Microsoft to Clean Up Code

the_pooh_experience writes "Microsoft has decided to beef up their security group by adding a code cleaning group according to Infoworld. As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'" The new group is called Security Engineering Strategy and while it may seem long overdue to many, it's still a step in the right direction for the folks in Redmond.

more of the same

[malus]

more of the same lip service from our friends at Redmond. is this the 3rd, or 4th 'security' initiative?

Re:more of the same

[DShard]

Lip service or not, these developers have in their job description to be scapegoats. That is not an enviable position.

A good thing

[DrTentacle]

Obviously, MS bashing abounds, but I view this as a good thing.

Working in an environment that is purely MS based on the desktop, with significant MS server infrastructure, I can only applaud any efforts they are making to clear up the mess that is obviously present. No, it's not going to happen overnight - Just as the company I work for is not going to replace all it's investment in MS tech overnight.

Unfortunately, being a developer does not make you a security expert. Some are, others will continue to allow simple flaws, such as buffer overruns, into their code. Having a group of people who focus on security review that code is without a doubt a good thing. While this may not be the potentially rigorous code review that OSS gets, it's better what presently happens at MS.

As for the issue of scapegoats...from an external point of view, getting MS to recognise bugs can be a difficult job at the best of times. Internally, if a group of security "experts" fail to recognise security flaws in a piece of code...then surely they are failing at their job?

Finally, there's been a lot of flaming about the fact that this is yet-another-initiative from MS in the security field. I welcome all of them, in parallel, as moving towards sorting out some of the many issues they have. The less time I have to spend working on patching buggy MS software, the happier I will be.

Re:A good thing

[Alsee]

Obviously, MS bashing abounds, but I view this as a good thing.

The problem is that as far as Microsoft is concerned "security" is a synonym for "DRM".

Whenever Microsoft talks about security, one always has to wonder how much of what they are doing actually means securing the machine against outside attackers (a good thing), and how much of it means securing the machine against it's owner (a bad thing).

The article makes refferences to things like "Trustworthy Computing" and "Next Generation Security". Both of which actually mean "DRM enforcment".

"Normal" computers cannot be adaquately secured against their owners. As far as Microsoft is concerned this is a "security flaw". Microsoft intends to "fix" this "flaw" by introducing new and crippled computers.

The article says Microsoft's "ultimate goal being that customers will take security for granted". Do you really think they mean that people will take it for granted that Microsoft software is bug free?? Or do they mean that their DRM mechanisms will be an "invisible", integrated, and omni-present part of using a computer?

They want you to take it for granted that the computer is invisibly and seamlessly enforcing DRM restrictions when you read your E-mail or surf the web. People are not supposed to notice that the option to "save image" has dissapeared from the menu when you right-click an image in the browser. Not only is that option gone, but the computer is phyically incapable of saving that image. The image is copyrighted of course, and wrapped in DRM. If people never see the DRM, they will just take it for granted when various options vanish, or other things become mandatory.

If Microsoft is cleaning up their code, then yes, this is a good thing. But a careful reading of the article suggest that this is at best a mixed project. And that is not a good thing.

-

Re:A good thing

[dthable]

The concept pre-dates open source development. They did have peer reviews in the days of the mainframe.

Re:A good thing

[jpmorgan]

Potentially is such a weasler. Let's face it, how many projects actually get any sort of in depth review from a lot of people?

The small projects aren't usually popular enough to attract sufficient attention. The big ones are too large an undertaking for anything but a cursory inspection which will only reveal the most blatant of security flaws; consider how long it's taken to find all the ptrace flaws in the linux kernel.

Re:OH come on now

[DrTentacle]

I see no real incentive for them to change

Security is one of the main areas that MS gets blasted for. While the security in their server products has some merits, it's undermined by the bugs that continuously appear and the total lack of lockdown in out-of-the-box config. Their push on security would have to address all these issues - Removing issues from the code prior to shipping, improving their response to the bugs that still appear, locking down products and educating users to unlock them as appropriate, and most importantly of all, concentrating on designing their systems to incorporate security from the start, rather than trying to tack it on later. There's been some movement in some of these areas...but nowhere near enough yet.

So will they do it? You're right in that there is little evidence so far. Given the constant slating they receive in this area, there is certainly a motive to improve it. But given the apparent lifetime of legacy code in Windows, it's not going to show significant results any time soon in that arena. I would suspect it would be more evident in "new" products such as .NET, etc.

Trustworthy computing was launched in Jan 2002, there's some info on what they claim to have achieved on their site [microsoft.com].

I do agree with you about Clippy tho :)

Re:more of the same

[Martigan80]

Actually this was in itself a security leak, the matter is being looked into.

Re:more of the same

[JayJay.br]

Might be the 6th initiative. But don't worry, they're goin to get back to the source, and Zion will be destroyed again.

Credit Where Due

[k0de]

If the 3r33t community hated other software/platforms as much as they hated Microsoft I'm sure the level of bugs exposed/viruses would be equally as high. I'm not saying Microsoft throws all beautiful software around, but if you devote time to finding holes in software, you'll find it no matter who the maker. As a fair example, look at what happens [zdnet.com] Larry Ellison tries to make grand claims about the stability of Oracle software. Many of you have valid opinions, and that's respectable, but how so many people can blindly hate Microsoft because of the hate trend makes me want them to succeed.

Re:Credit Where Due

[BadDoggie]

Larry Ellison begged the world to break Oracle. They spent millions buying up the backs of every business magazine and full pages in serious and financial newspapers claiming it was "unbreakable". They specifically said that no hacker could get into it. Real hackers and crackers have always said they do it for the challenge. What better way to provide a challenge than to spend tens of millions in order to yell, "C'mon, you weenies! I dare you!"

Microsoft also got hit a lot harder every time they claimed some semblance of security. They've learned their lesson, albeit slowly. Now they only claim to be working on improving security, considerably different than Larry's claims.

woof.

Re:Credit Where Due

[k0de]

Now they only claim to be working on improving security, considerably different than Larry's claims

Yes, considerably more humble. At least Microsoft knows better. That's a lesson Larry hasn't been able to learn from Microsoft's mistakes, so now he's learning the hard way.

The bottom line is that staying under the radar doesn't mean your software is stable. Any company with Microsoft's faithful hate troop would be humiliated by their own software. Oracle is just one example.

Re:Credit Where Due

[deranged unix nut]

Check out Windows Server 2003 - Microsoft was really trying to focus on security, and even got bashed by customers because they made it so secure that some of the applications wouldn't work anymore.

You don't "fix" 50 million lines of code overnight, especially not when it has taken 10 years (or more) to write. However, all of the developers really did take a few days to go through a set of classes on how to write secure code, and then spent the next month reviewing their code for security problems. All of the program managers really did go to classes to learn about security vulerabilities and how to find security weaknesses in their designs, and then went back and updated designs where needed. All of the testers really did go to classes to learn how to find security bugs and then created security test plans and spent a month doing nothing but looking for security bugs.

It probably isn't perfect, if Microsoft went for perfect you would be paying ten to twenty times more for the software, but for the first stab at really fixing the server operating system so that it is secure out of the box, I would say that 6 months of effort went into making Windows Server 2003 secure that wasn't in the plan prior to the trustworthy computing initiative.

Re:more of the same

[JimDabell]

It's certainly not the first. [slashdot.org]

Re:more of the same

[SkArcher]

Basically, this news story ammounts to 'M$ are doing what they are paid to do and making their software secure'?

Why is this considered newsworthy?

On second thoughts...

No kidding!

[ackthpt]

more of the same lip service from our friends at Redmond. is this the 3rd, or 4th 'security' initiative?

NEWSFLASH!: Microsoft invents quality control! source code reveiw measures, internal cooperation among units, standardized enterprise wide security measures! Patents soon to follow!

It certainly makes me wonder what the hell they've been doing all these years, besides making gigantic amounts of profit...

Oh... right, less money on development costs == more profits. Now I see why Steve Ballmer and Bill have been selling off so much stock.

Re:No kidding!

[dthable]

I don't think it's as simple as the amount of money on development costs. Microsoft is going through the transformation from a programming shop (with loose standards and shoot from the hip developers) to a true software engineering shop (many standards, well thought out ideas and calculated coding). It's a tough transformation, but the code will be better in the end.

Re:No kidding!

[dthable]

What other industry, besides perhaps tobacco, could get away with something as audacious as that?

Not to mention the frequent crashing, loss of data, forced upgrade cycles, etc.

Last, the staggeringly amazing thing is, people seem fine with that. Cripes!

Exactly. No one wants a single thing to go wrong with their car or telephone, but the software we use is acceptable. It's funny/scary to see how many people actually accept and think it's fine to reboot their PC every hour.

Re:more of the same

[tomhudson]

and putting it in the hands of a review group, rather than educating their coders (who are, after all, the ones who wrote the bugs in the first place) on how not to write buffer overflows, etc, is the WORST way to go about it.

So, here's a rather obvious 1-2-3-profit list

1. patent the buffer overrun
2. sue microsoft for every infringement
3. profit!

Poppycock.

[Anonymous Coward]

This "emphasis on security" crap is just a PR screen for TCPA^WPalladium^WNext Generation Secure Computing Base.

Insightful?

[Anonymous Coward]

Try (-1, Tinfoil).

Re:Poppycock.

[Anonymous Coward]

TCPA^WPalladium^WNext Generation Secure Computing Base.

vi commands are not known by your browser. Please use backspace.

Fat Chance

[OmniVector]

If you've learned anything by now, it's not important that Microsoft fix the majority of their security flaws, but that they imply they will.

The OSS model of peer review on a large scale is the sole reason for such reliable security.

Proprietary companies still have an edge. If people programmed according to a planned set of pre/post conditions, and tested their modules with black box testing, then a large portion of the controllable errors can be caught. Whether or not Microsoft does this is questionable since we can't see their code.

Oh, and BOUNDS CHECK EVERYTHING. Buffer overflow errors should have been non-existant for a half a decade by now.

Re:Fat Chance

[jkrise]

"it's not important that Microsoft fix the majority of their security flaws, but that they imply they will."

Let's have a debate at Ask Slashdot. Is it EVER possible to make Windows secure? Not maybe in the same league as Linux or Unix, but even marginally better than what entails now?

The challenges:
1. An integrated all-in-one tightly coupled design - anything breaks, everything compromised.
2. Proprietary standards (if that isn't an oxmoron)
3. Newer OS releases atleast once a year, to break competing code.
4. Newer releases to support existing apps (3 and 4 directly contradict)
5. Code size and complexity - I doubt anyone, even at MS has access, let alone modification rights to the variuos code bases.

Put simply, Mission Impossible.

Re:Fat Chance

[PhxBlue]

I agree - and that's why Microsoft would be best off, for their long-term interests, with a team of software engineers who would redesign the Windows codebase from scratch. I'd bet a lot of the "millions of lines" of code in Windows XP is legacy Windows NT code--in which case MS should take a fresh look at what the code does, if it could be designed more efficiently and securely, and (more importantly) if any other parts of the Windows code actually use it. Of course, such measures would take years and wo

Re:Fat Chance

[clary]

What you suggest would be the end of Windows (maybe not a bad thing). An ex-Microsoftie says it well here: Why you should never rewrite from scratch. [joelonsoftware.com]

Re:Fat Chance

[IWantMoreSpamPlease]

Bullshit. Writing code from scratch is the *only* way to go if your existing code base is too hosed. Look at, for example, the Be Operating System. Written from scratch, from the ground up, and it shows just how much a computer can really accomplish if you start with a clean slate.

Re:Fat Chance

[walt-sjc]

Just read that drivel, and there ARE some valid points, but it is NOT universally true.

Case in point, I was on a team that redesigned an entire large-scale system from scratch. The old system was built in lots of little parts using various languages (shell, perl, java, c++, c, python, lisp), multiple databases from various vendors, had virtually no internal documentation on how anything worked, etc. They system was quite unstable crashing multiple times a day, and very difficult to enhance without breaking shit. Kinda like Windows...

We re-built the entire system in about a year (about 750K lines of code which was about half the size of the original code.) The result was amazing. After the initial deployment period where the bugs were worked out, the system was rock solid being able to stay up for months at a time, was Very easy to enhance, had tones more features and flexability. We had a great team, and a solid commitment from senior management providing the needed resources.

Netscape's biggest problem was not starting over from scratch, but poor project management (not keeping people within original design constraints) and a lack serious commitment from senior managment. Rather than having a very tight set of requirements and design goals, things were very nebulous and got out of control very quickly. No longer were they building a new browser, but a cross-platform framework for any kind of application they could think of. When you look at projects such as Galeon, most of that bloat is ripped out.

Rather than folling a bad example of how to run a re-design project (mozilla) MS could EASILY afford a new team to start Windows from scratch, leaving the existing team in place to continue to enhance / maintain the existing code base. This is the step that Netscape missed. They only used a small fraction of their people to maintain (and NOT enhance) the old code.

Joel is making his claim by using the worst case example. Kinda like if I claimed that you should never put the gas tank in the back of a car pointing to the Pinto as my evidence, ignoring the thousands of other car designs that worked.

Re:Fat Chance

[Daniel Phillips]

...that's why Microsoft would be best off, for their long-term interests, with a team of software engineers who would redesign the Windows codebase from scratch.

They already tried that, it's called "NT". Things got better for a while, then the application mafia got their fingers in and it degenerated back to the current mess.

So they could start that process over again, and be finished in 5 years, just in time to see their stock make the final dive into the subbasements. Or they could learn from Apple once again, and switch to BSD, it's free :-)

Re:Fat Chance

[Junta]

I think his first point is valid. Even if the implementation is well partitioned and easy to apply updates to segments of the OS atomically, the problem remains that the *architecture* is designed to be too tight-knit. They are forced to honor this as earlier programs utilized this interconnectedness to do what they did (just as a lot of programs that *should* be usable by a common user only work for Administrator class users). Having to work around their backwards compatibility is biting them in the ass

About damned time

[rgoer]

Now, if only they would incorporate a business ethics cleaning group, maybe we'll see some progress.

And, yes, please somebody respond to the oxymoronic notion of "business ethics," I'm just begging for it.

I'm suprised...

[DJPenguin]

... that this group didn't exist before. Surely a company the size of MSFT would already have a team or group just doing code auditing?

Oh well. as they said - it's a step in the right direction.

Re:I'm suprised...

[Lord_Slepnir]

They do, but some times a clean compile just isn't enough of a code audit.

Incorrect

[The-Bus]

If you RTFA, it shows that this is entirely security-oriented, not performance oriented. It seems that "cleaning the code" means "patching makeshift holes over problems" not "making code athletic, slim, and fit"...

Pity.

Re:Incorrect

[gbjbaanb]

not necessarily - 'cleaning the code' IMHO means going though looking for bits written by less-competant programmers, or written in a hurry to meet the deadline, or just hacked as no-one thought it'd be shipped as product.

sceptic

[Ashish Kulkarni]

I'm highly sceptical of this. In my experience, security and features are always on two opposites sides of the spectrum, and Microsoft is too much on the features and ease-of-use mindset to have something really significant coming from this effort.

Re:sceptic

[Shalda]

Perhaps you haven't looked too closely at Windows Server 2003. I've been kicking it around for about 2 weeks now and let me give you some highlights.

1. Stuff works. It's the easiest time I've ever had configuring a server. It's like flipping a switch.
2. Stuff is locked down. Everything out of the box is turned off. When you do turn it on, it's locked down by default. Everything runs with the lowest privelege possible to get the job done.
3. Reliable. Nearly anything can be done without restarting the machine. The only exception I've had so far is making it a domain controller.

Frankly, I'm looking forward to working with it in a production environment.

in a nutshell

[nounderscores]

Microsoft is going to hire testing programmers?

Re:in a nutshell

[override11]

No word on what the summer interns will do. :-)

But we do know it will involve cigars....

Re:in a nutshell

[walt-sjc]

You're thinking of the OTHER Bill.

It could work..

[Mr2cents]

.. but only if they clean up the bugs, and not the patches.. (Hey? what's this if-clause doing here? There is no such thing as a negative packet size!)

Hiring Somebody to Do the Dirty Work

[Davak]

Seems like that a "code cleaning group" would be the most poorly efficient way of accomplishing this.

Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!

Why hire somebody else to do _your_ job?

I've never programmed in a huge group before... so maybe I missing the experience to understand.

Davak

Re:Hiring Somebody to Do the Dirty Work

[archeopterix]

Now I do not write the cleanest code in the world... but when writing with a group, I can take the time and effort to make ultra clean code--especially if my paycheck depended on it!

Heh, heh.

"Hey, why waste time on those sanity checks, let's use gets(), the security monkeys will clean it up anyway!"

Re:Hiring Somebody to Do the Dirty Work

[gbjbaanb]

"Hey, why waste time on those sanity checks, let's use gets(), the security monkeys will clean it up anyway!" ... and then publish your name as producing the worst, security-poor code in the company and everyone can laugh at you, and the bosses can cancel your bonus.

Re:Hiring Somebody to Do the Dirty Work

[Jasin Natael]

It's notoriously difficult to read other people's code. It would take more programmers to fix a project than it took to write it in the first place. Shouldn't there be a "Clean Code" peering/mentoring group instead, or a "Clean Code" review body? I'd be much more confident if someone was keeping up with the code as it was written, and going back to the programmers before the program ships, asking "What exactly does this do for the program?", or "You do realize that you should decrement this length coun

Where have I seen this before...

[geesus]

OpenBSD have done this. They set up a team of dev's who went through the entire code fixing up buffer overflows\underflows, and all that jazz. I hope for the worlds sake (because it seems that the whole world is using Microsoft products) that they do a good job, but in my mind it wont make me feel like Windows or IIS or any other networkable piece of Microsoft written software is secure.

For the world's sake

[truthsearch]

I hope for the world's sake they do a terrible job and most people realize it. If their software remains marginally good enough in most people's minds, as it is now, it'll continue to be used. Their walking a thin line right now. If their software is seen as more expensive, buggier, or more insecure than it is now, even by just a little, they'll hurt. Anything that keeps them above that line keeps them in business. I'd much rather see them fail so there's a much quicker transition to FOSS.

More Innovation from MS! PeerReview.Net++(R)TM

[HighOrbit]

In it's newest patented process, MS has just invented PeerReview.Net++.

Yeah, I can clean it too:

[Skweetis]

# dd if=/dev/zero of=/dev/hda bs=512

Seriously, though, this is a good step for them, and I hope other software companies follow their good example.

This must be a joke

[El Cubano]

Microsoft is a long way from its ultimate goal where users can take security for granted in its products

This is precisely the problem we have now. People already take security for granted (they don't think about it). Their goal should be to beef up security and to educate everyone about the features so that they become more security concious, rather than just take it for granted.

Re:This must be a joke

[Wolfier]

Problem is, Open any magazine and you'll learn that Microsoft is on a rampage advertising campaign to preach that its products are secure.

When in fact it is far from the truth.

This false sense of security is exactly what makes their product very vulnerable.

MS needs to admit the security flaws publicly, loudly, and stop preaching bullshit.

hope this works...

[feepcreature]

I hope this works better than trustworthy computing has done so far. It's going to need real commitment from the company to allow it to make a difference. It could even mean delays to product launches (or service packs), which some parts of M$ may not be so keen on (though after recent debacles, other parts of the company would probably like fewer, better, security fixes).

And I can't imaging their top coders rushing to join this team.

Still, it could work...

Taking security for granted

[Neophytus]

I would never want to take my security for granted, in any product. Not windows, not open source, not even goddamn openbsd that proclaims proudly 'only one remote hole in the default install, in more than 7 years' on its front page [openbsd.org]. Only one hole that has been found. The chances are that, somewhere, there is an obscure security hole that nobody has discovered. It would become the second.

Re:Taking security for granted

[Sentry21]

not even goddamn openbsd that proclaims proudly 'only one remote hole in the default install, in more than 7 years' on its front page. Only one hole that has been found. The chances are that, somewhere, there is an obscure security hole that nobody has discovered. It would become the second.

I dunno, two remote holes in 7 years is pretty good. If you want to use slashdot as a forum for anti-OpenBSD trolling, point out that the default install does pretty much nothing, and it's the services that people install anyway that are usually abused (telnet, ftp, etc.). That's more of a point than 'Only one? They probably have two!' which is just blatant trolling.

--Dan

Blimey, they gotta be careful...

[Boss, Pointy Haired]

Especially if the clean-up group are not working closely with the original developers.

Fix 1 security hole.

Introduce 100 bugs.

Hmmm.

Slashdot's Microsoft Obsession

[Pave Low]

Recently it seems not a day goes by on slashdot without a few Microsoft stories. This supposedly linux, open-source focused site seems awfully preoccupied with Microsoft for some reason, and it's not good.

The trolling editors seem desperate to generate pageviews and posting a Microsoft piece almost guarantees to inflame and troll enough users to accomplish this.

Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.

The more reasonable readers don't get off on that kind of stuff. Please editors, this is getting old and boring.

Re:Slashdot's Microsoft Obsession

[Anonymous Coward]

> Recently it seems not a day goes by on slashdot without a few Microsoft stories.
You must be new around here...

Here's a tip for you: go to your Preferences and filter out what you don't want to see.

Re:Slashdot's Microsoft Obsession

[krystal_blade]

Look at this story...what's really that new or interesting here? This looks like just another opportunity for slashbots and "M$" haters to get their kicks.

You're new here, aren't you?

krystal_blade

But it IS important

[Obiwan Kenobi]

Firstly, filter it if you don't like it.

Secondly, I believe it's very important to keep track of any and all movments of the biggest, richest, most powerful company in the world.

Of the company that controls 95% of the desktop market that Linux might, hopefully, break into.

If they're looking into new strategies, even ones that are years behind their time, we should know about it. When you only look at yourself, you'll sometimes see innovation or monopolism take over while you're busy staring at your shoes.

A company with such terrible operating practices [lindows.com] should be watched closer than any other company, and I'm all for it.

Despite your obvious trolling, I will agree that it might seem a bit much, but I'll tell you, I'm glad we're looking too hard, than not looking hard enough.

I wait for these same comments about the SCO case in a few days.

Re:Slashdot's Microsoft Obsession

[Mr_Dyqik]

I like way I saw this story with a big advert under the story for Visual Studio .Net.

Hmm.
1. Get adverts from Microsoft,
2. Run lots of Microsoft stories,
3. Get more adverts from Microsoft
4. Profit
5. Switch Slashdot to IIS
6. Lose profit.

Re:Mod Parent Up - 5: Right On!

[stinky wizzleteats]

I thought this site is supposed to be about the promotion of open source software, and educating the public on its benefits over closed source commercial software.

Uh, no. It's news for nerds. RTFWS

I thought I would come to this site finding compelling information that would convince me to switch to open source software.

Oh, I am aquiver at the very thought of proselytizing you!

Instead, we rarely see anything but attacks on the competition, and hypocritical attacks at that.

Dude, I see everythi

Code audits will help, but...

[Zigg]

What is really needed from Microsoft is flat-out redesign, and that means breaking a few eggshells.

The most telling bit from this article: "...the majority of viruses written attack Microsoft products..." Yes, it is certainly true that some of them exploit real bugs, but the majority of viruses target Microsoft software design, not buffer overflows.

I'm willing to bet the code audit team members don't have redesign authority; nor should they. Hopefully, they do have easy access to people who can make the design decisions and can raise issues quickly. Necessary design changes are going to break things.

You can audit the code all day and all night and you will end up with a more secure product in the end. But to solve the real problems with Microsoft security, the product needs to be designed with that security in mind.

Some name suggestions..

[jkrise]

"The new group is called Security Engineering Strategy"

A weak name, I suppose. Some suggestions:

1. Next Generation Secure Computing Strategy.
2. Social Engineering Strategy.
3. Brainwashing Services (BS, for short).
4. Severe Acute Repair Services Group (SARS group)
5. Purity Enhancing Networked Information Services. (figure it out)

You Cannot Clean The Code..

[Gaggme]

..you can only realize the truth, that the Windows codes is the virus.

The only thing that will save MSFT's code..

[xtermz]

...is peer review by knowledgable people within the security community. And how do they have peer review of their code?..... open the source, of course.

ok, i did not mean for that to rhyme, but you get my point. Microsoft is a big self reliant entity that hires like minded people. Thats not who they need reviewing their code. They need objective 3rd parties with real world experience in security and systems. I'm not saying they need to put the code to WinNT on an FTP server for all to see, but loosening their grip a little.

Once MSFT realizes that they dont have to be nazi-esque with their firm grips around their code base, and they can succeed by opening up a little, they will do great things, imho. They havent quite learned that yet..

Re:The only thing that will save MSFT's code..

[_Swank]

open source is certainly one way to potentially increase code quality with respect to security. but there are others, including introducing a group within the company to audit exactly that.

there are obvious drawbacks to microsoft opening their source, including a large collapse of their main revenue streams and huge impact on their existence as a company. at least, as microsoft is structured now, opening their source is not a good business decision (no matter your feelings on microsoft as a company).

open source is not the software savior it's often made out to be. all software will not be open source. ever. demanding that every software company do just that is both unreasonable and generally unhelpful. we should be demanding that software companies produce more secure, stable, and user-centered software. however each company chooses to do that shouldn't matter, as long as that end goal is reached.

Doesn't look like they'll fix existing code

[shayborg]

First, this isn't a code cleaning initiative, as someone above noted -- the article says that the new group will "establish new software development processes and create tools for its programmers so that future Microsoft products will have fewer security flaws." So it looks like their job is to just improve the programming methodology at our favorite software company.

Second, there are only ten people on this task force. Will they have enough time to fix the programming methodology for all Microsoft software? Somehow, I doubt it -- and it doesn't take much imagination to guess that the Mac products, for example, aren't likely to be the primary targets, as well as any spyware that Microsoft finds convenient (*cough*WMP ;-)*cough*).

So it's a step in the right direction but I think they need to use more manpower to solve this problem. God knows they have plenty of it. Until they do, across the board, I don't think many of us will ever trust Microsoft's security. (I'll leave the question of trusting Microsoft itself to another discussion.)

-- shayborg

Manpower? More MS myth tossing

[djupedal]

MS employs a staff that roughly equals 20% of GE. And the bulk is either in marketing or legal. Factor out these yocals, mid-level managers doing nothing but CYA and all the air-head interns and there's not much left. There's your 'task force,' working on this whitewashing.

What is Microsoft's full-time worldwide headcount? Current employment headcount as of 6/30/02: Worldwide: 50, 030

GE operates in more than 100 countries and employs 313,000 people worldwide. Now, that's manpower. Anything under 250,000 is just an excuse to have vending machines in the lobby.

That's pretty funny

[krystal_blade]

'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...

The way I hear it, most people already take security for granted with MS products.

And are proven idiots.

krystal_blade

Open it up

[Midajo]

Nobody in their right mind is going to simply take it for granted that any given operating system is secure. Considering Microsoft's track record of programming, they are the last people anyone should blindly trust. The only way to deliver security on a project of this magnitude is to open the source to peer review.

Code Review ?

[jalilv]

Are they saying that they will start doing the code review from now on ? Does it mean that they were not doing it before and not following the procedure that is standard in most of the software development firms ?

- Jalil Vaidya

The fearless leader

[nob]

The article failed to mention the individual [bettsiv.com] who will be heading the group. I wish Mr. Pen and the rest of his team the best of luck for this endeavor. They'll need it.

In other news,

[Sevn]

Farmer John has decided to close the gate after all
the horses have run away.

Is that a new mission statement I hear?

[krystal_blade]

its ultimate goal where users can take security

And here I always thought Microsoft's "ultimate" goal was world domination...

I mean, that's what I've read here on slashdot...
(cognitive dissonance takes over...)

They must have gotten that statement screwed up...

krystal_blade

Don't be dismissive

[pchown]

It's tempting to dismiss this sort of announcement as "more of the same", "PR spin", and so on. Perhaps it is, but I don't want to get caught when the security spending starts to produce real fruit.

Think about the success of OpenBSD [openbsd.org]. In terms of security holes it's probably an order of magnitude better than other free operating systems, and Windows. This result was largely obtained through code auditing. If we aren't careful, in a few years, Microsoft will turn the tables on us. The code auditing they've done will have paid off, and we'll have it all still to do (for the typical Linux distribution, OpenBSD is different).

Laughing at your competitors is a risky strategy.

Re:Don't be dismissive

[Ashish Kulkarni]

Yeah, but OpenBSD tries to avoid adding too many features during its code audits ... and OpenBSD already has gone through multiple, LONG audits (recall that Theo did a year-plus audit soon after forking from NetBSD). Also, OpenBSD tends to be very conservative and behind the cutting edge for this very reason (not that it's a bad strategy, mind you). However, this does not sit very well with Microsoft's strategy of adding more and more features in every new product release....

Security is not a methodology which you can apply like any other tool -- it is a mindset which has to be cultivated in the original coders AND carried over to the ones who bugfix/test the code.

I am part of this group..

[cOdEgUru]

But my Project Manager wasnt amused when I sent him empty source files after cleaning up!

hmmm...

[stinky wizzleteats]

Microsoft is a long way from its ultimate goal where users can take security for granted in its products

Oh, yeah - that dude is so fired. This is sort of like that moment during the 98 demo that the scanner blue screened the computer while Bill Gates himself was doing a presentation. He had the gall to say "I guess that's why it hasn't been released yet."

I couldn't get over the feeling of how surreal it was to imagine Bill Gates having a single thought about product quality, much less expressing that

I'm telling you again - Hire Theo.

[TerryAtWork]

What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world.

Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.

He'll give you a seminar on code cleaning you'll never forget.

Re:I'm telling you again - Hire Theo.

[Daniel Phillips]

What Bill should do is contract Theo de Raadt of OpenBSD. He has to be one of the lord high masters of code cleanup in the whole world. Pay boffo bucks, send a Gulfstream to get him and give him some Bill face time.

Knowing Theo, he'd tell billg to get stuffed.

Suddenly it all makes sense now

[TheConfusedOne]

1) UNIX IP License.
2) Plan to clean up code.

All they have to do is start swapping files. :-D

April Fools?

[allism]

This is a delayed April Fools joke, right? Someone forgot to check a date on a submission or something? When would the director of MS security actually admit something like "Microsoft has bunches of bugs"?

Can you spell political?

[borkus]

Let's see - You're a code reviewer for the M$ Code Cleanup crew. Windows 2005 is rolling through developement and you find a security issue that'll add a man-month to the project. What kind of pressure will you encounter from Microsoft's marketing department?

Taking Secuirty for Granted.

[Inverarity]

As the director of MS security engineering says: 'Microsoft is a long way from its ultimate goal where users can take security for granted in its products...the majority of viruses written attack Microsoft products.'"

Personally, I do not think that security should ever be taken for granted. I think it has been proven that this lax security awareness leads to problems independent of the software (e.g. stolen credit card numbers and identity theft from insecure websites and to a lesser extent the proliferation of spam). Most people do not take the locks on their front dor for granted, why should the computer be any different. Especially now that many individuals use the computer as the primary portal to the outside world.

What was that name again?

[janda]

According to the article, the new group will be called outa'sync (um, no, wrong article. Hang on. Ok). The new group will called the (drum roll, please):

Security Engineering Strategy Team

Anything group that has the word "strategy" in it will spend their time writing memos about how this piece of already written code could be better.

These memos will then be ignored by everybody so they can meet their deadlines.

odd timing.

[s4m7]

Here's something to worry about. Does the timing, that the U.S. Gov just instituted a new position for this (the cyber-security chief) which I have already commented on here [slashdot.org], seem odd to anyone else?

This looks remarkably like the same type of handwaving smoke and mirror show that the government is trying to put on. "look at us, we're doing something(tm) about security!

makes me wonder if this is microsoft's way of making sure it has a chance to influence what the gov. considers secure.

Microsoft will get it right one day...

[ayjay29]

... bad news for Linux etc. when it does.

Windows 3 was crap. ...95 was a big improvement.

Windows 95 is unstable. ...Windows 2000 was a huge improvement.

Windows 2000 Server is insecure. ...The 2003 servers ARE a big step in the right direction.

If they progress as far in the next decade as in the past decade, they will be delivering stable, relyable and secure servers. If that happens I dont see Linux based systems able to offer too much competition.

its easy

[azoidx]

cat bad_code.c |grep -v getchar > good_code.c

Re:Port to Java!

[DShard]

They have. It's called J#. It's microsofts answer to a question nobody asked.

Re:Port to Java!

[dimer0]

Yea, it really sucks that I can develop and test code on my Windows laptop and just copy the compiled files over to an AIX box, or Intel/Linux box, and everything works perfectly.

Methinks you're a disgruntled C programmer feeling the world's leaving you behind.

Get with it - there's tools for every job - pick the one that works best.

My original point was made in humor partly - but the main point was that normal security exploits attacking buffer overflows, for example, are a non-issue in my 'interpereted

Re:Port to Java!

[GigsVT]

I think you forgot to add this:

and everything works perfectly*.

*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"

Seriously though, every Java based piece of software we have looked at has been total crap. Many of them require a certain runtime, such as one web service from a major company we looked at, that only works with Apple's runtime. Other's only work with MS Java runtimes. The list goes on.

Re:Port to Java!

[buckinm]

*Perfectly is taken to mean "Works about right as long as that system has the same brand and minor revision of the JRE"

Nope, don't think so... I develop on 1.4.1, and my stuff runs fine on 1.2.2 and up.

Re:Port to Java!

[dimer0]

I have still refused all projects that call for Java programming.

Did you stomp your feet when doing so?

If it cannot be programmed with a real language, I don't wanna do it.

Oh, that's brilliant. Do you tell your management that? .. Or, hmm, maybe you're a school-boy.

Re:Port to Java!

[Anonymous Coward]

some of the largest software capitalists in the world believe in all the above technologies

Coorporations believe in a lot of things, and miss a lot of other things in doing so.

In the early 90's, everyone expected Unix to collapse and NT to take over the server market. A decade later, Unix market share has grown via. Linux and NT is in the minority on the web.

Microsoft believed in MSN and almost completely missed the Internet revolution.

Sun believed in NeWs and X stomped it into the ground.

Sun al

Re:Clean Code?

[superdan2k]

And probably more new ones, too. Let's face it, something, somewhere, is going to be calling the code they're "cleaning" and if it doesn't work right, it's going to break shit. Bigtime.

Re:This proves it!

[ackthpt]

"Microsoft has decided to _beef_ up their security group by adding a code cleaning group "

As close to their admitting the code is full of bullshit!

Fool me once, shame one you

Fool me twice, shame on me

Fool me over and over and I must be the IT selection manager/commitee/group at a fortune 500 firm.

Anyone remember Douglas Adams' concept of the SEP field generator? It generates a sense that something is Someone Else's Problem and people's natural predisposition to overlook it makes the something in

Of course you know....

[interactive_civilian]

The name of the game is simply Duke Nukem and is just an upgrade to the previous game w/ the same title (they will change the version number and include new maps).

Forever is the release date.

;-)

Re:Linux

[arvindn]

And many people have pointed out that while the majority of exploits have been directed at Windows machines, there are a lot more Windows users than anything else.

Oh c'mon. This is one horse that's been flogged on /. a million times already. Most attacks aren't directed at desktop users (though those are the ones that get the most publicity) but at servers. And that's one market which MS certainly doesn't dominate. Why are there still far more attacks directed at MS products? Do you really think the frequ

Re:Linux

[PhxBlue]

On the other hand, most servers on the 'Net run Apache; but most servers that are compromised via software bugs are Microsoft IIS servers. Go figure.

Re:Don't Stow Thrones in Grass Houses

[ctid]

Multics didn't operate in today's environment, however. How would it have done if it was attached to the Internet? This isn't to knock Multics, about which I know precisely nothing. But a large part of the security landscape these days is the fact that J Random Hacker has the means to access your computer from a remote location all the time. Of course universities and the military were on the forerunner of the Internet in those days, but the number of people with access to a connection was miniscule compare