Microsoft defends security track record
Posted by TheFamousGeoff on 08 July 2003 - 02:39 · 14 comments & 2048 views
About the Author
Full name: Unknown
Forum name: TheFamousGeoff
Contact: via forum PM
Submissions: Normal · Headline
Full name: Unknown
Forum name: TheFamousGeoff
Contact: via forum PM
Submissions: Normal · Headline
Slashdot It!
Submit to reddit
Submit to blinklist
Bookmark on del.icio.us
Add to furl
Share on Facebook
Add to Windows Live
Add to Google- Advertisement
-
-
#1 Posted by SariN on 08 Jul 2003 - 03:05
- "According to Microsoft's top security officer in the UK, however, the incidents are not due to poor code design"
its poor code design when you have patch(s) just about every week. Now i now theres millions of code but thats just rediculous. I hope they spend more time on making LongHorn more secure...
-
(1 reply)
#2 Posted by Goalie_CA on 08 Jul 2003 - 03:31
QUOTE less secure than any other complex code.
That's the problem with them. Everything has to be complex. What ever happened to the "kiss" rule through which engineers live.
The apache web-server (the latest 2.x beta series) has ~ 50,000 lines of code. The format for the code is very "strecthed out".
It's amazing but win2k3 took all night to compile on an amazingly large server farm (absurd amount of code). My lowly athlonxp 1800 can compile a complete linux webserver with all the bells and whistles (gui, media player, everything) in a day. It'll be installed, closed up tighter then a virgin (just changed some config files and some other tricks
), and never crash. Uptime is usually measured in power-outages.
-
(8 replies)
#3 Posted by trance on 08 Jul 2003 - 04:04
- 1, Windows is more than a webserver
2. Did you compile EVERYTHING from source? the entire 3 cd's worth of binaries? Of did you just compile the kernel and the webserver?
3. If linux had to support OOB nearly every single piece of consumer hardware, with full compatibility testing, then linux would be a hellava lot bigger.
For those of you that have not taken a look at the internal of linux as compared to windows, please do so, and you will see there really isn't much difference in the design.
For those of you that have, then you'll know what I mean.
Once linux has the same kind of support and complexity, you'll start to notice more and more bugs. And as parts of linux start to get more and more stable, and people don't touch the code as much, then more bugs will appear in the future because of some new feature breaking an old one.
No OS is perfect, granted, the number of patches are annoying, but would you rather the holes go unnoticed and get exploited in the future, or have the patches (which can be applied automatically) and thus be safe?
my 2 cents -
#3.1 Posted by werejag on 08 Jul 2003 - 09:57
- and your 2 cents are rejected
...becuase clearly you have not seen either linux kernal code or winodows kernal code or sat down and compared them.
"the patch issue " it is not that we dont want the patches. the point is that there had to be patches in the first place. the amount of patches lead us to believe that there are too many holes in the code.
and since linux has the same kind of support and complexity, we havent noticed more and more bugs. really a lot less
we have complete code for linux so when old features break. they will be fixed un like a certain hole filed os we know
-
#3.2 Posted by daveoc64 on 08 Jul 2003 - 10:05
- It hasn't got the same kind of support how many people are using it?? If overnight it became totally dominant and Windows became the least used then there would be more bugs found in Linux. More people searching for bugs, more bugs found.
-
#3.4 Posted by Goalie_CA on 08 Jul 2003 - 15:58
- Linux is totally dominating web-servers. So don't give me that ****e about it being more popular. That's not the reason why there's more bugs.
-
#3.5 Posted by JaggedFlame on 08 Jul 2003 - 17:58
- There are more bugs in Apache than there are in IIS.
-
#3.6 Posted by JaggedFlame on 08 Jul 2003 - 17:59
QUOTE "the patch issue " it is not that we dont want the patches. the point is that there had to be patches in the first place. the amount of patches lead us to believe that there are too many holes in the code.
You'd better be saying that you want this issue to go away with Linux, as well. Because while Microsoft products do need to have less patches, there are just as many patches in open-source products. Take Red Hat, for example.
http://bugzilla.redhat.com/bugzilla/duplicates.cgi
Last edited by 820 on 08 Jul 2003 - 18:04-
#3.7 Posted by werejag on 08 Jul 2003 - 18:36
QUOTE werejag on 08 Jul 2003 - 03:57
we have complete code for linux so when old features break. they will be fixed un like a certain hole filed os we know
but unlike microsoft windows each person can see the full code and create there own path if they need to. so bug fixes are not an issue.
remeber the sql slammer worm. the very small minor iis enabled servers took down something like 50-60 percent of he internet. this was becuase of the fualty code.
-
#3.8 Posted by werejag on 08 Jul 2003 - 18:43
- as for your point in the bugs, ok i conceed that point. but did such a bug take down the internet for most people?
nope
thanks jagged flame for showing that bugs are part of all software. and that microsoft should not code anything more complex than txt files. they have been way to sloppy in there coding and trust worthy computuing is a shame.
-
#4 Posted by Gary_Player on 08 Jul 2003 - 05:37
- ... ... ...
...I laughed so hard milk came out of my nose...
-
#5 Posted by Mr. Black on 08 Jul 2003 - 16:29
- I love PR Fluff...so entertaining...
Microsoft has admitted it does not expect to ever release completely secure, flawless code, but denied that its software was any less secure than any other complex code.
The company was responding to criticism of its security efforts following a recent spate of bugs in its products. In just over a week, Microsoft has had to fix security problems in Passport, Windows 2000, Internet Explorer and Media Player 9. According to Microsoft's top security officer in the UK, however, the incidents are not due to poor code design, but are a sign that "the Trustworthy Computing initiative is working".
Stuart Okin, chief security officer at Microsoft UK, told ZDNet UK that the Trustworthy Computing initiative by Microsoft is one of chairman Bill Gates' main priorities. "Trustworthy computing is a goal that Bill has set for the company to improve the quality of our code and to take security over feature seriously," said Okin, who admitted that Microsoft needs to "improve the way our coders write code".
But Okin insisted that ongoing security problems are not unique to Microsoft. "I do not think (these problems) have got to do with bad design at all," he said. "Whatever is humanly designed, you have got to recognise that there will be flaws and problems."
Okin said that some of the problems are due to the flawed design of fundamental Internet protocols. "There are flaws within the basic protocols on which much of this technology is based. We are taking a good long look at all of the different protocols -- the message protocol and TCP/IP are examples -- to see how we can make this a more trusted environment," Okin said.
An example that Okin gave was the problem of spam, which he said is difficult to fight because the protocols that handle email were never designed to stop senders from using fake, or "spoofed", headings that conceal the sender's real address.
Okin believes that the high number of patches are a sign that Microsoft is quickly addressing its problems: "If you were to see no patches after we announced Trustworthy Computing, would you take that seriously? What we are seeing here is the result of the Trustworthy Computing initiative."
No matter how successful Trustworthy Computing is, however, the nature of complex software means Microsoft will never have completely secure code, Okin argued. "We are moving in the right direction, but there are going to be things that will be missed. Will we ever get to the stage where we have zero vulnerabilities, the answer is going to be no, because we are never going to get there with complex code," he said.
The two most recent vulnerabilities in Passport -- Microsoft's central repository for personal information and credit card details -- were discovered by third parties who repeatedly tried to warn Microsoft about the problems, but said they did not receive a reply. Okin could not comment on exactly why the researchers were ignored, but he confirmed that this is not standard policy.
"We accept that there are situations where finders -- people that discover vulnerabilities -- may find it difficult to make contact. When we do receive these emails -- and we do receive quite a few -- a great proportion of them are not new vulnerabilities. We take them all very seriously and investigate them as quickly as we possibly can," he said.
Many patches
Microsoft's customers have had their work cut out for them for the past month where it comes to keeping up with software bugs.
Since the start of May, Microsoft has created and released patches for Windows Server 2003, Windows 2000 Server, Media Player 9, Internet Explorer and Passport (twice). It also released Windows 2000 SP4, but many users had to apply a patch to correct a flaw in the service pack.
During the same month, Microsoft managed to annoy its Australian customers because the Windows XP activation servers fell over, leaving then with a voicemail message announcing that the service was unavailable. Windows XP is unusable without centralised product activation, although some business editions of the operating system do not require customers to activate them.
In the UK, there was chaos at many ports where staff had to revert to paper-based systems because their migration from a mainframe to Windows went wrong.
While Microsoft customers were applying these patches and fixes, the software giant launched updated versions of its Messenger client -- which now includes multimedia features -- and gave handheld operating system a facelift and name change, from Pocket PC to Windows Mobile 2003 Software for Pocket PC.