. Better products are what we need to provide better security.
  2. Doing it right means you don't have to test it.
  3. I don't have anything on my computer worth a security cracker's time.
  4. Keeping the design of the system secret keeps it secure.
  5. More popular software is always less secure.
  6. More security features and security applications always means more security.
  7. Only bad people with something to hide care about privacy.
  8. Only professionals need to think about security.
  9. Security is incompatible with usability.
  10. Vulnerability counts are reliable measures of security.

Many people in this second camp regard Microsoft Windows as equivalent, or even superior, to any and all competitors and alternatives. They will often defend it to the bitter end, though their defenses typically devolve quickly into logical fallacies and simple attempts to shut up those who disagree with them. There is probably a connection between accepting fallacious principles of security, whether implicitly or explicitly, and engaging in fallacious argument in defense of a largely indefensible OS.

The MS Windows security picture

The implications of these ideas about what constitutes good security design -- both the good ideas, and the bad -- should mostly be fairly obvious. In many cases, links to articles that help further explain or illustrate each point are provided.

Many of the good points are quite contrary to the design principles of Microsoft Windows, if we can even call them "design principles" with a straight face. Many of the bad notions pertain to Microsoft policy, the implicit reliance of MS Windows security on third-party software, and the reasons people choose MS Windows over more secure alternatives.

I find it likely that this will spark some debate. Most of my readers are likely to be unsurprised to discover that I am unimpressed with the security characteristics and record of Microsoft Windows, the flagship operating system for a company that ignored an important security vulnerability for eight years. Still, even I have been called a Microsoft shill once or twice in TechRepublic discussions, just because I dared to suggest some other software providers might also have less than perfect records and motives.

Lest my thoughts on the matter of MS Windows security -- developed over years of experience and analysis, both personal and professional -- should be less than clear to some readers, I thought it time to lay it out in plain English:

I believe that using MS Windows for almost any purpose is a mistake. It is an incredibly badly designed OS buttressed with layer upon layer of poorly designed features that are, in many cases, intended to place band-aids on gushing neck wounds, with any security functionality only bolted on after the fact as a largely ineffective afterthought. To imply a positive relationship between MS Windows and security is to lie, perhaps primarily to yourself.

Call it bias if you must, but it is bias born of deep familiarity on both a personal level and a professional level with both MS Windows and a fair number of alternatives.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

74 comments
jfreedle2

Logic would dictate that using any computer based on Linux or any other Open Source software where 10,000 idiots look at and modify code on an hourly basis with no clue about software design is most definitely a bad idea, not to mention that there is only junk software available for those systems.

aman2304

I think such grossly biased posts will not serve the purpose. The thinly veiled sarcasm, evident in the whole article, on the other group, is seriously not funny. Thumbs down to this post.

mmetcalfe

The Security Community and this article are generally over the top. The mention of an 8 year vulnerability in Microsoft's SMB is an example. Is it bad to have a vulnerability? Yes. Is it abysmal to have it for 8 years? Certainly. Was it relevant to the IT community? No. For 8 years it sat and nothing happened. The big impact was that we all had to read about it when it WAS finally addressed. Nitpicking every bug, flaw, and issue with an OS (or any program) may make for good reading. It might even spark discussion. But to those who don't make a living exposing (or writing about) those issues they really don't have much of an impact. The patches come out, they get applied, life moves on. I read recently (on this site I believe) where 1% of internet routers were shut down due to a Cisco bug. Now THAT had an impact. Even then, it really didn't apply to a majority of people (even those with Cisco routers). All this Microsoft Windows bashing is *yawn* so 1990. You have plenty of OS choices. Pick one you like and move on. If you remain in the minority then stand proudly on your throne. Most of us don't care to hear about it.

Jaqui

Oddly, there is no choosing involved, they get a system with Windows on it rammed down their throats.

Tony Hopkinson

Haven't seen one softie rip you up on Security vs popularity yet. Still you've been a bit more 'in yer face' with this one, so one can hope for some name calling, flames and tired old FUD to leap into play.

Tony Hopkinson

Nope, ill-informed opinion at best, most likely that you are merely a troll though, eh?

Neon Samurai

It's clear that you don't know much about software development or how many paid professional developers are really involved. Let's look at Debian for an example since the distribution is the consumer product not the parts assembled into it.

On the "10,000 idiots" side, which I'll refer to as the "developer" side; you don't just get to stuff code into any old package. One must prove themselves in a meritocracy. You start by reporting bugs and including small bits of bug fix code. You have to demonstrate competence and credibility. Slowly, you submit larger bits of code as you find previous submissions accepted. After a significant time of proving yourself, you may be offered direct access to the source code tree and eventually direct access to uploading packages to the repository. Many of the developers are professionals with day jobs or sponsored to work on Debian code. This is a well run FOSS non-profit distro/project with a proven track record. (but don't let history and facts get in the way of your opinion)

We could also look at retail distributions like Red Hat where professional developers' day job is working on FOSS code. Red Hat is a huge contributor to the Linux source (the kernel) because they happen to sell a distribution based on that kernel. Similarly, they and other retail outfits will have developers working on any other commodity component of the distribution that benefits them. Novell put professional developers on Samba because it benefited Novell to have compatibility with SMB/CIFS.

"10,000 idiots".. no, that's not the sound of ten thousand idiots' footsteps, that's your credibility running like rats from a sinking ship.

But, let's continue with the product since we've had a short look at the producer. Sticking with the Debian example: Debian has three development branches; Stable, Testing, Unstable. These are the names rather than just the status descriptors.

Stable is production ready. It gets updates for bugs in existing apps; security or otherwise. It does not get new major versions of programs or simply add patches to increase functionality. Its package list is frozen and it is being maintained for stability and security. If you're not using BSD for your server and you don't buy Red Hat, you're probably using Debian Stable. (currently Debian version 5)

Testing is beta and release candidate versions in one. It starts as the beta area collecting packages into a fully formed distribution. Closer to completion, it becomes what I would call RC; the package list is frozen and considered complete. At this time, the frozen package list continues to mature through vetting, nightly rebuilds and developer efforts. The work goes toward it becoming the new production ready Debian version. Bugs are expected. (Currently Debian version 6)

Unstable is a melting pot of the newest packages. Bugs are the normal state of affairs as this is the earliest entry point for new packages.

"but, how does a package get into Testing or Stable" I hear you asking enthusiastically. Let's look at that now that we have an overview of the three stages/branches of Debian. A package starts in Unstable. It must survive ten days of vetting and nightly builds with no significant bugs found. It must have builds for all supported processor architectures and other packages it relies on (dependencies; ".dll" if you like) must be ready to move up from Unstable along with it unless they already exist in Testing. Testing must not be frozen or there must be a post-freeze exception for that package (ex. Bastille, Evolution-imapi as of this post). A package and/or directly related packages can move from Unstable to Testing as a single or small cluster. Unstable is the shelves full of parts that supply the folks building the next major version of the distribution.

So, now we have our package approved by the initial vetting of Unstable and it's moved into Testing. The package will now remain in Testing; it's done moving as an individual object. It continues to be improved by its developers alongside other packages maturing under their own respective developer teams. Eventually, the package list will be filled out and Testing becomes "frozen"; no new packages are added except the specific post-freeze exceptions that are due to be in Testing but not yet able to move from Unstable. Testing remains frozen as the release candidate until meeting a benchmark. Rather than a marketing calendar date, it must live up to an engineering quality metric. It could be a week or six months between Testing freeze and reaching that QA metric. Only when the core engineers behind Debian find it meets the criteria do we get a new version of Debian Stable. Packages move as a whole distribution to the Stable branch; there is no "say, FF4 was just released.. add it to Stable".. nonono.. FF4 goes to Unstable and starts its journey through the process while FF3 that is in Debian Stable receives stability and security bug updates. (your FF3.5.? may not be supported by Mozilla any longer but my FF3.5.? remains supported by Debian)

Last, that pesky "maintenance" thing.. it's interesting that those "10,000 idiots" have consistently had shorter patch turn around times than, what I gather is your treasured "10,000 proprietary developer generous" (if development model can somehow be an indication of coder skill level). Watch patch times between report and patch in the original project then time to updated package in relevant distributions. All software platforms have had serious bugs pop up; I know which platforms I've seen patches appear for before others.

Let's consider some specific examples; OpenSSH, you claim it's simply the product of "10,000 idiots" who know nothing about programming or cryptography.. naturally.. Tor.. what development model is that produced under again? How many people rely on that in life threatening situations? Apache.. just another product of "10,000 idiots" and surely not better or more popular than any proprietary competitor right?

Now, please enlighten us about your "10,000 idiots" claim and how it fits into this given example. Show how development method directly relates to developer skill level. After, since no person in their right mind would want to trust the product of "10,000 idiots", please go home and destroy anything based on or designed using FOSS; music, movies, mobile phones, TVs, your car's computer, your routers and cable/isdn modems...

HAL 9000

Doesn't matter that it's so wildly incorrect or blatantly wrong you believe it and as you have read it on the Internet doesn't matter that you wrote what you read either here it must be correct.

Just a few questions here "software where 10,000 idiots look at and modify code on an hourly basis with no clue about software design is most definitely a bad idea," Who do you think these people are and how do you think they edit code? Probably more importantly how do you think any Open Source Code is Changed?

"not to mention that there is only junk software available for those systems." Never looked at anything designed as a Closed Source Product to run on a Windows System have you? The people who are charged with developing Windows Platforms only work on their own little areas and are not interested if their bit of code works with the other bits of code that are assembled to make any form of Windows Software. In the case of Windows Vista the most recent Stellar Performer from M$ the fact that they were still finding 5,000 serious errors per day on the day when Vista was RTM'd couldn't possibly be correct so the M$ People who were boasting about this to people like me at a Partners Meeting must have been lying mustn't they? :D

Why is it necessary for M$ to develop a new product spend years developing it and then scrap the entire thing? Vista was a more or less complete recode of XP and judging by the way it was received by the masses it didn't work anywhere near as well as was expected of it. Probably much more importantly because it is developed as a Modular System where the bits are bolted together and expected to work even though the different departments have no direct contact with the others or have any idea of what it is that they are doing doesn't matter at all does it? Yes it is the same way that Nix is developed but at least with the Overall Nix System there is someone who understands how the entire system works unlike M$ who have no one in this position they all go about improving their individual subsystems at the expense of the entire system which no one understands. This results in poor function even worse design and probably more importantly no one understanding how anything works. Ideal Windows Developers and Users. :^0

But just ignore this and go back to using your SCO Unix which sort of works as well as a modern Linux and much better than anything designed to work on Windows. As for all the crap you claim about Nix Software just remember that places like Industrial Light & Magic adapted software for their needs and as yet there is no possibility of doing the same thing for another platform that is anywhere near as cost effective or for that matter possible. Those great CG Water scenes would not exist in movies if the Wizards behind the Scenes only had Windows Platforms to work with. :0 Not to mention places like the Big Financial Institutions, Governments, and so on who do not have any form of Windows in the Back End where Real Security is maintained and important. Windows and Products to run on Windows is OK for the Desktop and lower end servers but the moment you need to crunch any serious numbers it runs into problems.

Expecting something never designed to have any security at all to be secure brings into question the thought processes of those who believe that Windows is Secure. The reality is that even Vista Mark 2 which was re badged as 7 leaks like a Sieve and that is as M$ describe it The Most Secure Windows Ever. Doesn't say much for just how good it is and much more importantly there is no sane person who wants it controlling a system keeping them alive as it's way too prone to falling over. There is a reason why heavy Duty Medical Equipment, Commercial Aircraft Fly By Wire Control Systems and so on doesn't Run Windows in any form and why all High End Routers do not have Windows as their Base OS and it's nothing to do with initial cost.

Col

HAL 9000

He knows not what he is rabbiting on about.

seanferd

What are you? Some sort of tone-troll? The facts are not biased. Are you?

apotheon

Thank you for your input.

santeewelding

May I be so bold to call you colleague, I hear what you are saying.

apotheon

"I read recently (on this site I believe) where 1% of internet routers were shut down due to a Cisco bug. Now THAT had an impact. Even then, it really didn't apply to a majority of people (even those with Cisco routers)."

I guess that when SQL Slammer shut down huge sections of the Internet you must have just yawned. "No impact for most of us," I imagine you saying.

slam5

It is all about $$. People go into Staples and Best Buy and so forth and grab the least expensive PC they can get their hands on. They figure they will upgrade their system with the next iteration of Windows, so why get something that's better and a little more expensive. They don't understand that the machines at big box stores have to cut the quality of their PCs because they have to pay the big box store. Well, I always tell my customer to stay away from the big box stores. If they need a desktop, go for the local computer store (which have to give you better service or they don't survive). Yes, it will cost them a few $$ more but it's worth it. For laptops, get one not from somebody like Lenovo or Dell (I think they improved their quality a lot nowadays) who don't need to cut corners to pay the big box stores. Well, enough of my diatribe!

apotheon

Let me know if rickk shows up again. I wish I could recall the usernames of the couple people who called me Microsoft shills for addressing Google-related news.

j-mart

If they were a serious IT pro there is no hope for this profession.

Tony Hopkinson

involved in the design decisions in closed source software, and that's not even counting developers. :(

lastchip

What input? There is nothing in that post that argues the case either for or against your proposition. It's typical of users who when confronted with a well thought out and reasoned post, cannot find any reasonable argument against. Although I admit at this point in time, I haven't read all the posts on this thread, I haven't yet found one post that offers a coherent argument as to why Windows security is the equal of the Unix like operating systems. Could that just be, because it isn't?

apotheon

That's pretty funny, given your typical modus operandi.

mmetcalfe

I said MOST of the security issues that get hyped. To be quite honest, SQL Slammer didn't affect our operations at all. Neither did the Cisco bug. I don't attribute that to some superior network security we have in place, we just applied the patches that we were supposed to apply. Remember, the patch for Slammer came out long before the attack. yes.... *yawn*

CharlieSpencer

I was once accused of being an Apple shill, a paid MS troll, and a Penguinista (!) all in the same week.

Sterling chip Camden

The comments so far that object to the article all read to me like "stop barbecuing our sacred cow" without giving any reasons why it should be exempt from grilling. If someone wants to lay out some evidence to contradict what Chad says here, let them (if they can).

apotheon

"Could that just be, because it isn't?"

I believe you may be on to something.

santeewelding

Introductory first paragraph: "Let's set aside any formality and objectivity for a moment. Let's make this personal." Fair enough. Your problem?

HAL 9000

Security by Design and it was all the rage at the time. M$ even handed us Partners Security Books telling us how to design better software for the Windows Platform. But never once did they address Privilege Separation or any ways of preventing processes from running whether they were needed or not. The entire Security By Design seemed to revolve around preventing Buffer Overflows in DLL's. That is hardly Security By Design, it's nothing more than hoping for the best with what we know now and to hell with what we may learn later it's not important now. But even with that thinking they still do not separate things anywhere near well enough. So much for Security By Design it was a joke then and a very bad joke now.

When I suggested better Separation to the Developers all those years ago I was told that we make Windows we don't want something as complicated as Unix. So they just accepted that they could have no real security, just push the idea of Having Security when actually they had none. It's the same old story tell a Lie often Enough and Long Enough and people will start to believe you.

Yea I know Windows is Secure, Welcome to ########## the Most Secure Windows Yet. ########## = The current version of Windows just insert that and you don't even need to change the script. Says a lot actually doesn't it? No matter what changes they make it's still Windows and it's Insecure. :D

Col

apotheon

"Managerial and Organizational incompetence? I doubt very seriously that any historian looking at Microsoft is going to share your point of view."

Try asking a software engineer -- someone who actually knows something about the organization's (nominal) raison d'etre -- rather than someone whose job it is to interpret events in favor of the victors.

The fact that you keep replacing better technologies with worse is not a testament to the quality of Microsoft technologies; it's a testament to more organizational incompetence (and not Microsoft's, this time).

"If the solutions didn't work Microsoft wouldn't be where it is."

Correction: If the "solutions" couldn't be made to work -- though not necessarily well -- Microsoft wouldn't be where it is. Market dominance in a mixed-economy market is not the same as successful development of technical quality. Any economist can tell you that, in excruciating detail.

"It's a free country though so you are entitled. I wouldn't hire a consultant with such an ingrained bias as yours and I hire consultants to compare Open-Source solutions to Microsoft on a fairly frequent basis."

Do any of them know anything about open source software that doesn't come from Microsoft marketing? Don't bother answering that. I know how you'll answer. I just want you to think about it on your own some time. Many consultants I've met who are familiar with Microsoft technologies always put on a big show of non-partisanship and unbiased analysis, then inevitably recommend some Microsoft tool because that's how they'll make the most money (regardless of the fit for the client). By contrast, I'll recommend whatever works best for the client. Period. A lot of the time, even if the software itself is crap, sticking with Microsoft's crap is the better option for a given company, at least for now -- and in such cases, that's the recommendation I make. Frankly, though, I wouldn't want you to contract my services. I don't like working for people who base their technical knowledge on BusinessWeek ads.

"The Ridiculous Fallacy was an attempt to carry on the humor of your original article."

Poppycock.

mmetcalfe

Managerial and Organizational incompetence? I doubt very seriously that any historian looking at Microsoft is going to share your point of view. I don't buy everything Microsoft Marketing says. I even *gasp* am prone to use open source from time to time. In real-world corporate IT operations however my experience has been VERY positive with Microsoft products on the whole. My experience is probably of a similar length to yours. About 25 years. Over those 25 years I've watched my base of Unix servers (SCO, DG, AIX, HP-UX, Solaris) shrink and be replaced by Microsoft technologies, possibly attributed to Microsoft's managerial and organizational incompetence. I've seen our Oracle servers move to SQLServer. I've seen some implementations of MySQL introduced but eventually roll back to SQLServer. If the solutions didn't work Microsoft wouldn't be where it is. Which brings me back to my original point. The security holes in the software certainly exist. It's a fact of life and I think your position is over the top. It's a free country though so you are entitled. I wouldn't hire a consultant with such an ingrained bias as yours and I hire consultants to compare Open-Source solutions to Microsoft on a fairly frequent basis. The Ridiculous Fallacy was an attempt to carry on the humor of your original article.

seanferd

The point is that there is no real privilege separation in the OS - it is all bolted on. MS had their chance when they flipped to the NT kernel, and they darn well had the freely available common knowledge provided by Unix and other systems regarding proper privilege separation architecture. Hell, MS was even a Unix vendor at one time. Yes, MS is making progress: The newly installed windows are locked by default, but the foundation was defective since the house was built.

seanferd

First Energy can't operate their way out of a wet paper bag. And Davis-Besse has a horrific history, pre-dating First Energy, to be sure. (But Perry isn't quite so scary.) The parallels make my head hurt.

Tony Hopkinson

they are usually linked with the ability to lose convincingly at golf....

apotheon

  * CxO job titles
  * usernames that fit patterns like (first initial) + (last name)
  * substituting the content of full-page ads in BusinessWeek for actual technical knowledge.

What is it with those three things so often going together?

Tony Hopkinson

"Nothing is perfect out of the box". Do you know what architectural privilege separation is? You can't bolt it on, it's fundamental to the design. Well if it had been modular I suppose they might have stood a small chance, but of course MS embraced a monolithic philosophy as well, so any hope of that went directly in the bin. Both of these were commercial decisions. Highly successful ones too. No way to back out of them though except at huge cost and risk. Please cease with the FUD, ad hominem and straw man debating tactics, it's embarrassing. The business case for doing it is effectively inarguable, the technical case for doing it properly is as well. I understand the why of it as a propeller head, the fact that you as a CIO apparently don't is I must admit something of a concern...

apotheon

"Microsoft released patches and because a sysadmin didn't apply them in order it's Microsoft's fault?"

Are you really going to blame the sysadmin for the fact the patches aren't labeled "apply this first", "apply this second"?

"Again, you are completely off-base if you say that Microsoft has a Complete lack of responsibility for the security of its Customer Base. They've made a very large commitment of time and money to improving the security of their software."

I see you buy everything Microsoft sells in its marketing materials.

"there are a lot of people working at Microsoft and you should realize it's a plural as opposed to the Singular 'Great Satan'."

Alas, I don't know all their names, and corporate bureaucratic structure is surely part of the problem -- so I refer to them collectively as "Microsoft", which is a singular corporation.

"I can find plenty of faults with the company's products without making the broad comments that make it look like a conspiracy every time a bug is found."

I don't do that. I believe that the vast majority of the bugs are a result of managerial and organizational incompetence. Many -- though a minority, I believe -- are a result of depraved indifference on the part of decision makers (such as the particular privilege separation violation I mentioned). I'm pretty sure quite few of them could reasonably be described as conspiratorial in nature.

"I'm surprised you haven't released the bonus structure their employees get for injecting security flaws in the software that gets past testers and requires a patch post release."

Let me know when your "argument" relies on something more substantive than blatant appeal to ridicule fallacies.

mmetcalfe

That was a good article on the Nuclear Plant. However I don't think I would blame the entire issue on Slammer. It sounds as if there were numerous issues in place including an un-firewalled connection to the production network for the reactor. I wouldn't say it "took down" a plant. The article clearly states that the plant was already offline because of a gaping hole in the roof of the reactor. Could Slammer have taken it down? It quite possibly could have. How much of the blame lies in the lack of a firewall and the unpatched (or patched in the incorrect order) SQLServers? While it may appear otherwise, I'm not drinking the Microsoft Kool-Aid. I'm just saying things need to be taken in context.

mmetcalfe

Microsoft released patches and because a sysadmin didn't apply them in order it's Microsoft's fault? Again, you are completely off-base if you say that Microsoft has a Complete lack of responsibility for the security of its Customer Base. They've made a very large commitment of time and money to improving the security of their software. Was it necessary? Obviously the answer is yes. Do they deserve credit for making the commitment? Some say yes, others (and you MAY be one of them) say no and that they should have done it up front. Step back into reality and realize that nothing is perfect out of the box. Also ground yourself in the reality that there are a lot of people working at Microsoft and you should realize it's a plural as opposed to the Singular "Great Satan". You've made your position very clear on what you think about Microsoft. I can find plenty of faults with the company's products without making the broad comments that make it look like a conspiracy every time a bug is found. I'm surprised you haven't released the bonus structure their employees get for injecting security flaws in the software that gets past testers and requires a patch post release.

robo_dev

I do realize that Microsoft security and getting punched/stabbed simultaneously are not entirely dissimilar :) My point is not that Microsoft products are secure, but rather to at least give them partial credit for making some progress. To compare, for example, the default security configuration of Windows 2003 versus Windows 2000, you would see that somebody there understands the concept of least privilege. What I want to know is what are the root causes of their security woes. Is it that their products are over-complex? Do they do adequate testing of new features/releases? Is there more management focus on new product development than there is on producing secure software? I am not convinced that Microsoft purposely makes their products 'security challenged', but rather their focus on ease-of-use versus security and their willingness to pass-the-buck on security to the end-user has made security a lower priority. In terms of building a secure OS, I agree that it is a flaw that Windows has too many ways to easily escalate privilege, but users are not blameless here...how many people run their workstation logged on as Administrator? No need to run a privilege-escalation exploit if you are already there! Similarly, the flexibility and ease-of-use of Microsoft Windows Terminal Server makes it easy for a newbie admin to configure it to use unencrypted logins, and allow any and all login users to have god-like privileges on the system. Does this mean that the product is inherently insecure? Not necessarily, it's just not idiot-proof. If I go into the OS on a Nokia firewall, for example, and try to enable telnet or do some other stupid thing, it just won't let me do it.

apotheon

> The problem is that for every relatively secure Windows 2008 server there are a dozen unpatched Windows 2003 servers, so their reputation for security will not recover anytime soon.

The practice of saying things like "relatively secure Windows 2008 server" is basically a way to hand-wave away the continuing deep problems with MS Windows security. Sure, it's relatively secure compared to older systems that are no longer fully supported. Sure, it's relatively secure compared to older systems that malicious security crackers have had more time to pick apart. No, it's not really more secure in a meaningful way if Microsoft has not implemented real fixes for MS Windows security issues, such as by adding real architectural privilege separation that is not violable even by the OS itself. Instead, Microsoft has seen to it that even DRM software can violate privilege separation on MS Windows -- intentionally. Yeah, getting punched in the face is probably relatively painless, when compared with getting punched in the testicles and simultaneously stabbed in the kidney, but that doesn't make it actually painless.

robo_dev

At the time I worked at a Fortune 100 company when Slammer hit, and it was a huge issue. It pretty much put the whole IT organization into crisis-mode for about a week. In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. In late January 2003, the Slammer worm knocked out 911 emergency telephone service in Bellevue, Wash. It also took down a nuclear power plant: http://www.theregister.co.uk/2003/08/20/slammer_worm_crashed_ohio_nuke/

My only comment about Microsoft's approach to security is that they did have some very big issues, but they DO deserve some credit for getting better at addressing these issues. The problem is that for every relatively secure Windows 2008 server there are a dozen unpatched Windows 2003 servers, so their reputation for security will not recover anytime soon.

apotheon

Maybe you were so dismissive of vulnerability news that you just don't read the interesting stuff when it happens. Here's how it played out:

  1. Three patches were produced that had something to do with SQL Slammer.
  2. SQL Slammer hit.
  3. Microsoft blamed sysadmins for failing to apply patches.
  4. A bunch of sysadmins lost their jobs.
  5. It turned out that many of those sysadmins were doing their jobs -- because they were rolling out patches in stages, testing them before putting them into production. They had applied the patches. At first, people didn't understand why the SQL Slammer worm still affected the systems in their areas of responsibilities.
  6. Oh, wait -- because the testing tended to focus on whether the operation of systems was affected, and not on whether the effects of earlier patches were affected, they hadn't noticed (until after SQL Slammer hit) that if those three patches (two of which fixed what SQL Slammer exploited, and one of which was supposedly unrelated) weren't applied in the order in which Microsoft pushed them out, the fix for the vulnerability in question could actually end up being undone by the patching process.

. . . but I guess you don't care. Microsoft can't possibly be involved in one of the most ridiculous comedies of errors in IT history. That doesn't fit into your worldview.

edit: By the way, if you ask me, the eight year campaign to ignore a critical security vulnerability isn't "overhyped". It's a perfect example of the complete lack of responsibility Microsoft obviously feels for the security of its customer base. Microsoft will ignore a vulnerability if it feels it can get away with it, it will launch smear campaigns against security researchers who refuse to let Microsoft get away with such campaigns of ignorance, and it will placate credulous Microsoft admins with superficial security "features" that only pretend to provide real security. It's a long-standing pattern that has yet to produce much in the way of actual progress on the security front for Microsoft, despite all its marketing propaganda BS to the contrary.

seanferd

Came with DOS for a while. A tiny, unimpressive thing. I don't think there were definition updates of any sort.

apotheon

I guess they treated virus signatures the same way they treat a lot of vulnerability patching, then.

boomchuck1

They included a very basic anti-virus software in Windows 3.1 I believe. It was basically a port from Central Point's PC Tools. But I don't think they provided regular updates for it.

apotheon

. . . I don't really recall the specifics of what happened with Microsoft's talk about doing its own AV in the '90s. edit: specificity

Sterling chip Camden

... you refuse to be an extremist, and you recognize the strong and weak points in all camps. To the zealots in each one, you're preaching heresy -- so you're obviously in the other camp.

wizard57m-cnet

Don't know if it is a badge, but I've been called a "DOSasaur" because I still play around on the WWW and internet in DOS...glutton for punishment I guess! BTW, Chad...didn't MS have to remove their antivirus back in the 90's due to pressure and posturing by such notables as McAfee, Symantec, etc? MS has released Microsoft Security Essentials for home users for free.

seanferd

Maybe it is a distinction without a difference, though. edit: Or maybe it's "Badger".

apotheon

Far be it from me to malign the memory of those who have moved on (to ZDNet, I think), but you misspelled "ill-informed opinion".