1446445
story
Rantastic writes
"In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox."
Honesy (Score:2, Insightful)
Interesting... (Score:2, Insightful)
Missing: Interview (Score:5, Insightful)
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In other words: So, when will you stop beating your wife?
Meanwhile, Firefox and Opera look awfully appealing.
Ok, the guy really stepped in it here when he plugged Firefox (though I'm an Opera fan [opera.com], myself).
What about removing capabilities from IE to beef up security?
You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?
Seems like you're fighting a losing battle.
Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."
I security really that important? (Score:2, Insightful)
He runs Firefox, duh!? (Score:5, Insightful)
If you were working in the X divison of a company wouldn't YOU be using a competitors program so that you could know what they were doing to make their side better? I know I would.
In fact, I would be completely disappointed if he DIDN'T run Firefox.
Four Questions (Score:3, Insightful)
Totally (Score:3, Insightful)
Yeah, who wants to bet that Stephen Toulouse gets a pink slip? It wasn't long after Salon suggested people switch to Firefox or Mozilla until IE was patched, before we learned that MS was selling the magazine.
Security Update (Score:5, Insightful)
But that's just it, at least he had an update to install, MS doesn't release security updates as quickly as it needs too, as the first question mentioned.
Re:Honesy (Score:5, Insightful)
It's not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline.
What me meant is that Microsoft is completely reworking the way their browser operates -- not just toughening a few system calls here and there. A total reconsideration of how a browser should be designed.
The Slashdot editors took that and spit out "AHAHA M$IE INSEKURE UNTIL 2011! LOL@GATES"
Hardly seems fair.
Bash away... (Score:2, Insightful)
Let's think about this for a moment: ALL SOFTWARE IS INSECURE. Microsoft is just the biggest player, so they are targeted the most often. There have been 'proof-of-concept' viruses written for Linux, Macintosh, even cellphones via BlueTooth.
Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.
If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?
No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'
Microsoft is partly to blame, but they're the biggest fish in the sea. Every 'fisherman' is out to get them. When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet.
(I fully expect to be modded down a bajillion points for making a case for Microsoft here. Go ahead, then)
What?? 100% known secure isn't possible. (Score:5, Insightful)
The 100% secure line is an asymptote. You can get fractionally closer to it, but never ever actually achieve it.
To be fair... (Score:5, Insightful)
I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.
Re:Missing: Interview (Score:5, Insightful)
Except that to make the analogy complete, you should add that in this case the question is put to somebody who is actually busy beating his wife...
Objection: counsel is badgering the witness
Overruled, Wired reporters are not counsel but more like prosecution, and this guy is not a witness but a suspect.
In case you're wondering... why? (Score:5, Insightful)
Second, the idea that an MS head is using firefox is hardly surprising, it's much more at issue that he's willing to admit it to Wired, and doesn't even seem to mind that open source is a better alternative.
Microsoft has had a history of using open source projects, most famously with qmail+unix on their hotmail, but even branching to the MSN gaming zone, etc. It's really not too surprising, considering a lot of the unix foundation implemented in their NT-XP series.
Among other browsers, I'm sure! (Score:5, Insightful)
Indeed, parent post is correct. Besides, the article doesn't say that he uses FireFox exclusively by any means. In fact he only mentions FireFox to prove that all browsers are susceptible to attacks.. Here's hoping he also uses NS, Opera, Safari, and whatever browser he can to do testing and research.
Yet more spin by
Sad (Score:5, Insightful)
Having someone say "it's more of a 10-year timeline" does not equate to "MS not expected secure until 2011"...much less "MS says" 2011. The phrase "more of a..." connotes a generality. The headline is pure, conjured specificity.
Crap like this makes me become seriously disenchanted with Slashdot.
Meaningless (Score:3, Insightful)
Re:I dont know if he really *uses* firefox... (Score:5, Insightful)
Re:Honesy (Score:5, Insightful)
It is likely that this is spin. When someone has a job that depends on the future security of a product that is likely next to impossible to make secure without a complete rewrite, what can he do? He has limited budjet, and unrealistic goals. So he makes a 10 year plan, saying that they will be secure in 10 years. He shows progress to his boss, and his boss is happy. He gets to keep his job.
Then, 2 years down the line, he revises his 10 year plan to expire in another 10 years - as long as the deadline is far enough away, he keeps his job, he puts food on the table, and the PR bunnies have something to hop about. This happens all the time in business, particularly publicly held companies. I would be very sceptical about any future Microsoft promises about security.
Re:Bash away... (Score:5, Insightful)
Linux is already one of the biggest players in the server department, and that's where a majority of viruses and exploits are aimed at... I still don't see announcements for all these business running Linux servers being compromised.... The fact is, Linux is theoretically and in actual practice more stable and secure. Windows isn't.. A virus won't JUST affect your user account files in Windows... I think they're mostly to blame...
" No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'"
People aren't that smart.
What the...? (Score:5, Insightful)
It's something you always need to keep an eye open for, and combat exploits whenever necessary. How can Microsoft say "it's more of a 10-year timeline". That statement alone makes me wonder how sane Microsoft's security program manager is. So Microsoft are going to dismantle their security team in 2011?
What would the Linux community think if Linus went out claiming that "we expect the Linux kernel to be secure in version 3.0"??
Anyone who takes software security seriously should understand that you can never expect a product to be secure after some period of time.
"Secure" is also relative and not at all an absolute term.
Re:I security really that important? (Score:5, Insightful)
Non-security is a thing we don't like, so of course we want to get rid of it.
-----
yeah, my englisk sucks
Re:Download.Ject (Score:5, Insightful)
Regardless of what Microsoft and their fans may think, the browser wars are all started up again. Anyone who designs their site to be IE-only nowadays is just asking for trouble. Unfortunately, it's not exactly uncommon.
Re:I security really that important? (Score:5, Insightful)
By that logic, we should view terrorism as good for the economy since it creates jobs for the folks employed at the office of Homeland Security.
Think, real hard. What other effects came from from security flaws (in either case)? Anything bad? Anything at all?
Perhaps this is just crazy talk, but I submit that there are better ways to stimulate the economy.
-kev
Re:I security really that important? (Score:5, Insightful)
Re:Longhorn (Score:3, Insightful)
Unlike most MSFT software, MySQL installs just fine without root privileges.
Re:Bash away... (Score:3, Insightful)
I hear about Linux exploits just as often as Windows exploits. There's kernel exploits that can get a remote user root. But it always gets brushed off as not a big deal, because hey, there's gonna be a patch out in a few days, right?
Sure, but the serious Windows exploits usually have a patch out in a few days too. It's just a matter of the responsible persons getting it installed.
Linux or Windows, if you don't take steps to be secure, you're gonna get 0wn3d. And that's the problem-- most Windows users don't even understand the fundamental problem, much less why they should install these updates. This is why I think SP2 is a move in the right direction with Windows Update automatically downloading and updating by default. I just fear the day someone cracks Windows Update and has it distribute their new l33t worm...
Re:I'm surprised (Score:1, Insightful)
Microsoft's greatest strength is and alwasy has been that it recognised that time-to-market is more important than bugs or security. Engineers will still continue on the incredibly successful strategy they used before.
Re:What?? 100% known secure isn't possible. (Score:3, Insightful)
Re:Firing offense? (Score:3, Insightful)
Somebody didn't read the article...
No, somebody did read the article, but filtered out anything remotely resembing (a) a slight against OSS and (b) any vindication, however slight, of Microsoft and their products. Typical Slashdot behavior. Everything bad about Microsoft must be emphasized, and anything good must be squelched. At the same time, anything good about FOSS must be emphasized, and anything bad must be buried with Jimmy Hoffa.
Where's the "-1 Michael-Moore-style selective editing" mod point when you need one, eh? That's what I love about Slashdot, the fair and balanced perspective everyone has here. Makes me so proud to be a Linux user. Not.
respun (Score:3, Insightful)
Re:Firing offense? (Score:5, Insightful)
All I found in the article was:
"Meanwhile, Firefox and Opera look awfully appealing.
Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
That sounds more to me like he's trying to point out that other browsers can have vulnerabilities as well. He doesn't say anything about exclusively using Firefox. Maybe he just installed Firefox just to see what the competition is like.
Re:Bash away... (Score:2, Insightful)
I think a big difference here is that car manufacturers REDESIGNED cars to add those things, we don't have airbags in our Model-T's. MS has not done a good job of redesigning Windows, so the insecurities remain.
Re:Missing: Interview (Score:5, Insightful)
In other words: So, when will you stop beating your wife?
Not really, no. The question was about a specific hole who's existance is not in dispute. It makes no unwarranted assumptions and doesn't ask him to make any new admissions in answering. Unless you mean to imply that the question might cause him to accidentally admit to doing his job?
You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?
Perhaps not, but it's a fair question. Many people are of the opinion that the feature shouldn't have been there in the first place (for security reasons). It wouldn't be the first time MS has given customers a choice between break feature X or be insecure.
Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."
Perhaps, but since MS has a history of being less than forthcoming on the witness stand (literally as well as fuguratively), additional lattitude in questioning may be given.
Re:Longhorn (Score:4, Insightful)
Simple to me means 'double click the installer, then type your password when it asks for it'.
Comment removed (Score:5, Insightful)
Correction: (Score:3, Insightful)
From the article:
Software written by humans will always contain errors.Should read:
Software written by Microsoft will always contain errors.
I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app. It seems to me that Microsoft's has no idea what constitutes professionalism:
I understand why the majority of the world runs windows. Most people don't want to complicate things any more than necessary. But the inability of users to grasp technical details does not justify releasing a product, which in any other industry, would be a prime lawsuit candidate under fraud and lemon laws.
Re:Download.Ject (Score:4, Insightful)
As for you statement about the browser wars, hopefully your right. Ideally all browsers will approach the standards correctly and then end users will be able to choose the browser they like without worrying that some web pages will not display correctly.
Stupid criticism (Score:2, Insightful)
To a software engineer, the much-publicised "Microsoft focus on security" seems actually to have been more of an internal awareness drive. Microsoft just wanted to educate all its programmers so they stopped writing buffer overflows and absurd permissions holes. At the same time, I imagine some existing code was reviewed with an eye toward identifying security holes. All commendable stuff (although it's mindboggling that this sort of thing should even be necessary).
But even with that part supposedly accomplished, security is never "done". Once you start paying attention to it, you're now doing the right thing. You don't stop. The focus on security education may be over. The focus on security as an important part of software engineering should continue as long as, and to the degree that, consumers need secure software.
Re:Bash away... (Score:5, Insightful)
But what excuse does the biggest software company in the world have to not fix the gaping security holes in their two most used and probably most sensitive applications, explorer and outlook?
We are watching this weekly windows exploit drama not for months but for years now. It's getting really old and its not funny at all anymore.
The worms we have seen were pretty harmless in my book, I'm still waiting for the one that carries some more serious payload. Like wiping out all accessible drives (network volumes), saturating all network cards with malicious packets, stuff like that. MS probably needs that kind of wake up call but are they really that bone-headed to not see it coming?
Re:Missing: Interview (Score:2, Insightful)
Repeat after me: "I am a loser. I fill the void that social retardation has left in my personality with stupid shit that nobody else gives a flying fuck about. My opinion does not matter to anyone but me. My continued insistence on software-as-religion is fucking stupid, and I need to go out and get laid or at LEAST interact with other humans in some way."
Doubledge sword (Score:5, Insightful)
MS will always be 1 step ahead in features.
Guess what, features sell. Maybe in the year 3000 things might be different.
Re:Firing offense? (Score:3, Insightful)
I am willing to give him the benefit of the doubt and assume that Firefox is but one of many browsers he runs, as would be prudent for someone working on software security. It's quite possible for even third-party browsers to expose flaws in the OS itself, so it's in Microsoft's best interests to keep tabs on how other browsers interact with its platform.
Actually (Score:1, Insightful)
He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such.
What really happened is some L00nux d00d fanboy caught wind of this Wired sidebar "interview," drew conclusions that had nothing to do with the content of it, wrote up a Slashdot summary with a completely biased headline with the knowledge that Slashdot's editors would jump on it, then just kicked back and waited. Viola, instant typical Microsoft Slashdot article.
I don't like Microsoft's tactics any more than the next guy, but honestly this website has degenerated into complete biased silliness with regards to its Microsoft coverage. No Microsoft-owned "tech news" site would be able to get away with this if they did this to Linux, but when an OSTG-owned "tech news" site does it, it's all right...interesting, seeing as how OSTG sells and makes money off of OSS products and all.
Re:Doubledge sword (Score:4, Insightful)
MS is one step ahead in having off the shelf applications written for it. That's the reason why most people stick with it. The applications that they already have, and the applications that they forsee themselves wanting to run run on Windows. It's not because of features.
Matter of proportion (Score:5, Insightful)
The objection is not that Microsoft's software is insecure, but rather that their closest competition has at least two orders of magnitude fewer exploits and viruses than they.
If hundreds of exploits per month were discovered for Macs or Linux, your point would be valid. Problem is, the number of exploits available for all computers systems since the 50's is easily less than the number discovered in Windows in one year.
To make matters worse the rate at which exploits are being discovered is increasing, not decreasing, or even remaining stable. And this from a company making three billion dollars a month. How is it then, that a bunch of ragtag volunteers put together a more secure OS than a company which can spend a billion dollars a month on development?
Microsoft Windows, and the attendant problems it has experienced has brought shame on the entire profession. It isn't a matter of a few human errors here and there - Microsoft releases code with wanton disregard for the effects it will have on the user. You would expect more from a such a successful company, but apparently, Microsoft believes the professional standards followed by the rest of the industry simply do not apply to them.
And that, is why they get bashed. They dismiss the wisdom gained by years of computer science, and when their systems run rampant with bugs and security holes, they claim that such lofty goals as security and reliability are unattainable - in spite of the fact that their peers who did heed the lessons of computers science have managed to build such systems.
Re:Firing offense? (Score:2, Insightful)
If so, that makes it worse - the OS is broken.
Re:Longhorn (Score:2, Insightful)
Re:Bash away... (Score:3, Insightful)
Funny, I don't. I wouldn't be horribly upset if I did, I don't care for Linux all that much and I use other systems more often myself. But I don't.
I hear about exploits in third party applications that run on both Windows and Linux get called "Linux Exploits". I hear about exploits in interfaces that both Windows and Linux used called "Linux Exploits". I hear about exploits in some proprietary package Red Hat added called "Linux Exploits". I don't hear about exploits in Mozilla or Opera called "Windows Exploits". I don't hear about flaws in encryption algorithms called "Windows Exploits". And I definitely don't hear bugs in software HP or DEC added to their laptop installs called "Windows Exploits".
the serious Windows exploits usually have a patch out in a few days too
Microsoft has refused to fix a fundamental security flaw in IE for seven years now, and even fought a lawsuit that could have forced them to fix it or be split into multiple companies if they lost, and it's still there.
Linux or Windows, if you don't take steps to be secure, you're gonna get 0wn3d
Windows is the only one where, by default, every user is root on their own machine, all the time, so EVERY remote exploit is a root exploit.
Windows is the only one where, by default, all the exploitable services are turned on after you've installed it.
Windows is the only one where you can get exploited just opening an email message. That one still boggles me... back before Melissa, the idea of a mail virus or worm that could do that was a JOKE. You at least had to explicitly run something before you could get attacked, so the "Good Times" virus hoax was hilarious. Nobody would ever build a mail program that would do that, or if they did they'd fix it for good, right away, by removing the ability to run software from a text window...
That Microsoft not only did it, but has refused to back out of the design that *still* allows it to happen whenever someone comes up with a new combination of file names and types to trick it into running something in the wrong zone, is just incomprehensible...
Re:Longhorn (Score:3, Insightful)
cd
make install
Done!
Re:Even XP SP2 is easy to tamper with (Score:3, Insightful)
This is not how you should set up a domain, by the way. There shouldn't BE any local users other than the local administrator. Domain user accounts are managed from the domain controller.
Usually we only have one user on each machine, and so they get the admin rights locally on it.
And why are you expecting this to be secure? Do you give everyone root on their own linux boxes as well? Any domain admin with a clue sets things up so that the domain users are "User" or "Power User" at best, and a lot of places lock things down even further using group policy. You can reduce XP to kiosk mode if necessary. I've actually deployed SP2 in a domain and the XP firewall can be configured using domain policy such that local admin can't mess with it.
Jon.
Does it really matter? (Score:3, Insightful)
Re:Longhorn (Score:3, Insightful)
# apt-get install mysql-server
Then ... oh, you're done.
Re:Longhorn (Score:3, Insightful)
A large format camera is easy to use for someone with experience using it.
MySQL is easy to install for someone with experience doing it.
If you don't know how to do it, learn how before attempting to either use a large format camera or installing/configuring MySQL. Where exactly is the problem?
I agree that some Linux applications need to be easier to install for ordinary users, but something as complex as a database installed with Next->Next->Next->Finished can only create problems.
Signed,
Unix-head.
Re:Doubledge sword (Score:4, Insightful)
Us OS/2 guys always said the same thing about Windows - why wait for Windows95 when OS/2 had all its features, and stability as well? Obviously MS doesn't even need features to continue selling.
Re:Correction: (Score:5, Insightful)
I find this hard to believe. Are you saying that you write software that is as complex as the usual MS app, and that it contains no errors whatsoever and has never had to be debugged? It seems like everyone from Knuth on down has written bugs in software when working on an application of non-trivial complexity, so I'm a little skeptical if that's your claim.
And the amount of data that an app processes is not the only measure of a program's complexity: does your program interoperate with a dozen others in a standard cut-and-paste manner; does it hide the complexity of operation from the end user so he or she can point and click and get things done; does it use an API so that software writers outside of your company can can write apps that interact with it; does your software run on multiple different hardware platforms; do you add new features to it when marketing surveys show people want it?
I'm not saying that all of those criteria are necessarily the best or most desirable (e.g., sometimes you want software that's only usable by industry professionals), but those are the constraints that Microsoft operates within, and they all increase the complexity of even the simplest-seeming of applications.
Re:Doubledge sword (Score:5, Insightful)
Linux has more functionality than Windows. No question about it.
Answer these:
how many ports (cpu architectures) does windows run on?
is windows tcpip more featureful and flexible than windows?
which version of windows has more GUI features than the latest KDE or GNOME?
does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)
how many different ways can you install windows?
is windows' threads implementation the best in the market?
is windows memory management the best in the market?
show me the most secure windows, I'll show you 10 more oses more secure than that.
by a WIDE margin.
Comment removed (Score:3, Insightful)
are apples the same as oranges? (Score:5, Insightful)
can your car go as fast as my bicycle?
can my sister pee farther than my uncle?
how many different programs can you burn dvd's with in linux?
how many linux computers can play doom 3?
I'm not playing favorites, just objecting to your biased list.
Re:Doubledge sword (Score:1, Insightful)
MS is ahead in features (according to the great unwashed) with their OS from 2002 - and plan to stay that way with it until 2006.
Our Linux from like last week is STILL less user friendly than a few year old version of Windows.
Re:Doubledge sword (Score:3, Insightful)
Alpha blending [microsoft.com]
Filling paths [microsoft.com]
Fill gradients [microsoft.com]
Draw lines [microsoft.com]
Move [microsoft.com], set [microsoft.com] the mouse cursor
Scale bitmaps [microsoft.com]
Render text [microsoft.com]
Render transparencies [microsoft.com]
Stretch with raster op [microsoft.com]
Set arbitrary surface transformations [microsoft.com] including translation, scaling, rotation and shearing
Outline [microsoft.com] a path [microsoft.com]
Note that all the linked functions are implemented by the video driver, not GDI. If a video driver doesn't support a feature, GDI breaks it down in software into the most complex format supported.
What can Quartz Extreme do that Windows NT couldn't since 3.1? There are a few small things but nothing major.
Re:Matter of proportion (Score:1, Insightful)
How is this possible, when the former category is a superset of the latter?
Re:Doubledge sword (Score:5, Insightful)
how many ports (cpu architectures) does windows run on?
One, the system I own. I don't care about the others. I have no need to, this is not a hobby, this is my computer.
is windows tcpip more featureful and flexible than windows?
It works with everything I have.
which version of windows has more GUI features than the latest KDE or GNOME?
Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4
does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)
Your hardware is broken, you should fix it.
how many different ways can you install windows?
One, the way it installs on my system.
is windows' threads implementation the best in the market?
As far as I'm concerned it is.
is windows memory management the best in the market?
As far as I'm concerned it is.
show me the most secure windows, I'll show you 10 more oses more secure than that.
Strange, they all have BSD in their name.
Re:Doubledge sword (Score:3, Insightful)
Re:Doubledge sword (Score:2, Insightful)