Forgot your password?
typodupeerror
Microsoft Operating Systems Software Windows

Microsoft to Clean Up Code 466

Posted by CowboyNeal
from the throwing-out-the-cruft dept.
the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.
This discussion has been archived. No new comments can be posted.

Microsoft to Clean Up Code

Comments Filter:
  • more of the same (Score:3, Insightful)

    by malus (6786) on Friday May 30, 2003 @08:15AM (#6075329) Journal
    more of the same lip service from our friends at Redmond. is this the 3rd, or 4th 'security' initiative?
    • by DShard (159067) on Friday May 30, 2003 @08:17AM (#6075344)
      Lip service or not, these developers have in their job description to be scapegoats. That is not an enviable position.
      • A good thing (Score:5, Insightful)

        by DrTentacle (469268) on Friday May 30, 2003 @09:15AM (#6075762)
        Obviously, MS bashing abounds, but I view this as a good thing.

        Working in an environment that is purely MS based on the desktop, with significant MS server infrastructure, I can only applaud any efforts they are making to clear up the mess that is obviously present. No, it's not going to happen overnight - Just as the company I work for is not going to replace all it's investment in MS tech overnight.

        Unfortunately, being a developer does not make you a security expert. Some are, others will continue to allow simple flaws, such as buffer overruns, into their code. Having a group of people who focus on security review that code is without a doubt a good thing. While this may not be the potentially rigorous code review that OSS gets, it's better what presently happens at MS.

        As for the issue of scapegoats...from an external point of view, getting MS to recognise bugs can be a difficult job at the best of times. Internally, if a group of security "experts" fail to recognise security flaws in a piece of code...then surely they are failing at their job?

        Finally, there's been a lot of flaming about the fact that this is yet-another-initiative from MS in the security field. I welcome all of them, in parallel, as moving towards sorting out some of the many issues they have. The less time I have to spend working on patching buggy MS software, the happier I will be.
        • Re:A good thing (Score:5, Insightful)

          by Alsee (515537) on Friday May 30, 2003 @03:43PM (#6079811) Homepage
          Obviously, MS bashing abounds, but I view this as a good thing.

          The problem is that as far as Microsoft is concerned "security" is a synonym for "DRM".

          Whenever Microsoft talks about security, one always has to wonder how much of what they are doing actually means securing the machine against outside attackers (a good thing), and how much of it means securing the machine against it's owner (a bad thing).

          The article makes refferences to things like "Trustworthy Computing" and "Next Generation Security". Both of which actually mean "DRM enforcment".

          "Normal" computers cannot be adaquately secured against their owners. As far as Microsoft is concerned this is a "security flaw". Microsoft intends to "fix" this "flaw" by introducing new and crippled computers.

          The article says Microsoft's "ultimate goal being that customers will take security for granted". Do you really think they mean that people will take it for granted that Microsoft software is bug free?? Or do they mean that their DRM mechanisms will be an "invisible", integrated, and omni-present part of using a computer?

          They want you to take it for granted that the computer is invisibly and seamlessly enforcing DRM restrictions when you read your E-mail or surf the web. People are not supposed to notice that the option to "save image" has dissapeared from the menu when you right-click an image in the browser. Not only is that option gone, but the computer is phyically incapable of saving that image. The image is copyrighted of course, and wrapped in DRM. If people never see the DRM, they will just take it for granted when various options vanish, or other things become mandatory.

          If Microsoft is cleaning up their code, then yes, this is a good thing. But a careful reading of the article suggest that this is at best a mixed project. And that is not a good thing.

          -
    • by Martigan80 (305400) on Friday May 30, 2003 @08:29AM (#6075442) Journal
      Actually this was in itself a security leak, the matter is being looked into.
    • by JayJay.br (206867) <<100jayto> <at> <gmail.com>> on Friday May 30, 2003 @08:35AM (#6075492)
      Might be the 6th initiative. But don't worry, they're goin to get back to the source, and Zion will be destroyed again.
    • Credit Where Due (Score:5, Interesting)

      by k0de (619918) on Friday May 30, 2003 @08:35AM (#6075494) Homepage
      If the 3r33t community hated other software/platforms as much as they hated Microsoft I'm sure the level of bugs exposed/viruses would be equally as high. I'm not saying Microsoft throws all beautiful software around, but if you devote time to finding holes in software, you'll find it no matter who the maker. As a fair example, look at what happens [zdnet.com] Larry Ellison tries to make grand claims about the stability of Oracle software. Many of you have valid opinions, and that's respectable, but how so many people can blindly hate Microsoft because of the hate trend makes me want them to succeed.
      • Re:Credit Where Due (Score:5, Informative)

        by BadDoggie (145310) on Friday May 30, 2003 @08:48AM (#6075571) Homepage Journal
        Larry Ellison begged the world to break Oracle. They spent millions buying up the backs of every business magazine and full pages in serious and financial newspapers claiming it was "unbreakable". They specifically said that no hacker could get into it. Real hackers and crackers have always said they do it for the challenge. What better way to provide a challenge than to spend tens of millions in order to yell, "C'mon, you weenies! I dare you!"

        Microsoft also got hit a lot harder every time they claimed some semblance of security. They've learned their lesson, albeit slowly. Now they only claim to be working on improving security, considerably different than Larry's claims.

        woof.

        • by k0de (619918)
          Now they only claim to be working on improving security, considerably different than Larry's claims

          Yes, considerably more humble. At least Microsoft knows better. That's a lesson Larry hasn't been able to learn from Microsoft's mistakes, so now he's learning the hard way.

          The bottom line is that staying under the radar doesn't mean your software is stable. Any company with Microsoft's faithful hate troop would be humiliated by their own software. Oracle is just one example.
    • by SkArcher (676201)
      Basically, this news story ammounts to 'M$ are doing what they are paid to do and making their software secure'?

      Why is this considered newsworthy?

      On second thoughts...
    • No kidding! (Score:5, Funny)

      by ackthpt (218170) * on Friday May 30, 2003 @08:42AM (#6075539) Homepage Journal
      more of the same lip service from our friends at Redmond. is this the 3rd, or 4th 'security' initiative?

      NEWSFLASH!: Microsoft invents quality control! source code reveiw measures, internal cooperation among units, standardized enterprise wide security measures! Patents soon to follow!

      It certainly makes me wonder what the hell they've been doing all these years, besides making gigantic amounts of profit...

      Oh... right, less money on development costs == more profits. Now I see why Steve Ballmer and Bill have been selling off so much stock.

      • Re:No kidding! (Score:3, Insightful)

        by dthable (163749)
        I don't think it's as simple as the amount of money on development costs. Microsoft is going through the transformation from a programming shop (with loose standards and shoot from the hip developers) to a true software engineering shop (many standards, well thought out ideas and calculated coding). It's a tough transformation, but the code will be better in the end.
    • Re:more of the same (Score:4, Interesting)

      by tomhudson (43916) <barbara.hudson@NoSPam.barbara-hudson.com> on Friday May 30, 2003 @10:44AM (#6076686) Journal
      and putting it in the hands of a review group, rather than educating their coders (who are, after all, the ones who wrote the bugs in the first place) on how not to write buffer overflows, etc, is the WORST way to go about it.

      So, here's a rather obvious 1-2-3-profit list

      1. patent the buffer overrun
      2. sue microsoft for every infringement
      3. profit!
  • Poppycock. (Score:2, Insightful)

    by Anonymous Coward
    This "emphasis on security" crap is just a PR screen for TCPA^WPalladium^WNext Generation Secure Computing Base.
  • Fat Chance (Score:5, Interesting)

    by OmniVector (569062) <see my homepage> on Friday May 30, 2003 @08:16AM (#6075342) Homepage
    If you've learned anything by now, it's not important that Microsoft fix the majority of their security flaws, but that they imply they will.

    The OSS model of peer review on a large scale is the sole reason for such reliable security.

    Proprietary companies still have an edge. If people programmed according to a planned set of pre/post conditions, and tested their modules with black box testing, then a large portion of the controllable errors can be caught. Whether or not Microsoft does this is questionable since we can't see their code.

    Oh, and BOUNDS CHECK EVERYTHING. Buffer overflow errors should have been non-existant for a half a decade by now.
    • Re:Fat Chance (Score:4, Interesting)

      by jkrise (535370) on Friday May 30, 2003 @08:32AM (#6075469) Journal
      "it's not important that Microsoft fix the majority of their security flaws, but that they imply they will."

      Let's have a debate at Ask Slashdot. Is it EVER possible to make Windows secure? Not maybe in the same league as Linux or Unix, but even marginally better than what entails now?

      The challenges:
      1. An integrated all-in-one tightly coupled design - anything breaks, everything compromised.
      2. Proprietary standards (if that isn't an oxmoron)
      3. Newer OS releases atleast once a year, to break competing code.
      4. Newer releases to support existing apps (3 and 4 directly contradict)
      5. Code size and complexity - I doubt anyone, even at MS has access, let alone modification rights to the variuos code bases.

      Put simply, Mission Impossible.
      • I agree - and that's why Microsoft would be best off, for their long-term interests, with a team of software engineers who would redesign the Windows codebase from scratch. I'd bet a lot of the "millions of lines" of code in Windows XP is legacy Windows NT code--in which case MS should take a fresh look at what the code does, if it could be designed more efficiently and securely, and (more importantly) if any other parts of the Windows code actually use it. Of course, such measures would take years and wo

        • Re:Fat Chance (Score:5, Informative)

          by clary (141424) on Friday May 30, 2003 @09:23AM (#6075842)
          What you suggest would be the end of Windows (maybe not a bad thing). An ex-Microsoftie says it well here: Why you should never rewrite from scratch. [joelonsoftware.com]
          • Bullshit. Writing code from scratch is the *only* way to go if your existing code base is too hosed. Look at, for example, the Be Operating System. Written from scratch, from the ground up, and it shows just how much a computer can really accomplish if you start with a clean slate.
          • Re:Fat Chance (Score:5, Interesting)

            by walt-sjc (145127) on Friday May 30, 2003 @11:40AM (#6077318)
            Just read that drivel, and there ARE some valid points, but it is NOT universally true.

            Case in point, I was on a team that redesigned an entire large-scale system from scratch. The old system was built in lots of little parts using various languages (shell, perl, java, c++, c, python, lisp), multiple databases from various vendors, had virtually no internal documentation on how anything worked, etc. They system was quite unstable crashing multiple times a day, and very difficult to enhance without breaking shit. Kinda like Windows...

            We re-built the entire system in about a year (about 750K lines of code which was about half the size of the original code.) The result was amazing. After the initial deployment period where the bugs were worked out, the system was rock solid being able to stay up for months at a time, was Very easy to enhance, had tones more features and flexability. We had a great team, and a solid commitment from senior management providing the needed resources.

            Netscape's biggest problem was not starting over from scratch, but poor project management (not keeping people within original design constraints) and a lack serious commitment from senior managment. Rather than having a very tight set of requirements and design goals, things were very nebulous and got out of control very quickly. No longer were they building a new browser, but a cross-platform framework for any kind of application they could think of. When you look at projects such as Galeon, most of that bloat is ripped out.

            Rather than folling a bad example of how to run a re-design project (mozilla) MS could EASILY afford a new team to start Windows from scratch, leaving the existing team in place to continue to enhance / maintain the existing code base. This is the step that Netscape missed. They only used a small fraction of their people to maintain (and NOT enhance) the old code.

            Joel is making his claim by using the worst case example. Kinda like if I claimed that you should never put the gas tank in the back of a car pointing to the Pinto as my evidence, ignoring the thousands of other car designs that worked.
        • Re:Fat Chance (Score:5, Interesting)

          by Daniel Phillips (238627) on Friday May 30, 2003 @09:38AM (#6075983)
          ...that's why Microsoft would be best off, for their long-term interests, with a team of software engineers who would redesign the Windows codebase from scratch.

          They already tried that, it's called "NT". Things got better for a while, then the application mafia got their fingers in and it degenerated back to the current mess.

          So they could start that process over again, and be finished in 5 years, just in time to see their stock make the final dive into the subbasements. Or they could learn from Apple once again, and switch to BSD, it's free :-)
  • About damned time (Score:5, Insightful)

    by rgoer (521471) on Friday May 30, 2003 @08:17AM (#6075346)
    Now, if only they would incorporate a business ethics cleaning group, maybe we'll see some progress.

    And, yes, please somebody respond to the oxymoronic notion of "business ethics," I'm just begging for it.
  • I'm suprised... (Score:5, Interesting)

    by DJPenguin (17736) on Friday May 30, 2003 @08:17AM (#6075348)
    ... that this group didn't exist before. Surely a company the size of MSFT would already have a team or group just doing code auditing?

    Oh well. as they said - it's a step in the right direction.
  • Incorrect (Score:5, Insightful)

    by The-Bus (138060) on Friday May 30, 2003 @08:17AM (#6075349)
    If you RTFA, it shows that this is entirely security-oriented, not performance oriented. It seems that "cleaning the code" means "patching makeshift holes over problems" not "making code athletic, slim, and fit"...

    Pity.
  • sceptic (Score:5, Insightful)

    by Ashish Kulkarni (454988) on Friday May 30, 2003 @08:17AM (#6075351) Homepage
    I'm highly sceptical of this. In my experience, security and features are always on two opposites sides of the spectrum, and Microsoft is too much on the features and ease-of-use mindset to have something really significant coming from this effort.
    • Re:sceptic (Score:5, Interesting)

      by Shalda (560388) on Friday May 30, 2003 @10:45AM (#6076688) Homepage Journal
      Perhaps you haven't looked too closely at Windows Server 2003. I've been kicking it around for about 2 weeks now and let me give you some highlights.

      1. Stuff works. It's the easiest time I've ever had configuring a server. It's like flipping a switch.
      2. Stuff is locked down. Everything out of the box is turned off. When you do turn it on, it's locked down by default. Everything runs with the lowest privelege possible to get the job done.
      3. Reliable. Nearly anything can be done without restarting the machine. The only exception I've had so far is making it a domain controller.

      Frankly, I'm looking forward to working with it in a production environment.
  • by nounderscores (246517) on Friday May 30, 2003 @08:17AM (#6075352)
    Microsoft is going to hire testing programmers?
  • by Mr2cents (323101) on Friday May 30, 2003 @08:18AM (#6075355)
    .. but only if they clean up the bugs, and not the patches.. (Hey? what's this if-clause doing here? There is no such thing as a negative packet size!)
  • by Davak (526912) on Friday May 30, 2003 @08:19AM (#6075364) Homepage
    Seems like that a "code cleaning group" would be the most poorly efficient way of accomplishing this.

    Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!

    Why hire somebody else to do _your_ job?

    I've never programmed in a huge group before... so maybe I missing the experience to understand.

    Davak
    • Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!
      Heh, heh.

      "Hey, why waste time on those sanity checks, let's use gets(), the security monkeys will clean it up anyway!"

      • "Hey, why waste time on those sanity checks, let's use gets(), the security monkeys will clean it up anyway!" ... and then publish your name as producing the worst, security-poor code in the company and everyone can laugh at you, and the bosses can cancel your bonus.
    • It's notoriously difficult to read other people's code. It would take more programmers to fix a project than it took to write it in the first place. Shouldn't there be a "Clean Code" peering/mentoring group instead, or a "Clean Code" review body? I'd be much more confident if someone was keeping up with the code as it was written, and going back to the programmers before the program ships, asking "What exactly does this do for the program?", or "You do realize that you should decrement this length coun
  • by geesus (545118) <paul@NOspam.crib.ath.cx> on Friday May 30, 2003 @08:19AM (#6075366) Homepage
    OpenBSD have done this. They set up a team of dev's who went through the entire code fixing up buffer overflows\underflows, and all that jazz. I hope for the worlds sake (because it seems that the whole world is using Microsoft products) that they do a good job, but in my mind it wont make me feel like Windows or IIS or any other networkable piece of Microsoft written software is secure.
    • For the world's sake (Score:3, Interesting)

      by truthsearch (249536)
      I hope for the world's sake they do a terrible job and most people realize it. If their software remains marginally good enough in most people's minds, as it is now, it'll continue to be used. Their walking a thin line right now. If their software is seen as more expensive, buggier, or more insecure than it is now, even by just a little, they'll hurt. Anything that keeps them above that line keeps them in business. I'd much rather see them fail so there's a much quicker transition to FOSS.
  • In it's newest patented process, MS has just invented PeerReview.Net++.
  • by Skweetis (46377) on Friday May 30, 2003 @08:19AM (#6075372) Homepage
    # dd if=/dev/zero of=/dev/hda bs=512

    Seriously, though, this is a good step for them, and I hope other software companies follow their good example.
  • by El Cubano (631386) <roberto.connexer@com> on Friday May 30, 2003 @08:20AM (#6075375) Homepage

    Microsoft is a long way from its ultimate goal where users can take security for granted in its products

    This is precisely the problem we have now. People already take security for granted (they don't think about it). Their goal should be to beef up security and to educate everyone about the features so that they become more security concious, rather than just take it for granted.

    • by Wolfier (94144)
      Problem is, Open any magazine and you'll learn that Microsoft is on a rampage advertising campaign to preach that its products are secure.

      When in fact it is far from the truth.

      This false sense of security is exactly what makes their product very vulnerable.

      MS needs to admit the security flaws publicly, loudly, and stop preaching bullshit.
  • I hope this works better than trustworthy computing has done so far. It's going to need real commitment from the company to allow it to make a difference. It could even mean delays to product launches (or service packs), which some parts of M$ may not be so keen on (though after recent debacles, other parts of the company would probably like fewer, better, security fixes).

    And I can't imaging their top coders rushing to join this team.

    Still, it could work...

  • by Neophytus (642863) * on Friday May 30, 2003 @08:21AM (#6075380)
    I would never want to take my security for granted, in any product. Not windows, not open source, not even goddamn openbsd that proclaims proudly 'only one remote hole in the default install, in more than 7 years' on its front page [openbsd.org]. Only one hole that has been found. The chances are that, somewhere, there is an obscure security hole that nobody has discovered. It would become the second.
    • by Sentry21 (8183) on Friday May 30, 2003 @09:15AM (#6075750) Journal
      not even goddamn openbsd that proclaims proudly 'only one remote hole in the default install, in more than 7 years' on its front page. Only one hole that has been found. The chances are that, somewhere, there is an obscure security hole that nobody has discovered. It would become the second.

      I dunno, two remote holes in 7 years is pretty good. If you want to use slashdot as a forum for anti-OpenBSD trolling, point out that the default install does pretty much nothing, and it's the services that people install anyway that are usually abused (telnet, ftp, etc.). That's more of a point than 'Only one? They probably have two!' which is just blatant trolling.

      --Dan
  • by Boss, Pointy Haired (537010) on Friday May 30, 2003 @08:22AM (#6075388)
    Especially if the clean-up group are not working closely with the original developers.

    Fix 1 security hole.

    Introduce 100 bugs.

    Hmmm.
  • by Pave Low (566880) on Friday May 30, 2003 @08:22AM (#6075392) Journal
    Recently it seems not a day goes by on slashdot without a few Microsoft stories. This supposedly linux, open-source focused site seems awfully preoccupied with Microsoft for some reason, and it's not good.

    The trolling editors seem desperate to generate pageviews and posting a Microsoft piece almost guarantees to inflame and troll enough users to accomplish this.

    Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.

    The more reasonable readers don't get off on that kind of stuff. Please editors, this is getting old and boring.

    • by Anonymous Coward
      > Recently it seems not a day goes by on slashdot without a few Microsoft stories.
      You must be new around here...

      Here's a tip for you: go to your Preferences and filter out what you don't want to see.
    • by krystal_blade (188089) on Friday May 30, 2003 @08:45AM (#6075550)
      Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.

      You're new here, aren't you?

      krystal_blade

    • by Obiwan Kenobi (32807) * <evan AT misterorange DOT com> on Friday May 30, 2003 @09:06AM (#6075661) Homepage
      Firstly, filter it if you don't like it.

      Secondly, I believe it's very important to keep track of any and all movments of the biggest, richest, most powerful company in the world.

      Of the company that controls 95% of the desktop market that Linux might, hopefully, break into.

      If they're looking into new strategies, even ones that are years behind their time, we should know about it. When you only look at yourself, you'll sometimes see innovation or monopolism take over while you're busy staring at your shoes.

      A company with such terrible operating practices [lindows.com] should be watched closer than any other company, and I'm all for it.

      Despite your obvious trolling, I will agree that it might seem a bit much, but I'll tell you, I'm glad we're looking too hard, than not looking hard enough.

      I wait for these same comments about the SCO case in a few days.
    • I like way I saw this story with a big advert under the story for Visual Studio .Net.

      Hmm.
      1. Get adverts from Microsoft,
      2. Run lots of Microsoft stories,
      3. Get more adverts from Microsoft
      4. Profit
      5. Switch Slashdot to IIS
      6. Lose profit.
  • by Zigg (64962) on Friday May 30, 2003 @08:23AM (#6075395)

    What is really needed from Microsoft is flat-out redesign, and that means breaking a few eggshells.

    The most telling bit from this article: "...the majority of viruses written attack Microsoft products..." Yes, it is certainly true that some of them exploit real bugs, but the majority of viruses target Microsoft software design, not buffer overflows.

    I'm willing to bet the code audit team members don't have redesign authority; nor should they. Hopefully, they do have easy access to people who can make the design decisions and can raise issues quickly. Necessary design changes are going to break things.

    You can audit the code all day and all night and you will end up with a more secure product in the end. But to solve the real problems with Microsoft security, the product needs to be designed with that security in mind.

  • by jkrise (535370) on Friday May 30, 2003 @08:25AM (#6075407) Journal
    "The new group is called Security Engineering Strategy"

    A weak name, I suppose. Some suggestions:

    1. Next Generation Secure Computing Strategy.
    2. Social Engineering Strategy.
    3. Brainwashing Services (BS, for short).
    4. Severe Acute Repair Services Group (SARS group)
    5. Purity Enhancing Networked Information Services. (figure it out)
  • by Gaggme (594298) on Friday May 30, 2003 @08:25AM (#6075415) Homepage Journal
    ..you can only realize the truth, that the Windows codes is the virus.
  • by xtermz (234073) on Friday May 30, 2003 @08:26AM (#6075421) Homepage Journal
    ...is peer review by knowledgable people within the security community. And how do they have peer review of their code?..... open the source, of course.

    ok, i did not mean for that to rhyme, but you get my point. Microsoft is a big self reliant entity that hires like minded people. Thats not who they need reviewing their code. They need objective 3rd parties with real world experience in security and systems. I'm not saying they need to put the code to WinNT on an FTP server for all to see, but loosening their grip a little.

    Once MSFT realizes that they dont have to be nazi-esque with their firm grips around their code base, and they can succeed by opening up a little, they will do great things, imho. They havent quite learned that yet..
    • by _Swank (118097) on Friday May 30, 2003 @09:44AM (#6076053)
      open source is certainly one way to potentially increase code quality with respect to security. but there are others, including introducing a group within the company to audit exactly that.

      there are obvious drawbacks to microsoft opening their source, including a large collapse of their main revenue streams and huge impact on their existence as a company. at least, as microsoft is structured now, opening their source is not a good business decision (no matter your feelings on microsoft as a company).

      open source is not the software savior it's often made out to be. all software will not be open source. ever. demanding that every software company do just that is both unreasonable and generally unhelpful. we should be demanding that software companies produce more secure, stable, and user-centered software. however each company chooses to do that shouldn't matter, as long as that end goal is reached.
  • by shayborg (650364) on Friday May 30, 2003 @08:26AM (#6075422)
    First, this isn't a code cleaning initiative, as someone above noted -- the article says that the new group will "establish new software development processes and create tools for its programmers so that future Microsoft products will have fewer security flaws." So it looks like their job is to just improve the programming methodology at our favorite software company.

    Second, there are only ten people on this task force. Will they have enough time to fix the programming methodology for all Microsoft software? Somehow, I doubt it -- and it doesn't take much imagination to guess that the Mac products, for example, aren't likely to be the primary targets, as well as any spyware that Microsoft finds convenient (*cough*WMP ;-)*cough*).

    So it's a step in the right direction but I think they need to use more manpower to solve this problem. God knows they have plenty of it. Until they do, across the board, I don't think many of us will ever trust Microsoft's security. (I'll leave the question of trusting Microsoft itself to another discussion.)

    -- shayborg
    • by djupedal (584558) on Friday May 30, 2003 @08:58AM (#6075616)
      MS employs a staff that roughly equals 20% of GE. And the bulk is either in marketing or legal. Factor out these yocals, mid-level managers doing nothing but CYA and all the air-head interns and there's not much left. There's your 'task force,' working on this whitewashing.

      What is Microsoft's full-time worldwide headcount? Current employment headcount as of 6/30/02: Worldwide: 50, 030

      GE operates in more than 100 countries and employs 313,000 people worldwide. Now, that's manpower. Anything under 250,000 is just an excuse to have vending machines in the lobby.
  • by krystal_blade (188089) on Friday May 30, 2003 @08:27AM (#6075426)
    'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...

    The way I hear it, most people already take security for granted with MS products.

    And are proven idiots.

    krystal_blade
  • Open it up (Score:2, Interesting)

    by Midajo (654520)
    Nobody in their right mind is going to simply take it for granted that any given operating system is secure. Considering Microsoft's track record of programming, they are the last people anyone should blindly trust. The only way to deliver security on a project of this magnitude is to open the source to peer review.
  • Are they saying that they will start doing the code review from now on ? Does it mean that they were not doing it before and not following the procedure that is standard in most of the software development firms ?

    - Jalil Vaidya
  • The article failed to mention the individual [bettsiv.com] who will be heading the group. I wish Mr. Pen and the rest of his team the best of luck for this endeavor. They'll need it.
  • by Sevn (12012)
    Farmer John has decided to close the gate after all
    the horses have run away.
  • its ultimate goal where users can take security

    And here I always thought Microsoft's "ultimate" goal was world domination...

    I mean, that's what I've read here on slashdot...
    (cognitive dissonance takes over...)

    They must have gotten that statement screwed up...

    krystal_blade
  • by pchown (90777) on Friday May 30, 2003 @08:34AM (#6075489)
    It's tempting to dismiss this sort of announcement as "more of the same", "PR spin", and so on. Perhaps it is, but I don't want to get caught when the security spending starts to produce real fruit.

    Think about the success of OpenBSD [openbsd.org]. In terms of security holes it's probably an order of magnitude better than other free operating systems, and Windows. This result was largely obtained through code auditing. If we aren't careful, in a few years, Microsoft will turn the tables on us. The code auditing they've done will have paid off, and we'll have it all still to do (for the typical Linux distribution, OpenBSD is different).

    Laughing at your competitors is a risky strategy.
    • by Ashish Kulkarni (454988) on Friday May 30, 2003 @09:18AM (#6075792) Homepage
      Yeah, but OpenBSD tries to avoid adding too many features during its code audits ... and OpenBSD already has gone through multiple, LONG audits (recall that Theo did a year-plus audit soon after forking from NetBSD). Also, OpenBSD tends to be very conservative and behind the cutting edge for this very reason (not that it's a bad strategy, mind you). However, this does not sit very well with Microsoft's strategy of adding more and more features in every new product release....

      Security is not a methodology which you can apply like any other tool -- it is a mindset which has to be cultivated in the original coders AND carried over to the ones who bugfix/test the code.
  • But my Project Manager wasnt amused when I sent him empty source files after cleaning up!

  • Microsoft is a long way from its ultimate goal where users can take security for granted in its products

    Oh, yeah - that dude is so fired. This is sort of like that moment during the 98 demo that the scanner blue screened the computer while Bill Gates himself was doing a presentation. He had the gall to say "I guess that's why it hasn't been released yet."

    I couldn't get over the feeling of how surreal it was to imagine Bill Gates having a single thought about product quality, much less expressing that

  • by TerryAtWork (598364) <research@aceretail.com> on Friday May 30, 2003 @08:46AM (#6075554)
    What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world.

    Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.

    He'll give you a seminar on code cleaning you'll never forget.

  • 1) UNIX IP License.
    2) Plan to clean up code.

    All they have to do is start swapping files. :-D
  • This is a delayed April Fools joke, right? Someone forgot to check a date on a submission or something? When would the director of MS security actually admit something like "Microsoft has bunches of bugs"?
  • Let's see - You're a code reviewer for the M$ Code Cleanup crew. Windows 2005 is rolling through developement and you find a security issue that'll add a man-month to the project. What kind of pressure will you encounter from Microsoft's marketing department?
  • by Inverarity (674407) on Friday May 30, 2003 @09:56AM (#6076183)
    As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'"

    Personally, I do not think that security should ever be taken for granted. I think it has been proven that this lax security awareness leads to problems independent of the software (e.g. stolen credit card numbers and identity theft from insecure websites and to a lesser extent the proliferation of spam). Most people do not take the locks on their front dor for granted, why should the computer be any different. Especially now that many individuals use the computer as the primary portal to the outside world.
  • by janda (572221) <janda@kali-tai.net> on Friday May 30, 2003 @10:04AM (#6076270) Homepage

    According to the article, the new group will be called outa'sync (um, no, wrong article. Hang on. Ok). The new group will called the (drum roll, please):

    Security Engineering Strategy Team

    Anything group that has the word "strategy" in it will spend their time writing memos about how this piece of already written code could be better.

    These memos will then be ignored by everybody so they can meet their deadlines.

  • odd timing. (Score:5, Insightful)

    by s4m7 (519684) on Friday May 30, 2003 @10:05AM (#6076279) Homepage

    Here's something to worry about. Does the timing, that the U.S. Gov just instituted a new position for this (the cyber-security chief) which I have already commented on here [slashdot.org], seem odd to anyone else?

    This looks remarkably like the same type of handwaving smoke and mirror show that the government is trying to put on. "look at us, we're doing something(tm) about security!

    makes me wonder if this is microsoft's way of making sure it has a chance to influence what the gov. considers secure.

  • by ayjay29 (144994) on Friday May 30, 2003 @10:36AM (#6076583)
    ... bad news for Linux etc. when it does.

    Windows 3 was crap. ...95 was a big improvement.

    Windows 95 is unstable. ...Windows 2000 was a huge improvement.

    Windows 2000 Server is insecure. ...The 2003 servers ARE a big step in the right direction.

    If they progress as far in the next decade as in the past decade, they will be delivering stable, relyable and secure servers. If that happens I dont see Linux based systems able to offer too much competition.

  • its easy (Score:3, Funny)

    by azoidx (615249) on Friday May 30, 2003 @11:07AM (#6076919)
    cat bad_code.c |grep -v getchar > good_code.c

To thine own self be true. (If not that, at least make some money.)

Working...