Rantastic writes "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox."
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In case anyone is wondering about Download.Ject, check this link [www.mikx.de] out. It's only a matter of time until a high-volume site gets compromised with this exploit. Scary stuff.
Sorry to reply to my own post, but figured I should before the flamethrowers start in.
Download.Ject information is actually here [microsoft.com]. The exploit referred to above is actually the "what a drag" exploit. Still pretty scary if you ask me.
Oddly, the site you linked [www.mikx.de] says that SP2 users are affected, but Microsoft [microsoft.com]'s page says they're not. Clearly someone must be wrong, or the page you linked is about a completely different bug (it does not mention Download.Ject in its body). What gives?
I recall years ago working for the RAID manufacturing division of Conner (the hard drive/tape drive company, which was bought out by Seagate). The building right down the street from ours was responsible for tech support of their tape drives and backup software.
What did our facility use for backup software? Not Backup Exec! We used Legato Networker. I recall some tours the corporate big wigs were given every now and then. Their expressions were funny to see if they peeked in the server room!
Actually, the exploit only worked on Windows machines. Firefox for Linux, Mac OS, etc. was not affected. It had more to do with native Windows security than it had to do with Firefox.
If I'm not mistaken, XP SP2 includes the workaround, which changes a registry entry related to the exploit. XP SP2 doesn't really fix this particular problem but disables the functionality that is being exploited. In a way, users aren't at risk, but if you rely on that functionality, well, you're out of luck for now, or you must run with the risk.
What sort of "interview" only includes four loaded questions?
In the print version of the September issue, it's just a sidebar. Wired does this a lot. There are often little tidbits in sidebars throughout the magazine. This was one of them. Go look at a copy at your local newsstand. I don't remember what page it's on, but it was never meant to be a full blown article/interview. I'm actually impressed that they include their content in the web version so completely.
Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin? ;)
Also, here's a Python script [vt.edu] that will automatically kill the new "Windows Firewall" in XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.
These are just two examples of what MS does to "secure" their systems. God help us all.
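A defender's counterpart to the trick described in that comment, as an added example (not code from the original post, nor from Microsoft): parse the text of a `reg export` of the Services key and flag security services whose Start value has been flipped to 4 (SERVICE_DISABLED). The service names `wscsvc` (Security Center) and `SharedAccess` (Windows Firewall), and the expectation that both are auto-start, are assumptions of this example; the registry lines it parses are constructed, not exported from a real machine.

```python
import re

# Windows service start types (the SERVICE_*_START constants).
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Services a defender expects to be auto-started on an XP SP2 box.
# Assumption of this example; adjust to local policy.
EXPECTED_AUTO = {"wscsvc": "Security Center", "SharedAccess": "Windows Firewall"}

# A service key directly under ...\Services\ in any control set, e.g.
# [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)"
    r"\\Services\\([^\\\]]+)\]$", re.IGNORECASE)
START_VALUE_RE = re.compile(r'^"Start"=dword:([0-9a-fA-F]{8})$', re.IGNORECASE)


def parse_service_starts(reg_text: str) -> dict:
    """Map service name -> Start value from the text of a .reg export.

    Only the Start value directly under a service key is taken; values in
    sub-keys such as ...\\Services\\foo\\Parameters are ignored.
    """
    starts = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SERVICE_KEY_RE.match(line)
            current = m.group(1) if m else None  # None inside sub-keys
            continue
        m = START_VALUE_RE.match(line)
        if m and current is not None:
            starts[current] = int(m.group(1), 16)
    return starts


def find_tampered(starts: dict) -> list:
    """Report expected services that are missing or not AUTO_START (2)."""
    findings = []
    for name, label in EXPECTED_AUTO.items():
        start = starts.get(name)
        if start is None:
            findings.append(f"{label} ({name}): service key missing")
        elif start != 2:
            findings.append(f"{label} ({name}): Start={start} "
                            f"{START_TYPES.get(start, 'UNKNOWN')}, expected 2 AUTO_START")
    return findings


# Constructed sample export: Security Center disabled, firewall untouched,
# plus a Parameters sub-key whose Start value must not be mistaken for the
# service's own.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"DisplayName"="Security Center"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000002
"""


def audit(reg_text: str = SAMPLE_EXPORT) -> list:
    """Parse an export and return the list of findings (empty = clean)."""
    return find_tampered(parse_service_starts(reg_text))


if __name__ == "__main__":
    # A real export is UTF-16 with a BOM: open(path, encoding="utf-16").
    for finding in audit():
        print(finding)
```

Run it against a real export with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and feed the file's text to `audit()`; a Start value of 4 on a service that policy says must run is worth an alert, whatever set the value.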
A) A Microsoft representative said that it will take an estimated 11 years to fully secure Windows
B) Slashdot reports this
What spinning or unfair editing took place here? Your pullquote doesn't seem to show anything unfair. Yes, they are reworking key system components. But that still doesn't change the fact that Windows is so insecure that it will, by their own admission, take over 10 years to fix it. That's pretty important.
Ok, the guy really stepped in it here when he plugged Firefox
But he didn't even do that! All he said was that he needed to upgrade Firefox to fix a security problem. Not that he used it as his main browser, and certainly not that he didn't use IE every day like all good Microsoft employees. Merely that he had it installed on his machine, and patched it as appropriate. In his job, I'd expect him to have a copy of alternative browsers on his system. I'd be surprised if he doesn't have Opera installed, too.
This really needs to be modded down, as it's not only not insightful, it demonstrates a total lack of comprehension of Toulouse's response.
He did not say he didn't use IE. He simply mentioned needing to install a security update of Firefox. Yes, Virginia, there are other browsers that have security flaws other than IE. That doesn't make them better or worse, it just illustrates that the problem isn't isolated to Microsoft.
And I suspect that in performing his job duties, he needs to be familiar with a wide array of browser technologies, not just IE.
Not certain what the big deal is about him running Firefox. It seems to me the only statement he made was that he has to download patches for that program too, not that he exclusively used Firefox as his browser because of security problems with IE.
The only secure computer is one that is turned off and encased in six cubic feet of concrete surrounded by a faraday cage.
He doesn't say he doesn't use IE because it is insecure. What he said is he recently had to patch a Firefox installation because it (also) suffered from an exploit.
I couldn't open the sample exploit listed in the parent, but I could open the one in the link I provided. The proof is safe and scary.
If they are not going to fix these errors, Microsoft should at least give us a naming system! It's hard to discuss the exploits when we don't know how to name them correctly.:)
Microsoft never said "it's a 10 year plan". Sure, I'm picking nits here...but the crux of the quote is that there is no quick fix in, say, 2 to 3 years..."it's more of a 10-year timeline". In other words, less than a sprint and more like a marathon. Is that a 5 year marathon? Ten years? Fifteen years? Who knows? Microsoft might know for certain, but they're only throwing out generalizations here.
But this quote does NOT read "it's a 10 year plan". Read into it what you will; embrace self-delusion.
Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.
On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.
I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect the only hope is that other browser developers will suddenly agree with Microsoft that security zones based on the current location of a file is a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
That would probably be the shell:// vulnerability, which if I recall the Mozilla devs removed the functionality because Windows handled the call in an insecure way. BTW, to the best of my knowledge IE still accepts shell:// URLs.
From the article: "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherent in the OS, not in the Firefox browser.
True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.
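The defensive pattern behind that Firefox fix, and behind the shell:// comment above it, as an added example that is neither Mozilla's code nor part of the original comments: parse the scheme of every URL and allow only a short list before anything is handed to the operating system, so that whatever Windows does with shell: never gets the chance to matter. The allowlist, the function names and the `open_externally` stand-in for ShellExecute are this example's own assumptions.

```python
from urllib.parse import urlsplit, unquote

# Schemes that may be passed to an external handler. Deny by default:
# anything else, including shell:, file:, javascript: and relative URLs
# with no scheme at all, is refused. (Policy assumed for this example.)
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})


def scheme_of(url: str) -> str:
    """Return the lower-cased scheme of `url`.

    Percent-decoding and stripping leading control characters first means
    "%73hell:" and "\\tSHELL:" are seen as "shell" rather than slipping
    past a naive startswith("shell:") check.
    """
    cleaned = unquote(url).lstrip("\x00\t\r\n\x0b\x0c ")
    return urlsplit(cleaned).scheme.lower()


def is_safe_to_open(url: str) -> bool:
    """True only if the scheme is on the allowlist."""
    return scheme_of(url) in ALLOWED_SCHEMES


def open_externally(url: str) -> str:
    """Stand-in for handing `url` to the OS (ShellExecute on Windows).

    Returns a description of the action instead of performing it; raises
    ValueError for any URL the allowlist rejects.
    """
    if not is_safe_to_open(url):
        raise ValueError(f"refusing to open URL with scheme {scheme_of(url)!r}")
    return f"OPEN {url}"


if __name__ == "__main__":
    # Constructed candidates: one legitimate link and four evasions.
    for candidate in ["https://example.com/", "shell:windows\\system32\\calc.exe",
                      "\tSHELL:foo", "%73hell:foo", "javascript:alert(1)"]:
        try:
            print(open_externally(candidate))
        except ValueError as err:
            print(err)
```

The point of an allowlist rather than a blocklist is visible in the last three candidates: case, leading whitespace and percent-encoding all defeat a check that looks for the literal string "shell:", but none of them produce a scheme that is on the allowed list.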
/moo/ The correct answer to the classic trick question "Have you stopped beating your wife yet?". Assuming that you have no wife or you have never beaten your wife, the answer "yes" is wrong because it implies that you used to beat your wife and then stopped, but "no" is worse because it suggests that you have one and are still beating her. According to various Discordians and Douglas Hofstadter the correct answer is usually "mu", a Japanese word alleged to mean "Your question cannot be answered because it depends on incorrect assumptions". Hackers tend to be sensitive to logical inadequacies in language, and many have adopted this suggestion with enthusiasm. The word `mu' is actually from Chinese, meaning `nothing'; it is used in mainstream Japanese in that sense, but native speakers do not recognize the Discordian question-denying use. It almost certainly derives from overgeneralization of the answer in the following well-known Rinzei Zen
That was from the original creators of hotmail. MS bought out hotmail... It took several years, but Hotmail was finally moved over to an NT base, which it now runs on.
Just tried it on a fresh SP2 install and it works. The kicker is even after I've closed IE I still can't delete the boom.exe file from startup because it's being used by a different program. Oh well, might as well disarm it (yeah I know it's a 0 KB exe but what the hey) with msconfig.
The handful of sites that don't work well with Firefox/Moz is really a small price to pay for the added security especially in regards to drive-by spyware installs.
"He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such."
To quote TFA:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
Please RTFA before posting corrections to the comments of others. Thank you.
Try this to get round sites that check for the user agent and block non-IE browsers (it works a treat for me with Firefox 0.9.3)...
*User Agent Switcher Extension*
"The User Agent Switcher extension for Mozilla Firefox and Mozilla adds a menu to switch the user agent of the browser. It is designed to provide functionality similar to the 'Browser Identification' feature of Opera and allows configuration of the list of user agents to display in the menu."
http://www.chrispederick.com/work/firefox/useragentswitcher/
While it may be bitmap based, Quartz itself is based on the Adobe PDF engine, which renders both vector and bitmap via the computer's 3D card.
While it is all just eye candy, the new Image Units or Core Graphics and Core Video are the really exciting things in Tiger and which have no equal on the Windows side. I am looking forward to Tiger for these features which should make any other platform for video look slow and clumsy. Catch the keynote video at the Apple QuickTime site. This is truly amazing stuff. I expect a Windows knock-off around 2007-2008.
1) into Windows by 2006 what is already in OS X
2) I.E. does less than Firefox
No, no, he's actually correct. Check the features in Panther (and Jaguar) from the Apple site (ignore Tiger, since we are talking about the present). Admittedly, Longhorn will feature some things not currently in OS X, but that's if they don't shave them off also [slashdot.org].
Then go to the Mozilla site and download Firefox. It's free! You have an excuse for not trying OS X, but there is no excuse for not trying Firefox. (And yet, I still prefer Safari.)
You will be surprised by how the herd mentality that ties you to MS's products is making you miss. Now. Not in two years.
Wow, you must really lack some real-world experience to make such a cocky declaration.
1. You are right, it isn't hard to write bug-free code, it is nearly impossible for all but the simplest of projects. It is possible to achieve an at least apparently bug-free state, but only in relatively simple applications dealing with a relatively well controlled data set.
2. Point taken that well architected code lends itself well to problem isolation and debug. Most MS software is written in C/C++ still, and those languages can be used well or poorly with respect to modularity. The price to pay for flexibility is that developers can bypass the mechanisms that encourage modular design. Regardless of language a developer can always fail to modularize a design properly, particularly if the application encounters new functional requirements in the middle of a development cycle.
3. Testing an application can be very very hard for even not so complex software. You can of course test a good representative sample of normal operation and likely problematic circumstances, but there are many many variations and those corner cases which they can't know in advance (if so, secure software would be easy...) are where >98% of field problems customers see come out of.
4. Basically the same exact point as 3, of course they do, but, as you say, not all branches of execution are realistically testable, and it is even worse for a commercial entity with limited resource, the problem space is simply too large.
You don't know what you are talking about. Quartz Extreme bears no relation to the current Windows rendering system. Windows XP is based on the old technique of having a list of redraw areas on the screen, and whenever you move a window, an application is requested to redraw the area underneath it. Quartz Extreme doesn't work like that. It composites the desktop from individual windows which each have an off-screen bitmap. This is also how Avalon will work. This gives things like flicker-free display, true translucency through an arbitrary number of levels, power to do arbitrary transformations, etc.
Quartz Extreme is vector based, and 3D as well as 2D - PDF and OpenGL.
http://www.apple.com/macosx/features/quartzextreme
Avalon is very much playing catchup to Quartz Extreme. But a year or so before Avalon is released, Apple will have already raised the bar again with Core Image, which does far more.
OS X will also have Spotlight a full year before Microsoft fails to get WinFS into Longhorn.
Microsoft are not catching up, because OS X not only started in 2000 ahead of where XP was in 2002, but is progressing faster than Windows.
So where's Expose in Windows? This alone is one feature of Panther (and future OS X and above releases) that makes OS X worth having. Having one button press to either make all open windows scale down and show on the desktop so you can get what you want, or another button press to bring all open windows of one application to the front, scaled down (and tab between apps) so you can choose the window you want, or yet another button to make every window get off the desktop to get to something on the desktop; and hit corresponding button again to go back to how you were, is simply wonderful. I don't recall this feature in any current version of Windows. I expect something similar to be copiedH^H^H^H^H^H^innovated into Longhorn.
What about the advanced graphics engine of OS X that allows you to scale windows without losing much quality when going bigger, or keeping the same quality when going smaller?
What about a scalable tool bar (dock in OS X) that can be modified to make icons scale up when moved over so you know what you are over if the tool bar is very full? Oh, wait, that goes with the advanced graphics engine.
What about incredibly fast user switching without logging off another user to accomplish? Well, this may be in Windows, but I haven't really used any Windows beyond 98 SE.
2) I.E. does less than Firefox
Tabbed browsing? It is in Firefox, not IE.
IE finally got a built in popup blocker, but only if you have Windows XP with Service Pack 2, and there's still a ton of people running Windows 98-2000 and not XP.
CSS support? It's much better and standards compliant in Firefox than in IE.
Fully W3C HTML standard compliant? Firefox, not IE.
Download.Ject (Score:3, Informative)
Sadly, Firefox isn't affected.
Re:Download.Ject -- CORRECTION (Score:5, Informative)
Anyway, the editor (me) regrets this error. =)
Even XP SP2 is easy to tamper with (Score:5, Informative)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
Re:Firing offense? (Score:5, Informative)
So, please mod the parent down -1, Needs a Clue.
Re:Firing offense? (Score:3, Informative)
Somebody didn't read the article...
Re:Missing: Interview (Score:2, Informative)
Hot Seat sidebar: "Microsoft's War on Bugs" page 098
Re:Download.Ject -- CORRECTION (Score:4, Informative)
Should we call this one "how to skin a windows box" [tech-recipes.com]?
Re:BWAHAHAHAHAHA!!! (Score:4, Informative)
He does.
Jews, Christians, and Muslims pray to the same God, the God of Abraham.
The Jews come from the line of Isaac (Abram's son with Sarah), the Muslims from Ishmael (Abram's son with Hagar).
The Jews are still waiting for the Messiah, while the Christians believe the Messiah has come(Jesus Christ).
Re:Actually (Score:2, Informative)
From article:
Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system.
So yes, it's possible that he only ever installs patches/upgrades to Firefox, and never actually "uses" it. But FAIAP, he uses Firefox.
Re:It's the fundamental APIs (Score:2, Informative)
Don't you mean that Microsoft Windows has been around almost exactly as long as GNU.org???
Microsoft started ca 1976, MS-Windows 1.0 announced late 1983, GNU manifesto published in Dr Dobbs in 1984.
They should just dump Windows... (Score:2, Informative)
Windows needs a redesign.
Re:are apples the same as oranges? (Score:3, Informative)
Just off the top of my head, four. There are also two major (and free) dvd movie authoring packages. Look them up.
how many linux computers can play doom 3?
In a few weeks, all of them [linuxgames.com].
Re:Doubledge sword (Score:3, Informative)
So, how exactly was he lying?
I'd really like to know.