Speaking in Australia, Microsoft Chairman Bill Gates stressed that more widespread use of firewalls would solve some of the Internet’s security problems. He also said that his company needs to reduce the frequency with which major security updates are released, and noted that while most OSes can turn around a security fix in 60-90 days, “we have it down to less than 48 hours.” He stressed the importance of using the Windows auto-update feature and noted that SP2 defaults auto-update and the firewall to on.
How can having fewer updates in a year be a good idea?
Or does reducing frequency of major updates imply they will increase the frequency of minor updates?
I think the article is pretty much BS(48hrs my ass) but I like the sound of MS turning auto-update on by default.
The time it takes to fix is not really as important as the fact that they are there to begin with. It is too bad interviews with MS are so staged; I would like to see them try to explain what exactly they were thinking when they shipped an operating system to end users with the attack surface of XP.
“Well we know almost every service we or anyone else has built has had several security vulnerabilities. We know that even if the code is audited thoroughly there WILL be security vulns if we leave services in listening state. But we thought we would try something new and open up 20 or 30 listening connections on our consumer desktop right around the time we are announcing a major new security initiative.
Basically, XP ran pretty fast in the lab and we needed to find a way to make it bloated enough to sell hardware, so making every service accept the firewall default to on was the best avenue we had to accomplish this goal”
I must say, after reading the article, I feel kinda warm about how Bill’s business practices are changing to meet all of the potential attacks that we see on the net today. I feel as though our once online freedom is being taken away by script kids who have nothing to do with their time other than create a website that does a malicious attack on someone’s freedom and security.
I’m not a Windows lover, so don’t even think about it.
But I am kinda disturbed at the fact that even though Auto-Update is turned on, I still don’t think MS (Bill Gates) is doing enough. I mean in terms of updates, the WIN XP Service Pack 2, when it goes RTM, will be roughly 250 Meg. But for dialup users, that’s a long time to be waiting for security problems that shouldn’t have been there in the first place. I know that they will release an “Express” version but dial up users are still going to have to D/L about 150 Meg (depending on settings).
I would love to see Microsoft fund a project where they have a sales rep guy that will update anyone’s computer on Microsoft’s penny.
Why not? You pay a Windows tax with a new PC, about $400 CDN for a Professional version, and roughly $600 if you decide that you want their office suite, so don’t you think they should at minimum sell a slipstreamed version of Home, Pro, and Corp on their website for $2.99 CDN?
But that’s my 2 cents.
iamcanadian, You can order the SP from MS on CD
$10 US, $15 CDN
http://www.microsoft.com/windowsxp/downloads/updates/sp1/ordercd.ms…
All the fuss about viruses and bugs in Windows allowing people to easily hack a system is not due to script kids but to big interests moving the phenomenon…
All the viruses, trojans, back doors and such are not just due to bugs in the code (that might be left on purpose sometimes at least….?!….) but to the big bucks involved in the market; it’s pretty obvious and clearly explains how come so many bugs are being exploited every single day like never before…
Perfect coding is just a myth, yes, BUT nowadays things are looking much more than just fishy: users are being fooled and ripped off by crossed hidden interests to earn as much as possible out of people… this was called fraud once but after the so-called “New Economy” scam it became the norm…
I think this article sums up the Bill Gates visit quite well:
http://www.smh.com.au/articles/2004/06/28/1088274658575.html
My ass!
The last time Microsoft released a patch it was months after the flaw was disclosed to them. 48 hours after the flaw went public, maybe, but then, they get weeks before that to make the fix. If they do it in time, the flaw is never announced – needless to say, Microsoft treats this courtesy time with disdain.
widespread use of firewalls would solve some of the Internet’s security problems
Or then Microsoft could just fix their buggy insecure crappy listening services. I don’t have firewall on any of my Linux machines – big question is why I even should? I don’t have a single service listening for outside connections. In Windows, that is not possible. “Fixing” the problem with firewall doesn’t remove the fact that Microsoft’s outlistening services are crap code, insecure and buggy.
Why does the consumer have to pay MS another dividend to update their product? I admit, I’m like most and don’t read the “User End Agreement”.
However Jim, Look at it from a birds eye view. If you are a programmer and create a wonderful application, get hundreds, and millions of people addicted to it, then down the road there are a number of serious issues that resulted in the client having to pay big (lost credit cards ..etc) for the problem.
Wouldn’t you feel a bit horrible?
I mean how much does a CD cost? About $0.25 per CD. Now sending out the Service Pack to people who just bought your old product and registered should be good customer service, and they should receive any updates that he / she is paying for.
It’s like a client calling you, and you don’t answer the call .. How long would you be in business?
Either case, apparently corporate America has a chip embedded in your head.
Just think of the little guys, not everyone can afford cable, dsl , t1, etc. Some people still dial into the internet.
Firewalls (which aren’t a complete answer at all), patching and Auto Update. This guy does not comprehend security, how this actually works or just what is required in securing systems on a network or on the Internet. I’d steer well clear of a company whose Chief Software Architect talked like this.
Lol, 48 hours my arse.
Where’s the IE patch then?
It’s been 10 months, not 48 hours.
1. Go to Windows Update and download any Critical Updates you find. Do this once or twice a month
2. Use a firewall (free ones from Sygate and others)
3. Anti-virus (you can get these for free as well)
4. Don’t use IE unless absolutely necessary (most important rule of all)
5. Use extreme caution when opening email attachments and don’t use any email program that renders HTML with IE unless you use text-only.
6. Before installing an app, do a quick search on Google or download.com (user comments) to see if it contains spyware.
And well, that’s really all there is to it. Not exactly rocket science, is it? And the only app you’re running that Linux users don’t is a virus scanner.
My gf got herself a mobile Athlon notebook the other day since she will move to UK. There she will have to hook up to all sorts of networks to get online on a daily basis. First thing I tried was to rid her of XP in favor of W2K, this didn’t work due to a lack of ATI drivers. But for all sorts of net/internet activity I installed Linux as well and I will kill her if she ever dares to use MS for surfing for she is too lazy to reboot.
Just adding to the post..
You can use Spybot Version 1.3 (http://www.safer-networking.org/)
They also have an immunize feature for IE.
Stay away from Peer-to-Peer
Kazaa, Blubster, Edonkey .. irc..
If you are absolutely unsure about something,
Create a restore point
Remove all “Start-up” Items that are not needed
Use a Disk Wipe program to destroy the data, Vs, sending it to your recycler.
Most of all, Practice Safe Computing..
You can use Spybot Version 1.3 (http://www.safer-networking.org/)
They also have an immunize feature for IE.
Screw trying to immunize it – just don’t use it
Stay away from Peer-to-Peer
Kazaa, Blubster, Edonkey .. irc..
Not really necessary, as the thing that gets you in trouble on these P2P sites is what you download. If you follow my 6 rules, you shouldn’t have a problem even on P2P sites.
Remove all “Start-up” Items that are not needed
Good advice, but this is more for speed and stability rather than security. If you got something nasty on your machine that wants to start up when your computer does, you’ve violated a rule somewhere
Use a Disk Wipe program to destroy the data, Vs, sending it to your recycler.
What for?? I don’t think there’s a Disk Wiper available that can truly trash your data if somebody wants it bad enough. I know a guy who had his hard drive seized in a divorce hearing, as he had written some emails to his mistress. Not only did he delete the offending emails, but he also formatted the hard drive and used disk-wiping software to be sure he got rid of it – they still restored it.
I’m not fighting with you bro
I’m just saying that some programs are hard coded for IE, and there is absolutely NOTHING you can do about it. I mean you can try to avoid using it, but are you telling everyone on this forum that at no point during your Windows installation have you ever visited a website with IE? Not even 1..
Oh, wait,
By Darius (IP: —.dmotorworks.com) – Posted on 2004-06-28 17:25:21
1. Go to Windows Update and download any Critical Updates you find. Do this once or twice a month
Last time I used Windows Update it used Internet Explorer, and the new Windows Update in Service Pack 2 will also use Internet Explorer hooks. And the rest of the browsers don’t have access to this feature.
Disk wipe utils.
http://dban.sourceforge.net/ – Run it 7 passes on highest security setting,
or
Acronis Kill Disk – http://www.killdisk.com/
No offence bro, but don’t bark up trees you know nothing about!
“Use a Disk Wipe program to destroy the data, Vs, sending it to your recycler.”
“What for?? I don’t think there’s a Disk Wiper available that can truly trash your data if somebody wants it bad enough. I know a guy who had his hard drive seized in a divorce hearing, as he had wrote some emails to his mistress. Not only did he delete the offending emails, but he also formatted the hard drive and used disk-wiping software to be sure he got rid of it – they still restored it.”
I use a program called Eraser (was free). The thing is actually VERY good. It integrates well with Windows and your recycle bin. When you right click on a file to delete or right click on the recycle bin to empty, there will be another option in the menu called Erase or Erase Recycle Bin… I have it set to overwrite the data, in that exact drive segment / block, 32 times with erroneous data to make sure it’s good and gone. Formatting a drive doesn’t remove the data; it just strips some segments off of it so that the drive looks “empty”. Some disk wipers do the same thing, but the Eraser program I have removes it permanently… anyone that goes through all the trouble trying to get data back after that… well then they’ve earned it. I think overwriting it 32 times destroys it nicely.
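The in-place, multi-pass file overwrite described in the post above, as an added example that is not part of the original thread and is not Eraser’s code: it rewrites the file’s existing blocks several times with an fsync after each pass, reads back what the last pass left, then truncates and unlinks. The pass schedule and the sample “secret” file are constructed for the demo; the comments carry the caveat behind the disagreement in the two posts above, namely that journaling, copy-on-write filesystems and SSD wear-levelling can leave the old blocks physically intact even when the file reads back as garbage.

```python
import os
import secrets
import shutil
import tempfile
from typing import Optional

CHUNK = 64 * 1024  # rewrite in 64 KiB chunks so large files never load into memory


def _pattern(pass_index: int, length: int) -> bytes:
    """Constructed pass schedule for the demo (not Eraser's or DBAN's): zeros, ones, random."""
    if pass_index == 0:
        return b"\x00" * length
    if pass_index == 1:
        return b"\xff" * length
    return secrets.token_bytes(length)


def overwrite_file(path: str, passes: int = 3) -> dict:
    """Overwrite the bytes of `path` in place `passes` times, then truncate and unlink it.

    Assumption: the filesystem rewrites the same blocks in place. Journaling,
    copy-on-write filesystems (btrfs, ZFS, APFS) and SSD wear-levelling can
    leave the old blocks physically intact even though the file reads back
    as garbage, so this is a file-level wipe, not a guarantee about the media.
    """
    size = os.path.getsize(path)
    # "r+b" keeps the existing inode; "wb" would truncate first and may get new blocks
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            written = 0
            while written < size:
                chunk = _pattern(i, min(CHUNK, size - written))
                f.write(chunk)
                written += len(chunk)
            f.flush()
            os.fsync(f.fileno())  # push each pass to the device, not just the page cache
        # Read back what the final pass left so the caller can check the old bytes are gone
        f.seek(0)
        final_contents = f.read()
        # Shrink to zero so the directory entry no longer reveals how big the file was
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return {"size": size, "passes": passes, "final_contents": final_contents}


def erase_demo(tmp_dir: Optional[str] = None) -> dict:
    """Constructed demo: write a 'secret' file, wipe it, report whether any of it survived."""
    own_dir = tmp_dir is None
    if own_dir:
        tmp_dir = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp_dir, "secret.txt")
        # Constructed sample data, 45 bytes per line, 100 lines
        secret = b"constructed secret: account number 0000-0000\n" * 100
        with open(path, "wb") as f:
            f.write(secret)
        report = overwrite_file(path, passes=3)
        report["secret_survived"] = secret[:45] in report["final_contents"]
        report["file_exists"] = os.path.exists(path)
        return report
    finally:
        if own_dir:
            shutil.rmtree(tmp_dir, ignore_errors=True)


if __name__ == "__main__":
    r = erase_demo()
    print(f"wiped {r['size']} bytes in {r['passes']} passes; "
          f"secret survived: {r['secret_survived']}; file still exists: {r['file_exists']}")
```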
I’m just saying that some programs are hard coded for IE, and there is absolutly NOTHING you can do about it.
True, though programs of this type generally have a hard-wired interface that you are ‘trapped’ in, so you should be fine unless a) the program itself has spyware (see rule #6) or b)you’re using the app as a web browser (eg – the Winamp mini-browser)
I mean you can try to avoid using it, but are you telling everyone on this forum that at no point during your Windows installation have you ever visited a website with IE? Not even 1..
Oh, wait,
By Darius (IP: —.dmotorworks.com) – Posted on 2004-06-28 17:25:21
1. Go to Windows Update and download any Critical Updates you find. Do this once or twice a month
Last time I used Windows Update it used Internet Explorer, and the new Windows Update in Service Pack 2 will also use Internet Explorer hooks. And the rest of the browsers don’t have access to this feature.
Yeah, but you missed the part that says don’t use IE unless absolutely necessary, and on Windows Update it’s kind of necessary. MS may get a list of the apps you have installed this way, but it’s not going to put your computer at a security risk.
Disk wipe utils.
According to the sites you listed, these utils wipe the entire hard drive. So what exactly does this have to do with Windows?
Even if you’ve got disk wipers out there who truly do what they say they will do, this seems to me more an area of privacy and not security. IMHO, the only way it would be security-related is if somebody hacked into your machine and grabbed the contents out of your recycle bin.
>1. Go to Windows update and download any Critial Updates
>you find. Do this once or twice a month
I heard Windows often “breaks” or dysfunctions after an update.
>2. Use a firewall (free ones from Sygate and others)
Firewalls are not often a solution for certain backdoors and trojans on Windows. A portsentry is a much better choice.
Better use Unix.
>3. Anti-virus (you can get these for free as well)
A MUST have, but they only detect viruses and patterns they know; new and unsigned viruses often bypass them.
Better use Unix.
>4. Don’t use IE unless absolutely necessary (most important
> rule of all)
Agree but you could better use Unix and forget about iexplor.exe
>5. Use extreme caution when opening email attachments and
>don’t use any email program that renders HTML with IE
>unless you use text-only.
Agree, but it’s better to use Thunderbird and forget Outlook.
Better use Unix
>6. Before installing an app, do a quick search on Google or
>download.com (user comments) to see if it contains spyware.
Far-fetched and unsure that works; Google itself gets loaded with spam
these days. Better use Unix
>And well, that’s really all there is to it.
I think it’s really strange a multibillion company cannot make a decent browser or mail client or even an OS.
It looks like they’re doing it with a reason…
>Not exactly rocket science, is it? And the only app you’re
>running that Linux users don’t is a virus scanner.
Sure keep on dreaming..
I heard windows often “breaks” or disfunctions after an update.
Not from my experience – I’ve never had it happen.
Firewalls or not often a solution for certain backdoors and trojans on Windows.
Any decent firewall would alert you if a backdoor program was trying to access the Internet. Trojans should be covered by the virus scanner.
>3. Anti-virus (you can get these for free as well)
A MUST have, but they only detect viruses and patterns they know; new and unsigned viruses often bypass them.
Following the other 5 rules, by the time a virus makes its way onto your computer, the chances that it is not known about are slim-to-none. BTW: Something I didn’t mention before, but as long as you scan any new incoming file, you don’t even have to run the virus scanner resident.
>4. Don’t use IE unless absolutely necessary (most important
> rule of all)
Agree but you could better use Unix and forget about iexplor.exe
Why, not like Firefox/Mozilla/Opera doesn’t run on Windows
Agree, but it’s better to use Thunderbird and forget Outlook.
Better use Unix
Again, not like Thunderbird only runs on Unix.
>6. Before installing an app, do a quick search on Google or
>download.com (user comments) to see if it contains spyware.
Far-fetched and unsure that works; Google itself gets loaded with spam
these days.
Just try it.
Better use Unix
I can’t use Unix (especially Unix without Wine/IE), unless I want to find another job.
>And well, that’s really all there is to it.
I think it’s really strange a multibillion company cannot make a decent browser or mail client or even an OS.
Agree about the browser. The mail clients are insecure because of the browser and the OS. Otherwise, I think they’re alright (but certainly not the best).
Anyway, I’m telling you – just do what I say and you will see that I’m right. None of these techniques are foolproof, but put all of them together and your chances of having security issues drop dramatically.
I personally think Darius has been living under a rock.. Or at least visit a website listing all the benefits of what Service Pack 2 fixes.
1. Go to Windows Update and download any Critical Updates you find. Do this once or twice a month
Service Pack Will have this built in by default.
2. Use a firewall (free ones from Sygate and others)
Service Pack Will have this built in by default.
3. Anti-virus (you can get these for free as well)
Although not built in, there is support to make sure you have an A/V installed and working. A good one will integrate into your browser and e-mail program.
4. Don’t use IE unless absolutely necessary (most important rule of all)
Internet Explorer is not secure by default, nor does the Service Pack update it to be secure, but a user can limit what content he or she sees, and disable ActiveX, Java, etc., making it more secure than default. That’s not even introducing the idea of Windows Policy.
5. Use extreme caution when opening email attachments and don’t use any email program that renders HTML with IE unless you use text-only.
Outlook Express, in Service Pack 2, will in fact not run scripts embedded in messages by default; it will display in plain text. You will have the option to view the HTML version.
6. Before installing an app, do a quick search on Google or download.com (user comments) to see if it contains spyware.
What does installing software have to do with “Bill Gates: More Firewalls, Faster Fixes, Auto Update” ..
I should have clarified – my list is a pre-SP2 list
Internet Explorer is not secure by default, nor does the Service Pack update it to be secure, but a user can limit what content he or she sees, and disable ActiveX, Java, etc., making it more secure than default. That’s not even introducing the idea of Windows Policy.
Why would you want to disable all this crap as opposed to just not using it?
What does installing software have to do with “Bill Gates: More Firewalls, Faster Fixes, Auto Update” ..
Has to do with spyware, which is a security issue.
People may be forgetting to secure their computers, sure, but Mr. Gates is missing one of the key problems.
We are still living beneath bandaids and half-baked network plans. That is our real problem. We need to get busy and upgrade from ipv4; that is what we really need to be focusing on. The cost to upgrade to ipv6 may be high, but by not upgrading, won’t that cost us more in the long run? The way things are going, it would seem so.
“None of these techniques are foolproof, but put all of them together and your chances of having security issues drop dramatically.”
It’s refreshing to see someone who actually puts it that way posting at this site; most of the guys who have a similar list tout it as foolproof. No security setup is foolproof (although a properly set-up OpenBSD machine is extremely tough to crack), but with a little effort you can greatly improve the situation. It just always bugged me that the defaults were SO bad, which hopefully will be somewhat remedied by SP2 (at least for XP users).
It would be nice if all the non-techies out there would follow that simple list (they are, for the most part, the ones whose machines get nailed, used as zombie machines, etc.). I agree that Windows machines can be made relatively secure if configured properly and used with a bit of common sense, and I’m happy to see that Microsoft is (finally) starting to be more concerned with security in general.
I would like to see Microsoft build Longhorn as a secure environment from the ground up, but given their track record with security I will have to see it to believe it. Their general attitude about security seems to be improving though, so I’ll keep my fingers crossed.
It’s the average time to fix a bug:
10 months / 150 bugs = 48 hours per bug
I’ve been messing around with WinXP SP2 RC2 and I’ve got to say that it is solid. Obviously, you can’t ever know with 100% certainty that you’re not vulnerable or infected with some worm or another, but from everything I’ve read, every attack that’s been out in the news of late I’m immune to.
Of course that’s not to say that this OS (like any other) is or will ever be completely invulnerable, but the steps that Microsoft has taken with this release is impressive, and if it’s any indication of what Longhorn will be like, I’d go so far as to say that (the client versions at least, if not the server) will be well worth the money spent on the license, especially on a new computer.
Sure there are better firewalls available than the new Windows Firewall, but WF is simple, unobtrusive, and provides a much needed minimum level of protection against outside threats. Along with almost forcing you to turning on Automatic Updates and complaining incessantly if you’ve yet to install an anti-virus package, in addition to the new compiler enhancements used to build the files the SP contains (similar to propolice?) and (if you have an AMD64 based system) the NX support, you’ve got a fairly secure system out of the box, which is a novelty for a Windows system.
IIRC, DCOM also has been significantly hardened, so as to make future compromises less likely.
All in all, I think that Microsoft is doing good here, and if a few people (or trolls) can’t see this, or let their paranoia run rampant, well, too bad for them. In a world where most people run Windows, and will for a while, this can only be a good thing.
Admittedly, it does nothing for users of previous versions of Windows, but they are quickly becoming a minority anyway, as more new computers are bought, all coming with Windows XP preinstalled.
Besides, if the users are skillful enough, these older computers can be secured with OpenBSD or DragonFly (both OSes taking steps to mitigate the effects of the most common types of security vulnerabilities in software today, unlike most Linux distributions, and the other major BSD variants) if they are not capable of running Windows XP SP2 or if the owners of the computers aren’t willing or able to pay for a Windows upgrade.
All in all, I think that Microsoft is doing good here, and if a few people (or trolls) can’t see this, or let their paranoia run rampant, well, too bad for them.
Well by your standards I’d say they got the whole easy to 0wn3en Windows since the days of 95! The only difference is that it has gotten easier over the years. And if a few people (or trolls) want to keep buying into the M$ PR then fine. It isn’t going to change what is happening in the real world.
In a world where most people run Windows, and will for a while, this can only be a good thing.
Nope, these aren’t the 90’s anymore! Most people are looking at, running alternative OSes and their numbers keep growing. Just because very few people buy into the FUD of Bill & Co does not mean everyone else will!
Admittedly, it does nothing for users of previous versions of Windows,
That’s a problem right there considering most people have older machines running Win98 and 2k.
but they are quickly becoming a minority anyway, as more
Well, they haven’t so far and XP has been out for a while!
new computers are bought, all coming with Windows XP preinstalled.
And a lot of people that work with Windows usually remove XP to put one of the older ones on.
Besides, if the users are skillful enough, these older computers can be secured with OpenBSD or DragonFly (both OSes taking steps to mitigate the effects of the most common types of security vulnerabilities in software today
Yep, that’s true.
unlike most Linux distributions, and the other major BSD variants)
Bullshit! Both Linux and FreeBSD for that matter are way ahead in the security game. Not only that, but it’s easier to turn off a service or patch a Linux box by a click of a button and those updates will not crash the machine.
if they are not capable of running Windows XP SP2 or if the owners of the computers aren’t willing or able to pay for a Windows upgrade.
And I think that’s a big plus for the Linux community and it will be reinforced with Longhorn!
You obviously have no real understanding of the steps that the OpenBSD people have taken to secure their operating system, nor do you have even a vague grasp of the security features that DragonFly’s architecture allows.
Right now, Linux is running neck and neck with Windows in the race for the least secure operating system, thanks to the carelessness of its designers, and the lack of skill of most of the distribution makers (Debian and Slackware being two notable exceptions).
FreeBSD has a wonderful mandatory access control framework (the TrustedBSD MAC Framework), but there are no reasonably useful policies that are ready for use out of the box, meaning that (like most Linux distributions, and older versions of Windows), FreeBSD is still just as vulnerable to attacks that take advantage of the inevitable buffer overflows that plague most software.
OpenBSD, DragonFly and Windows XP Service Pack 2 are not nearly so vulnerable, as they’ve all taken steps to mitigate the damage that can be done by these sorts of attacks as part of the base system, out of the box. IIRC, Immunix is the only generally available Linux variant that does anything similar (and no, the fact that ProPolice is an option for Gentoo users doesn’t cut it).
At any rate, I’ve no intention to get into another flamefest with a clueless troll such as yourself. I’ve got better things to do with my time.
I run OpenBSD!!!!
Uhuh. And two days ago you only ran “LINUX” [sic].
Honestly, the trolls around here don’t even try anymore.
says CERT guys, and u’ll be safe
http://www.securityfocus.com/news/8998
I hate to be smug.
But just reading through these comments reminds me what it was like with Windows and all the hassle of maintaining and baby-sitting the OS itself.
Damn, I’m happy with OSX
Best investment I made was moving to Macintosh.