I can’t believe nobody has pitted Microsoft’s plans to sell Security Software [Slashdot, ZDnet]. I suppose that trashing MSFT is stale and cliché, but come on people. How can a company sell a poorly designed* product and then proceed to sell you a fix for it? It’s so easy to make comparisons to other industries – isn’t this like an auto manufacturer putting out a car whose wheels are prone to falling off, and then trying to sell you a kit to prevent this from happening? I don’t see any other parallels with regard to companies in other industries. Try looking at this from a business, or even common sense, point of view and not from a technology industry perspective. I just shake my head in amazement. This was originally headed for the pit, but I’d much rather have a debate.
*Correct me if I’m wrong, but you’d be hard pressed to find a person who will deny that Microsoft has the ability and/or willingness to correct the countless major design flaws in their OS’s.
I was going to bring up the auto industry halfway through the first sentence of the OP.
Do you understand how big Microsoft is? Not just the market share, but how many divisions there are within the company? Hell, my company is a major player within Microsoft, and we are a supplier to them for various tech support, sales and auxiliary services. They are one of a dozen national and multi-national firms we support. And I can almost guarantee you’ve never heard of my company.
Microsoft has 95% (give or take) market share of the desktop OS field. That’s a shitload of people working in various capacities with various firms designing and implementing the most comprehensive and arguably easiest to use platforms to integrate it all. (Yes, I know Linux fans will disagree; you’re in the minority. Mac fans are just insane in this arena.) Windows is the easiest to use and most comprehensive overall. It is. There is no debate in this. Use those systems if they are better for your needs, but you are in the minority. I’m not disparaging, just stating fact in the business world.
Now then, to the auto comparison. Complete fallacy.
Ever hear of a recall involving millions of vehicles? Often they involve things like brake pads, wiper motors, starters, engine compartment insulation, etc. Basically stuff that no matter who made it, you can hold it in your hand and test it. Software isn’t a fair comparison. Can you imagine the size of code for an OS as versatile as Windows? There are going to be problems.
If Ford can’t get every single bug worked out of a specific vehicle before it’s put on the market, how can you reasonably expect Microsoft to do the same? If the F150 is subject to recall, how can you expect an entire OS to be perfect? You can’t. Any given model of car can have massive recalls, and as far as I know, no model has such a dominant market share.
No big fan of Microsoft here but what do you suppose all those service packs are for? Most of the updates that MS does these days (automatically if you enable them IIRC) are to close various security holes. Why does it have so many security holes? Well, part of it is that MS has always tried to be backward compatible to its older trash…er, older stuff. Part of it is just that most hackers go after MS because, well, most people use it. What? You don’t think there are security holes in Apple or Linux?
Well, I would say MS has the ability…and it seems they have the willingness too. Again, what did you figure all those friggin service packs are for? I can’t stand the OS, only time I mess with it is for my various clients that use it (mostly Windows 2000/2003 Server)…but even I can see that they make an effort to fix their crap on pretty much a continuous basis. They are still patching Windows 2k Server to this day as folks find new hacks.
If they make money off this, it’s the same thing as an auto manufacturer charging for factory recalls.
Further, if they use this to eliminate other antivirus manufacturers… well, it’s pretty much abuse of monopoly power.
Basically, this is a no-win for Microsoft, in the long run. There’s an old story, which even appeared in a Dilbert cartoon, of programmers of a product being offered a prize of $50 for each bug they found in the code.
They promptly found thousands… that hadn’t previously existed.
Not meaning to be abrasive, but I think I’m going to be abrasive. This is crap. Just sheer crap. The problem with Microsoft software is not that it’s so huge, nor that it can’t be tested. The problem is that there is always a tradeoff between security and usability. Microsoft has, in every case that I’m aware of, chosen the latter, their choices always constrained by improving their bottom line. Despite their squawkings of putting security front and center, it must be limited by how much it would actually cost. As company policy, to do otherwise would be irresponsible. But here’s the worst part: Windows is a mishmash of cobbled together code that is severely lacking from an engineering perspective. I give you this.
For the record, let me head off some obvious responses. Yes, I know that no piece of software is bug-free. Yes, I know that Windows is the dominant operating system and therefore receives a greater number of attacks. Yes, I know that Linux, Mac, *BSD, etc. are not invulnerable. Yes, I know that backwards compatibility is a huge issue for Microsoft. I’m amazed that they’ve successfully maintained it as well as they have. Yes, I know that the original single-user (non-networked) paradigm is responsible for a lot of the faulty software structure. Yes, I know that Microsoft is a company and should be ultimately concerned with their bottom line. Furthermore, I hope that they do improve their OS.
None of that excuses their piss-poor security record, nor justifies charging money for the deficiencies of their product.
Any OS will be vulnerable to hackers[sup]1[/sup]. Microsoft made several design choices/errors that made it very easy to hack the Windows OS. An industry sprouted to provide protections missed by Microsoft. Now, it’s a no-win scenario for Microsoft. They can continue to allow third parties to provide security (anti-virus, anti-spyware) software. People will say Microsoft is an unsafe OS. They can integrate the products into the OS. People will say they are killing the competition and stifling innovation. They can enter the software market. People will say it should have been included in the OS and Microsoft is only padding its bottom line.
Microsoft is a corporation answerable to its shareholders. They should do what is best to sustain growth (not easy, given their size). They should enter the security software market and compete with the likes of Norton, McAfee et al.
[sup]1[/sup]I know “crackers” is more appropriate and those proud to call themselves hackers bridle, but it is common usage and hackers need to accept it.
I don’t know if the comparison to defective automobiles is really fair. Microsoft security problems aren’t a defect in their software in that it doesn’t work in “normal” conditions. It’s just vulnerable to deliberate attacks. How can a company be responsible for that?
It would be as if there were suddenly an outbreak of tire slashing incidents around the country. Do you blame Ford because they didn’t make sure their tires were resistant to knife blades?
Or how about hood ornaments? Is it Mercedes’ fault that kids can rip these off of cars? If they sold a kit later that would lock the hood ornament down, would they be pit-worthy because they should have made the hood ornaments secure in the first place?
I think a lot of people exaggerate the lack of quality of Microsoft software in comparison to other platforms. Papier-mâché analogies and so forth are just silly. Comparing Honda to Ford might be a somewhat more apropos analogy.
There is NO operating system that does not have bugs, serious design flaws, and numerous potential exploits. None. Not Linux, not Mac OS X (although my personal preference is for OS X over Windows XP). And I am not at all convinced that Microsoft software is always significantly worse in this regard. Its software is far, far more frequently targeted, that’s true, but it is not apparent to me that this is necessarily due to any significantly worse design flaws on the part of Microsoft’s Windows XP.
Only the truly naive believe that OS X or Linux systems are difficult to hack into. If you use one of the operating systems, just be glad that you’re enough in the minority that not too many malicious hackers are paying any attention to you.
No, I am not loyal to Microsoft. Frankly, I think it is a terribly arrogant, monopolistic company that produces a lot of flawed, committee-designed software. It’s just that I do not think Apple is any better, and lord knows Linux users are anything but humble themselves.
Those would be the two phrases I’m thinking of.
Oh, and MS Outlook’s fun habit of executing certain scripts within emails. Having macros enabled in emails at all.
Common scripting between your e-mail program and your word processor that allows you to launch files or access other web sites.
It’s just not safe. Yes, compared to most other operating systems, it is far easier to damage Microsoft. Furthermore, if properly damaged, it is harder to repair it… I ran into a rootkit once that not only was invisible to administrators, but somehow managed to get Microsoft’s own repair system to rebuild it.
In most other operating systems, you can turn things off. In Microsoft OSes, you can turn things off… unless the OS feels it needs to be turned back on.
Anyone else remember a few years ago when Microsoft had a highly-touted project where they would stop all activity for three (six?) months, so all of their engineers could comb through their code and remove all the security problems in it?
People who harp about MS security are about 2 years too late. In reality, MS is making impressive strides in fixing the inherent flaws present in Windows, and the new generation of products (Win2K03, Vista, IE7, SQL Server 2005, IIS6, .NET 2.0) look to be noticeably more secure than the competition.
Whether you believe secunia or random slashdotters*, the data is there: IE has had fewer exploits than Firefox of late. IIS6 has had fewer exploits than Apache 2. The .NET VM has had zero exploits as opposed to 60+ for the Java JVM. Win2K03 has fixed a whole bunch of things related to ActiveX and is secure-by-default for most of its settings. IE7 is also promising to fix many of the exploits that made IE6 such an easy vector.
In reality, the big push for security that MS made in 2001 has really started to show dividends, and it’s largely the perception of lack of security that still persists. Looking at hard data, MS is at least at a comparable level of security to other products, if not vastly more secure in some areas.
*cites can be furnished on request but I’m not going to go crawling for them now.
This may be true. The general public can only hope. Personally, I’ll only come to believe it when enough time passes, however long that may be.
I’ve no desire to get into a cite war (as I don’t have the time), and I certainly don’t want to go near the criticality issue that generally gets lost in the shuffle. So, I just looked up one thing. According to this, .NET has had 6 advisories, of which 2 remain unpatched, while JDK 1.5 has had 3, of which two are unpatched. Both from 2003-2005. Perhaps I’m reading the pages wrong; I just glanced quickly at them (as I said, I don’t have the time). However, I call bullshit.
And, as I said, the general public can only hope that this is the case. I know I do.
I should just point out that the ties Internet Explorer has to the operating system mean that every vulnerability it has is several times more serious than one in Firefox.
Understandably, perceptions of security will always lag behind actual security, and that’s a healthy sign because it means companies will value reputation. However, the pointless bashing of MS based on outdated facts is getting really old now. (Pointless bashing of MS based on current facts is perfectly fine.)
Just so we’re clear, I don’t doubt that Microsoft is getting better. What I object to is slanted info. For instance, in the case of Java and .NET, simply stating that Java has had 60+ vulnerabilities while .NET has 0 ignores (1) that the 60+ number includes all previous vulnerabilities, even if they’ve been fixed (if I’m reading your cite properly) and (2) that MS built on knowledge provided by Java’s missteps (which is as it should be, and kudos to MS for that). The IE6 vs. Thunderbird comparison is another instance, as E-Sabbath pointed out.
What set me off was your bolded “more secure” and the phrase “if not vastly more secure in some areas”. The first can only be proven with time, and yet some of those products you list haven’t even been released yet. The second is a throwaway phrase due to its vagueness, worsened by the use of “vastly”.
I realize that you’re tired of MS bashing, but you took on the air of a MS fanboy in their defense. Give credit where it’s due, and blame equally so.
I will begin this by saying that I am an O/S zealot; keep that in mind while reading this.
OpenBSD has had 1 remote exploit in its default install in the last 8 years. When Microsoft has that kind of track record, I would consider giving them money for a security product. Keep in mind that the contest in question is one of the smaller open source (read: volunteer) projects versus the largest software company in the world.
Now, OpenBSD requires you to decide to turn on services that could potentially be vulnerable. Windows has the opposite philosophy (and it has been pointed out, you cannot turn off everything, at least not with ease). The point is, which do you care more about? The machine just working without you knowing/learning how to do anything, or losing all of your data to various fools?
Really, if Microsoft actually cared about security half as much as it pretends to, then you would see a record more like OpenBSD’s. They could hire the people to do the code audit, anyone saying they could not do this if the will was present is shilling for Microsoft. As it is, they are more interested in shipping the product. Though the automated code auditor and the process described in the article cited by DigitalStimulus does show an encouraging trend, we will see who wins out when the new codebase nears the ship date.
As for their Security Software, if it is not written a lot better than their previous versions of the O/S, then it will probably expose the user to more security problems as it shuts down old ones. I dunno, it would just chap my ass to pay someone to fix something that they did not write well in the first place. I am glad I will not be needing it.
I’m certainly not claiming that MS is all of a sudden the paragon of security and they can do no wrong. However, I think the .NET example shows that MS circa 2001 is capable of building systems from scratch which are secure by default and resistant to exploits.
I think an order of magnitude can safely be considered to be “vastly”. Again, the difference between IIS5 and IIS6 is striking in terms of security yet the old prejudice still remains.
Okay, in the interest of full disclosure: the Firefox vs IE figures are flawed in a number of ways, mostly because they don’t consider the severity of the problem and how deeply IE is integrated into Windows. Furthermore, MS seems a lot more content to leave critical security updates unpatched for extended periods of time.
The IIS6 vs Apache 2 figures are also misleading because IIS6 has not really gained widespread marketshare, so it has not received much focus from hackers. Furthermore, Apache 2 is commonly regarded as having been released prematurely, and many people are sticking to Apache 1.X until all the kinks are sorted out with 2.0. The blog I linked to is a MS blog, so it is naturally going to be MS slanted, but the figures are from secunia. The study done on .NET was by a university and I could find no obvious ties to either MS or Sun, but it could easily be biased.
Having said that, of the products I listed as next-gen, 2 of them have been released so far (IIS6 and Win2K03), and .NET 1.1 could properly be considered next-gen as well. Of the products released, all historical data shows not just comparable but vast improvements in security over competing solutions. There is no reason to suggest that further products coming down the pipeline will not also follow this trend. It will certainly be interesting to see IE7 vs Firefox numbers because that seems to be the biggest source of contention.