
Thread: Microsoft moves beyond patches

  1. #11
    Junior Member
    Join Date
    Mar 2003
    Posts
    7
    Hi all,

    I remember watching a UK TV documentary about 3 years ago where the evil doings of hackers were highlighted. If I recall correctly the members of "the cult of the dead cow" showed their skills with back orifice (whoohooooo!!!).

    Anyway - during the documentary a spokesperson from Microsoft discussed the role of the security department and how they write patches etc. What was interesting to hear, in relation to this topic, is that Microsoft can and ARE ABLE to write a secure operating system. The spokesperson went on to say that they have to trade off security for user-friendliness (i.e. keep the masses happy).

    Now I'm not really a Microsoft fan, sure I use it but I also use Suse Linux as my main system. Unlike the majority of computer users, I've taken the time to learn, experiment and become familiar with computers even though I'm only a home-user.

    The point I'm getting at is that Microsoft have dug themselves into a big hole with regards to computer security. They have compromised themselves and their customers in order to keep the dollars rolling in. In addition, their policy to sell software so that all Mr. Joe Average has to do is turn on his computer has led to the problems we see today.

    While I'll applaud the rise in computer usage I remain amazed at Microsoft's "keep it easy" mentality. The majority of computer users have no interest or inclination to learn about security simply because Mr. Bill has made it too easy for them.


    To finish off here's an example that I saw on a UK TV news item a few weeks back.

    During the outbreak of the sobig virus, the news item showed a nice old lady at PC World, she was taking her computer to the service department. The program interviewed her and she said "well the computer was ok yesterday, but now it keeps turning itself off - I don't know what's up with it at all" (hehehehehe - you got to laugh)

    cheers
    humpy

  2. #12
    I believe Windows Update automatically tells a user when a new patch is available, and will download it if they tell it to, or can automatically download the patch in the first place. Some people may disable it though, because it does get annoying after a while. I personally turned it off, but I do go to the Microsoft Website and download updates.

  3. #13
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    I think it's stupid to hate Microsoft, ok WinME does suck but xp and 2k are very stable. Do you really believe they are using "newbie" programmers? As it's said before, it's just the user that messes up everything. *nix systems just don't get messed up because there aren't ordinary users that use *nix.
    Ordinary users=people that download everything, regardless of whether it's useful or not, etc.
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me

    www.elhalf.com

  4. #14
    3y3 agree. linux, for example, is never (ri7icised because it's only us3d by experienced users who h4ve allready learned it. Microsoft has a much larger audience to please. but i think they could still do a better security job then they did on xp...

    sorry about the coloring...this is what i m34nt to s4y...

    3y3 agree. linux, for example, is never (ri7icised because it's only us3d by experienced users who h4ve allready learned it. Microsoft has a much larger audience to please. but i think they could still do a better security job then they did on xp...









  5. #15
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    i agree with nihil on the tax laws thing...it is a very good paralell (did i spell that right?? ) here we are criticizing a project that was put together by a few guys over 12-18 months when we have had what 1 1/2 to 2 years to review it....
    chown -r us ./bases

  6. #16
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by Striek
    A professor of mine put it best when he stated that Windows XP is comprised of approximately 10 million lines of code written by college grads their first year out of school (who else would work for Microsoft?). Once I realized how true this was, I stopped wondering why Windows is so full of holes. It's written by a team of newbies in locked rooms chained to their desks and only tested by people who want to sell it. Linux is written by experts around the world who stand to make an ass of themselves (at the very least) if they screw up. It is then tested by people who are designing the product not for profit, but because they are personally motivated to better their programming skills. When they test it, they look for reasons NOT to release it, unlike Microsoft.
    Not true at all. I deal with MS CPR (critical problem resolution) on a frequent enough basis to know who the top exchange and platform engineers are. Most of them are older than I am, and I am way out of college. On the rare occasion that I have interacted with a developer, most of the time the CPR techs handle interfacing with clients, they were at least my age or older. This is just the usual Linux is better crap. When in actuality both OS'es have problems, and both models, open source vs. closed source, have issues.

    Just so you know, our current availability is running in excess of 99.999% for 2003 with 209 defects per million for the year. This is with 70k mailboxes delivering over 5 million messages a day. Pretty high availability if you ask me. It is all about process and procedures.

  7. #17

    Simple math...

    Microsoft's so-called "security holes" have been, for the most part, good ideas at attempting for centralized administration.

    BO2k used a highly functional remote control interface originally designed to help administrators push updates, etc to client machines.

    When the CDC was interviewed, and then Microsoft, what was said was interesting. Microsoft didn't immediately patch this "hack" because they were concerned that it would lessen their capabilities as far as centralized administration.

    The "linking" between applications like the Office installation and the internet was intended to allow the Front Page Server Extensions to allow for a more "groupware" type of intRAnet (notice the RA, not ER) so people could share documents and files in a more "web-ish" way, using an interface that was a bit more familiar than Lotus Notes or Netware Groupwise, etc.

    This "linking" was quickly attacked, since it allowed people access to the server to post information (duh) and files (double-duh) to the server that other people would be able to see (triple-duh).

    That being said, those services designed to increase productivity and such internally were enabled externally by admins without the necessary understanding of what they were offering.

    That explains many of the security holes in the Windows/Microsoft operating system.

    Now there are hundreds others that are more particular to buffer overflows, which Microsoft has seemed to ignore in their programming practices. As these applications are now linked internally, any data connection between these services needed to be checked to be sure it would be secure.

    Combining the three above issues (internal services enabled externally, lack of understanding of the services, and a "backdoor-ish" method of connecting to vulnerable services through other services) has made the process of tracking and extinguishing these fires almost impossible.

    The advent of these distributed attacks that are now so common, and the publishing of exploit code, has made it very hard to make the OS secure and keep present customers that are using their services in very customized ways happy.

    The re-design on Win2003 server has been a step in the right direction, but it still has to be legacy-aware, so that people will migrate without too much of a problem.

    Some companies will spend the money to migrate their information to more secure platforms, and some will stick with what they already know, but until admins are much more aware of what they are running as well as the relative benefits vs. risks associated with their services, then running an open relay in Exchange or on Sendmail makes no difference.

    Running an Apache webserver with server-side includes and access to /etc/passwd is much more dangerous than CodeRed ever was.

    A little personal responsibility these days would be refreshing.

    "Yeah, I was running a windows server, and I didn't update it, and I never cleaned up old accounts and left services running that we didn't need or use."

    Doubt we'll hear that any time soon.
    No, I'm not interested in developing a powerful brain. All I'm after is just a mediocre brain, something like the president of American Telephone and Telegraph Company.
    -- Alan Turing on the possibilities of a thinking machine, 1943.

  8. #18
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    mohaughn hit the nail on the head....ALL OSs have their own issues and BOTH development models open-source and closed-source have flaws.

    I've been running 2000 for 3 years now and maintain websites that most of you have probably been to at some time or another, yet I have NEVER had one of my servers be compromised or become unstable. I have been in environments where it seemed like if you sneezed near the server it would blue screen, but that was because of some stupid admin that did not know his a*# from a keyboard.

    I recently installed a 2kpro box and a RH9 box (basic workstation nothing more), then ran Windows Update and the RHN Update. I had 37 patches that needed to be installed onto the RH9 box and only 35 on the 2kpro box. Granted one of the M$ updates was a SP, but still...RH9 is not that old and 2k is just over 3 years old???

    I think M$ gets more publicity about its needed patches than any of the *nix distros. It almost seems as though the *nix issues get no PR, creating a false sense of security for those NOT in the know.
    just making some minor adjustments to your system....

  9. #19
    Senior Member
    Join Date
    Jul 2002
    Posts
    315
    3y3 agree. linux, for example, is never (ri7icised because it's only us3d by experienced users who h4ve allready learned it. Microsoft has a much larger audience to please. but i think they could still do a better security job then they did on xp...

    sorry about the coloring...this is what i m34nt to s4y...

    3y3 agree. Linux, for example, is never (ri7icised because it's only us3d by experienced users who h4ve already learned it. Microsoft has a much larger audience to please. but i think they could still do a better security job then they did on xp...
    J3D1 M4573R what are you saying, or what are you trying to bring across, and why so many times?

    Anyway, am not going to bash M$ today but I will say they can do a little better than what we have today.

    M$ created WinME which was very very bad, but then they came up with Win2K which I find to be quite stable with a few holes well maybe a lot of holes here and there but nonetheless it's stable in comparison to the others.

    WinXP home, I can't stand that OS it beats the crap out of me. WinXP Professional a lot better but I can't see it as being as stable as Win2k but it should be it came out after. That's my problem with M$ when they are supposed to be getting better they pull out something that has more problems and claims it has more functionality. That's BS to me and I think M$ can do much better than that.

    I have used M$ and I will continue using M$ along with my *nix flavors cause there are just some things you need to run on either. One thing though I will continue to bash both *nix and M$ because that's the only way we will get something better.

    Competition leads to a better product no doubt about it and we the users have to point out the flaws.

    Guidance...
    - The mind is too beautiful to waste...
    Cutty


  10. #20
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    J3D1 M4573R, may the edit button be with you
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post's content - me

    www.elhalf.com
