Version: 2008

Comments on: Microsoft's lessons from the desktop

While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.
Build it right
by MaLvaDo39 June 27, 2007 6:15 AM PDT
If Microsoft was a car company, they would have been sued
until they were left with nothing.

How can a consumer accept a car that is unstable, crashes, is a
magnet to viruses and allows break-ins from a poorly built
machine?

The only way is for Microsoft to start over and create a whole
new OS. Until then, the dark ages of computers continues for
most.

Many are already in the renaissance with their Macs.
You know they won't
by chash360 June 27, 2007 1:26 PM PDT
At this point M$ can no longer claim incompetence for the security holes, it must be intention. They know how they are utilized (evident in this article) and yet the holes exist, persist and get moved around with every update. Cross site scripting? Who invented that? (M$ did) in violation of existing HTML security standards which did not provide such obvious risks (oh but look what features you can have with it, says M$...). Skipping bounds checking of buffers in memory to improve speed at the cost of security, another M$ 'invention'. My biggest question is why, is it for M$'s own thieving ends to monitor users and steal intellectual property, or are they doing this for someone else as well? Selling spam holes, and ad-spyware methods? Government interests?
There are 4 simple rules to follow for computer security: 1: No unauthorized access to memory. 2: No unauthorized access to Storage. 3: No unauthorized processes. 4: Administrator sets all authorizations requiring at least one physical access to the system/console.
Security comes before anything else. M$ likes to throw anything out there they think they can sell, saying look what this could do for you...without ever thinking that the very nature of what they introduce is a complete violation of security. As a longtime Internet user (long before the WWW) it may appear a novel idea to be able to automatically execute and process arbitrary code on a remote machine simply by sending an E-Mail to it, but all you have to do is think once about how such a thing can be abused, and decide it's not worth the risk. But noooooo, we have this thing called Outlook Express preinstalled on thousands of computers with no protection against such malware configured. I can fall back on my Mac roots (thankfully), but many can't. Quite honestly, I don't think M$ has the expertise to create a really new system, they have been regurgitating the same old crud code that Mr. Bill bought (not developed) many years ago, yes it has evolved, and been built upon, but they still use the same old mindset. If they were a car company they would have asked the government for a bailout, if they got sued to insolvency, unfortunately the gov won't hold them accountable for anything, so we must all pay.....
Gosh, you are so right - NOT!
by aemarques September 7, 2007 5:23 AM PDT
Hummm. Let me see: the "superior" Macintosh OS has been around since 1984 (!); and there are "great" so called "free" alternatives as well. I wonder: if MS software is worse and costlier than the competition how come 90% of the world is using it...?

Wait, I know! WE are all stupid, and YOU are the only smart person around (not...).

Oh my... Another day, another MS bashing thread...
Google wins out of the three reports
by n3td3v June 27, 2007 7:39 AM PDT
Google: Level headed report and level headed photos

Yahoo: Completely weird trying to put humor into security with drug-like tactics with cartoons and paranoia

Microsoft: They decided to have their own photographer and in the last photo http://news.com.com/2300-1002_3-6192282-3.html?tag=ne.gall.pg drink was seen within the Microsoft office

Who wins on a Cnet report level? Google.

In security and public relations, behind the scenes and ideals don't matter, this was a media and public relations face off, and out of that only Google came out best. The public don't care about cartoons, paranoia and other behind the scenes stuff, they want to hear stuff that is going to make them feel better as a consumer, but how you're better serving your employees.

Consumers wanted to hear about things that affect consumers, and the Google report and photographs did that, Yahoo and Microsoft failed to do that.

Funnily, Google are winning over consumers, something you've failed to beat in your cnet public relations, yet again Google stand out as #1, not only as the number one search company, the number one company online but the crown in public relations and giving the public what they want to hear in terms of cutting edge journalism.

Kudos to Joris Evers for the three reports.
Voted #5 Worst Job
by sbwinn June 27, 2007 9:07 AM PDT
Interestingly enough MS Security Grunt was recently voted #6 in
Popular Science's "Worst Jobs in Science 2007". It was right
between Coursework Carcass Preparer and Gravity Research
Subject. "Like wearing a big sign that reads 'Hack Me'".

http://tinyurl.com/2v9la9

I have to disagree with PopSci's analysis on one point --
Microsoft's products are not hacked for the challenge. They are
hacked to create bot nets that send spam, launch attacks, etc.
Zombie PCs are money makers for virus and worm writers.

Just like Plug and Play. . . only Microsoft could invent
Trustworthy Computing.
Sorry, it's #6
by sbwinn June 27, 2007 9:10 AM PDT
Coursework Carcass Preparer is apparently worse.
So what have we learned...
by wbenton June 28, 2007 5:06 PM PDT
We've learned that Microsoft has finally learned what it should have already known many many years ago.

However, just stating that they're aware and actually implementing it are two totally different things.

It's too late for them to implement such in Vista because it's just a bake-off of XP with extras.

To really implement what they're claiming properly, it must be done from the Ground Up meaning at least the next operating system after Vista at the earliest!

But can they really pull it off correctly remains to be seen?!?!

Walt
MS has a security director?
by oxtail01 June 30, 2007 12:11 AM PDT
Isn't listening to MS security director like having a robber guard your house?