Credits: ©1997/2004, Active Network. All Rights Reserved. Layout & Design by Designer Dream. Content written by the Active Network team.
Time: 12:05 EST/17:05 GMT | News Source: USA Today | Posted By: Robert Stein

For the rest of this month, no one at Microsoft will be working on new bells and whistles for the company's flagship Windows software. Instead, 7,000 programmers have been directed to scour Windows code for bugs and security holes. The unusual hiatus was set in motion by Chairman Bill Gates' Jan. 15 directive making security the software giant's No. 1 priority. The company immediately began cycling Windows programmers and managers through two days of training based on the book Writing Secure Code by Microsoft security specialists Michael Howard and David Leblanc.
#1 By 116 (66.68.170.138) at 2/12/2002 12:36:36 PM

How can anyone complain about them doing this? This is a great thing for them to be doing. Everyone wins from this. Well, I guess everyone except Microsoft's competitors . . .
#2 By 2 (24.54.153.167) at 2/12/2002 1:19:24 PM

I agree Red. Microsoft's Chief Security Officer seems to have studied W. Edwards Deming's 14 points to succeed with total quality management (TQM). They adopted a new philosophy (point 2), decided to improve quality at the source (point 3), instituted on-the-job training for security (point 6), improved leadership (point 7), instituted parallel processing for the security change by breaking down some of the barriers between depts. (point 9), and established the fact that everyone in the company basically helps to accomplish this transformation (point 14). Microsoft's past and future product quality through security will be much, much better now that they've decided to change their ways. And as the article says, since corporate spending is lagging right now, Microsoft chose a good time to do it. Sooner rather than later will benefit us all. Also, Microsoft's future products will be designed with their new security philosophy in mind, allowing future security problems to be handled with much more ease than in the past.
#3 By 2960 (156.80.64.157) at 2/12/2002 1:21:31 PM

I see.... They are going to undo 10 years' worth of spaghetti in, what was it, 30 days?
Does the term "needle in a haystack" ring a bell?
They need to do this BEFORE and WHILE coding, not as some sort of mass Field-Day party.
TL
#4 By 2 (24.54.153.167) at 2/12/2002 1:24:47 PM

TL - At least they are doing it, right? I agree with you though, in the future this has to be done in the product design and planning phases rather than mass inspection. :-)
#5 By 1845 (12.254.230.100) at 2/12/2002 2:38:11 PM

Contrary to popular belief, Larry, Microsoft products haven't been entirely devoid of security. I think it is rather simple-minded to say that the code which has given Microsoft a 300 billion dollar market capitalization is spaghetti. We can say that Microsoft has a great marketing team, but the bottom line is if the product doesn't live up to consumer and corporate need, then the product will fail.
Microsoft has made many mistakes. They have quite admitted this and release patches and service packs often. Currently they are altering their coding practices to give the consumer what it is currently focusing on: security. If they don't live up to what you call the marketing hype it will hurt Microsoft's reputation more than CodeRed, CodeRedII, and Nimda ever could.
#6 By 2332 (129.21.145.80) at 2/12/2002 2:47:50 PM

#5 - To some extent, I agree.
The OpenBSD style of project management is very interesting and apparently very effective. I think, however, it has much less to do with the fact that it's open source, and more to do with the fact that the primary goal of the BSD developers is security.
Their security practices have been sound from the very beginning of the project, and thanks to that, there are far fewer compounding bugs that live on in subsequent product releases. In addition, features and functionality have *always* taken a back seat to security, a strategy that probably wouldn't have helped Microsoft very much in the days they were struggling to compete with companies like Apple.
The primary problem is competitiveness. The OpenBSD development process is painfully slow compared with that of nearly all the alternatives listed above. One way Microsoft could overcome this problem would be to simply spend that extra money, hire more developers, and release less often. This is likely what they will be doing in the future.
I don't think that this is a 1 month PR stunt, although it has some nice PR effects. 7000 developers working 12 hours a day (the avg. at Microsoft) equates to about 2.5 million hours of work in a single month. That is a lot of time. That's not to mention the fact that Microsoft has finally changed their strategy about software releases, with all new software coming in a "lock down" mode, which is very similar to OpenBSD.
I expect this will weed out a fairly high percentage of the bugs that haven't yet been found, making, at the very least, Microsoft products appear to be more secure. In the end, it doesn't really matter how many bugs are in the software, it only matters how many of them are found and who they are found by.
#7 By 1845 (12.254.230.100) at 2/12/2002 2:53:31 PM

#6 When looking at the merits of one product it is very important to be objective. You are so right. However, as a consumer you must evaluate many variants. If you look at a web browser and it only supports HTTP but not HTTPS, then it doesn't make much sense to say "Oh, product A is terrible, it doesn't support HTTPS" when product A's competitors don't support it either.
I'm not trying to excuse Microsoft's failings by saying this. The point is that with all the attacks and cynical comments against Microsoft, let's remember that their competitors have bugs and security holes too.
#8 By 135 (209.180.28.6) at 2/12/2002 2:55:11 PM

#5 - Ahh, OpenBSD...
Do you use it at home? At work? Is it the only OS that you do use?
If you didn't answer 'yes' to that last question you are in no position to discuss security.
Here's a quote for you. How do you think OpenBSD applies here: "Security is important, but if your network is so secure that nobody can get any work done, you haven't really performed a service for your company."
Which is why hardly anybody uses it. How large of a market share do you think OpenBSD has anyway? .2%? 6 users?
#9 By 2332 (129.21.145.80) at 2/12/2002 3:12:55 PM

#15, Soda, I have several friends who use it as their primary machine. (Granted, I have some weird friends, but that's a different discussion.)
Simply because something doesn't have market share doesn't mean it's not a good product. Hardly anybody uses OpenBSD because it's a pain in the ass to get it to a point where you've got everything just the way you want it, and it takes patience and some degree of knowledge to even attempt to get it to that point.
That has a lot less to do with security, and a lot more to do with very poorly designed UIs and really bad documentation.
Once you get it going, it's an extremely stable OS that has some good performance as well. You can always rely on it being secure considering the fact that it hasn't had a remote root exploit in over 4 years. I wish I could say the same for Microsoft.
Anyway, I prefer WinXP/2k over OpenBSD because I need to get work done, not simply gloat because nobody can hack my box. (I doubt anybody could hack my Windows box either, but I'm less confident of that than of my OpenBSD machine.)
Most people use Windows because it's easier to use, and because security, despite the hoopla, is not the primary concern for Joe-User.
#11 By 135 (209.180.28.6) at 2/12/2002 5:09:59 PM

RMD - I'm not saying it isn't a good product. It's just that it obviously is not adequate as far as functionality for most people.
Also, OpenBSD has had a variety of remote exploits over the years. They're very open about this, publish updates and so on, which is good. And they are certainly an example of an attitude you can take to develop software suitable for a specific purpose. But when you say they put functionality in a back seat to security, you aren't kidding. OpenBSD lacks many of the features that we have come to rely upon in enterprise applications. The CERT report sent out today about the SNMP problem mentions OpenBSD with this note: "OpenBSD does not ship with SNMP functionality."
But that's not what Microsoft's market is. They produce software for the masses, not the DoD. So this makes the issue more complicated. Security is important, but so is productivity.
Using OpenBSD as an example provides some useful tips, but it doesn't yield perfection.
#12 By 135 (209.180.28.6) at 2/12/2002 5:16:49 PM

#17 - Over the past several years Microsoft has been cultivating a group of people within their organization which understand writing of secure software. Microsoft knows how to hire talent, and they are willing to pay top dollar for it if they feel they need it.
The worm security exploits of last year were all preventable. Microsoft has made some efforts to educate Administrators, but the Admins have to be willing to be taught. They have to attend classes such as the ones SANS offers, they have to subscribe to NTBUGTRAQ and especially the Microsoft security bulletins lists, etc.
#13 By 135 (209.180.28.6) at 2/12/2002 6:31:51 PM

#22 - I wouldn't say that, the influence has been dramatic with notable improvements going from NT4 to Windows 2000 and now towards WinXP. Go back and look at NT4 and how many problems it had.
Also, the management of hotfixes and such has been steadily improving. WinXP's new automated download mechanism is a real step in the right direction.
Good point on documentation, but this is an industry-wide problem. Right now I can rattle off at least half a dozen good places to go for information on securing Win2k (NSA, labmice.net, Microsoft, SANS.org, etc.) but it isn't included in the default help files. The Resource Kit goes into some detail on, say, Kerberos versus NTLM, but not in depth enough.
Still, I can't think of a single vendor which does any better. Microsoft at least has the information on their website; try to find similar knowledge from Sun, Red Hat, Oracle, etc.