-
October 31st, 2003, 09:20 AM
#1
Microsoft focuses on security
Product priority reflects 'a defining moment' after recent virus attacks
By TODD BISHOP
SEATTLE POST-INTELLIGENCER REPORTER
LOS ANGELES -- Microsoft Corp. spent the past week touting the new graphics, storage and communications features to come in the next Windows. But the product's fate in the marketplace may ultimately depend on something much less glamorous.
The company, plagued in recent years by viruses that infiltrate flaws in Windows, is promising fewer bugs and new levels of security in Longhorn, the next generation of the operating system, unveiled publicly at a Microsoft conference here this week.
Watching closely will be a beleaguered public -- businesses and individual computer users, many of them overwhelmed by viruses and the steady stream of software patches needed to thwart them.
"It's really a defining moment for us, and we need to get it right," acknowledged Amy Carroll, director of the company's security business unit.
Longhorn, due on the market in 2005 or 2006, will be the first version of Windows developed entirely under the company's Trustworthy Computing initiative. That initiative began last year, when company Chairman Bill Gates publicly declared security and related issues the company's top priority.
As part of Trustworthy Computing, the company is using new methods to analyze software code for flaws and to assess whether a given program is truly secure.
Examples include a practice called threat modeling, which examines different ways hackers might be able to exploit a program; and automated tools that check code for common errors, such as buffer overruns.
Microsoft executives say the results are already starting to become apparent in the company's products.
For example, Windows Server 2003, released this year and developed in part after the company launched the Trustworthy Computing initiative, had six reported critical or important vulnerabilities in the first 180 days after its release, compared with 21 vulnerabilities in the first 180 days after the debut of its predecessor, Windows Server 2000.
But problems persist, nevertheless. Windows Server 2003 was one of several Windows versions for which Microsoft reported a critical flaw and issued a patch in July.
A few weeks later, the Blaster virus exploited that flaw to penetrate unpatched computers worldwide, causing erratic behavior and planting files designed to launch an online attack on a Microsoft Web site.
The effects of Blaster and other viruses that hit around the same time were apparent in Microsoft's first-quarter earnings, reported last week. The company experienced a $750 million decline in unearned revenue -- billings from volume licensing deals that are recognized as revenue over time -- in part because the viruses distracted customers and kept salespeople from closing deals.
Around the world, particularly outside the United States, municipal and national governments have cited security concerns as one reason for considering alternate computing platforms, such as the open-source Linux operating system.
"Security has opened a crack in Microsoft's dominance on the desktop," said John Pescatore, vice president for Internet security at the Gartner Inc. research group.
At the same time, Microsoft has an inherent advantage because its platform is so entrenched. Even if a widespread shift to Mac or Linux were to happen, it would take place incrementally, over time, said Ted Schadler, principal analyst at Forrester Research.
Yesterday, Microsoft held a special symposium on software security during its Professional Developers Conference at the Los Angeles Convention Center. The aim was to share with attendees -- primarily software developers from outside the company -- some of the techniques that Microsoft has learned for creating secure software, to let them use the same practices in developing their own.
Mike Nash, corporate vice president in the company's security business unit, told the audience that part of the problem in the broader industry is that many developers weren't taught sound security practices as part of their computer-science education.
During the symposium, Microsoft representatives went through the intricacies of common programming mistakes, such as buffer overruns, and described how to prevent them. One example they showed was the very section of flawed code exploited by the Blaster virus this past summer.
They also repeated a common theme, pointing out the lengths to which hackers will go to find and exploit vulnerabilities.
"You may live in the nicest part of town, but the moment you plug that network cable into the wall, you are in the seediest neighborhood on the planet. There are some really rotten people out there," said Michael Howard, a Microsoft senior security program manager and an author of the book, "Writing Secure Code."
Seeing Microsoft security experts demonstrate what they have learned about preventing flaws and protecting computers left some attendees with the impression that the company is on the right track.
"It's a tough job, but they've just gotta keep going at it," said Sheldon Riesen, a software developer with Tantia Technologies in Calgary, Alberta.
At the same time, Riesen acknowledged the magnitude of the challenge that Microsoft faces. "They have millions of lines of code. With so much, there's bound to be some problems in there," he said.
Microsoft executives say they believe the Longhorn operating system will translate into significantly fewer vulnerabilities for viruses to exploit. But even with the new methods that the company is using to create secure programs, they say, the advent of Longhorn won't mean the complete end of software flaws.
That means there will still be a need to distribute software patches -- fixes for identified flaws -- to businesses and individual users. Microsoft is trying to make that process more manageable by, among other things, improving the quality of patches, making patch file sizes smaller, and simplifying the process of notifying consumers and businesses about flaws and available patches.
Although Longhorn isn't coming out for as many as three years, a number of the planned security improvements will be available to Windows XP users next year as part of an update known as a service pack. Expected improvements include the activation of a computer's firewall by default and the handling of e-mail attachments in such a way that a user can't open a file that might infect a computer.
Further down the road, Longhorn's debut should give Microsoft a unique opportunity to make it easier for users to track and apply patches, said Forrester Research's Schadler.
"They can build into Windows the ability to do patch management in a much more native way," Schadler said. "That's a big deal, because you're never going to build a bulletproof operating system, so patch management has to become a more natural part of the landscape."
At its Los Angeles conference this week, Microsoft spent much of its time talking about the other features to come in Longhorn, including an updated graphical interface and a data-storage system that makes it easier to search for files and create relationships across otherwise disparate computer programs.
The security symposium was held on the last day of the conference, as many attendees were heading out of town. Some people left the symposium early to catch flights home.
But Neil Charney, director of product management in Microsoft's desktop Windows group, said the company considers security a higher priority than any of the new Longhorn features unveiled this week. "We get to go there," Charney said of those features, "when we focus on the security elements in the right way."
http://seattlepi.nwsource.com/busine...ecurity31.html
-
October 31st, 2003, 09:40 AM
#2
Good article.
For the good of computer security I sincerely hope that they make good on their promise to do a better job with security, and that this is not just more lip service from the Redmond Gang.
Perhaps they should hire the services of Theo de Raadt and friends to teach them about security.
-- spurious
Get OpenSolaris http://www.opensolaris.org/
-
October 31st, 2003, 11:51 AM
#3
It is a shame that Microsoft is under so much pressure to sink its system to the level of the lowest common denominator. Firewalls on by default? More secure configuration by default? Because thousands of System Admins are too stupid and lazy to read the damned TFM? Very, very sad.
catch
PS. Theo de Raadt is NOT a good example of someone that knows security. OpenBSD is garbage by every single measure except for what system has the least functional default install and what system can best cover up security issues by using the most narrow definition of "exploit."
-
October 31st, 2003, 12:25 PM
#4
Originally posted by catch
PS. Theo de Raadt is NOT a good example of someone that knows security. OpenBSD is garbage by every single measure except for what system has the least functional default install and what system can best cover up security issues by using the most narrow definition of "exploit."
And you have an example of a non-experimental OS in use in an actual production environment with a better security record?
An expert apparent, I am certain you will be able to enlighten us groveling, insecure, garbage-using peons as to the only truly secure way to compute. SE Linux perhaps, oh enlightened one?
Get OpenSolaris http://www.opensolaris.org/
-
October 31st, 2003, 02:37 PM
#5
Originally posted here by catch
It is a shame that Microsoft is under so much pressure to sink its system to the level of the lowest common denominator. Firewalls on by default? More secure configuration by default? Because thousands of System Admins are too stupid and lazy to read the damned TFM? Very, very sad.
catch
PS. Theo de Raadt is NOT a good example of someone that knows security. OpenBSD is garbage by every single measure except for what system has the least functional default install and what system can best cover up security issues by using the most narrow definition of "exploit."
OpenBSD is garbage, hmm, perhaps we should inform Microsoft of that, seeing that it runs Hotmail; we should also tell the military, as they are switching over to BSD and Linux due to security and stability issues. MS is under no pressure to code things to the lowest common denominator, they are under pressure to write code that works... as for lazy admins, I think a lot of the non-patching is due to broken patches. I know I cannot roll out the newest RPC patch because it breaks a lot of DCOM objects, but see, I work in a real environment with real issues, so I luckily have a BSD based firewall protecting my MS ****.
Who is more trustworthy than all of the gurus or Buddhas?
-
October 31st, 2003, 02:54 PM
#6
BBallad: Not trying to get into a flame war or anything but I think the point I am about to make is a valid, real world point.... take it as that please......
I work in a real environment with real issues, so I luckily have a BSD based firewall protecting my MS ****.
Question: Why do you use Microsoft products if they are such a load of......?
Answer: Because you have no choice.... You are told/forced to!
So, despite all the ranting, raving, bitching moaning and complaining, (by everyone), about M$'s "****" the reality is we have to use it. Therefore it is our task to secure it, period.
It's a fact of life.......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
October 31st, 2003, 03:13 PM
#7
One important thing to notice, is that 90% of the people that criticize Windows, run it themselves. Why?...
Going along with Tiger Shark's point, is that we ARE forced to use it, do you know of any gaming vendors that use BSD/Linux for their main game ports? No you don't, so by totally boycotting Windows, you screw yourself out of a lot of stuff, such as gaming, and some good applications as well.
Also, as I keep saying in discussions like these, the reason why Microsoft gets so much heat from the industry is because it has become an industry standard! I'm not saying that Linux couldn't be, but if it were to be as big and as widely used as Microsoft's products are, then you would see more people familiar with Linux, and therefore more people trying to break it.
Now I'm not playing favorites between OS's, I'm just saying there are key factors as to why we use one or the other. And to bash Microsoft and call it crap is preposterous... Because like I said, we all use it, and just don't want to admit it.
Bottom line, Microsoft could use some tuning...but it most certainly isn't crap...It gives us functionality that we all need sometimes.
It goes along with the saying "When it's going fine, then everything is peachy; when it breaks, everything is ****."
Just my 2 cents
Creating further mindless stupidity....through mindless automation.
-
October 31st, 2003, 04:01 PM
#8
Originally posted here by Tiger Shark
BBallad: Not trying to get into a flame war or anything but I think the point I am about to make is a valid, real world point.... take it as that please......
Question: Why do you use Microsoft products if they are such a load of......?
Answer: Because you have no choice.... You are told/forced to!
So, despite all the ranting, raving, bitching moaning and complaining, (by everyone), about M$'s "****" the reality is we have to use it. Therefore it is our task to secure it, period.
It's a fact of life.......
I agree with you completely here, tigershark. In fact I feel that MS does a lot of things well (I would not expect nontech users to have a non-MS/non-Mac working environment), and I admit that the VB programmers come much cheaper than Perl or C programmers. But to claim that MS has the best security record around is sheer insanity, to claim that OpenBSD is an experimental OS is insane, to claim that Linux has no place in the business world is pure FUD. I didn't post to bash MS but to put some perspective back in the thread: you (at least if you are a serious computer professional with data that cannot be compromised) do not trust your security to MS products; their new security focus so far has been a lot of talk with no real gain.
Originally posted here by disc0rd
One important thing to notice, is that 90% of the people that criticize Windows, run it themselves. Why?...
Going along with Tiger Shark's point, is that we ARE forced to use it, do you know of any gaming vendors that use BSD/Linux for their main game ports? No you don't, so by totally boycotting Windows, you screw yourself out of a lot of stuff, such as gaming, and some good applications as well.
Also, as I keep saying in discussions like these, the reason why Microsoft gets so much heat from the industry is because it has become an industry standard! I'm not saying that Linux couldn't be, but if it were to be as big and as widely used as Microsoft's products are, then you would see more people familiar with Linux, and therefore more people trying to break it.
Now I'm not playing favorites between OS's, I'm just saying there are key factors as to why we use one or the other. And to bash Microsoft and call it crap is preposterous... Because like I said, we all use it, and just don't want to admit it.
Bottom line, Microsoft could use some tuning...but it most certainly isn't crap...It gives us functionality that we all need sometimes.
It goes along with the saying "When it's going fine, then everything is peachy; when it breaks, everything is ****."
Just my 2 cents
No one should be playing games on your server. I was under the impression that we were discussing real machines here and not game boxes.
Who is more trustworthy than all of the gurus or Buddhas?
-
October 31st, 2003, 04:26 PM
#9
To: The Imposter.... We agree!!!!! Who are you and what have you done with BBallad????
I do not, nor ever have said that M$ has the best security around or that openBSD is experimental..... That was our friend Catch who, we are all well aware of, has his own strong beliefs about OS security..... So I won't go there.... Morning Catch.....
you (at least if you are a serious computer profeshional with data that cannot be compromised) do not trust your security to MS products,
Actually I do, insofar as you do. Are my machines open to the world? No, I have a firewall that isn't M$'s. Do I have intrusion detection systems? Yes, they aren't M$'s because M$ doesn't have one. I have machines outside my firewall - utterly unprotected? No - M$ machines? Yes - part of the overall IDS system. Have they ever been compromised? No - they almost certainly have never been discovered. Once you get inside the firewall you will be confronted with totally M$ boxes. If you have read my posts and tut etc. in the past you will know that I place very strict parameters on my systems and my users. They work. The combination of well thought out and implemented systems coupled with strictly enforced policies has kept this network pretty much "pest" free for some ten years, a fact that I am quite proud of. In fact I was only thinking about this the other day having just picked up on a machine 15 miles away that got some petty little adware on it....... The thought was - "If my job has reached the stage that my big excitement for the week is picking up on adware then I am "the boy"!!!!!". Then I jerked myself back to reality and realized that what is all fine and dandy right now might have changed in five minutes.... But this is a Windows environment and I trust it - because I _almost_ trust myself........
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
October 31st, 2003, 04:56 PM
#10
tiger, my comments were directed mostly at catch and his "security" advice. Ahh, to live in your world where you can lock down the desktops completely... stupid field sales reps with infected home PCs that then compromise the network over the VPN with viruses that are not yet defended against are the bane of my existence, but it's a sales driven company and one cannot inconvenience the sales monkeys.... ok, rant mode off now.
Who is more trustworthy than all of the gurus or Buddhas?