Microsoft: "Our products aren't engineered for security" [Duh!]
Computer Weekly | Friday 6 September 2002 | CW360 Staff
Posted on 09/06/2002 10:36:06 AM PDT by toupsie
Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.
"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.
In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.
Microsoft's regular stream of security bulletins has continued despite Bill Gates' company-wide Trustworthy Computing Initiative, announced earlier this year.
The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.
"We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.
But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products, the security dilemma will evolve as hackers become more sophisticated.
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.
According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them," he said.
TOPICS: Crime/Corruption; Front Page News; News/Current Events; Technical
KEYWORDS: computersecurity; hacking; microsoft; penisenvy; windows
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Good luck Windows Users! The next sound you hear will be a hacker going to town on your hard drive. Sounds like running Windows is about as safe as bending over at a Gay Pride march--eventually, you are going to get screwed.
Microsoft is finally admitting that their problem isn't a large market share, it's that they produce a completely insecure operating system. It's like Ford or GM admitting they purposely made unsafe cars! Preserve your data and switch or sort of switch. These two products with a focus on security.
1 posted on 09/06/2002 10:36:06 AM PDT by toupsie
To: toupsie
Remember the "trusted computing initiative" memo to all the MicroSofties from Uncle Bill last year?
In ten years, you're going to be b!tching about how it isn't fair that Microsoft is hitting Orange Book A1 standards and has a monopoly on security technology.
2 posted on 09/06/2002 10:40:24 AM PDT by Poohbah
To: Poohbah
In ten years, you're going to be b!tching about how it isn't fair that Microsoft is hitting Orange Book A1 standards and has a monopoly on security technology.
If in ten years, Microsoft produces a secure operating system, I will be dancing in the streets. That way I won't have hordes of zombied Windows servers pinging the hell out of my Class Cs around the country.
3 posted on 09/06/2002 10:44:13 AM PDT by toupsie
To: Poohbah
I find it amusing that they think a memo and maybe some classes for their programmers will fix the problem. No, Microsoft, it is about rewriting all your old code from scratch with security in mind for every line.
4 posted on 09/06/2002 10:44:21 AM PDT by sigSEGV
To: sigSEGV
I find it amusing that they think a memo and maybe some classes for their programmers will fix the problem.
One memo that says, "Do this."
Add a bunch of MicroSofties that want stock options so they can be rich. How do they get stock options? By giving Uncle Bill what he wants.
Mix in 20-hour days.
Presto, secure products.
5 posted on 09/06/2002 10:48:23 AM PDT by Poohbah
To: Bush2000
As you have said to me before, "Defend this!". Large market share? More software? Cheap hardware? Should be interesting to hear what you have to say about Windows and the confirmation by the lead M$ Windows guy that it's completely insecure.
Don't just say I hate Microsoft, this was posted with a Microsoft Wireless Intellimouse and proofed in Word. :P
6 posted on 09/06/2002 10:50:33 AM PDT by toupsie
To: toupsie
This aspect is much like finding fault with a Cadillac for being easy to steal. The Cadillac was built for comfort, not security. Windows was designed for the average user, to become a useful cog in the technology industry. Windows is designed to work with a plethora of different hardware products, all using specialized software, on different processors, all operating at different speeds, as a base of yet another group of software applications doing 'God knows what' to hardware and software components. Do you think Windows anticipated connecting digital video recorders, morphing the pictures, adding sound plus internet security when it was written back in the 80's?
The public has clamored for features, but only a small minority have demanded security. Market demand determines marketing strategy. I think MS has done a wonderful job, trying to please bazillions of customers, all running near unique configurations; while keeping the OS fairly stable, adding features, and EARNING the marketshare they have acquired. If ONLY the leadership at Apple were 10% as competent.
7 posted on 09/06/2002 10:58:29 AM PDT by Hodar
To: toupsie
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Yes, apparently it is impossible. Microsoft operating systems are trivial for unauthorized users to crack because Microsoft is institutionally incapable of developing good software. Windows users are sitting ducks for any sufficiently motivated teenage intruder to break in and have his way with the user's files.
Mac users don't experience those problems. Apple's level of developer talent and dedication to secure, high-quality software puts Microsoft to shame.
8 posted on 09/06/2002 11:04:00 AM PDT by HAL9000
To: Hodar
There are not 50 people constantly banging on a Cadillac trying to get in 24 hours a day. If we lived in a world like that people would want a secure Cadillac. Trust me, corporations that depend on MS want security, not features.
9 posted on 09/06/2002 11:05:46 AM PDT by sigSEGV
To: sigSEGV
I concede that the 'NEED' for security is real. However, say a corporation buys 1,000 copies of 'Secure MS Windows' and there is a market for 1,000 other such companies, that is only 1 Million copies of market to please.
We are quite aware that the individual is quite content to buy Symantec or other Firewall software (or a router) to solve the issue, not spend the major bucks to purchase MS's Enterprise software.
Thus, it is simply reduced to a market equation. Tweak existing software and make major bucks vs. re-write software and lose money.
10 posted on 09/06/2002 11:09:54 AM PDT by Hodar
To: Hodar
11 posted on 09/06/2002 11:16:56 AM PDT by sigSEGV
To: Hodar
This aspect is much like finding fault with a Cadillac for being easy to steal. The Cadillac was built for comfort, not security.
Well I don't agree with this analogy. This is more like an M1A2 Abrams Battle Tank not being able to handle small arms fire. Windows is designed to be used on the Internet, it should be able to handle "Script Kiddies" like the Abrams can handle small arms fire.
Windows was designed for the average user, to become a useful cog in the technology industry.
Then why can Apple do it? It's designed for the average user and generally described as more user friendly than Windows.
Do you think Windows anticipated connecting digital video recorders, morphing the pictures, adding sound plus internet security when it was written back in the 80's?
Apple did. Apple had TCP/IP networking technology built into Mac OS before there was a World Wide Web. Apple even had a website before Microsoft.
If ONLY the leadership at Apple were 10% as competent.
They aren't the ones standing up in front of crowds saying, "Our products have so many holes that swiss cheese is jealous!".
12 posted on 09/06/2002 11:20:52 AM PDT by toupsie
To: Poohbah
One memo that says, "Do this."
Add a bunch of MicroSofties that want stock options so they can be rich. How do they get stock options? By giving Uncle Bill what he wants.
Mix in 20-hour days.
Presto, secure products.
Hahahahahaaaah! That's some formula, but tired and whipped employees do not make better coders.
Try folding in some training, code inspections, testing and some mandatory security audits.
To: toupsie
I always like the expression "Using Microsoft is like sharing needles!"
Just about sums up the risks and the distasteful habit :)
To: toupsie
Then why can Apple do it? It's designed for the average user and generally described as more user friendly than Windows.
Because Apple is run by marketing fools. Their product is easier to use, uses fewer parts, is more stable, and generally is the envy of the industry. But, when a consumer has a choice of buying the lowest Mac with little/no software; or a top notch PC with scads of software; the user typically chooses the PC.
15 posted on 09/06/2002 11:40:16 AM PDT by Hodar
To: toupsie
I don't like the sound of his "built-in" excuse.
16 posted on 09/06/2002 11:43:36 AM PDT by rdb3
To: Hodar
Because Apple is run by marketing fools. Their product is easier to use, uses fewer parts, is more stable, and generally is the envy of the industry. But, when a consumer has a choice of buying the lowest Mac with little/no software; or a top notch PC with scads of software; the user typically chooses the PC.
I wouldn't say marketing fools considering the praise they get in the advertising industry. It's basically a price issue. People think they are getting a bargain when they buy a cheap PC.
17 posted on 09/06/2002 11:58:58 AM PDT by toupsie
To: toupsie
I worked on the PowerPC chip, and was made aware of how much Apple paid for it. Let's say that the price is ~20% of the Intel rival. The motherboard costs are similar, the drive costs are similar, the memory is similar, and packaging is similar. Why is the Apple so expensive? PowerPC made products superior to what Apple was turning out, and as a reward was shut down. I LOVE the Mac, but it's way overpriced for what you get. The Mac is awesome, but the PC is 'good enough', and that's what wins the market.
18 posted on 09/06/2002 12:04:15 PM PDT by Hodar
To: toupsie
The problem is that for years Apple was run by managers who couldn't sell ice water to people in hell.
19 posted on 09/06/2002 12:11:54 PM PDT by steve-b
To: toupsie
As you have said to me before, "Defend this!". Large market share? More software? Cheap hardware? Should be interesting to hear what you have to say about Windows and the confirmation by the lead M$ Windows guy that it's completely insecure.
I don't have to defend it. If you had some technical knowledge, you'd realize that no product is engineered to provide complete security. Not Windows. Not Linux. Not Apache. Not OSX. Etc, etc. Or have you already forgotten about hacks to OpenSSH, Apache chunk handling, Mac OS X Setuid root access, PHP for OSX, Linux WU-FTPD, Linux line printer daemon, Linux BIND, etc, etc, etc ...
20 posted on 09/06/2002 12:36:52 PM PDT by Bush2000