MS & security: The speech of god

Printable View

March 27th, 2003, 07:18 PM
Networker

MS & security: The speech of god

I found this funny Mail sent by Bill Gates in the early days of 2002. About the goal for MS to focus on decurity

Quote:

src: http://www.wired.com/news/business/0,1367,49826,00.html At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like Writing Secure Code, by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up. In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute.

And in the mean time XP SP1 came up ....
March 27th, 2003, 07:47 PM
Maverick811

Re: MS & security: The speech of god

Quote:

Originally posted here by Networker
And in the mean time XP SP1 came up ....

Yea, but would you honestly expect anything less from Microsoft?

I applaud their efforts to try and build secure software, but I don't know that it will ever happen to the degree in which it needs to. Will MS code be more secure in the future? We'll wait and see, but I know what my guess would be.....
March 27th, 2003, 07:51 PM
TheFiend

they ARE trying, i mean if i had as much money as them i think id prolly have a lil better software too, there coming along way better than they did back a few years ago (Windows NT, Windows2,000 and XP) are way better than 95 and ME, i think what they should do, is work with a BSD team, take there pretty GUIs and add the reliability of BSD:) then wede have something out there that would kick the hell outta everyone.
March 27th, 2003, 07:58 PM
tonybradley

Isn't it somewhat of a pipe dream? I mean, they can build more secure programs, but I don't believe its possible to build impenetrable code.

The security of any coding is only as good as whatever is known now or what those particular developers used. Its only a matter of time before someone more clever comes along or new technology is created that nullifies that security.

Being Microsoft, they are constantly under a microscope- both because so many dislike them and want to embarass them by finding flaws and because finding a vulnerability in a Microsoft product creates such a target rich environment. I think that under such a microscope someone will eventually find some vulnerability no matter how hard Microsoft tries.

That said, I think that it is nice that they make the effort. While their efforts may not build perfect or impenetrable code, eliminating vulnerabilities, especially the ones that are easiest to exploit, will still significantly improve things.

Just like I can leave my house unlocked- that is one level of security. I can lock the door- that is another level. I can lock the windows. Install a deadbolt. Install an alarm system and video surveillance. In the end my house won't be impenetrable, but each increased level of security keeps out another level of burglar so that only a dedicated professional should be able to get into my house.

Similarly, I would hope that Microsoft's efforts will make strides toward building software secure enough that only a dedicated professional hacker can break it and not just your everyday script-kiddie.
March 27th, 2003, 11:09 PM
smirc

MS are trying to clean up their act as far as security is concerned but it's going to take them quite a few audits to get the OS code anywhere near as nice as a Unix (such us OpenBSD). Windows didn't start out as a networking OS but Unix has had decades in the trenches. Unfortunately, it's hard to make a secure OS that is built on fundamentally insecure code and principles.

Windows is moving towards more Unix-like principles as far as resource management and permissions are concerned. The Windows networking API was based on BSD though I fear the implementation of their TCP/IP stack leaves something to be desired. On the other hand, Linux and some Unixes are moving their user interfaces towards the Windows style which is creating it's own set of security problems. Check out VictorKaum's recent discovery of a Redhat security problem that exploits the GUI based password management tools.

It makes me wonder whether Unix and Windows will borrow so much from each other that over time it will be hard to tell the difference.