Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Microsoft Operating Systems Software Windows IT

Richard Clarke on Microsoft security 491

hizzo writes "Richard Clarke, former White House cybersecurity and counterterrorism adviser, harshly critized Microsoft's security track record. 'Given their record in the security area, I don't know why anybody would buy from them.' He also called for some regulation of security for ISPs in addition to better industry self-regulation, such as disclosing QA practices and becoming more accountable for secure code. I wonder if anyone will finally start listening to him?"
This discussion has been archived. No new comments can be posted.

Richard Clarke on Microsoft security

Comments Filter:
  • not likely (Score:4, Funny)

    by pHatidic ( 163975 ) on Thursday February 17, 2005 @05:51PM (#11705739)
    With all the bribes Microsoft gives to politicians, it's no wonder why he is the former White House cybersecurity and counterterrorism adviser
    • Re:not likely (Score:5, Interesting)

      by ackthpt ( 218170 ) * on Thursday February 17, 2005 @05:59PM (#11705820) Homepage Journal
      With all the bribes Microsoft gives to politicians, it's no wonder why he is the former White House cybersecurity and counterterrorism adviser


      Microsoft's bribes had nothing to do with that. He was competent, professional and honest. He didn't realize the crap Wolfowitz was pushing into the president's head until it was too late. Sadly, Rice sat there and lied to the Senate and still has been confirmed as the SoS.


      As for Microsoft's bribing, they had a commendable record of trying to stay the heck out of politics for years, until it became evident that without greasing certain palms that Washington DC would turn on them. Now they make sure enough lucre is spread around Washington and they have many wagging tongues at their disposal and many ears to listen.

  • Hmm... (Score:4, Funny)

    by p373 ( 689997 ) on Thursday February 17, 2005 @05:52PM (#11705741) Homepage
    Gates might have a little trouble calling this guy a communist.
    • Gates might have a little trouble calling this guy a communist.

      Well it wouldn't surprise me if he did, Clarke is supposed to be quite pally with Clinton remember.
      • Re:Hmm... (Score:5, Funny)

        by commodoresloat ( 172735 ) on Thursday February 17, 2005 @06:39PM (#11706220)
        Yeah, right, because the Clinton Administration was communist. Remember how he nationalized the computer industry and sent millions of computer programmers to labor on the collective farm system? And how he used to speak eloquently about the noble plight of the lumpenproletariat? And don't get me started on Al Gore's poetic musings about the withering away of the state....

        </sarcasm>

        • Re:Hmm... (Score:3, Insightful)

          by dajak ( 662256 )
          And how he used to speak eloquently about the noble plight of the lumpenproletariat?

          Lumpenproletariat? That would centainly disqualify him as a communist. Marx introduced the concept 'lumpenproletariat' to refer to people of low class outside the productive wage-labor system. These people were considered a force hostile to the revolution of the proletariat. I don't think Marx considered these people 'noble'.
      • Re:Hmm... (Score:4, Insightful)

        by Doc Ruby ( 173196 ) on Thursday February 17, 2005 @07:03PM (#11706439) Homepage Journal
        Yes, Clinton, who presided over the biggest capital gains in history. Not Bush, who's got a $2.5T budget sending hundreds of billions to state-guaranteed corporate gigs like Halliburton and pharmacos. Yep, Clinton, the communist. Where do you get this stuff? Oh, right - the "news".
      • Re:Hmm... (Score:5, Interesting)

        by drsmithy ( 35869 ) <drsmithy@gm[ ].com ['ail' in gap]> on Thursday February 17, 2005 @08:39PM (#11707151)
        Well it wouldn't surprise me if he did, Clarke is supposed to be quite pally with Clinton remember.

        It's comments like this that remind us non-Americans just how far politics in the US is skewed to the right...

  • I'm shocked (Score:5, Funny)

    by novakane007 ( 154885 ) on Thursday February 17, 2005 @05:52PM (#11705743) Homepage Journal
    A politician I actually like? It's just not like them to tell the truth.
    It's amazing what will be said when people aren't afraid of being black-balled in the IT industry.
    • Re: not a politician (Score:5, Informative)

      by bracher ( 33965 ) on Thursday February 17, 2005 @06:06PM (#11705902)
      He's not a politician, he's a civil servant. There is a huge difference there.
  • Why? (Score:3, Insightful)

    by Telastyn ( 206146 ) on Thursday February 17, 2005 @05:52PM (#11705746)
    If people don't listen to their computers getting nuked or their info stolen or any other direct impact upon themselves, they're not going to listen to a pundit.
  • by Black Parrot ( 19622 ) on Thursday February 17, 2005 @05:52PM (#11705748)


    "none"

  • Why buy from MS... (Score:3, Insightful)

    by Joey Patterson ( 547891 ) on Thursday February 17, 2005 @05:52PM (#11705749)
    Given their record in the security area, I don't know why anybody would buy from them.

    Maybe because people aren't aware of the alternatives that are out there (Mac and Linux) or simply resist change.
    • Many people prefer their mother's home cooking, even if it is unhealthy and tastes terrible. Trying something new is scary, not everyone wants to do that.
  • Seriously (Score:2, Insightful)

    by Anonymous Coward
    Richard Clarke is some kind of expert on computer security? Where are his credentials on the subject?

    Just because a person is an expert in one area doesn't mean he knows jack about other areas.

    Look at most nerds here. They're pretty smart about computers, but idiots about politics.
    • Re:Seriously (Score:3, Insightful)

      by dameron ( 307970 )
      Richard Clarke was main counterterrorism expert in the U.S. government for 4 presidents. One of the criticisms, perhaps justifiable, of Clarke pre-9/11 is that he was too obsessed with cyber terrorism and computer security.

      I think he knows what he's talking about.

      -dameron
    • Re:Seriously (Score:5, Insightful)

      by TheWatchfulBabbler ( 859328 ) on Thursday February 17, 2005 @06:16PM (#11706002)
      Richard Clarke is some kind of expert on computer security? Where are his credentials on the subject?

      Well, he handled CIP during his time with NSC, and was cybersecurity czar after being shoved out of his counterterror role. 'Czars' of various sorts are, given their lack of power, perhaps the most ironically-named figures in Washington, but Clarke was certainly the best-informed computer security layman in the nation. So, yes, when the former Cybersecurity Czar specifically singles out Microsoft as a source of major vulnerabilities, I think he's qualified to pass judgment.

    • Re:Seriously (Score:5, Informative)

      by anactofgod ( 68756 ) on Thursday February 17, 2005 @06:23PM (#11706069)
      What are your credentials? Must lie in something other than computers and internet, since all of the nerds here can answer questions such as yours by doing a Google search. If you had bothered to so so, you'd have read that Clarke was chairman of Bush's Critical Infrastructure Protection (CIP) Board when he retired [computerworld.com] in 2003. He was also the first counter-terrorism coordinator. His office also released the US National Strategy to Secure Cyberspace [us-cert.gov], and he seems to be enough of an authority in the field to be interviewed by IEEE Security & Privacy [computer.org]. There is a lot more to his background, if one really cares to investigate.

      So, I'd say that he's pretty well credentialed to comment on threats to US cybersecurity. Perhaps not from the perspective as a bits-and-bytes technologist, but certainly as someone who has expertise in assessing systemic strengths/weaknesses from the perspective of counter-terrorism.

  • Humph (Score:4, Insightful)

    by Anonymous Coward on Thursday February 17, 2005 @05:53PM (#11705756)
    A story only a few hours ago on how Microsoft shines on security.

    Fact: any box is as secure at the admin makes it.

    Move along.
    • Re:Humph (Score:4, Insightful)

      by DickBreath ( 207180 ) on Thursday February 17, 2005 @06:28PM (#11706116) Homepage
      Fact: any box is as secure at the admin makes it.

      Fact: any box starts out as secure as the developer/packager makes it.

      For example, having a vulnerable IIS turned on by default on a plain jane workstation.

      An incompetent admin can make a secure system insecure.
      A competent admin can, with work, might be able to make an insecure system secure.
      (Depending upon the nature of the required fixes.)

      But a box can start out relatively more or less secure, and that is an important point worth comparing. How secure is a given system out of the box, before an admin gets hold of it?
    • any box is as secure at the admin makes it.

      You know, I think that, if I tried hard enough, I could build an OS that no admin could secure.

      Moving on from deliberate incompetence, we come to Microsoft. They didn't deliberately try to make an impossible-to-secure OS, they merely made so many bad architectural choices, and added so many features that are inherently insecure, that the effect was close to the same.

      Now, in fairness, they are getting better. Windows doesn't fight the admin who tries to secure

    • Re:Humph (Score:4, Insightful)

      by nihilogos ( 87025 ) on Thursday February 17, 2005 @07:27PM (#11706616)
      Fact: any box is as secure at the admin makes it

      I can't believe this got modded insightful. The vast majority of computer users aren't admins, and don't have an admin coming round to their house to 'secure' their system, or stand over their shoulder to tell them they shouldn't open that email attachment.

      The 'admins' need to be built into the software you tard.
      • Re:Humph (Score:3, Insightful)

        The 'admins' need to be built into the software you tard.

        That is what is slowely happening. Microsoft now offers a firewall, a spyware cleaner, and an update system for XP. The major thing it lacks is antivirus (probably because if Microsoft added that it would be seen as monopolistic).

        All of these tools are easy to use as well. I don't care because I don't use Windows, but I do appreciate the fact that MS is trying to simplify the administration of its desktop. Its easier to tell my non-nerd aunt how to d

  • but but but (Score:5, Funny)

    by SunFan ( 845761 ) on Thursday February 17, 2005 @05:53PM (#11705758)

    Windows is more secure than Linux! Right? No?!? It was all a sham? Oh, I see.
  • Listening? (Score:5, Funny)

    by ackthpt ( 218170 ) * on Thursday February 17, 2005 @05:54PM (#11705769) Homepage Journal
    I wonder if anyone will finally start listening to him?"

    I believe after his book that many people in Washington stopped listening to him.

    "the war is really hard, uh, you see and we, uh, we're trying to make them all free and ... Karl, what's the buzzing noise?"
    "Ignore it Mr. President, that's just a reporter refering to something Richard Clarke said."
    "Who?"

  • by Darth Maul ( 19860 ) on Thursday February 17, 2005 @05:56PM (#11705784)
    "I wonder if anyone will finally start listening to him?"

    No. With all the spyware and worms and virii out there, people just won't switch. I just don't get it. I suppose they are just stuck in their ways, and don't want to learn anything else. I suppose for most people, it was enough of a trial to "learn" how to use Windows, so they would rather put up with the crashes, spyware, and everything Microsoft, and just call it the norm.

    It's a shame. But people really are stupid and/or lazy. That's why they won't start listening to anyone about this stuff. If I were a customer of Microsoft, I'd be organizing class-action suits, writing letters, storming Redmond with torches in hand.... Why these people put up with it most likely can be put into two categories: 1) ignorance, and 2) laziness. Either they don't know there are viable options, or they are too lazy to actually pursue said options.

    Just something off the top of my head. Agree? Disagree? Discuss.
    • Why these people put up with it most likely can be put into two categories: 1) ignorance, and 2) laziness. Either they don't know there are viable options, or they are too lazy to actually pursue said options.

      My excuse for running Windows?

      Half Life 2 :-)
    • Lazy. When Linux (any flavor) is as easy to use as Windows (admittedly, Firefox and Open Office are installed on my boxes already), when Linux will run my games with the same "double-click the icon" ease, I'll switch - until then, I don't complain about windows because I know I chose it consciously.
      I admit being lazy. Linux needs to earn my respect by catering to my laziness.
    • by SuperficialRhyme ( 731757 ) on Thursday February 17, 2005 @06:11PM (#11705950) Homepage
      A friend here at college was having a spyware/virus problem that she wanted help with. I offered to help her if she'd use firefox afterwards to prevent this from happening again. She refused because she "likes using Internet Explorer." Even when I told her she could still use it for certain sites, but that it's best not to use it for web browsing.

      I guess some people are too set in their ways. She couldn't name anything she liked about IE, just that she did, in fact, like it.

      That's my experience trying to spread Firefox to some people who might be in your categories 1 or 2. The other people I've introduced to Firefox have all loved it.

      *shrugs* She found someone else to fix it without the condition that she try to use Firefox. I guess it would be interesting to find out if she gets reinfected.
      • by dustmite ( 667870 ) on Thursday February 17, 2005 @07:18PM (#11706531)

        She found someone else to fix it

        You've just hit on the real reason people don't switch ... it's because they always find some geek they can sucker into cleaning up the mess each time, for free! Most people don't even have to lift a finger to keep their systems free of malware - there are geeks running around everywhere literally doing free maintenance - it doesn't even so much as inconvenience them, why would they change?

        Why exactly are we all running around spending hours of our own weekends/evenings etc. cleaning up the mess Microsoft made for them for free? Is your time and expertise worth nothing? You feel "expected" to do it because it's a family member? Or some hot chick sweet-talked you into doing it by flirting a little? (We all know we've done that before). Utter nonsense ... start charging for it!

        People will start considering alternatives when they realise it's going to cost them a tidy little packet every time their systems get jammed up with the latest MS malware.

        I simply told my folks last time they bought a computer, if they buy Windows, I'm not supporting it for them, if they buy a Mac I'll support it for them. Don't expect me to spend my Saturday doing free support work for Microsoft.

        • Why exactly are we all running around spending hours of our own weekends/evenings etc. cleaning up the mess Microsoft made for them for free? Is your time and expertise worth nothing?

          Doing good works is part of living a good life, you capitalist asshole. Not everything must be driven by the dollar.

          People will either listen to reason, or they won't, but that's no excuse for me not to help them. (btw, This is coming from a geek who has pretty much run out of food and possibly money atm.)
    • by ScentCone ( 795499 ) on Thursday February 17, 2005 @06:21PM (#11706036)
      But people really are stupid and/or lazy

      I work hard, and I'm not (very) stupid. The disruption in daily operations for me to cut 40 live web and db servers, along with all of the code, over to Linux from Win2003/SQL/IIS/ASP/VB would be: total budget killer.

      Just changing my group's desktops (including the dev tools, custom apps, storage, file structures, user environments, etc) and ignoring the desktops: total budget killer.

      Much better off to talk about the suitability of the Linux stack for new business units, operations, or totally-clean-slate start-up companies. Of course, many new business units are spun off by too-busy growing companies, using people that are already hip-deep in their existing IT framework. This is NOT like deciding that, at home, this weekend, maybe it's time to switch. Any real change would occupy a typical department's people for man-months at least. Very few operations of any kind have that kind of slop in their budgets, as we're coming out of a recession and an only just now loosening IT cost clamp down.

      I'd be organizing class-action suits, writing letters, storming Redmond with torches in hand

      Maybe I would, but... I've had a busy day doing things for which I collect money, and which help my customers to make money. And I spent that whole day using MS products, none of which crashed, none of which picked up any worms, and none of which required a busy team of people to totally grok a new operating system or try to guess where they'd ever come up with time to do that.

      Why these people put up with it most likely can be put into two categories: 1) ignorance, and 2) laziness. Either they don't know there are viable options, or they are too lazy to actually pursue said options.

      Don't work in a very competitive, time-stressed, low-margin business environment, do you? Or are you 1) too ignorant or 2) too intellectually lazy to imagine that there might be actual, practical barriers to the quick adoption of something that's completely different and which would require hiring, consultants, and substantial risks? It's called inertia, and in tight economic circumstances, bosses and investors don't like to hear: "It's OK, it's completely different, and no one that works here has ever needed to compile code in order to patch something, but we'll figure it out before anything bad happens! Plus, it's free, other than the huge disruption, support costs, and unknown impact on all of our software! Relax, boss - don't be ignorant and lazy. Certain people on Slashdot have a magic Linux wand that they can wave to make this totally painless, instant, and more or less free."
      • I work hard, and I'm not (very) stupid. The disruption in daily operations for me to cut 40 live web and db servers, along with all of the code, over to Linux from Win2003/SQL/IIS/ASP/VB would be: total budget killer.

        Ok, lesson in best practices:

        1) Migrate gradually and without downtime. Start by migrating the applications to PHP or Perl with a database abstraction layer. This may be slow. Then you can switch out the OS for Linux with no downtime if you already have load balancing (and very little d
    • No, I think it's just that people don't understand computer enough to make informed decisions about them on so many fronts that i'ts all they can do to just stick with what is most popular. I mean, to get people to switch to Linux, we have to start with explaining to most people what Linux is, and given how many times people told me their web browser was something like Word, Windows, or Google back when I was working tech support, I think you're going to find that to be difficult.

      Much easier to suggest pe
      • by Cyno ( 85911 ) on Thursday February 17, 2005 @06:59PM (#11706403) Journal
        Viruses are a serious problem for all computers.

        No, just some OSs. Never had a Linux virus.

        Spyware is a serious problem for all computers.

        Same thing here. What is this Spyware you talk about? Never seen it on Linux.

        Crashing is a serious problem for all computers.

        Okay, yes, my computers crash too. Sometimes more than once a year.

        Constant headaches with system failures, bit rot, and software/hardware installation is a serious problem for all computers.

        Bits can rot? System failures? Is that like crashes? Software/hardware installation is not a problem for my Linux systems. I once replaced a motherboard with a whole different motherboard in my RAID server and the system automaticly detected and configured my software RAID when I put the drives on different controllers and in a different order without me needing to edit a single file. It simply works. I plug in a new firewire card or whatever, chances are I have drivers for it already. Except those open source DRI drivers for some video equipment. But 2D always seems to work , sometimes with minor tweaks.

        Macs are too expensive. - cf.) "I need a fast CPU"

        Macs are too expensive. I need a fast CPU, too. I need a dual-core 3+ Ghz CPU today for under $200. *sigh*

        But I think it all boils down to laziness for most people. I mean, who really wants to learn how these things work, besides me? But at least I offer my services for free to early Linux adopters.
  • another interview (Score:5, Informative)

    by r84x ( 650348 ) <r84x@yahPASCALoo.com minus language> on Thursday February 17, 2005 @05:56PM (#11705790) Homepage Journal
    Clarke has talked about cyber security before. To the IEEE, in fact. Read it here. [computer.org]
  • Apologia (Score:5, Insightful)

    by Stanistani ( 808333 ) on Thursday February 17, 2005 @05:59PM (#11705824) Homepage Journal
    Clarke does deserve some kudos as the only responsible government official to apologize to the 9-11 victims's families.
  • by HouseOfMisterE ( 659953 ) on Thursday February 17, 2005 @06:00PM (#11705842)
    Richard Clark is a smart guy, and his book, "Against All Enemies," is a very good read. Highly recommended by the HouseOfMisterE.
  • funny guy (Score:5, Interesting)

    by asoap ( 740625 ) on Thursday February 17, 2005 @06:01PM (#11705846)
    I've been reading his book, and there was one story that I found funny in it.

    Before the olympics in Atlanta, he went down there with his CSG group to asses the security for the games with the people responsible. They were standing in the olympic village and he said something along the lines of:

    "So, it appears that the Olympic village is simply the Atlanta Tech Campus"

    All people in charge of the security measures nodded their heads.

    "It is also true that there is a nuclear reactor on this campus"

    Half of the people nodded their heads.

    "I also bet that there are spent fuel rods for that reactor, and as I can see here, there is almost no security for this reactor"

    No body nodded their heads, and instead fummbled for their cellphones to make the proper arangements.

    I thought that was funny, and I thought you other geeks might also like it.
    • Re:funny guy (Score:4, Interesting)

      by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Thursday February 17, 2005 @07:26PM (#11706603) Homepage Journal
      Spent fuel rods would probably not have posed much of a threat. You can't exactly stuff them down your trouser legs.


      Someone mentioned that such reactors aren't used much. That means nobody would be likely to notice if it got switched on. Or notice if the coolant was leaking. Or noticed if someone had bashed the safeties so that the graphite rods couldn't drop...


      So, yes, he was certainly on the right track, but his imagination wasn't nearly up to scratch.

  • by GillBates0 ( 664202 ) on Thursday February 17, 2005 @06:01PM (#11705849) Homepage Journal
    Don't expect Richard Clarke to rely on Microsoft Corp.'s anti-virus or anti-spyware programs to protect his own computer.

    Yeah...buying an OS vulnerable to viruses and spyware and then buying anti-virus and anti-spyware programs is like shooting yourself in the foot and then running (limping) to the hospital for help.

    And what's more...the hospital profits from lending you a gun and encouraging to shoot yourself in the foot.

  • by 3Suns ( 250606 ) on Thursday February 17, 2005 @06:01PM (#11705850) Homepage
    I wonder if anyone will finally start listening to him?

    I watch his "Rockin' New Years Eve" program every year, and I expect lots of other people do too. I had no idea he was into computer security as well, though.
  • by Anonymous Coward on Thursday February 17, 2005 @06:02PM (#11705868)
    ...why should be listening to him? The call for government regulation of ISPs is scary. They will surely have to ask the ISP they want to regulate how to secure their own government systems that by their own accounting have shabby security.
  • by DARKFORCE123 ( 525408 ) on Thursday February 17, 2005 @06:03PM (#11705873)
    And this is from the same guy who must have done such a great job advising on security matters for the government that most of the government agenecies just recently received an awesome security grade.

    http://www.msnbc.msn.com/id/6981279/ [msn.com]

    Oh wait, that didn't happen!

    Whether he didn't have the power to make the necessary changes or he's incompetent the government obviously needs to take some serious steps to increase cyber security soon!
    • by Infonaut ( 96956 ) <infonaut@gmail.com> on Thursday February 17, 2005 @06:17PM (#11706012) Homepage Journal
      One of the central messages of Clarke's book Against All Enemies [amazon.com] is that for several years he and many other people worked hard to make the system work better, but institutional politics made it practically impossible. In particular, cooperation between US government agencies was atrocious. FBI/CIA coordination was horrible, for example.

      The framework established for the Cold War is not suited to the current realities. But knowint that is different than moving the huge icebergs that government agencies become as they expand and atrophy.

  • more sources (Score:5, Informative)

    by r84x ( 650348 ) <r84x@yahPASCALoo.com minus language> on Thursday February 17, 2005 @06:04PM (#11705880) Homepage Journal
    For you who doubt Clarke's credentials as a "cybersecurity" expert, here are a couple more interviews for you.

    From July 2003 [onlinesecurity.com]

    From Feb 2001 [thiemeworks.com]

  • This is a trap (Score:5, Insightful)

    by argoff ( 142580 ) on Thursday February 17, 2005 @06:08PM (#11705922)
    Security issues are a wonderfull way to convince people that the government should regulate IT, but ironically it will actually play to the favor of Microsoft most of all. As soon as regulations start out, it will start increasing the bariers to entry in the IT space.

    This has happened in every industry it's been attempted in. Plumbing, electricity, telephones, auto-repair. Hell, you can't even sell a hot-dog without going thru 10-20 thousand dollars worth of regulation for it to be legal. Yeah, I know, don't say it. There is always a good sounding reason for these .... yeah ..... right.
    • Re:This is a trap (Score:3, Insightful)

      by SunFan ( 845761 )

      All the heavily regulated industries are that way after lots of property damage and loss of life. Just like a fire inspector might say "all these codes are written in blood." The computer industry is definitely large enough, now, where huge damage is likely.

      For example, what was the value in proprietary information lost due to those worms that e-mail random documents off of PCs? Analogously, who would install a filing cabinet that has a door to the outside for the postman to pick up the files and put th
  • "Given their record in the security area, I don't know why anybody would buy from them.'"

    Because people have already laid down monetary investments in buying MS operating systems and the PCs that go along with them. Most people have a hard time going "well, let's just get rid of all this PC hardware and all the MS-related software we bought for it and switch to something better". It's sad but true. There are better options out there, but once you lay down the money (and time), people don't want to throw
  • by motorsabbath ( 243336 ) on Thursday February 17, 2005 @06:10PM (#11705940) Homepage
    "In a statement responding to Clarke's comments, Microsoft said it has formalized its internal security efforts by adopting an official life cycle that it uses to develop secure software,[...]"

    Just what the hell is that supposed to mean?
  • by MOBE2001 ( 263700 ) on Thursday February 17, 2005 @06:10PM (#11705943) Homepage Journal
    The security problem really has to do with flaws in software. Most viruses and trojans take advantage of defects in operating systems and applications such as email and browser programs. Microsoft is being targeted because they have a monopoly but all software is at fault.

    Software is bad, period. And, contrary to what Frederick Brooks and others continue to claim, unreliability is not an essential property of complex software systems. Unreliability stems from a custom that is as old as the computer: the practice of using the algorithm as the basis of software construction. Switch to a synchronous, signal-based approach and the problem will disappear. For an alternative approach to software construction, see link below.
  • by DickBreath ( 207180 ) on Thursday February 17, 2005 @06:24PM (#11706080) Homepage
    People will not switch from Microsoft until an alternative system is compatible with all of their favorite spyware, adware and worms.
  • Al Quaeda (Score:3, Funny)

    by oil ( 594341 ) on Thursday February 17, 2005 @06:39PM (#11706213)
    Well, no one in the Bush Whitehouse listened to him about the threat from Al Quaeda before the 9/11 attacks, so why would Microsoft bother to listen to him.
  • by flacco ( 324089 ) on Thursday February 17, 2005 @06:43PM (#11706256)
    richard clarke wrote a fictional piece in The Atlantic Monthly - "looking back" from the year 2011 at terrorist activity.

    one of the interesting parts was that, "looking back", much of the world had switched to open source software because it was more secure.

  • Insecurity System (Score:5, Informative)

    by Doc Ruby ( 173196 ) on Thursday February 17, 2005 @06:58PM (#11706400) Homepage Journal
    Yesterday, in a Manhattan Chamber of Commerce presentation, Microsoft's CIO Ron Markezich came out to take a Q&A. Most questions were softballs, but two really stuck out, showing Microsoft really is at least as out of touch as it is "evil".

    Markezich had detailed how his IT department did more than just support 90K desktops worldwide. The were the first consumers of MS software - MS "eats its own dogfood", as Markezich said, and nothing gets released without Markezich's department signing off, after supporting it for months, if not years. A question from the audience asked "I've been using Internet Explorer for 4 or 5 years. It has so many issues, new ones all the time. So much so that when something like Firefox comes along, it knocks IE out of the leadership. What good is all your testing, if it can produce something as bad as IE"? While there are few good answers to that question, Markezich offered probably the worst possible: "I don't know, it works for me". He said he doesn't have IE problems, that they were surprised that it had all the problems in the field, that he doesn't have to install all the patches MS releases, because he doesn't have the problems they address. Astonishing. Remember, this is the CIO of Microsoft, responsible for all their IT globally, including release of their software "when it's ready".

    Another question described, anecdotally, getting a black desktop and mysterious prompt warning that the computer had a security compromise, and the user should click to install important MS security updates. But the user wasn't sure the prompt was from Microsoft, though it claimed to be, and the next click could completely trash a compromised computer. Their question was "how can I tell that a warning and recommendation is from Microsoft, and trust it", considering scams like trojan horses and phishing messages. But Markezich laughed it off, treating it like a weird request for personal tech support - saying "call MS for tech support". I'd have thought that his IT department would be familiar with the scenario, and the issue, and that the question would easily trigger whatever was Markezich's stock response, like "Longhorn will make sure that if a window says "Microsoft" in the title bar, that it's a message only from MS software, or some other lie he made up on the spot. Instead, it's obvious that that kind of social engineering security hole is news to him, though it's been addressed in, say, Java, since day 1.

    There is no Microsoft security. There is only spin control. The marketers, and their lawyer "quality control" agents, control the whole company. Even their CIO just takes their marching orders. Without their monopoly, they'd be a joke, game over. As it is, such performances as we got in midtown yesterday have the smell of a dying beast [slashdot.org].
    • Fascinating. (Score:3, Insightful)

      by aug24 ( 38229 )
      So their test process for IE involves installing it in a secure, corporate environment. No-one outside the room can take it, sandbox it and try to crack it, but they at least check it surfs OK. Wait for a few months and then, when the surfing experience is good enough and there have been, count 'em, no security issues, bung it out for install on a billion unprotected machines, and let the hackers take it to pieces and actively look for holes. Then - suddenly - all these security issues just 'occur'.

      If

  • by Alsee ( 515537 ) on Thursday February 17, 2005 @07:00PM (#11706414) Homepage
    Clarke said he would want to see government regulation of ISPs to ensure that they offer adequate levels of security to their customers.

    He gave a speech at a Global Tech Summit back when he was the President's Cyber Security Advisor. Here's a link to it. [bsa.org]

    And let me give you a few select comments from that speech:

    I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.

    TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough.

    It is not beyond the wit of this industry to figure out a way of forcing down patches

    ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.


    A law to require ISP's to impose security on their customers. The security he means is TCPA, also known as Trusted Computing, TCG, Palladium, NEXUS, Longhorn and about 42 other names. And using this system they can "force down" operating system patches, whether you want them or not. Of course you can't get onling in the first place without an approved operating system (Trusted Linux is in the works, but you'd be screwed trying to use it). It can also scan what software you are running, in order to insist that you are running an approved firewall and/or virus scanner. And any other software they feel like making mandatory.

    Of course it will be a few years before ISP's could do this, almost no one has a Trusted Computer yet. But as Clarke said, the system is to be built into all the products brought to market. Samsung announced a few months ago that they are now manufacturing nothing but Trusted systems. IBM, Dell, and pretty much any PC maker is already selling Trusted system and that will only increase. Microsoft has announced that only Trusted hardware will be properly compatible with the next Windows release, Longhorn. If Longhorn runs on non-Trusted hardware at all, it will only run in a crippled reduced graphics mode. So once Longhorn comes you you can be sure all new PCs will be sold Trusted compliant only. Give it a couple of years after than for the normal PC replacement cycle and *poof*, the majority of PC's out there will be Trusted compliant. And at that point ISPs could very well impose such a security system. And anyone with a non-Trusted computer would be unable to get on the internet. Anyone who did have a Trusted computer but who wanted to control his own computer and software would also be unable to get on an internet.

    Clarke is no longer the President's Cyber Security Advisor, but there are still draft poposals in the government for forcing this through. There's really not much point in them doing anything publicly until more Trusted PCs ship. They'll probably wait for Longhorn to come out and start getting established.

    -
    • The Pirate Internet (Score:3, Interesting)

      by demachina ( 71715 )
      "Of course you can't get online in the first place without an approved operating system"

      From a geeks perspective I'd look upon this as a challenge. In particular would it be possible to create a Pirate Internet, along the lines of Pirate Radio. Use unregulated wireless and create a mesh network that covers the U.S., and links to the rest of the Internet through Canada and Mexico, or maybe shortwave. Would it be possible to create a alternate network for everyone that opts out of trusted computing and co
  • by JeffTL ( 667728 ) on Thursday February 17, 2005 @07:43PM (#11706758)
    Clarke was talking in thinly concealed terms about a Windows worm being theoretically put out by America's enemies, resulting in a shift towards open-source operating systems.

    I wonder if some of the viruses that cause so much trouble are in fact backed by scumbags like bin Laden -- there have been a lot more dangerous Windows viruses since roundabouts 9/11, it seems to me, so I wonder if that's a function of an increase in terrorism, or just the suckage of Windows XP, which came out October 25, 2001. If 19-year-old Russians, the usual suspects, can do so much damage, imagine what people who will not hesitate at suicide can do -- it is frightening at best.
    • But Bin Laden doesn't WANT unorganized chaos and death. This is a common misconception of mose Americans. If you actually READ the stuff Bin Laden says, his goal is to get us and our influence out of Muslim lands.

      If Bin Laden wanted to kill as many Americans as possible, there'd be people getting shot at malls and suicide bombs in America EVERY DAY. Trust me, there's a LOT of available suicide manpower here in the U.S., they just aren't tapped beause the goal of terror is to make a point and get your needs

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...