The MS programming crew writes bloatware that is no security at all, yet they have the advantage of writing for known systems. Some of their software actually works, but not reliably.
Virus writers write for unknown systems, and have to create small and efficient packages to work almost anywhere.
So far, I think the virus writers are doing a better job. For example, the Slammer Worm which is causing problems world-wide right now, is incredibly tiny, and cannot be detected by non-memory virus scanners, since it doesn’t live anywhere on a disk. According to McAfee:
“The malformed packet is only 376 bytes long (which is the full worm!)”
If only the virus writers and the MS programmers would switch places, we all would be better off.
Microsoft programmers don’t have to find gaps in their programs, it’s their job not to put them in in the first place. The fact that you think there might be thousands, or millions, tells you just what a horrible job they’ve done.
There is (yet another) vulnerable open port. That’s been known for a while. Many folks didn’t fix it when it first became known. Now some frootloop kiddie exploits it, and you blame MS?
Never thought I’d be posting in support of Microsoft from a linux box.
A common myth. It is quite possible with proper quality control procedures and a bit of theoretical know-how to design and build software that is quite secure (but of course probably not perfect) from the ground up. Microsoft has been thoroughly negligent in this regard for years. A great deal of the security problems in MS products are the result of such amazingly stupid design decisions it just boggles the mind.
My training in computer programming did not come thru formal channels (like college Computer Science classes), but from on-the-job training. Early in that training, 25 years ago, I discovered the “buffer overrun” problem, both in assembly language and higher-level ones. It’s a pretty simple concept, really; a certain, fixed space is set aside for data storage. If more data is stored than that space can handle, undesired things happen.
From then on, I guarded against that situation. It’s not difficult to check the size of incoming data to a routine and raise a red flag if it exceeds a limit.
I cannot imagine why this isn’t taught in Computer Science 101. I cannot imagine why anyone would write any program of any kind that did not check for this simple error or at least turn on an automatic check if available in a compiler.
So when I hear about another (another!) buffer overrun exploitation in a MS system or app, my first thought is, “My, these must be amateurs – is Wee Willy paying them only minimum wages?”
Now, for the comedic. What if virus writers switched places with MS system/app programmers? (That’s what the OP should have been titled).
Then, our operating systems would:
[ul][li]Be small and tight code[/li][li]Be invisible and work silently in the background[/li][li]Automatically install without operator assistance[/li][li]Send free copies to all my friends and near-friends[/ul][/li]And our viruses would:
[ul][li]Be humongous in size, take forever to load[/li][li]Take hours to install, spewing cryptic messages that need operator attention[/li][li]Break down constantly[/li][li]Need manual upgrades whenever something is plugged into a USB port[/li][li]Be incompatible with anything you have[/ul][/li]In short, we’d all be better off. Bulgaria would have full employment and Redmond would be underground.
FWIW, buffer overruns are listed as an explicit topic in the syllabus for the “Introduction to Operating Systems” class I’m taking right now.
MS has 30,000 coders. Windows XP has 40 million lines of code. Software complexity increases exponentially with the size of the codebase. And as someone noted, this hole was found and patched by MS; the problem is admins who don’t keep up.
I’ve been a Software Engineer for ten years. I notice you’re taking a shot at me but you didn’t actually address anything I said. State an opinion or back off.
And I was perfectly serious in what I said. I understand how complicated software is, but the ultimate responsibility for its flaws lies with the people and the company that created it. When Ford Explorers started rolling over, did people say “Well, SUVs are so complex that this sort of thing is bound to happen?” Cars get recalled for defects, and people should care enough about their safety to have their cars fixed, but let’s not forget who created the defect in the first place.
As I read it, the patch was out in Service Pack 3. When was service pack 3 released?
Hell, I’ve seen text editors that have revision numbers. Why would an operating system be any different? And yes, Ford is responsible, and they address the issue, just like MS does.
My problem isn’t this, but with the notion that a virus programmer is somehow better because they can write a destructive program that is useless.
