
Windows Not Expected Secure Until 2011, Says MS

Posted by CmdrTaco
from the you-can-do-it dept.
Rantastic writes "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2-year-old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox."
  • Download.Ject (Score:3, Informative)

    by romper (47937) * on Monday August 30, 2004 @03:25PM (#10111254)
    From TFA:

    > WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?

    In case anyone is wondering about Download.Ject, check this link [www.mikx.de] out. It's only a matter of time until a high-volume site gets compromised with this exploit. Scary stuff.

    Sadly, Firefox isn't affected.

    • by romper (47937) * on Monday August 30, 2004 @03:29PM (#10111300)
      Sorry to reply to my own post, but figured I should before the flamethrowers start in.

      Download.Ject information is actually here [microsoft.com]. The exploit referred to above is actually the "what a drag" exploit. Still pretty scary if you ask me.

      Anyway, the editor (me) regrets this error. =)

    • by daeley (126313) * on Monday August 30, 2004 @03:30PM (#10111311) Homepage
      > Sadly, Firefox isn't affected.

      When will Open Source advocates realize that it's just this sort of behind-the-times technological gaffe that will keep Linux in single-digit marketshare forever? ;)
      • Doubledge sword (Score:5, Insightful)

        by superpulpsicle (533373) on Monday August 30, 2004 @04:40PM (#10111971)
        Linux will always be 1 step ahead in security.

        MS will always be 1 step ahead in features.

        Guess what, features sell. Maybe in the year 3000 things might be different.

        • Re:Doubledge sword (Score:4, Insightful)

          by BasilBrush (643681) on Monday August 30, 2004 @05:03PM (#10112188)
          How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?

          MS is one step ahead in having off-the-shelf applications written for it. That's the reason why most people stick with it. The applications that they already have, and the applications that they foresee themselves wanting to run, run on Windows. It's not because of features.
          • Re:Doubledge sword (Score:4, Interesting)

            by Anonymous Coward on Monday August 30, 2004 @06:09PM (#10112741)
            > How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X?

            They aren't.

            The only thing I can think of that you might be referring to is Avalon. And that is considerably more advanced than Quartz Extreme. Quartz Extreme is like the current Windows rendering engine on steroids - it does more in hardware, it does more fancy stuff, but at heart it's still 2D bitmap-based software rendering with some fancy anti-aliasing, alpha compositing, and Expose bolted on top. Avalon is fully vector-based and done entirely in hardware. You simply can't compare the two directly.
          • Re:Doubledge sword (Score:4, Insightful)

            by Tanktalus (794810) on Monday August 30, 2004 @06:19PM (#10112807) Journal
            > How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?

            We OS/2 guys always said the same thing about Windows: why wait for Windows 95 when OS/2 had all its features, and stability as well? Obviously MS doesn't even need features to continue selling.

        • Re:Doubledge sword (Score:5, Insightful)

          by mnmn (145599) on Monday August 30, 2004 @07:47PM (#10113311) Homepage
          I just can't bear NOT to reply to this.

          Linux has more functionality than Windows. No question about it.

          Answer these:

          how many ports (cpu architectures) does windows run on?

          is windows tcpip more featureful and flexible than windows?

          which version of windows has more GUI features than the latest KDE or GNOME?

          does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)

          how many different ways can you install windows?

          is windows' threads implementation the best in the market?

          is windows memory management the best in the market?

          show me the most secure windows, I'll show you 10 more OSes more secure than that.

          by a WIDE margin.
          • by way2trivial (601132) on Monday August 30, 2004 @09:46PM (#10114100) Homepage Journal
            I've got an idea, let's make a list pitting product A's strengths against product B's weaknesses...

            can your car go as fast as my bicycle?

            can my sister pee farther than my uncle?

            how many different programs can you burn DVDs with in linux?

            how many linux computers can play doom 3?

            I'm not playing favorites, just objecting to your biased list.

          • Re:Doubledge sword (Score:5, Interesting)

            by PocketPick (798123) on Monday August 30, 2004 @10:02PM (#10114216)
            Those are all nice features for some, but not features that will sell an operating system to Joe User. When a user boots up their computer, they want three things:

            - To read email
            - To use Office (or other word processing/spreadsheet/presentation application)
            - To surf the internet

            That's all. My grandmother doesn't care if KDE provides quick access to the console terminal, nice configuration of profiles or quick ways to make system level modifications. And she definitely wouldn't care about ports or TCP/IP (even if she had a vague idea of what they were). In short, she would have no intention of touching these features in the first place even if they were present in Windows.

            Your case of installation is another excellent example. Windows install methods are kept basic for the simple reason that even your most average user has to be able to perform it (and Microsoft knows it). Having a variety of installation methods and added complexity tends to scare people away from any product in general. Whether it's simply choosing 1 application from hundreds that you want to install or telling someone to set up partitions and swap space, they'll be terrified if you put too much in their face.

            Linux distribution companies realize this, and are working hard to simplify their installation methods. Based on what I've seen when I picked up SuSE 9.0 a while back, this is certainly true.

            In time, people will come to become more computer literate, and perhaps these features will have some meaning. Till then though, it's not going to be all the fancy under-the-hood features that sell a product. It's going to be simplicity.
          • Re:Doubledge sword (Score:5, Insightful)

            by Joe U (443617) on Monday August 30, 2004 @11:43PM (#10114811) Homepage Journal
            And now I'll answer as the average Joe User.

            > how many ports (cpu architectures) does windows run on?

            One, the system I own. I don't care about the others. I have no need to, this is not a hobby, this is my computer.

            > is windows tcpip more featureful and flexible than windows?

            It works with everything I have.

            > which version of windows has more GUI features than the latest KDE or GNOME?

            Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4

            > does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)

            Your hardware is broken, you should fix it.

            > how many different ways can you install windows?

            One, the way it installs on my system.

            > is windows' threads implementation the best in the market?

            As far as I'm concerned it is.

            > is windows memory management the best in the market?

            As far as I'm concerned it is.

            > show me the most secure windows, I'll show you 10 more oses more secure than that.

            Strange, they all have BSD in their name.
  • by ReidMaynard (161608) on Monday August 30, 2004 @03:26PM (#10111268) Homepage
    Stephen Toulouse also admitted he is retiring in 2010...
  • Missing: Interview (Score:5, Insightful)

    by RobertB-DC (622190) * on Monday August 30, 2004 @03:27PM (#10111274) Homepage Journal
    What sort of "interview" only includes four loaded questions? Wired gets hold of the Microsoft "security program manager", and these are all the questions they ask? I'm no M$ fanboy (though I must admit I make a living writing programs for Windows), but surely they can do better than this obvious hatchet job:

    > WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?

    In other words: So, when will you stop beating your wife?

    > Meanwhile, Firefox and Opera look awfully appealing.

    Ok, the guy really stepped in it here when he plugged Firefox (though I'm an Opera fan [opera.com], myself).

    > What about removing capabilities from IE to beef up security?

    You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?

    > Seems like you're fighting a losing battle.

    Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."
    • > when will you stop beating your wife?

      Mu
    • by MrMr (219533) on Monday August 30, 2004 @03:37PM (#10111381)
      > In other words: So, when will you stop beating your wife?

      Except that to make the analogy complete, you should add that in this case the question is put to somebody who is actually busy beating his wife...

      > Objection: counsel is badgering the witness

      Overruled, Wired reporters are not counsel but more like prosecution, and this guy is not a witness but a suspect.
    • by BrynM (217883) *
      > What sort of "interview" only includes four loaded questions?
      In the print version of the September issue, it's just a sidebar. Wired does this a lot. There are often little tidbits in sidebars throughout the magazine. This was one of them. Go look at a copy at your local newsstand. I don't remember what page it's on, but it was never meant to be a full blown article/interview. I'm actually impressed that they include their content in the web version so completely.
    • by Tet (2721) * <[slashdot] [at] [astradyne.co.uk]> on Monday August 30, 2004 @03:39PM (#10111407) Homepage Journal
      > Ok, the guy really stepped in it here when he plugged Firefox

      But he didn't even do that! All he said was that he needed to upgrade Firefox to fix a security problem. Not that he used it as his main browser, and certainly not that he didn't use IE every day like all good Microsoft employees. Merely that he had it installed on his machine, and patched it as appropriate. In his job, I'd expect him to have a copy of alternative browsers on his system. I'd be surprised if he doesn't have Opera installed, too.

    • by sjames (1099) on Monday August 30, 2004 @04:05PM (#10111656) Homepage

      > In other words: So, when will you stop beating your wife?

      Not really, no. The question was about a specific hole whose existence is not in dispute. It makes no unwarranted assumptions and doesn't ask him to make any new admissions in answering. Unless you mean to imply that the question might cause him to accidentally admit to doing his job?

      > You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?

      Perhaps not, but it's a fair question. Many people are of the opinion that the feature shouldn't have been there in the first place (for security reasons). It wouldn't be the first time MS has given customers a choice between breaking feature X or being insecure.

      > Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."

      Perhaps, but since MS has a history of being less than forthcoming on the witness stand (literally as well as figuratively), additional latitude in questioning may be given.

  • Palladium? (Score:5, Interesting)

    by onree (680951) on Monday August 30, 2004 @03:27PM (#10111279)
    Sounds like an acknowledgment of the extended timeline for something like Palladium/Trusted Computing. I've been curious to hear more about when and where that's actually going to show up.
  • by garcia (6573) * on Monday August 30, 2004 @03:28PM (#10111286) Homepage
    > He also reveals that he runs Firefox.

    If you were working in the X division of a company wouldn't YOU be using a competitor's program so that you could know what they were doing to make their side better? I know I would.

    In fact, I would be completely disappointed if he DIDN'T run Firefox.
    • by addie (470476) on Monday August 30, 2004 @03:37PM (#10111385)
      > He also reveals that he runs Firefox

      Indeed, parent post is correct. Besides, the article doesn't say that he uses FireFox exclusively by any means. In fact he only mentions FireFox to prove that all browsers are susceptible to attacks. Here's hoping he also uses NS, Opera, Safari, and whatever browser he can to do testing and research.

      Yet more spin by /. zealots who don't take the article at face value.
  • by El (94934) on Monday August 30, 2004 @03:28PM (#10111291)
    "it's more of a 10-year timeline... but my stock options will be fully vested in 5 years, so I'll be long gone before the shit hits the fan on security still not being fixed!"
  • by angst7 (62954) on Monday August 30, 2004 @03:28PM (#10111294) Homepage
    The context made it seem more like he saw an opportunity to mention a flaw in the competing product.
  • Four Questions (Score:3, Insightful)

    by AKAImBatman (238306) <akaimbatmanNO@SPAMgmail.com> on Monday August 30, 2004 @03:28PM (#10111295) Homepage Journal
    Only four questions? Yikes! That's not much of an article!
  • by MooseByte (751829) on Monday August 30, 2004 @03:30PM (#10111307)

    ... So please refrain from computing for the next 7 years. Just go about your lives. Pay no attention to the penguin and cute little red daemon over there. Hey look! Over here! Have this complimentary Plush Clippy!

  • by mishehu (712452) on Monday August 30, 2004 @03:30PM (#10111310)
    And gee, I thought that service pack 2 with a firewall that can be controlled by ActiveX was going to fix all of those holes!

    Oh, wait, actually service pack 2 renders some computers unbootable, so that must be the real trick!
  • by darth_MALL (657218) on Monday August 30, 2004 @03:31PM (#10111321)
    According to the Mayan Calendar [levity.com] We'll only get a year to enjoy it!
  • by Anonymous Coward on Monday August 30, 2004 @03:31PM (#10111332)
    If everyone is spreading viruses, it ceases to be a stigma, and becomes the accepted norm. Think of it this way:

    If everyone had AIDS, you wouldn't have to be all that concerned about STDs now, would you?

    New Apple ad:
    iMac, it's like a computer with a condom!
  • Security Update (Score:5, Insightful)

    by MikeMacK (788889) on Monday August 30, 2004 @03:32PM (#10111334)
    > Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system.

    But that's just it, at least he had an update to install. MS doesn't release security updates as quickly as it needs to, as the first question mentioned.

  • by tie_guy_matt (176397) on Monday August 30, 2004 @03:33PM (#10111340)
    Yes buy a car from me today. Look at all the great features! The controls are so easy to use! Any idiot can drive one!

    Of course we won't perfect the brakes or the air bags for another 10 years or so, but hey the seat belts work most of the time. So buy my car version "XP" now so you can get a taste of what a safe car of the future will be like
  • by Animats (122034) on Monday August 30, 2004 @03:34PM (#10111361) Homepage
    This Slashdot page is being served with a Microsoft ad boasting about their security. Really.
  • Migrations... (Score:5, Interesting)

    by Alaren (682568) on Monday August 30, 2004 @03:35PM (#10111363)

    Well, when a similar announcement was made about the insecurity of IE, we managed to migrate an entire university library (1000+ machines) to FireFox. I know the migration was significant across the country.

    Maybe this will provide some impetus to get us converted to Linux?

  • by DunbarTheInept (764) on Monday August 30, 2004 @03:35PM (#10111366) Homepage
    What in the blazes does it mean for something to finally be "secure"?? It's not as if it's actually an achievable goal, and it's not as if you'd have a way to detect when you'd achieved it even if it was achievable.

    The 100% secure line is an asymptote. You can get fractionally closer to it, but never ever actually achieve it.
  • To be fair... (Score:5, Insightful)

    by artemis67 (93453) on Monday August 30, 2004 @03:36PM (#10111372)
    he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.

    I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.
    • > he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.

      > I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.


      What made this quote so striking isn't that he uses a competitor's product (he *should* be using their product). The point is that he *must* use a competing product because IE isn't secure in this case. To underline the matter bot
  • by Penguinoflight (517245) on Monday August 30, 2004 @03:37PM (#10111382) Homepage Journal
    First, someone posted above, the analogy between windows security fix, and Slashdot's terrible "IT" theme.

    Second, the idea that an MS head is using firefox is hardly surprising, it's much more at issue that he's willing to admit it to Wired, and doesn't even seem to mind that open source is a better alternative.

    Microsoft has had a history of using open source projects, most famously with qmail+unix on their hotmail, but even branching to the MSN gaming zone, etc. It's really not too surprising, considering a lot of the unix foundation implemented in their NT-XP series.
  • Sad (Score:5, Insightful)

    by apoplectic (711437) on Monday August 30, 2004 @03:38PM (#10111394)
    What kind of pathetic headline is that? When did MS say "MS not expected secure until 2011"?!?! This is called sensationalist GARBAGE, people! Stop putting this swill up as headline material.

    Having someone say "it's more of a 10-year timeline" does not equate to "MS not expected secure until 2011"...much less "MS says" 2011. The phrase "more of a..." connotes a generality. The headline is pure, conjured specificity.

    Crap like this makes me become seriously disenchanted with Slashdot.
    • Re:Sad (Score:5, Funny)

      by Sponge Bath (413667) on Monday August 30, 2004 @04:07PM (#10111670)
      > Crap like this makes me become seriously disenchanted with Slashdot.

      Really?

      It keeps me coming back for more...
      just like Big Macs and nicotine.

  • by mslinux (570958) on Monday August 30, 2004 @03:38PM (#10111403)
    Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin ;)

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start

    Also, here's a Python script [vt.edu] that will automatically kill the new "Windows Firewall" in XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.

    These are just two examples of what MS does to "secure" their systems. God help us all.
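    The post above points at the Start value of the wscsvc (Windows Security Center) service and at the fact that an admin user can flip it. From the defender's side the useful thing is a check that notices when that has happened. The script below is an added example, not code from the post or from Microsoft; it only reads the registry and service state and reports, changing nothing. It assumes a Windows host with PowerShell, reads the in-use control set (HKLM:\SYSTEM\CurrentControlSet, which normally resolves to the ControlSet001 path the post names), and the function name Test-SecurityCenterState is this example's own.

```powershell
# Added example (not from the post): report whether the Windows Security
# Center service (wscsvc) has been disabled in the registry or stopped,
# and whether the current user holds local administrator rights, which is
# what allows the value to be changed in the first place. Read-only.

function Test-SecurityCenterState {
    # CurrentControlSet is the control set the running system booted from.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'

    # Service Start values: 2 = Automatic, 3 = Manual, 4 = Disabled
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction Stop).Start

    # Live service state as the Service Control Manager sees it.
    $service = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    $status  = 'NotFound'
    if ($service) { $status = [string]$service.Status }

    # Is this session running as a member of the local Administrators group?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        StartValue     = $start
        StartDisabled  = ($start -eq 4)
        ServiceStatus  = $status
        RunningAsAdmin = $isAdmin
    }
}

$state = Test-SecurityCenterState
$state | Format-List

if ($state.StartDisabled -or $state.ServiceStatus -ne 'Running') {
    Write-Warning 'Security Center service is disabled or not running; treat as possible tampering.'
}
if ($state.RunningAsAdmin) {
    Write-Warning 'This session has administrator rights; any process running as this user can change the Start value.'
}
```

    A scheduled run of this check (or the same two reads fed into whatever inventory tool a site already has) turns the post's complaint into something actionable: a Start value of 4 or a stopped service on a machine where nobody intended that is the signal to look at what else changed.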
  • Meaningless (Score:3, Insightful)

    by Lord_Dweomer (648696) on Monday August 30, 2004 @03:40PM (#10111423) Homepage
    In that much time, there will be new vulnerabilities discovered in new software that is created. There will ALWAYS be a way, and there is no way they can guarantee this. Will computers be a little more secure? Sure, in many ways. But they will also be a lot more insecure in others. Remember, we're dealing with the same idiots who install Bonzi Buddy because he seems friendly, or Weatherbug because it sounds so convenient that they don't care about the EULA.

  • 2011, huh? (Score:4, Funny)

    by faqmaster (172770) <jones.tm@gma i l . com> on Monday August 30, 2004 @03:41PM (#10111434) Homepage Journal
    Great. Linux should be ready for the desktop by then!
  • What the...? (Score:5, Insightful)

    by Jugalator (259273) on Monday August 30, 2004 @03:46PM (#10111475) Journal
    Since when did security become a goal you can achieve after a certain amount of time?

    It's something you always need to keep an eye open for, and combat exploits whenever necessary. How can Microsoft say "it's more of a 10-year timeline". That statement alone makes me wonder how sane Microsoft's security program manager is. So Microsoft are going to dismantle their security team in 2011?

    What would the Linux community think if Linus went out claiming that "we expect the Linux kernel to be secure in version 3.0"??

    Anyone who takes software security seriously should understand that you can never expect a product to be secure after some period of time.

    "Secure" is also relative and not at all an absolute term.
  • by Master of Transhuman (597628) on Monday August 30, 2004 @03:58PM (#10111603) Homepage
    It doesn't get better than this!

    Microsoft will take TEN YEARS to get secure?

    After pissing away thirty billion in R&D money for a one-time stock prop scheme?

    And their head of security uses Firefox?

    This is like discovering Bush prays to Allah!

    BWAHAHAHAHAHA!!!

    Hey, how about this theory?! Gates is secretly a hacker like the guy in the Sandra Bullock movie and really wants everybody to be insecure so he can take over the world!

    BWAHAHAHAHAHAHA!!!

    Mod this troll, mod this flamebait! Is that all you got, huh? Are you nuts? Come at me!

    • Re:BWAHAHAHAHAHA!!! (Score:4, Informative)

      by Quill_28 (553921) on Monday August 30, 2004 @04:06PM (#10111659) Journal
      > This is like discovering Bush prays to Allah!

      He does.

      The Jews, Christians, and Muslims pray to the same God, the God of Abraham.

      The Jews come from the line of Isaac (Abram's son with Sarah), the Muslims from Ishmael (Abram's son with Hagar).

      The Jews are still waiting for the Messiah, while the Christians believe the Messiah has come(Jesus Christ).
  • respun (Score:3, Insightful)

    by Doc Ruby (173196) on Monday August 30, 2004 @04:03PM (#10111650) Homepage Journal
    In other words "Windows Expected Insecure Until At Least 2011, Says MS".
  • Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.

    On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.

    I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect the only hope is that other browser developers will suddenly agree with Microsoft that security zones based on the current location of a file are a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.
  • by pileated (53605) on Monday August 30, 2004 @04:15PM (#10111721)
    Oddly enough I happened to read both the WSJ article and the Toulouse mini-article during my lunch a few minutes ago and came back to find this on slashdot.

    I also have to commend the graphic that accompanies the WSJ article. The article says that for the first time ever IE share dropped, presumably because of the virus threat. Also a few words about the Mozilla developers.

  • er... (Score:5, Funny)

    by ColonBlow (120356) on Monday August 30, 2004 @05:09PM (#10112257) Journal
    > when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline."

    I didn't read the article. This was Bush talking about Iraq, right?
  • by halfabee (685633) on Monday August 30, 2004 @05:11PM (#10112264) Homepage

    From the article:
    "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."

    I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherent in the OS, not in the Firefox browser.

    True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.
