In a Microsoft mailing list posting sent yesterday, Microsoft Chairman Bill Gates reports that the company is making progress on its initiative to make its products more secure, though he also notes that the demand for security has risen since Microsoft began the initiative. New versions of Windows Server 2003, SQL Server, and Exchange Server will all have passed the new, more stringent testing, and users will notice that vulnerable services will be turned off by default. In the email, Gates also promoted the use of smart cards for authentication. Read more in this PC World article.
Microsoft security will be comparable to Unix/Linux systems very shortly. Microsoft has the funds to do just about anything they want. The more money Microsoft pumps into security, the better Windows will be. MS will and probably has already hired the best security people in the world to help them on this project.
Sorry Linux people, but Microsoft does have the funds to take over the world, like it or not.
Linux lives on the server, but the desktop war is a losing battle.
“Microsoft has the funds to do just about anything they want.”
Herein lies the problem, they have the money and are still only blowing smoke about it.
I beg to differ, the Desktop War is just starting. Not only Linux vs. Windows but even Mac is now a viable alternative again (would be even more if they’d slash their prices). The problem with Microsoft I think is that they stayed too long on the “unsecure but feature rich” track. They became what they are and other countries than the US are seeing this more and more from a different perspective. That all this won’t happen over the next year is clear, however other Operating Systems are slowly gaining foot. I think it’s great that MS pushes into Security, because in the end it’s us the “users”* that benefit from the choices later on.
I have to agree with you however that the Server is where the change from MS to something else will be most noticeable in the near future.
//vic
*users also mean corporations, and companies
You speak like all MS marketing (and so many companies and all the people who know nothing about security) as if security is a feature, an added value. You’re soooo wrong!
Security is something that must be part of the system from the beginning. Even the Linux kernel and many free software programs have recurrent security holes because of a lack of risk management in the security field.
MS will never be able to close all security holes in its products. Security is not a magic spell or a marketing word, it is good engineering practice.
The good news is that they will probably be able to close some security holes that require less than 50 lines of C to work. And that’s not so bad.
and users will notice that vulnerable services will be turned off by default
Shouldn’t vulnerable services just not exist? :-p
>>>>Shouldn’t vulnerable services just not exist? :-p
Then don’t use ftp — because it sends your passwords in plain text. We use vulnerable services every day, it just depends on how we use them.
Most people who use computers are completely computer illiterate. Think about your mom, dad, grandmom. If they use computers, it has probably taken them a LONG time to get used to using Windows/Word/Excel. Switching them to Linux or even Mac would be a painful process. The only way that Linux wins the desktop war is if they set up Linux to look and function completely like Windows does.
Techies, and IT Folk are able to adjust, but it would take my parents months/years to learn a new system with different features. And as for security…how often do you think the average user installs Microsoft’s security patches or updates? The majority of the people don’t have high speed ISP so imagine downloading the 80mb patches from Microsoft. People don’t really care that much about security on the desktop. On the servers…that is a completely different issue. I don’t think that my mom would care if a “hacker” broke into her computer and read her email.
Linux needs to imitate Windows to win.
You fail to realize that a hacker could do much more than just read your email. Do your parents shop online? I bet they do and if a hacker is smart he/she would gather credit card information from a lot of clueless individuals like yourself who only think that hackers are only looking for personal email.
Yes… they do this too:
http://57r1k3.pwn3d.us/~ddipaolo/misc/images/computer_bomb2.jpg 😉
———————————————–
“…Bill Gates reports that the company is making progress on its initiative to make its products more secure, though he also notes that the demand for security has risen since Microsoft began the initiative.”
————————————————-
Translating…
“…Bill Gates reports that the evil empire is making progress on its initiative to make it more difficult for users to burlate copyrights, though he also notes that the demand for copy protection has risen since RIAA began the initiative.”
>>>>I bet they do and if a hacker is smart he/she would gather credit card information from a lot of clueless individuals like yourself who only think that hackers are only looking for personal email.
Credit card data are almost always stolen from the online merchant’s servers, not from individuals’ computers.
Please back up your statement with hard facts. A simple keylogger can easily accomplish this feat on a Windows machine running insecurely on a broadband connection.
On the same day Bill Gates sent that message, a buffer overflow was found in the locator service on all (NT based) versions of Windows. This affects virtually all systems acting as domain controllers.
For more information, see http://www.microsoft.com/security/security_bulletins/ms03-001.asp
Of course, that vulnerability comes on the heels of a vulnerability found in CVS which forms the backbone of open source development.
I’d say MS’s approach to security is much more respectable now than it was when Trustworthy Computing was announced. MS is looking for these problems proactively and finding many more in house, which allows them to release fixes before exploits for the bugs are in the wild.
Contrast this to before Trustworthy Computing, when one vulnerability after another was found in IIS by eEye.
Of course, we saw a similar string of vulnerabilities discovered in OpenSSH.
We also saw two bugs in Solaris which combined to form a remote root compromise: the font server buffer overflow and the priocntl() module loading vulnerability.
So, in conclusion, I’d say the security of Windows systems is rapidly approaching that of Unix systems.
>>>>Please back up your statement with hard facts. A simple keylogger can easily accomplish this feat on a Windows machine running insecurely on a broadband connection.
Every news article about stolen credit card data was about the merchant’s servers getting breached. You get tens of thousands of credit card numbers at once. Criminals don’t want to steal credit card numbers one at a time. You have to back up your statement, not me.
Trustworthy? Does this mean their upcoming Windows OS will have the XP-spyware stripped out of it?
>>>>Trustworthy? Does this mean their upcoming Windows OS will have the XP-spyware stripped out of it?
Microsoft has one of the best privacy standards in the world. Everything is spelled out clearly (like WMP9) on the front pages now, it’s opt-in (not opt-out like the other silicon valley companies). WMP9’s privacy page is page #1 when you start the installation process, Real’s privacy page is hidden somewhere.
The best way for Microsoft to kill off their competitors is to up the privacy issues. For Microsoft, it’s even better than any strong arm tactic with their OEM partners. There are no anti-trust concerns and there are no anti-dumping concerns.
If Microsoft ups the privacy standard for Hotmail, then Yahoo’s email service has to follow — but then Yahoo would have less income because they can’t exploit their customers’ data. Same thing for Microsoft’s travel website, car website, ….
Microsoft… strong privacy policy… which alternate universe do you live in? We are talking about the company which developed a media player which sends back traceable information about all CDs and DVDs it has played. The company which produces a mouse which has a driver that isn’t fully functional until it is allowed to connect to a server owned by Microsoft. The company which not too long ago decided that they should have admin rights over your computer and put that as a clause in a security patch for their media player. (Lose your rights, or be hacked! Some choice they are giving you, huh?).
Everything about MS reeks of untrustworthiness. I’ve long ago decided that there is just no way that I will ever use Windows XP, and Windows 2000 will be my last OS from MS.
Most of them were stolen from MS-based servers, with cheap admins.
>>>>(Lose your rights, or be hacked! Some choice they are giving you, huh?).
Everything is relative, isn’t it? Other companies are 10 times as bad as Microsoft. And all Linux distributions have automatic patching now. At least Microsoft says it on page 1 of the installation page.
All I am saying is that instead of Microsoft wiping out their competitors by lowering their prices or strongarming their OEM partners — Microsoft can wipe out their competitors by up-ing their privacy standards. The end result is still the same — Yahoo’s email service would have lower revenue (not because Microsoft lowers their price) but because Yahoo has to up their privacy standard also (causing lower ad revenue).
>>>Most of them were stolen from MS-based servers, with cheap admins.
The problem is the admin’s fault, when most of the time a security patch was issued by Microsoft years ago.
MS trustworthy sure, with the backdoor they built in Windows Media Player 9 & Pelidium (sp?) coming down the road MS seems more consumed with controlling systems.
>>>>MS trustworthy sure, with the backdoor they built in Windows Media Player 9 & Pelidium (sp?) coming down the road MS seems more consumed with controlling systems.
It’s not a backdoor when Microsoft tells you there is a door on the front page of the installation, which you are opted out of by default.
All the spyware on virtually any Windows machine is doing exactly what it’s supposed to do. This is not a problem of Windows, it is doing exactly what it is instructed to do. It is doing what the programs instruct it to do.
The problem is the programs, and the impossibility to modify them. It’s closed source. There is money to be gained by boobytrapping your programs, so commercial vendors do it. Nobody can undo it.
It cannot be solved in any way at all. It won’t be changed by any technical mechanism. At least not for the user.
“Every news article about stolen credit card data was about the merchant’s servers getting breached. You get tens of thousands of credit card numbers at once. Criminals don’t want to steal credit card numbers one at a time. You have to back up your statement, not me.”
That’s because you never hear about the little guy who has been hacked and doesn’t even know about it! Not to mention the fact that it is not very newsworthy to begin with as well in these days of rampant virii infections.
$hit a simple self-replicating trojan that has a key-logger built-in that only starts up when IE is launched and only records 8 numeral digits along with a month and year value is all that is needed. Then when 8 digits are inputted this proggy makes a copy of itself and sends off its data to some unknown IRC chatbot waiting in an unknown IRC chatroom to collect data. Then it uses the user OE address book to mail itself to other victims and so on…. This is all that is needed. You then just sit back and collect CC numbers. A whole lot easier than trying to crack some server.
>>>>You then just sit back and collect CC numbers. A whole lot easier than trying to crack some server.
If it is so rampant, Slashdot would have already done stories about it. Why don’t you also talk about how people got robbed in the parks and woke up without one of their kidneys.
It’s much easier to crack merchants’ servers. All the merchant server break-ins involved well-known server/e-commerce software vulnerabilities (with patches issued ages ago). How’s that so hard to do? Script kiddies could have done that.
I posted first to this thread and it was deleted… Why? Because I posted
“HAHAHAHAHAHAHAHAHA gates is the biggest liar on earth HAHAHAHAHAHAHAHA”
The post was deleted for some reason… funny how current events prove a silly post to be true….
Board up your SQL servers kids. Saturday morning was a wild ride wasn’t it?
tell us some lies Bill Gates…