Microsloths new security stance
EvIl eLf
January 17th, 2002, 01:37 PM
Hello all, this morning at about 6:40 A.M. EST Bill Gates announced that security would now be at the forefront of all Windows products {about time}. Bill also claimed that individuals would receive training in Microsoft Security {an oxymoron if I ever heard one}. Ladies and gents, I can see it now: people having a full 7-test certification to secure a product that doesn't truly belong to Microsoft. I am curious to hear what you think.
eViL
Kewl_Zero
January 17th, 2002, 01:57 PM
I think it is time to stop thinking of Micro$oft products as the de facto standard... god... my stomach just can't take any more of this $hit!!!
Vorlin
January 17th, 2002, 02:53 PM
I'm thinking it's something that Bill wants to get out into the open so that MS will have less heat from everyone, but this is nothing new. Until you get your departments talking to each other and programmers working together (what a concept), security will be limited to what each individual can do, and given the nature of the "code" existing right now for IE, Winblows, etc., I'd say there's a long way to go.
Steps to take to "secure" MS products:
1: start talking to each other at work
2: stop bullshitting around and worrying about politics
3: walk through every line of miserable "code" and remove bloatware
4: stop "patching" functions at the end of the code...patch it where it's broken, not at the end you f'ing morons.
5: check all variables and VALIDATE all user input against a strict function. Put rules on everything.
Example of #5 (in Perl):
#!/usr/bin/perl
use strict;
use warnings;

# $name is shared between get_name() and check_name()
my $name;

# declare get_name function to get the name from standard input (STDIN)
sub get_name {
    print "Enter your name: ";
    $name = <STDIN>;
    # stop instead of looping forever if STDIN is closed (nothing to read)
    die "no input on STDIN\n" unless defined $name;
    chomp $name;    # drop the trailing newline so it is not counted
    # call function check_name() for validating $name
    check_name();
} # end the function

# define the function check_name()
sub check_name {
    # check against empty/null lengths and those greater than 15
    if (length($name) < 1 || length($name) > 15) {
        printf "Illegal name length : %d\n", length($name);
        # call get_name again
        get_name();
    } else {
        # keep going
        continue_parsing();
    } # end the if check
} # end the function

# whatever comes next; here it just confirms the accepted name
sub continue_parsing {
    print "Name accepted: $name\n";
}

get_name();
This is a very, very simple check for just length and empty/null variables. I could do more, but I don't know if people really want to read all that shite, hehe. If people want it though, I could post varying checks in shell, in C, and in Perl for simple error checking. Maybe if MS starts doing "simple" stuff like this, we'll stop seeing crap like this. How many bugs exist that just come from buffer overflows (unchecked data length) and variable exploits (unchecked variables and assignments)? Too many... way too many.
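The same rule as the Perl above, as an added example in C that is not part of Vorlin's post: the unchecked copy behind the "unchecked data length" bugs he refers to sits beside a checked version that validates before it writes. The 1-to-15-character limit comes from the post; the struct layout, the function names and the sample inputs are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 15   /* the post's limit: 1..15 characters is legal */

/* Constructed record: an overflow of `name` runs straight into is_admin. */
struct user {
    char name[MAX_NAME + 1];   /* 15 characters plus the terminating NUL */
    int  is_admin;
};

/* Length of s, never scanning more than max bytes, so the check itself
 * cannot read off the end of an unterminated input. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The "unchecked data length" pattern. strcpy stops at the source's NUL,
 * not at the end of the destination: with an input longer than MAX_NAME it
 * writes past `name` (undefined behaviour; on a typical layout it lands on
 * is_admin). Kept only for contrast; never call it on untrusted input. */
void set_name_unchecked(struct user *u, const char *input)
{
    strcpy(u->name, input);
}

/* Vorlin's check_name() rule: reject empty names and names over MAX_NAME.
 * Returns 1 if the name is acceptable, 0 otherwise. The reported length is
 * capped at MAX_NAME + 1 because that is all we need to scan to decide. */
int name_is_valid(const char *input)
{
    size_t len = bounded_len(input, MAX_NAME + 1);
    if (len < 1 || len > MAX_NAME) {
        fprintf(stderr, "Illegal name length : %zu\n", len);
        return 0;
    }
    return 1;
}

/* Validate first, then copy exactly the bytes that fit. Returns 0 on
 * success, -1 on rejection; on rejection the record is left untouched. */
int set_name_checked(struct user *u, const char *input)
{
    if (!name_is_valid(input))
        return -1;
    size_t len = bounded_len(input, MAX_NAME);
    memcpy(u->name, input, len);
    u->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct user u = { "", 0 };
    /* Constructed inputs: 32 bytes of 'A' is the sort of "huge length" that
     * crashes an unchecked reader; "vorlin" is a legal name. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (set_name_checked(&u, too_long) != 0)
        printf("rejected; is_admin is still %d\n", u.is_admin);
    if (set_name_checked(&u, "vorlin") == 0)
        printf("accepted: %s\n", u.name);
    return 0;
}
```

The point of the split into name_is_valid() and set_name_checked() is that the decision is made on a bounded scan before any byte is stored; the copy then uses memcpy with the length already known, so there is no second, unbounded walk over the input.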
gold eagle
January 17th, 2002, 03:17 PM
What do I think? I'll tell you what - I'm tired of patching their crap OSs, apps and browsers. I still have to patch various Unixes and other OSs/apps, but M$ keeps us almost daily patching, hotfixing or service packing. :mad:
zion1459
January 17th, 2002, 10:30 PM
micro$oft sux... it's as simple as that... :D
Maverick811
January 17th, 2002, 10:50 PM
Originally posted by EvIl eLf
Hello all, this morning at about 6:40 A.M. EST Bill Gates announced that security would now be at the forefront of all Windows products {about time}. Bill also claimed that individuals would receive training in Microsoft Security {an oxymoron if I ever heard one}. Ladies and gents, I can see it now: people having a full 7-test certification to secure a product that doesn't truly belong to Microsoft. I am curious to hear what you think.
eViL
Okay, now I'm confused - you mean Microsoft is going to release software that you don't have to patch 23 times a week? Since I agree with what Vorlin said, Microsoft probably can't pull this off, so I'd say that these new statements from Microsoft mean nothing. However, if Microsoft software is more secure in the future, it'll probably only require 15 patches and fixes per week. Of course, I guess that is an improvement :D Well, at least Microsoft realizes that their software just ain't the most secure in the world.
Focmaester
January 18th, 2002, 12:20 AM
There is something fundamentally flawed with Windows. But I think when it comes to making new products the M$ marketing department has more to say than engineering does.
TechnologyBudda
January 18th, 2002, 12:31 AM
I agree with anything said against Microsoft. I've never understood why M$ can't just do one of two simple options:
1. Distribute Windoze source code, so the legions of computer literates on the net can help in the monumental task of debugging it. (yeah, right)
2. Make Windows open source, like most UNIX-based OSs, and allow an option for people to send the revised code directly back to the programmers, so they can implement it in future versions of Windoze.
I know that Gates is too interested in $$money$$ to take the time to put a decent OS on the market.
smirc
January 18th, 2002, 01:00 AM
Just a thought:
<breath>I reckon that if even half of the decent programmers out there who are sick of Microsoft OSs worked together for half the amount of time that is spent bitching about Microsoft's dodgy products, they could write an OS that is at least twice as good as any Windows!</breath>
zion1459
January 18th, 2002, 11:24 AM
Originally posted by smirc
Just a thought:
<breath>I reckon that if even half of the decent programmers out there who are sick of Microsoft OSs worked together for half the amount of time that is spent bitching about Microsoft's dodgy products, they could write an OS that is at least twice as good as any Windows!</breath>
We don't need to... we've already got linux! :)
but you're right... we shouldn't waste so much time bitching about M$, we should use our time to do something creative and enjoy our interests.... but if "bitching about M$" is one's main interest then I find it quite alright for him/her to do it all he/she wants to... lmao :D :D :D... we all (well, except Bill Gates) hate M$ and its unsecured, overgraphical, flawful programs so let's fight the power and kick them the hell out of the 'puter market! revolution! yea! :D
EvIl eLf
January 18th, 2002, 02:05 PM
Vorlin, you the man. Microsoft is not a horrible product, although it's not the coup de grâce; the idea of Windows does not suck, it's the release timing. I believe if old Billy would wait a while and actually do some serious wind tunnel type tests on his products they would be excellent. I have some problems with people debating Unix vs XP vs Mac OS vs Netware. They all have weaknesses and strengths. Now as for firewalls, OK, I admit
WatchGuard is not for a large business, but I know of several prominent clothing companies who have never been cracked and are using it. Check Point does not suck; it does have a lot of holes to be exploited, but Marcus Ranum stated a firewall is only as good as its admin. Most of the holes found are because Check Point can be severely scrutinized since it is very common, plus there are specific configurations to follow that admins just don't adhere to. Let me not go off on Check Point, or PIX for that matter. If Microsoft waited to release XP an extra year, say 2003, I believe it would have been the best OS they have made. Do not misquote me: not the best OS in the world, just the best Microsoft has made, but I think that's a long way off. About firewalls: they are not the end-all solution; if they were, a lot of us would work at factories.
PS I enjoyed all of your input and I look forward to more comments.
EviL
Infiltrator
January 18th, 2002, 05:09 PM
It seems that this "Bill Memo" was sent out at an interesting time. There is some talk that there may be a law (criminal or civil) that will hold a company responsible for any damages incurred from a security issue in their software. In other words, if a server running Win NT / 2000 etc. becomes compromised, and it is proven that the breach was done using a security hole within the Microsoft program (OS, application etc.), then Microsoft would be liable and there would be penalties and fines.
I don't remember the links that I saw this from, but it causes an interesting set of events. We know that Microsoft products have security issues. We know that it costs money to resolve these issues, both at the customer level and at Microsoft's level. Now the gov wants to step in and make it illegal to produce software that is not secure. The question that comes to mind is: should the gov be deciding this issue?
Just a question. :)
Infiltrator
EvIl eLf
January 18th, 2002, 06:21 PM
A lot of breaches occur when someone sets up a server such as Windows 2000 Server with Check Point and does not apply the proper patches or hardening methods. We all need to consider that Microsoft came long after TCP/IP, which by default is insecure. I am not saying that Microsoft is not at fault ("they are"), but only partially; some of the blame is on lack of knowledge. I once met an MCSE who did not know what DNS was; he is the admin for a hospital. Comforting thought, isn't it? Imagine it now: his boss asks him to implement a security solution. Guess what he does? He buys Check Point or something like that, and if he is even smart enough to configure it properly he leaves holes in the OS. I can see it now.
EviL
Infiltrator
January 18th, 2002, 09:21 PM
EvIl, I agree. There are so many areas in computer science that it is impossible for any one person to be a master of all of them. However, when a company designs a program and does not do enough QC on their product, should they be liable? I say yes. I just don't think the gov is the one to make the decision on security.
One of the biggest exploits I have seen listed on Microsoft NT has been buffer overflows. This is an attack at the fundamental area of a program. This issue could be avoided with more QC from Microsoft.
The problem as I see it is thus:
A tech, engineer, computer scientist or other highly technically trained person has a certain mindset, which is, 'Do it right the first time'.
A businessman, CEO, CFO, or generic bean counter generally has the mindset of, 'What is the bottom line? How much can we shave off the top?'
When Microsoft develops a product (Gadget X), the marketing dept is spending tons of money to promote it and the business side of the house wants to get it out on the shelves as soon as possible to start getting a return on its investment. In other companies the product has to be of good quality or that company won't survive very long; their customers will lose faith in them. With Microsoft, they are the King Of The Hill at this time, so they can get away with much more. Since Microsoft is a business, the business rules seem to apply first. I think that if a better balance is found within Microsoft such that more QC is done on their products and reasonable ship dates are set, their products should be of a better quality. Of course, this will allow Microsoft to become even stronger in its position and I am not so sure that is a good idea, but that is for another post.
Infiltrator
EvIl eLf
January 21st, 2002, 02:01 PM
Infiltrator hit it right on the head.
thats all
EviL
Vorlin
January 21st, 2002, 02:21 PM
One of the biggest exploits I have seen listed on Microsoft NT has been buffer overflows. This is an attack at the fundamental area of a program. This issue could be avoided with more QC from Microsoft.
Buffer overflows are as common as people asking how to hack Hotmail and could be prevented if MS actually hired decent programmers and/or the programmers they do have actually checked their shit. It takes NOTHING to put a few constraints on a program for length. That's all we're really talking about here: the length of data being shoved into a variable or array. Why this is so hard for them to understand is beyond me, as any programmer knows this stuff right out of Programming 101 (or maybe 202 if Programming 101 is to teach them what all the keys on the keyboard mean). I might come off as hostile against programmers, but as a Unix administrator working with 8-10 NT admins who "program", I've seen them constantly forget the "basic fundamentals" with their scripts and, worse yet, their CGI scripts that they put into "production" on the intranet. Twice to date, I've crashed their web server just by putting in invalid data, and a huge length at that. You'd think some people would learn. All they do is get mad at me and they've stopped telling me when they add something (like adding a CGI script is really a big deal?). Maybe when they actually decide to write good code that has error checking in it, I won't be as pissy towards them. :rolleyes:
But who knows, it IS point-and-click after all. Maybe my expectations are too high.
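An added example of the CGI input handling Vorlin describes, not his or the thread's own code: a C routine that pulls one parameter out of a raw QUERY_STRING and percent-decodes it into a fixed buffer, refusing a value that would not fit instead of running past the end of the buffer (which is what "invalid data, and a huge length at that" exercises). The key names, the 64-byte per-field limit, the error codes and the sample query strings are all assumptions of this example, not anything on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_VALUE 64   /* assumed per-field limit; longer values are refused */

/* Result codes for get_query_param(). */
enum {
    PARSE_OK         =  0,
    PARSE_MISSING    = -1,   /* key not present */
    PARSE_TOO_LONG   = -2,   /* decoded value would not fit the buffer */
    PARSE_BAD_ESCAPE = -3    /* "%" not followed by two hex digits */
};

/* Constructed sample query strings (not captured from any real server). */
static const char SAMPLE_OK[] = "user=vorlin&name=Bill%20Gates&x=1";
static const char SAMPLE_LONG[] =
    "name="
    "AAAAAAAAAAAAAAAAAAAAAAAAA"   /* 25 */
    "AAAAAAAAAAAAAAAAAAAAAAAAA"   /* 25 */
    "AAAAAAAAAAAAAAAAAAAAAAAAA";  /* 25: 75 bytes, over the 64-byte limit */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Find `key` in a "k=v&k2=v2" query string and percent-decode its value into
 * out[outsz]. out is always NUL-terminated and is emptied on error. The size
 * check runs before every byte is stored, so an oversized value is refused
 * rather than written past the buffer. */
int get_query_param(const char *query, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = query;

    out[0] = '\0';
    while (*p != '\0') {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        /* Exact key followed by '=' (so "username" does not match "name"). */
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *vend = p + plen;
            size_t n = 0;

            while (v < vend) {
                int c;
                if (*v == '%') {
                    int hi, lo;
                    if (vend - v < 3 || (hi = hexval(v[1])) < 0 || (lo = hexval(v[2])) < 0) {
                        out[0] = '\0';
                        return PARSE_BAD_ESCAPE;
                    }
                    c = hi * 16 + lo;
                    v += 3;
                } else if (*v == '+') {
                    c = ' ';
                    v++;
                } else {
                    c = (unsigned char)*v++;
                }
                if (n + 1 >= outsz) {          /* keep one byte for the NUL */
                    out[0] = '\0';
                    return PARSE_TOO_LONG;
                }
                out[n++] = (char)c;
            }
            out[n] = '\0';
            return PARSE_OK;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return PARSE_MISSING;
}

/* Convenience for the demo: does `key` decode to exactly `expected`? */
int param_equals(const char *query, const char *key, const char *expected)
{
    char buf[MAX_VALUE + 1];
    return get_query_param(query, key, buf, sizeof buf) == PARSE_OK
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *q = getenv("QUERY_STRING");   /* what a real CGI would read */
    char name[MAX_VALUE + 1];
    int rc = get_query_param(q ? q : SAMPLE_OK, "name", name, sizeof name);
    printf("name -> code %d, value \"%s\"\n", rc, name);
    rc = get_query_param(SAMPLE_LONG, "name", name, sizeof name);
    printf("oversized name -> code %d, buffer left empty\n", rc);
    return 0;
}
```

The caller passes the destination size rather than trusting the input to be short, and a malformed escape is treated as an error rather than being passed through, which is the difference between a script that returns a 4xx on bad input and one that can be crashed by it.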
TechnologyBudda
January 24th, 2002, 12:00 AM
Go Vorlin!
smirc
January 24th, 2002, 01:54 AM
Originally posted by zion1459
We don't need to... we've already got linux! :)
but ur right... we shouldn't waste so much time on bitching about M$, we should use our time to do something creative and injoy our interests.... but if "bitching about M$" is ones main interest then I find it quite alright for him/her to do it all he/she wants to... lmao :D :D :D... we all (well, except Bill Gates) hate M$ and it's unsecured, overgraphical, flawfull programs so let's fight the power and kick them the hell out of the 'puter market! revolution! yea! :D
Yeah, Linux rocks. It just occurred to me that A LOT of energy was being devoted to complaining that could be used to do other really cool things =).
shkuey
January 24th, 2002, 02:09 AM
Buffer overflows are as common as people asking how to hack Hotmail and could be prevented if MS actually hired decent programmers and/or the programmers they do have actually checked their shit.
It certainly could be their programming staff, but it could also be management imposing undesirable limitations on their code. Just a thought.
EvIl eLf
January 24th, 2002, 08:02 PM
It is definitely the time constraints imposed on these poor programmers.
Imagine how they must feel having to patch something they could have done with some QA, hmmm. Look at Enron; it's all about the bottom line. I don't knock the fact that Microsoft products cost money; I believe if an OS is costing me a grand it should at least work properly. Think about it: Windows 2000 has a C2 security rating, so does Netware 5.0, but the C2 for Windows 2000 is with most of the networking services disabled; Novell's rating is in a networked environment. Why do you think most companies install Check Point on a Unix or Linux based system? They know it's easier to armour Unix and still use a Windows based management GUI.
Let us all thirst for more knowledge and not have inflated egos
PEaCe Evil Elf
Wickdgin
July 19th, 2002, 07:27 AM
Originally posted by TechnologyBudda
I agree with anything said against Microsoft. I've never understood why M$ can't just do one of two simple options:
1. Distribute Windoze source code, so the legions of computer literates on the net can help in the monumental task of debugging it. (yeah, right)
2. Make Windows open source, like most UNIX-based OSs, and allow an option for people to send the revised code directly back to the programmers, so they can implement it in future versions of Windoze.
I know that Gates is too interested in $$money$$ to take the time to put a decent OS on the market.
I agree that turning Windows open source would solve many problems in security, stability, and overall quality of the OS.
However, as we both know this will never happen. I totally understand why they don't:
(1) Microsoft has been open source's biggest critic; how would it look if they just released Windows' source code?
(2)Microsoft likes to do a lot of sneaky things in the background, releasing the source code would be the end of that
(3) The world would know just how poorly programmed Windows really is