#1
Microsoft Seeks Questions on Security
Apparently now's your chance to ask all those burning questions pertaining to M$ security at ZDNet.
I would honestly like to see this become a learning experience for both sides rather than what I've seen in the past, which is M$ rationalizing bad security with user friendliness and integration. Not to say that users can't learn something too. As a developer, it always seems hard to give the customer who wants everything just that. Your opinions, possible questions?
I find Microsoft beginning to learn what people want. Excruciatingly slowly, but learning nonetheless.
#3
That reminds me of a joke I read on the Gentoo forums:
Quote:

#4
Forgot the best part:
Jimmy runs up to God and asks Him, "When will Java OS be completely secure and bug-free?" God sits and ponders for a moment. After a few minutes He replies, "When you get off those d*mn forums and actually get something done!" When he hears this, Jimmy becomes very depressed. "I may not live to see that day," he says.

#5
Ha! I'm glad to agree with cybersaga in that M$ is actually moving in the right direction (slowly).
Still, my main problem with M$ products, including and not limited to IIS, XP, and IE, is bug resolution / reporting. How are they gonna compete with a mature Open Source community in coming years if they are slow to resolve bugs and publicize the security risks? The Open Source community is brimming with developers who give a damn. When there is a bug/security hole it is promptly identified and fixed, by the same person in lots of cases, due to the open source code. The proprietary model is much less efficient due to the protocol a bugfix must travel through in order to reach implementation. To illustrate my point: in this scenario I will play the role of software provider/publisher. I have two clients using my software; let's just call them "Kissmart" and "Caremart". Kissmart is a company that does not have a web staff and relies on me to do everything, and Caremart is a company with an internal web team. Both companies figure out the same security hole exists at the same time. Caremart's web team fixes the problem on the spot. Kissmart emails me about the bug, and the email sits there for half an hour or so. I read it; I have extra questions: did you receive an error when you did this? Blah blah blah, the usual set of clarification questions I could ask. All of a sudden, it's one day later and I've provided them with the new, secure code to use on their server. One more day passes and they finally upload the change. There is a major disconnect here. If Kissmart had a web staff (the ability to modify the source) they would have the problem licked on their own and wouldn't have to wait for me to respond with a new version, and they wouldn't have to wait for an expanse of time to get the change implemented. Do you see what I am saying? It takes a while for M$ to fix bugs because they have all the resources in-house. When we put error reporting and fixing in the hands of a user, the efficiency and overall security of this model far outweighs any accolades the M$ sector.
It is easier "for me" if a client can make their own changes, and it is easier on the client because they have some catchin' my drift?

#6
Oh, I'm catching your midrift... and please don't ever wear that tube top.... ever again.
M$ has long followed the security-by-obscurity technique in their products. It's almost like having that page on your website that doesn't check for a login session; it just doesn't have any links to it. If you know where the page is at, you should be there. In the same way, they don't reveal their bugs so they cannot be exploited. Well, people know they are there, and unfortunately it's all the wrong people. IE vs FF seems to be the OOS's perfect example of why their system works. They have consistently fixed critical holes within the span of days, not months. But now put all that aside: M$ does have a lot of things already stacked against them as the industry giant. They are the ones who have to deal with the "everyman" user, a user who wouldn't know about security if you hit them in the head. They need to open up their doors to software and development on their system to a bunch of developers who really don't even like them, and they need to do it securely. In an unusual defense of the OS for me, I think they have done quite a few things better as of late, but they have so much more to do. Windows Update: great, now stop its vulnerabilities and hacks. Windows Firewall: great, now make it useful. Antivirus software? Is this a good step for them? Bottom line, M$ needs to open their hand, open their ports and give in to the OOS community to a) remain competitive and b) better their product.

#7
Quote:
jerk
Quote:
And then you go and totally redeem yourself. Proxy rep++ requested from someone with at least one rep point (what a sordid world this is where we only have 1 rep point).

#8
Using M$ to refer to Microsoft is somewhat like swearing; in both cases it's a sign of a weak vocabulary.
This is a Microsoft-related site; it's childish to keep posting here using M$. There are plenty of other sites for this kind of talk.
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain

#9
Quote:
Point taken, I shall refrain.

#10
Quote:
Sorry, it's habit-forming.

#11
Quote:
Microsoft opening their code all at once would be a nightmare: security by obscurity would all of a sudden be destroyed, and things would go mad. Additionally, I have no problem with some MS code staying closed source. Features such as the Windows standard driver library and (um... I can't think of anything else right now) are things that MS has invested time into, and I don't mind them keeping them. But there are some things there's no reason to keep open source anymore. With Windows 95 the Start menu was new and revolutionary; now it's old hat. Release the code for that, maybe a bit of code for port handling, and a few other toys to get people in and playing, along with 98% of Windows code as pre-compiled libraries, DLLs or object files, and you have something that people can play with, supply feedback on, and fix glaring issues in. Then maybe the next service pack would be timed to come out with the next open source release with the fixes and maybe more public functionality. They could still keep all of their core and private functionality private, while allowing security (as validation to ensure the copy was bought, not stolen) and newer functionality to be their closed domain, while having the benefit of the open source community checking and helping with security. Just my two cents. -MBirchmeier

#12
You make a good point with that. And at this point, releasing it all at once would be a floodgate. FF has grown up OOS, and so a new flaw found can be fixed the next day. With Windows there would be an initial rush of these and it would take years to fix them, a time period in which the OS would just become a playground (not making any comment on what I think it is right now).
#13
Many (including myself) directly blame Bill Gates for the rise of the proprietary software model. Microsoft wants to lock people into using Microsoft-only tools and formats. If they released their source code as Free/Open-Source, then these tools and formats (many of which have been at least partially reverse-engineered) would also be Free, and they would have no way of forcing their users to use MS-only software. Microsoft is very much the _epitome_ of proprietary software development.
#14