"Will Microsoft Do What It Takes?"


RandomBox

Langa Letter: Enough Already: Microsoft Must Change
Sept. 28, 2003
http://www.informationweek.com/story/showA...icleID=15200416

You may wish to subscribe to Mr. Fred Langa's free newsletter (LangaList) at http://www.langa.com/ or better yet his LangaList PLUS edition (http://www.langa.com/plus.htm) for a mere $12/year that also supports needy children!!

Partial EXTRACTs:

"Fred Langa wonders if Microsoft will do what it takes to greatly improve its software development processes and improve its product security.

All this hostile activity caused InformationWeek's Editor in Chief Bob Evans to focus several articles on the topics of hacking and security, including a column that looked at the front two-thirds of the problem--- (1) the malicious hackers who produce hostile worms, trojans, and viruses; and (2) the software vendors themselves--- especially Microsoft--- who generate code with abundant security holes that miscreants can exploit.

Indeed, Microsoft is at the heart of our current online security woes; there are real and systemic problems with Microsoft's software development process.

For example, consider buffer overruns, which can be exploited to stuff hostile code into a PC. It's easy for buffer-overrun vulnerabilities to happen--- they're one of the most common types of programming error. But buffer-overrun problems have affected Microsoft software time and again across the years and across multiple Microsoft product lines.

But that's also the good news: We *can* be part of the solution. We don't have to sit by as passive victims of the shortcomings of Microsoft and other vendors, nor of the malicious intents of crackers and cybercriminals; nor do we have to ascribe to simplistic and sophomoric "Dump Microsoft" strategies that--- as I'll show you--- actually would make things worse, at least in the short term."

As usual, Fred Langa writes a sensible article. I particularly like the part about people still using Win98, a nearly 10 year old OS, and that it is not fit for today's environment (and please, let's start another argument about the Win98 subject). He also mentions something that I have brought up a number of times in the past about people who do not secure their systems being negligent and socially irresponsible.

However, I think all discussions on this subject miss one major point. Regardless of if MS or any other vendor has patched all the software holes, IS THIS THE REAL ISSUE? The problem isn't so much that the software or the development process isn't perfect, but the fact that a sub-group of people choose to take advantage of the situation, in order to cause problems for everybody else. What has gone wrong with society? Is the fact that holes in software can be taken advantage of any different from leaving your house unlocked and expecting that no one will come by and steal all your possessions? Or losing your wallet and expecting that it would be returned to you intact with everything still there, including the money?

In the not too distant past, you could leave your house unprotected, you could leave your car unlocked, you could be reasonably confident that if you lost your wallet it would be returned to you intact. But not any more. I think the attacking of software code is just one more symptom of the continuing decline of our society.

Anyway, here is a good story on how MS is dealing with software bugs in the October Fast Company magazine:

Can Microsoft Finally Kill All The Bugs? Viruses, flaws, and worms, oh my! With PCs crashing and the Internet wheezing, Gates & Co. are on the quality hot seat. We'll take you inside Microsoft's effort to get its software right, right from the start.
http://www.fastcompany.com/magazine/75/microsoft.html

Yep. I read this article tonight. What is clear is that you have to have some minimal level of security written into the programs, as we can count on some percentage of users to be newbies running Windows machines wide open and completely unprotected. Yes, it is right to expect users to take up some of the slack. I agree with that. It is fitting and proper. But some machines are inevitably going to fall into the hands of the clueless, so the solution _must_ start with Microsoft. In that sense, they have shown themselves to be entirely not up to the job. Some of the fixes they have in mind for their coming OS's are so draconian that they will be driving users away to their competition. Acts beneficial to the bottom line are not necessarily beneficial to the greater community of users. One gets the impression that in the final analysis, they just don't care all that much about security. They have other fish to fry.

Don't just point a finger at MS. How about the OpenSource community? Or Oracle or Adobe? How about anybody or company that writes code for a living? They are ALL responsible!

nlinecomputers

I’ve proposed this before and I will again. IMHO Microsoft and other software vendors are not the real problem. The problem is the open nature of the internet. Back when the Internet was first built, when it was the Arpanet, it was a private network of mostly secure locations of mostly equal and knowledgeable clients, the military, universities, and tech related businesses. The net was also designed to be very cooperative in the event of a catastrophic loss of part of the net. (RE: some part gets nuked.) The Internet is one big partnership based co-op.

The Internet is a network but it is not the only network we deal with in life. We have a power network, a phone network, a network of gas and water lines, a cable network, even cell phone networks. All of these nets are utilities. No one person can disrupt these networks as easily as one person can disrupt the internet. The internet is designed to be trusting and even helpful. Every packet has a destination and even if you don’t have a direct link you can pass the packet on down the line and even reroute to a different path if needed. There is no real central point of control like a telephone network has.

It is not possible to rebuild the internet like a telephone network but it is possible to put more control over key entry points in the networks. The ISPs. Everyone MUST connect to the internet via some kind of ISP. All viruses, probes of ports, connection to computers of any kind pass through that point. As much as we hate the idea of government regulation I can’t see this getting any better till we force the ISPs to regulate the data that passes through them. We expect good power all the time from our power companies, we expect clean static free sound on our phone lines, and we expect strong signals from our cable companies. Why should this utility, the Internet, be any different? I have a right to have a connection free of viruses and hackers attacking my system.

Most end users don’t need but a handful of ports to function on the net; all others should be by default blocked. Viruses can be scanned just as easily on a big mail server as they can in your Email box after you have downloaded it into your buggy copy of Outlook. Indeed such costs can be leveraged out to all the subscribers at a rate that is cheaper than any individual can buy the same. And yes this will cost more money and that will push some people off the net. But part of the problem now is that we have more users on the net now than should be allowed on for safety reasons. If we are going to force ISPs to do this then we should push that burden on the end users either by higher costs or some kind of tests that force users to demonstrate that they know how to keep themselves clean and secure. Lock down the ISP and much of this problem would be gone.

I particularly like the part about people still using Win98, a nearly 10 year old OS, and that it is not fit for today's environment (and please, let's start another argument about the Win98 subject).
Ibe... check your math please... Win98 is only 5 years old currently... if you count it as the re-hashing of Win95, you're up to 8 (which is quite a bit less than 10)... The problem I have with this article is that he uses MS as the example. He tries to mention that it's everyone's fault, but keeps coming back to MS, which in my opinion, hurts his credibility. Granted, Windows is the most widely used software in the world, but targeting MS with a column is almost becoming cliche. I think he should have spent more time arguing that all software designers need to change. Shoot, whenever I buy any software, the first thing I have to do is download a patch right after I install it. Even computer games are horrible with this. My thought is when I buy a game on release date, I should be able to just come home and install it and go. Not usually the case. Most games have one patch out for release date, but I've seen some games with patches resulting in version 1.03 by release date. For all the testing that's done, you'd think they could solve this problem beforehand.

I particularly like the part about people still using Win98, a nearly 10 year old OS, and that it is not fit for today's environment (and please, let's start another argument about the Win98 subject). He also mentions something that I have brought up a number of times in the past about people who do not secure their systems being negligent and socially irresponsible.
no, let's not start another win98 argument :rolleyes: . just want to make 2 points on this topic and then i'll be quiet ;) :

1. let's not BLAME win98 users. chances are if someone uses win98, it's because they have an older computer, and with the crazy requirements of WinXP, some people choose NOT to upgrade their hardware or get a new computer just so they can upgrade windows. if people use win98 and it works for them and it does what they want, who the heck are WE to tell them "You MUST upgrade to XP. oh, and go buy a new computer too, while you're at it." If all they want to do is some typing, casual surfing, and playing solitaire, win98 is PERFECT and they shouldn't have to change, IMO.

2. i'm getting tired of this "blame the victims" mentality of the computer-knowledgeable people out there. many people i feel were 'tricked' into thinking computers are a 100% necessity, equating it to a TV or telephone. they at least expect the computer experience to be easy and painless, and it is most of the time. now if you took the same "socially responsible" things and apply them to other consumer items, like TV, it's like telling people they have to upgrade their TV drivers, and keep TV anti-hacking firewall on and set up, and check TV for viruses and worms and don't get 'tricked' into thinking you're watching CBS when it's really a scammer who's going to clear out your bank account. i know TVs and computers are two separate beasts, but the fact is many people just view a computer as a web surfing/email/typing tool, and though it's easy for us, it's NOT easy for many people to even grasp the concept of what a firewall is and how it works, let alone go and buy the right one and install it and set it up by themselves.

so let's just be reasonable about this. i mean, what next, pass a law to make people have a computer test to get a license to surf the net? no! the answer should be 2 versions of windows. one as a consumer item no-questions-asked tool that is like XP but with everything turned ON (firewall, anti-virus, auto-updater etc...) and one as a techie windows version which lets us install and set it up any way we please.

2. i'm getting tired of this "blame the victims" mentality of the computer-knowledgeable people out there. many people i feel were 'tricked' into thinking computers are a 100% necessity, equating it to a TV or telephone. they at least expect the computer experience to be easy and painless, and it is most of the time. now if you took the same "socially responsible" things and apply them to other consumer items, like TV, it's like telling people they have to upgrade their TV drivers, and keep TV anti-hacking firewall on and set up, and check TV for viruses and worms and don't get 'tricked' into thinking you're watching CBS when it's really a scammer who's going to clear out your bank account. i know TVs and computers are two separate beasts, but the fact is many people just view a computer as a web surfing/email/typing tool, and though it's easy for us, it's NOT easy for many people to even grasp the concept of what a firewall is and how it works, let alone go and buy the right one and install it and set it up by themselves.
Puh-leeeze B) Once and for all - computers are not TV's and will never be. If anything, TV functionality will be completely integrated with computers in the not distant future, eliminating the need for a separate TV device, VHS/TIVO and so forth. Two thoughts:

1. Ignorance is no excuse
2. Caveat emptor...

The end user must be responsible. When they connect to the Internet they join and participate in a giant network. They are responsible for their actions and the actions of their machines.

It has been said before... ignorance is no excuse...

nlinecomputers
The end user must be responsible. When they connect to the Internet they join and participate in a giant network. They are responsible for their actions and the actions of their machines. It has been said before... ignorance is no excuse...
Yes but it is no HELP either. I'm not ignorant but MY use of the internet is affected by these nitwits. Something has to be done to either bring/force end users to be more secure or block them when they misbehave. The latter is easier to pull off in my opinion.

Puh-leeeze :blink: Once and for all - computers are not TV's and will never be. If anything, TV functionality will be completely integrated with computers in the not distant future, eliminating the need for a separate TV device, VHS/TIVO and so forth. Ignorance is no excuse
:'( oh yeah, i see TV being replaced by all-in-one computers too... trouble is, only us GEEKS will understand it. i mean, non-tech people can't even program their friggin VCR clock, let alone have all-in-one video computer movie workstations. you must be living on an alternate plane, coz the earth i know is 80% comp-illiterate. just coz you and me and all your friends know about computers, firewalls, trojans, worms, ports, SCSI, etc.., doesn't mean farmer bob and grocery store clerk Neil and hairdresser Jill and bus driver Rob know what we talkin' about. :w00t: oh, and your thought about "ignorance is no excuse" is disturbingly similar to "ignorance of law is no excuse", which makes me think you're implying to treat people that don't install firewalls or patch their systems to be 'criminals', and that's going a bit too far, fellow survivor fan. :teehee:

The end user must be responsible. When they connect to the Internet they join and participate in a giant network. They are responsible for their actions and the actions of their machines. It has been said before... ignorance is no excuse...
Yes but it is no HELP either. I'm not ignorant but MY use of the internet is affected by these nitwits. Something has to be done to either bring/force end users to be more secure or block them when they misbehave. The latter is easier to pull off in my opinion.
guys, i feel like that guy in "Zoolander" when he says "is everyone but me taking CRAZY pills?" :teehee: hmmm, okay. two ways to make internet safer:

1. make MS more responsible to release secure software. ban the use of Outlook Express. filter for worms/virii/spam at the ISP level. make registered domains more regulated (no more spam registering thru island of Toga to bypass US laws). release patch for XP that turns on auto-patch, turns on firewall if you don't have a 3rd party one, and block the use of VBscripts/active X by default (it CAN be done, and it IS done on IE inside Win2003; they just need to make it available to XP users right away).

or

2. create an army of Internet cops who bust down your door, confiscate your computer and fine you big bucks if your machine has been inadvertently taken over by a worm or a DoS attack probe.

AND EVERYONE HERE IS LEANING TO #2!.. for the last time, ignorance of the LAW is no excuse. ignorance of internet CAN be excused if you use XP with Outlook Express and IE and MSN messenger since it was all activated and installed right out of box with lax security settings and with firewall turned off by default. the excuse then is we need to either fix it at MS's end or EDUCATE EVERY SINGLE COMPUTER USER. fixing it at MS end makes more sense though.

the excuse then is we need to either fix it at MS's end or EDUCATE EVERY SINGLE COMPUTER USER. fixing it at MS end makes more sense though.
I agree. However, it will take years before MS gets everything fixed on their end (which is one reason I'm moving to a Mac and to Linux).

Ha, Ha Predude76

hmmm, okay. two ways to make internet safer: ....................
There used to be THREE ways, until the FIRST one had to be shelved!

1) Don't keep sensitive material in your PC!

I wonder if we can resurrect that one back without having to worry about infecting someone else!

2. create an army of Internet cops who bust down your door, confiscate your computer and fine you big bucks if your machine has been inadvertently taken over by a worm or a DoS attack probe.
Yeah, I'm liking number 2 :( In fact, I bet John Ashcroft and the Bush Justice Dept. is working on this as we speak :thumbsup:

:thumbsup: we HAVE to keep our sensitive files off our PCs. reminds me of this funny thing i saw:
Homeland Security Dept. Warns of Microsoft Windows Flaw
Terrorists could enter your computer, play your games, read your e-mail.