Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Windows Operating Systems Software

Ask Microsoft's Security VP 543

There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week.
This discussion has been archived. No new comments can be posted.

Ask Microsoft's Security VP

Comments Filter:
  • What has changed? (Score:5, Interesting)

    by suso ( 153703 ) * on Wednesday January 18, 2006 @01:16PM (#14500849) Homepage Journal
    Besides the same old PR scripted answers that corporations like to give in order to obscure or downplay what is really going on. What assurance can you give us that Microsoft is more focused on security and that Vista is going to be any different from the previous incarnations of Windows? What proof can you give us? Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" are helpful pieces of information to answer this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?

    From what I've heard, even though most of Vista is being rewritten from the ground up with more scrutiny on what code goes into it, it will still have major flaws generated by the way Microsoft works internally as a company.
    • Please mod parent up - it's been 4 years since Bill Gates' statement "Security is priority" and we've all seen WMF bug in Vista beta...
    • Re:What has changed? (Score:5, Interesting)

      by electroniceric ( 468976 ) on Wednesday January 18, 2006 @06:33PM (#14504658)
      One major security difference between Windows and *nix is the need for many userland programs to run as Administrator. Clearly this enlarges the attackable surface area of the Windows platform by allowing attacks via applications that run as Administrator. Presumably this accounts for the decision to have XP Home users be Administrators by default.

      What is Microsoft's plan for eliminating this problem? How will Vista address the tasks that require higher levels of privileges? What restrictions does this place on normal users? How do focus group users respond to these restrictions? Has there been communication with applications vendors to ensure that they are making the necessary changes?
    • Re:What has changed? (Score:5, Interesting)

      by kestasjk ( 933987 ) on Wednesday January 18, 2006 @07:11PM (#14504924) Homepage
      On the same subject:

      Most of the most glaring Windows XP security problems (being in the Admininstrators group by default, being allowed to write anywhere by default, having the firewall off [pre-SP2] by default) were there to preserve compatibility with previous versions of Windows.
      Will Vista comprimise on security, or compatibility?
  • by no_pets ( 881013 ) on Wednesday January 18, 2006 @01:19PM (#14500874)
    Are you afraid that if Microsoft Security isn't greatly improved in Vista that a chair will be thrown at you?
  • by eldavojohn ( 898314 ) * <eldavojohn&gmail,com> on Wednesday January 18, 2006 @01:20PM (#14500888) Journal
    Mr. Nash, what are the greatest differences and similarities between Microsoft Corp. and Data General Corp., your two most recent employers? Most importantly, how drastic were the changes you saw (not necessarily changes due to job function but changes in general)? What do you like the most and what do you hate the most?
  • by winkydink ( 650484 ) * <> on Wednesday January 18, 2006 @01:20PM (#14500892) Homepage Journal
    What is the status of the Windows OneCare program? Is a released product expected soon?
  • by VitaminB52 ( 550802 ) on Wednesday January 18, 2006 @01:21PM (#14500897) Journal
    What is the Windows / Internet Explorer design decision that MS does, from a security point of view, regret most?
  • Patch Release Cycle (Score:5, Interesting)

    by skywalker107 ( 220077 ) on Wednesday January 18, 2006 @01:22PM (#14500919)
    Did the WMF Patch now set a standard that severly high risk problems will be patched out of the standard patch Cycle? How did Microsoft come to the conclusion that is was important enough to go against what it promised it's corporate customers?
  • by dada21 ( 163177 ) * <> on Wednesday January 18, 2006 @01:22PM (#14500922) Homepage Journal
    As a Microsoft product user, it has always made me wonder what the User:Bug ratio might be. Do we see more bugs found BECAUSE more users are using a product?

    Has Microsoft tracked the "security bug" to user ratio on their products and found that products with fewer users seem to have fewer bugs? If that is the case, I wonder if it is the normal process of higher supply leading to more people spending time looking for bugs.

    It is like the population:innovation ratio -- as a population goes up, the amount of innovators being born goes up, too, leading to more innovations.
  • Vista (Score:2, Interesting)

    by gcnaddict ( 841664 )
    I am in the Vista beta program, and the latest build has UAP implemented in a rather annoying way. Seeing as to how 5270 was nearly code-complete, will there be any change in how the UAP is implemented so as to not bug the user? I know many people in the beta besides me are bugged about this issue. (It takes 5+ steps to delete a shortcut on a desktop! Come on!)
  • by qwijibo ( 101731 ) on Wednesday January 18, 2006 @01:22PM (#14500927)
    Is there a general policy within Microsoft to help product teams make consistent security decisions? There are frequently issues where the decision has to be made between being more secure or more user friendly.

    For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.
    • Furthermore, as Windows is (for better or worse) the most widely-deployed operating system, why doesn't it make a better job of educating users about security? (That is, why does it pester me when the AV or update is out of date, or the firewall is off, but doesn't remind me of the destructive potential of doing ordinary stuff as Administrator?)
  • Hi,
    after happening WMF bug, which is (according to Microsoft own statement) from Windows 3.1 (!!!) - even if it was hardly-happening in Windows 9x - what exactly you changed in your security process to prevent these happening?
    • Re:WMF bug in Vista (Score:4, Interesting)

      by TimTheFoolMan ( 656432 ) on Wednesday January 18, 2006 @01:41PM (#14501198) Homepage Journal
      To elaborate, what does the security review process look like from the inside (such that other development teams might learn from it)? How does it differ from a code review? Why would this process *not* catch something like the WMF hole, given that this appears to be blatantly erroneous programming (assuming it wasn't intentional at the corporate level)?

      My biggest concerns about MS today surround this process, which is completely invisible to the world, but which we rely on for having greater confidence in MS products. Understanding how MS approaches these reviews might make us feel better (or might depress us beyond reason).

  • by Anonymous Coward on Wednesday January 18, 2006 @01:23PM (#14500941)
    Given that security is a major topic on IT manager's minds these days with security flaws and patches practically making front page news of some publications, What do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?
  • Security and usability often conflict. Microsoft has always erred in the side of usability, and, well, you can see the results for yourself. Do you have any magic wand to wave, or do you plan to give up usability?
  • by gid13 ( 620803 )
    Those that have been paying attention have repeatedly heard the same old arguments. "More eyes make more security", "Popularity increases the likelihood of being targeted", and so forth. My question is this: If Windows' undeniable popularity increases its odds of being targeted, how can one make a fair comparison of security between it and less popular OS's?
  • MS "bundled" it's web browser as part of the OS. This decision was in part brought about by legal challenges facing the company at the time. In my view, this was a very poor engineering decision, and the resultant "marraige" of browser and OS have led to repeated security nightmares for admins, companies and individual users. To my mind, the obvious solution would be to unbundle the two. But if MS did that, they would be admitting to perjury in court. I find this lack of judgement and integrity
  • Patch Schedule (Score:3, Interesting)

    by jtdennis ( 77869 ) <[moc.liamekaens] [ta] [20m942ryo]> on Wednesday January 18, 2006 @01:25PM (#14500969) Homepage
    Microsoft recently deviated from their normal patch schedule to release the WMF patch. What is Microsoft's reasoning on trying to hold critical patches until a specified date every month instead of releasing it as soon as its ready?
  • by nizo ( 81281 ) * on Wednesday January 18, 2006 @01:25PM (#14500974) Homepage Journal
    Have you started drinking or taking drugs since seeing the questions sent to you by Slashdot? Are you emotionally scarred and bitter now?
  • Speed factor (Score:2, Interesting)

    by FortKnox ( 169099 ) *
    Are many security flaws are due to features in windows that were under a time crunch and needed to be released? Perhaps due to bad testing or some other quality issue.

    As an aside, great job Roblimo! What a catch for an interviewee! Not going through a PR person, either. Can't wait to see his replies.
  • by kalpol ( 714519 ) on Wednesday January 18, 2006 @01:25PM (#14500976) Homepage
    Has open-source software such as Linux influenced the way you think about security in Windows, and if so, how?
  • Question (Score:5, Funny)

    by specialbrad ( 884393 ) on Wednesday January 18, 2006 @01:26PM (#14500981)
    Did you honestly expect to get 12 serious questions from a group like slashdot?
  • by kickabear ( 173514 ) on Wednesday January 18, 2006 @01:27PM (#14501003) Homepage
    Does Microsoft lean more towards rigidly enforced coding standards as a way to prevent exploitable bugs, or does the company focus more on brute-force bug detection during testing?

    I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?
  • SP vs Vista (Score:2, Interesting)

    by sinucus ( 85222 )
    If security is really a prime concern of Microsoft, why is it that new OS's are now getting the main focus of the dev teams? I don't know the exact number of coders in Microsoft, but it must be above 300,000. Why not have dev teams specific to each OS performing their roles? Why push back SP 3 for XP to develop Vista? Any person who has ever worked in an company knows that most companies lag behind when it comes to OS deployment. Isn't supporting and fixing bugs/exploits just as important to security as re
    • by Caspian ( 99221 ) on Wednesday January 18, 2006 @01:41PM (#14501205)
      I don't know the exact number of coders in Microsoft, but it must be above 300,000.

      Yeesh. This sort of quote reminds me of when I was a naive little proto-geek, wondering what sort of supercomputer my favorite MU* ran on.

      Microsoft has only 60,000 employees [] TOTAL.

      Of that count, surely no more than 50% (and probably much less than that) are programmers. Remember, that count includes not only the veritable hordes of management types and marketroids, but the guys who clean the toilets and the ladies who answer the phones. (And the ladies who clean the toilets, and the guys who answer the phones. And the guys who clean the phones, and the ladies who answer the toilets...)

      So you're off by at least a factor of ten.
    • Re:SP vs Vista (Score:3, Informative)

      by QuantumFTL ( 197300 ) *
      I don't know the exact number of coders in Microsoft, but it must be above 300,000.

      Check out Microsoft on Wikipedia []. They have approximately 60000 employees, and while it doesn't say the number of contractors, I would be shocked to find it is four times that amount. Also, remember that a large amount of these employees are *NOT* coders but managers, marketing and sales (that's a biggy), accounting, secretarial/administrative, researchers, and HR.
  • by Anonymous Coward on Wednesday January 18, 2006 @01:28PM (#14501010)
    Hello, Mr. Nash.

    I'm from China and I was wondering [remainder of message censored by People's Center For Internet Enhancement - Powered by Microsoft]

  • Pre-installed (Score:3, Interesting)

    by schlichte ( 885306 ) on Wednesday January 18, 2006 @01:28PM (#14501018)
    This seems to be more of a problem on pre-installed systems. You get it home, set it up, and it basically boots the OS with its pants down as far as security is concerned.

    I know when I bought my Gateway laptop it came with a default login as Administrator and to identify itself on the network, it used the OEM key as its name. I knew enough to change these options and many others myself, but many users do not.

    Why is it that Windows offered pre-installed on machines doesnt at least come with some sort of brochure or pamphlet explaining the least a user can do to add any level of security?
  • Will Vista default to an Admin account with no password?
  • by kortex ( 590172 )
    Some in the industry believe that part of the problem with security gaps in MS operating systems stems from the fact that each new OS release has been entirely built on existing technology. The recent WMF scare seems to amplify the truth in that statement. Apple seems to have had a great deal of success rearchitecting OSX - will Microsoft ever be willing to start from the ground up on a new OS with security being a primary strategy from the outset?
  • Audit of Software (Score:5, Interesting)

    by WebHostingGuy ( 825421 ) * on Wednesday January 18, 2006 @01:32PM (#14501062) Homepage Journal
    Certain open source projects such as OpenBSD have routine audits of the software to search and remove potential security problems. While I understand Microsoft Operating Systems are very complex Microsoft does have an enormous amount of talent and resources at its disposal. Is it possible that Microsoft will review all new operating systems in the future with the same sort of audit performed by others? Wouldn't you think this would be worth it to prevent mistakes which could be costly to end users?
  • Home vs Pro (Score:4, Interesting)

    by Cro Magnon ( 467622 ) on Wednesday January 18, 2006 @01:33PM (#14501074) Homepage Journal
    Will Vista have a watered-down Home version that has fewer security options than the Corporate version?
  • by Caspian ( 99221 ) on Wednesday January 18, 2006 @01:34PM (#14501087)
    Time and again, I've seen average end-users-- grandmothers, "soccer mom" types, businessmen-- whose computers are positively clogged to the gills with spyware, viruses, and other sorts of malware, the overwhelming majority of which they were infected with via the exploitation of security flaws in Microsoft software. I'm often tasked with disinfecting their computers.

    How often do you (and the members of your team) spend time with average end-users-- not just in large corporate settings but in small businesses and (just as importantly) in real-world home settings? I believe that if you would spend time with Joe Average and see just how badly his computer's performance (not to mention his personal privacy and the integrity of his data) is suffering from the exploitation of certain bugs and design decisions (e.g. the fact that most end-users run with Administrator privileges) in Microsoft software, it would cause a significant shift in Microsoft's security strategy.

    No matter how often $LATEST_WINDOWS_VERSION is touted as more secure than its predecessors, I still keep getting called to average homes to remove countless items of spyware which infected Windows systems via holes (and/or poor design decisions, e.g. the handling of ActiveX controls and the abilities they can have to alter files on the system) in Internet Explorer, and to this day (despite the wide use of antivirus software) most end-user systems I examine do contain at least a few viruses (which entered the system via Microsoft Outlook).

    What are you doing to secure Joe Average's PC? Do you have any interaction with average end-users? And if not, why not?
  • by tz ( 130773 ) on Wednesday January 18, 2006 @01:34PM (#14501094)
    The XP Embedded version can be created with or without IE or WMP, but I don't know how many DLLs have chunks of code designed to launch or provide IE or other MS product functionality (designed to give Netscape Users "a jarring experience" in the words of a Microsoft person). Is Microsoft ever going to sort and layer things so that there will be an isolated kernel, application layer, GUI, device drivers, (and if so, when), or is "Windows" going to continue to integrate things, e.g. "The Spreadsheet and Editor are now 'part of the operating system'"?

    Rationale: Many security problems are due to everything running as Administrator, with privileges, or as part of the OS. One thing I like about GNU/Linux is that each part is separate, so Firefox runs on X which runs using services, which runs using the kernel, with only the kernel having privileges. Generally a buffer overflow problem in X, or Apache doesn't let someone format my hard drive. Also you can put something to analyze or intercept things between such layers - even things like ltrace or strace.
  • Dear Microsoft Security VP:

    I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When He called me for tech support, I told him to download the Microsoft Anti-spyware from Windows update, but his answer was that it required a registered copy.

    My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)

    What do you plan to do about this?
  • by dpbsmith ( 263124 ) on Wednesday January 18, 2006 @01:35PM (#14501106) Homepage
    On January 17, 2002, p. 1, the New York Times reported, "Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal" and quoted Jim Allchin said "Every developer is going to be told not to write any new line of code until they have thought out the security implications for the product" and that "the company was trying to change the culture of its software developers, who have been putting their emphasis on adding features to the company's software to increase its value."

    In your opinion, has Microsoft succeeded in changing its culture so that every developer now considers security first, features second?
  • What are your thoughts on security through obscurity []? Do you believe the technique works? In what ways do you think the closed nature of Windows prevents the corollary many eyes principle [] from being used? Do you have any ideas on how Windows could utilize the many eyes principle?
  • WSUS Release Dates (Score:5, Interesting)

    by Mr.Fork ( 633378 ) <edward.j.reddy@g ... com minus distro> on Wednesday January 18, 2006 @01:36PM (#14501121) Journal
    As a Service Desk manager and network guru for my organization, I am responsible for ensuring that all workstation desktops are kept up-to-date and secure. Currently, Microsoft releases patches once a month, usually on the second Tuesday of the month.

    With the current advances in smart viruses and malware, that release schedule seems unrealistic. OS security threats have been addressed with emergency patches, but that does not seem like a sustainable methodology.

    What is Microsoft's long-range vision on OS patches to ensure that our Server and Workstation Operating Systems are secure, safe, and patched in a timely manner?
  • Lots of us on /. have "great" memories of coming in on weekends, staying overtime, or coming in early to deal with bugs, viruses and various problems caused by no fault of ours, but mainly due to holes we could not see or prevent.
    This kind of business, in addition to Bill Gates' wildass (and often incorrect) speculation about future technologies and sweat-dancing, chair-throwing antics of Ballmer has jaded our image of MS.

    How does MS plan on restoring a serious security image with Vista, which does not see
  • by teklob ( 650327 ) on Wednesday January 18, 2006 @01:36PM (#14501131)
    I'm honestly not trying to troll here, but wouldn't it be easier to rewrite IE from the ground up? Have you guys considered this and ruled it out, or have you just not contemplated it. Not to vaguely bash microsoft, but a large percentage of PC and/or Windows power users would probably consider Internet Explorer 6 a write-off. Any thoughts?
  • Application software (Score:5, Interesting)

    by Cro Magnon ( 467622 ) on Wednesday January 18, 2006 @01:36PM (#14501132) Homepage Journal
    I realize that Microsoft cannot control what 3rd party software does, but will Microsoft's applications and games run under a limited account, or will they still need Admin access?
  • by timster ( 32400 ) on Wednesday January 18, 2006 @01:36PM (#14501133)
    We all know that a very important part of system security is the lack of fatal security bugs. This is a problem that has been very large with Microsoft products in the past, and is reflective of code quality. Fixing these bugs is crucial.

    However, even when a security system doesn't have any bugs, it can still be very insecure. We can define "security" in a more general sense as "the extent to which a system is doing what the owner or user expects". The problem is not that the system is capable of malice so much as that the system is capable of malice of which the user is unaware.

    How is Microsoft in the future going to design their systems so that users know what is really going on?
  • Whatever (Score:2, Insightful)

    Look, we all know the drill by now. Microsoft looks bad. The guys get somebody who they think we'll all trust, he comes and says "ask me some questions", but at the end of the day, it's all PR. No one from Microsoft is going to honestly answer any question. Not yesterday, not today, not ever. The purpose of all these idiotic "ten questions" or "twelve questions" is purely PR, to try to make Microsoft look good, and quite frankly I have to ask myself why any employee of Microsoft would so willingly whor
  • Donald Rumsfeld once said, "You go to war with the Army you have." What is your philosophy on how you work with a large organization such as Microsoft to balance security with the need to meet deadlines and to keep costs low? You know there are going to be exploitable holes (there always are) in an operating system, when do you and how do you know when to say, "OK, we are good to ship this." Does security of future Microsoft applications and operating systems correlate to costs spent on your team?
  • Spyware (Score:5, Interesting)

    by PetyrRahl ( 880843 ) on Wednesday January 18, 2006 @01:39PM (#14501168)
    Mr. Nash,

    In regards to spyware MS has already taken some steps to try and stem the flow (asking about running exe files, the Spyware Removal Tool, etc), however as a consultant I find many of my clients are still infested with the stuff. From my perspective it appears that many users are affected still by these programs and that they are either unaware of how to prevent them in the first place, or how to get rid of them. Many times it is significantly faster and easier (and in some cases, safer) to just format the machine in question and start from a clean slate. Does MS feel that spyware is still a major problem, and if so, what new measures MS doing in order to combat it?

    Petyr Rahl
  • The Windows security model really isn't bad in theory, in fact it's quite nice, I wish the standard Unix filesystem permissions were as flexible. However, the implementation of the permissions on default installs of Windows are absolutely terrible, it's a nightmare really tightening them up to make systems secure and useable.

    So, my question... When is microsoft going to tighten up the default configuration of windows and make application vendors stick to good practice?

    I'll make a wild guess at never, howeve
    • On a related note, it seems MS is afraid to change the default configuration of Windows file permissions because it would break existing apps that either were written for Windows 9x, or that were not written to conform to the standards of the Windows 2000/XP file tree. Would MS consider tightening the file permissions, even though it will break many existing apps, in order to demand better behavior from app developers and have a more secure system?

      Also, it seems to me that Windows' dual focus on consumer

  • Marketplace (Score:2, Interesting)

    by alfalfro ( 120490 )
    Mr. Nash,

    Security decisions are usually dominated by economic and business considerations; it's often been said that Microsoft will stop making insecure software shortly after customers stop buying it.

    Let's say I'm a shareholder, explain to me why you should be spending money on security. Where and how much is the return on investment?

    You will also have to balance many considerations when determining what security to implement. What are the major security tradeoffs/decisions you anticipate making this year?
  • ...when me and my company's sysadmin are trying all day long to get rid of a nasty new virus (nyxen.d) plus over 85 spyware programs installed on average on any pc on the network.
  • User privileges (Score:5, Interesting)

    by azpenguin ( 589022 ) on Wednesday January 18, 2006 @01:40PM (#14501183)
    Many users still don't understand the importance of creating user accounts instead of using the default administrator account. Will Vista work "out of the box" in a manner that will encourage those who are not technically savvy to work under a user account instead of an admin account?
  • Why does the default user account of Windows XP have administrator privileges? Why does it still include technology like ActiveX although Microsoft has developed safer technologies (such as .Net) that could replace it? Why do critical parts of Windows like Windows Update depend on ActiveX?
  • by ZiZ ( 564727 ) on Wednesday January 18, 2006 @01:40PM (#14501188) Homepage
    Mr. Nash,

    There are a number of industry best-practices that any system administrator will tell you are vital for proper security. I will not claim to provide a complete list, but the two that seem to have the most frequent effect on an OS's percieved security are:

    • Minimizing the number of services and processes running (preferrably via a service opt-in rather than opt-out policy)
    • Performing all activities as an unpriviliged user, with some method of securely and briefly authenticating to higher permissions when required

    Windows has been steadily improving on the first point, but the second point has long been a problem for administrators; there is no generally-used near-transparent way for a program to request higher privileges, for instance.

    Worse, many third-party (and, for that matter, some Microsoft) programs will fail silently or with obtuse errors if you run them as less-privileged users because they demand the ability to, say, write to system areas - often without warning - and require heroic gymnastics by administrators to resolve (if a resolution is even possible).

    Is this issue of least-privilige being difficult to acheive being addressed in future versions of Windows? What changes can we expect to come down the line soon and in the near future?

  • What do you feel is currently the biggest security threat to the Windows Operating System and what are you all doing about it?
  • by yamla ( 136560 ) <> on Wednesday January 18, 2006 @01:40PM (#14501192)
    When counts are released showing the number of Windows security holes vs. the number of holes in Linux, the counts generally include software that can be installed from the original CD. With Windows, this includes MSIE, Windows Media Player, etc. On Linux, this includes thousands of end-user applications, programs that Microsoft does not include with Windows. Do you think these comparisons are fair? Would you rather see comparisons to minimal installs of Linux?
  • Product Activation (Score:3, Insightful)

    by Shawn is an Asshole ( 845769 ) on Wednesday January 18, 2006 @01:40PM (#14501193)
    Will Vista still have the same anoying Product Activation that only affects legitimate users of the software?
  • Over the last few years almost all the big worms and security holes have come about due to the dreaded buffer overflow. What steps has Microsoft made to sweep through your expansive code base looking for such things?
  • by dtfinch ( 661405 ) * on Wednesday January 18, 2006 @01:41PM (#14501203) Journal
    We see news all the time about Microsoft vulnerabilities discovered by third parties, and later patched by Microsoft, but I can't recall many being discovered by Microsoft. I often imagine that it's because releasing patches for vulnerabilities previously unknown to researchers and the public creates an unnecessary risk by disclosing the vulnerabilities to anyone willing to reverse engineer the patches, and so the patches are held back until they vulnerabilities are rediscovered outside of Microsoft or until the next major product release, but I'm basing this on nothing more than speculation. What does Microsoft do inhouse identify and patch vulnerabilities that have not yet been discovered by third parties?
  • by tringstad ( 168599 ) on Wednesday January 18, 2006 @01:42PM (#14501221)
    Why is there no way to submit easily reproducable and verifiable bugs other than by snail mail to a generic address, or worse, opening (and paying for) a support case?

    And why does the phone number on this "report a bug" page: []

    call a generic technical support & sales line, which ultimately will tell you that you must either open (and pay for) a support case, or submit your bug by snail mail to 1 Microsoft Way?

    Is it Microsoft's stance that the inability of its users to report bugs makes its OS more secure?

  • XP's firewall (Score:5, Interesting)

    by fudgefactor7 ( 581449 ) on Wednesday January 18, 2006 @01:43PM (#14501233)
    When Microsoft added a firewall to XP, it was a since first step; but why was the decision made to have it only work in one direction? Surely, a better solution would have been a firewall that worked for not only incoming packets, but for outgoing as well? And as a followup: why not add that functionality?
  • by arminw ( 717974 ) on Wednesday January 18, 2006 @01:43PM (#14501237)
    In current Windows systems, many programs will only work correctly if the user is granted administrator rights. Will MS lean on developers to write their software such, that a normal user status is sufficient? Much malware today silently installs itself without so much as a warning to the user. Will VISTA incorporate some sort of warning and ask for a password before ANY executable file can run for the first time or install itself deep in the system? Will users be told NOT to type password unless they are SURE the file comes from a trusted source?
  • OpenBSD (Score:5, Insightful)

    by hahiss ( 696716 ) on Wednesday January 18, 2006 @01:47PM (#14501278) Homepage

    How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?
  • by tz ( 130773 ) on Wednesday January 18, 2006 @01:47PM (#14501280)
    When will drive letters go the way of floppy disc drives (or at least let me add or remove a drive without completely hosing my system)?
    When will we have actual symbolic links?
    When will you ship with everything possible disabled until needed or manually enabled?
    When will defragging a disk or some obscure network function not lock up every task?
    When will you not install by default two thousand modem or other .inf files (or at least keep them in an archive)?
    When will you not keep asking to insert a driver disk when the files are already in c:\windows\system32\ (and will "install" if I just point the directory there)?
    When will you disable autoplay features by default, or at least make them prominent in a security area (instead of editing obscure system setting panels)?
    When will you get rid of, split, or otherwise do something reasonable with the trash "heap" otherwise known as the registry?
    Are you ever going to allow me to change my hardware and do autoconfiguration (Both MacOS and Linux will let me boot from a disk in another system, a CD, etc. and manage to find all the necessary and most of the exotic hardware)?
  • How will Microsoft handle the differences between the security enviornment for Home PC's vs PC's in Business enviornments?

    Business PC's usually live in live in administrated, controlled networks, which hopefully have someone in charge of security on those networks. They also live behind firewalls, proxies and have shrinkwrapped as well as in house answers to security threats. Users have much reduced privilages, security policies are in effect and companies backup data and can even use imaging to secure against vunerabilities.

    Contrast with Home PCs which live in small, largely unadministored networks. Many are still directly connected to the internet. These PCs may have no anti-malware technology at all. On top of that, users are uneducated and often do not even realise they have been the victims of security breaches. Typically, security involves extensive suites of specialist software that gobble ever more resources.

    There are also intermediate security enviornments. Small to medium sized businesses may have sizeable networks, but fail to implement any real security policy due to time and budget constraints. Home users can also have sizable networks, with a multitude of internet capable devices in the one home becoming more commonplace.

    Typically, Microsoft has offered essentially the same software framework for both Home and Business computers. Will Microsoft offer a one size fits all security framework also?
  • by Bob_Villa ( 926342 ) on Wednesday January 18, 2006 @01:48PM (#14501305)
    Why are you adding in DRM controls to Vista that regular users are not going to want? It may come in handy for corporations wanting to control their documents, but I can't see how regular users would knowingly want a product that restricts their access to their documents or files.

    Also, I think you could dramatically improve security by decoupling Internet Explorer from Windows. Have it be a separate program similar to Opera, FireFox, Safari, etc... Is there really a valid reason that Windows Explorer has to be driven by Internet Explorer?
  • Legacy Code (Score:4, Interesting)

    by chill ( 34294 ) on Wednesday January 18, 2006 @01:51PM (#14501347) Journal
    As the recent WMF issues have demonstrated, there is a lot of legacy code in the core OS. Some of it seems to date back over a decade. Much of it seems to originate in a time where security was no where near the concern it is now, and network connectivity was the exception and not the rule. While I understand backwards compatibility is important for some customers, has there been serious efforts to audit that old code? What about the idea of a clean break with ancient code?

  • users and auditing (Score:5, Interesting)

    by H310iSe ( 249662 ) on Wednesday January 18, 2006 @01:53PM (#14501367)
    As a windows desktop administrator since the bad old days of 95 and 98 I have to give you guys some credit for how far you've come; however there are two issues I'm faced with that continue to be problematic - user rights and security auditing.

    Despite whatever SU-like features you have, on XP I still can't reliably install, or in some cases even run(!), programs under restricted user accounts, forcing me to give most of my clients admin accounts and just hoping for the best. How seriously do you treat this issue and what work is being done towards getting an OS that can be used in the real world with restricted user rights?

    Auditing - finding, say, if user X has any write rights anywhere on a server, who has done what on the system in the past day, what files were modified by a program's install, etc. all these things are do-able but not easily, and not using just MS supplied tools. How about a toolset for administrators that give us (especially the part-time admins like myself who don't just live and breath security) easy access to the reporting, auditing, and security tweaking we need to do our jobs well. And no, configuring and interpreting the security logs in the event viewer doesn't count as an easy to use auditing tool.

  • by avalys ( 221114 ) on Wednesday January 18, 2006 @01:54PM (#14501380)
    What modern, in-use, server operating system do you consider the most secure one available today? I'm talking about one along the lines of Linux (name the distro), OpenBSD, Mac OS X, Windows, and so forth. How about a desktop operating system?

    Please name a specific answer for both questions, and please don't name something useless like DOS. Your answer must be something that a sane network administrator might choose for an internet-connected server and desktop deployment.

    Separately, do you think that Mac OS X is a more secure _desktop_ operating system than Windows XP? Obviously there have been far fewer worms, trojans, and viruses for OS X than Windows. Is that really solely due to OS X's lesser popularity, or is it truly a fundamentally more secure system?

    If you think Windows XP is more secure, why? What security features does it have that OS X doesn't?

  • by The_Crowder ( 946902 ) on Wednesday January 18, 2006 @01:54PM (#14501384)
    Does the creation of an antispyware tool by Microsoft mean that your team has failed in their role of creating secure software?
  • by jonathan_lampe ( 943581 ) on Wednesday January 18, 2006 @01:55PM (#14501393)
    Why hasn't Microsoft added AES to its SSL stack yet? As a Microsoft developer, it's annoying to get beaten over the head when facing competing solutions that can use the AES (128-,192- and 256-bit) encryption algorithm in their SSL implementations.

    (OpenSSL - including the Mozilla browsers - and Java SSL have all had AES support for a while. Most SSH implementations have also had it for a while.)
  • by jthrelfall ( 946894 ) on Wednesday January 18, 2006 @01:57PM (#14501418)
    IMHO - I find that the reason that Microsoft's products are insecure is because of the level of backwards compatibility that has been engineered into the product lines. While being able to run older applications is useful for many corporations that have difficulty in finding replacement apps, the sad state of affairs is that it is just that level of compatibility that hampers a full rewrite of the Windows core architecture. If Microsoft were to make a bold decision and create a truly new architecture that had the Windows look & feel but was based on sound secure coding practices, the possibility for exploits would be drastically reduced than with the current 'we have to make sure that the app written in Visual C ++ v2.0 still works' mentality. Backwards compatibility for older applications can be achieved with running the app(s) with a slim kernel & supporting services in a virtual machine that has very limited privileges. So my question is: Will Microsoft ever make the move to a newer, secure architecture, or can we expect Win9x compatibility with WinOS circa 2025?
  • Next big thing? (Score:5, Interesting)

    by Randolpho ( 628485 ) on Wednesday January 18, 2006 @02:01PM (#14501459) Homepage Journal
    By now, many of us have heard about Singularity [], Microsoft's research OS with its ultimate goal of dependability (in which security plays a very large role). How does Singularity fit into Microsoft's long-term security and operating system goals? Will Microsoft eventually adopt Singularity and its inherent security? Will Microsoft adapt the concepts of Singularity to its current NT-based OS structure? Is there a third option coming down the pipe?
  • Culture and Security (Score:4, Interesting)

    by Hard_Code ( 49548 ) on Wednesday January 18, 2006 @02:07PM (#14501538)
    I have started watching videos at Channel 9 that explain in-depth the internals of some core Windows components, which has given me some perspective and respect for those developers. However, even from these videos it is clear that Microsoft has been in the past (and perhaps still is) ruled by a "cowboy coder" culture (revealed for example in the series on the Vista kernel in which they openly discuss their attempts at managing the "state" issue, and talk about the problems due to unscrupulous use of the registry).

    I would like to think that Microsoft has finally "got the religion" about reliable code, unit testing, defensive programming, etc. (it seems that many historic decisions were made on disputable performance grounds instead of a long-term view of security implications, and now Microsoft is paying the price).

    Is this the case (do you even agree with the premise) and if not, what is Microsoft's strategy for evangelizing safe and robust programming practices (as well as overall architecture) *inside* Microsoft? It seems that the best laid plans of kernel and system architects can be ruined by some guy working on the shell that is getty pressured by marketing to Hurry Up and implement that gee-whiz feature that will "impress" the customer.

    (extra cheat question: Raymond Chen has recently posted about "decoy" windows and other hacks that MS has implemented to compensate for badly written application code - as a user, this does not seem to serve my interests. Instead of quiety accepting the misbehavior, I would like Microsoft to make these sorts of problems apparent in some manner to make the user aware of their software and demand better behavoir from developers of the software they purchase, and also to shame software developers into behaving well. Continually accommodating intentionally bad software seems to be a bad long-term strategy. Any comment on that?)
  • by spyrochaete ( 707033 ) on Wednesday January 18, 2006 @02:09PM (#14501573) Homepage Journal
    Mr. Nash,

    I understand that MS has recently decided to extend the deadline to abandon official support of Windows XP Home to 2008. While many applaud this 1-year extension, others feel this deadline is insufficient. Considering this is the most popular operating system in the history of personal computing, will MS take responsibility for any damages caused by this deadline? (e.g., unpatched vulnerabilities resulting in spam and DDoS zombies, virus proliferation, identity theft, etc.) Is MS willing to reconsider this deadline?
  • MSFT employee here (Score:5, Insightful)

    by Anonymous Coward on Wednesday January 18, 2006 @02:13PM (#14501616)
    Hi, Mike,

    I have just one question for you. Why do we STILL ship products with KNOWN security issues?

    I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that flaw will affect a ton of customers and cost Microsoft significant litigation. Some of very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what DFD is and how to put one together.

    This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in a couple of hours they've allocated for this. You can barely glance through this much code in this much time, 90% of security issues remain unnoticed during this "code review".

    After all is said and done, product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional saying that product is now Fort Knox secure.

    If you ask me, that's abomination, not a proper security process. Are there any plans to change it?
  • by Asprin ( 545477 ) <> on Wednesday January 18, 2006 @02:16PM (#14501653) Homepage Journal

    Does Microsoft have any regrets regarding its historical strategy of designing software that mixes code in with data (E.g., ActiveX, IE, VB Office, etc.) to make life easier for developers, despite the security implications and risks of such a strategy?
  • DRM (Score:3, Interesting)

    by Stomkrow ( 945742 ) on Wednesday January 18, 2006 @02:18PM (#14501679)
    Given the recent spate of ugliness regarding DRM in the marketplace what solutions does Microsoft intend on implementing to ensure consumer rights? Do you really think DRM will float with consumers or that it is destined a slow and terribly painful death? I know that I speak for a great many of us when I say that I fully intend on banning any and all DRM materials from my home and my business. PERIOD. There is no debate in this.
  • Security & Education (Score:3, Interesting)

    by SchrodingersRoot ( 943800 ) on Wednesday January 18, 2006 @02:19PM (#14501684) Journal
    As a former PC tech, I have many of the usual horror stories regarding tens of thousands of spyware components on machines. Now, while I never objected too strongly to users having lots of spyware, as it helped pay my salary, I appreciated the fact that Microsoft purchased and made MSAntiSpyware available free. I'm also glad that Vista will be deployed with Windows Defender, along with automatic updates, and that IE will ship with security improvements, such as 'protected mode' and ActiveX controls disabled by default.

    However, to me, this seems only half of the real battle when it comes to spyware (and other security issues). The other half, in my experience (And in GI Joe's, apparently), is knowledge. Education. I have noted that some systems, even heavily used systems, without tools like MSAntiSpyware, AdAware, and Spybot installed can have very little spyware, whereas even some systems with such tools can become heavily infested.

    So my question is this: especially given that many of the users of Windows are less tech savvy than would be preferable, are there any plans to address the other side of the equation in Vista (or elsewhere), for security issues like spyware? A Security Tour, recommendations, help features, tutorials, etc?
  • Security for Morons (Score:3, Interesting)

    by chadjg ( 615827 ) <> on Wednesday January 18, 2006 @02:27PM (#14501779) Journal
    I'm not very smart about computer security, but I can follow directions with precision, think about threats in a general way, and I care. What is your company doing for people like me? It seems that no matter what I do I have problems with your software. Ok, I'm still using windows 98, but why do I have to run two security apps plus the cheap Zone Alarm firewall just to stay functional?
  • Slashdot bites? (Score:3, Interesting)

    by rilister ( 316428 ) on Wednesday January 18, 2006 @02:29PM (#14501801)
    How do you feel about the at-least-slightly-prejudicial busted-up broken window icon Slashdot use to highlight this article?

    realtedly: Do you believe the anti-Microsoft bias of Slashdot is peculiar to this forum or does it reflect a general antipathy in tech circles? Why do you care what the community at Slashdot thinks?
  • by Stan Vassilev ( 939229 ) on Wednesday January 18, 2006 @02:31PM (#14501825)
    I hope my question is not too technical, but here goes:

    One of the most important innovations in Vista regarding security is the revised user/privileges system, including the new "limited" mode IE (and potentially other web apps) will run in.

    The basic goal is that even if IE has a flaw which allows malicious code to run from the browser, that it will not have the privileges to read/write/execute code, with the exception of writing in the IE temp files folder (the cache).

    However to allow the IE plugins and IE itself to go on its business (such as download files to where the user wants), special 'broker' processes were introduced IE to talk to.

    Apparently those processes have higher privileges. So if IE can command them to download code, doesn't it render the point about the privileges protection moot. If not why.

    And another such concern. I suppose the limited IE mode applies only when the mshtml engine is launched from within the "official" IE shell.

    However many apps use that shell, and since the malicious code retains the ability to write to the Temp Files, won't it be possible the reuse of "infected" cache via embeded IE to raise the privileges for execution and infect the system anyway.

  • by DrSkwid ( 118965 ) on Wednesday January 18, 2006 @02:38PM (#14501891) Homepage Journal
    If you had to store your Credit Card Number, SSN, etc. on your computer, where would you put it/them ?

  • by Hackeron ( 704093 ) on Wednesday January 18, 2006 @03:36PM (#14502659) Journal
    My question is there are currently 23 security exploits in windows xp that you have known about for many months and they are well documented on sites like and With Microsoft's unlimited resources and focus on security, why arent they getting fixed?

We don't really understand it, so we'll give it to the programmers.