Microsoft bad practices

By imv at 2:42 am on February 17, 2008 | 2 Comments

Given all the Microsoft-bashing that takes place among Linux users, I’m surprised that no one has posted an article (that I’ve seen, at least) that clearly has an anti-Microsoft bias. Despite the bias of the following article, it makes a valid argument that Microsoft should adopt some C variant that is safer with regard to buffer overflows, which are still the “bread and butter” (according to the article) of malware authors. The author definitely overestimates the amount of time required by a user to maintain a reasonably secure and patched system. That said, the author makes a valid point: it is the algorithm, not the language, that dictates the overall speed of an OS – hence a “safe” language would be a better choice. Unix worked fine on hardware 20+ years ago, so there is no reason Windows should not be both secure and speedy on today’s hardware. Windows/ze-bashers, indulge.

Filed under: Policy

2 Comments

  • 1

    Comment by jessicaf

    February 17, 2008 @ 3:05 pm

    First of all, it brings up the classic problem of where responsibility for security lies – the user or the software provider? There certainly is a balance here. The author of the article cited in this post, Usman Latif, says “Surprisingly a lot of smart people still believe that computer security is best addressed by educating users, applying patches and installing scanners. On top of this a blame the victim philosophy is also prevalent. Of course, Microsoft is also doing its part to promote such views, as it shifts blame away from Microsoft.” As we all know, users can be awfully ignorant. We all have a mom or uncle or neighbor who has clicked on the email that says, “Run me” even though they have no idea who the sender is and then wonder why in the world their computer has come to a complete standstill as malware takes over their computer. Really now, there is not a lot anyone can do to prevent these situations short of Eugene H. Spafford’s solution – “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.” That or telling your mom to stop opening emails from people she doesn’t know.

    The next interesting thing Latif talks about is “relative security.” He blames Microsoft for having a mindset that security is relative. I hate to burst your happy little bubble, Latif, but nothing can be completely secure and thus, only relatively secure.

    Next, safe languages. I like this quote from Latif: “efficiency is no longer critical for OS code.” Yeah. When’s the last time you were sitting at your computer and opened a file and thought, “Wow, that was just TOO fast. Windows really needs to scale back on their efficiency.” Ha! No matter how fast computers have gotten over the years we are still frustrated with how slow they are. Human brains move fast. It will be a very long time before computers can move fast enough to satisfy us. Windows and every other operating system had better be continually working on faster algorithms, faster languages, faster EVERYTHING!

    I’m not sure about the author’s call for a ‘safe’ language to be used in systems programming. ‘Safe’ languages still have to be compiled into machine code and this compiler code can introduce the exact same vulnerabilities as C code. Who says that ‘safe’ language constructs are correctly translated into ‘safe’ machine code? I don’t think there is such a thing as a truly ‘safe’ language. Even so, using a safe language would make it so only a few people had to really think about the hard buffer overflow problems and so forth. Everyone else can just trust that compilers are correct and safe. It certainly reduces ‘genetic diversity’ because now everything is built with the same building blocks. There is a lot to think about.
    In all reality, it would be an enormous re-write to change Windows to be written in a safe language. That would make the price of Windows skyrocket and I think it is high enough where it is. It is definitely a trade-off. How much security are people willing to pay for? If you could buy Windows as it is now for a couple hundred dollars and you just have to be careful about what you choose to install or buy a couple thousand dollar version of Windows that is written in a safe language – which would you buy?

    I am not necessarily defending Microsoft or saying they have the best security (even though I do like Microsoft); I just wanted to refute a few of the unsupported and incorrect arguments from the article. There is definitely a lot of room for Microsoft to grow in the security arena.

  • 2

    Comment by Robert

    February 18, 2008 @ 4:14 pm

    I think this article is ridiculous for numerous reasons. A lot of the information in the article is apocryphal and inaccurate. I will discuss two points that stuck out in particular.

    “Microsoft has to accept blame because it is following extremely poor practices with regards to security.”

    In 2002, Microsoft began the Trustworthy Computing Initiative, which completely revolutionized the way Microsoft writes code. David Aukland talked about this in his guest lecture, stating that Microsoft now codes for an adversary instead of assuming a safe environment. This initiative, coupled with the many different ways that Microsoft addresses security issues and updates (Windows Update, SUS, OneCare, etc.), shows that Microsoft has changed their practices involving security and puts security concerns at the forefront of their technologies.

    “If the average person was to strictly follow just the common sense security guidelines pertaining to Windows, he/she will likely need to spare 10 or more hours of time each month.”

    I own several home computers and am a Systems Engineer supporting hundreds of computers and I don’t spend 10 hours a month on security updating. I seriously doubt there are end users who come anywhere close to spending this amount of time. Most end users don’t even know their system is at risk from anything other than a virus. Microsoft has also created tools like Windows Firewall and Defender to help combat malware, worms, and viruses for end users.

    This article was written in 2004, two years after the Trustworthy Computing Initiative was founded. Since then Microsoft has proven over and over their commitment to secure software. Given that their systems and applications are more complex than probably anything that the people who slam them have written, I’d have to say they are doing a fairly good job. If you have a real problem with the way Microsoft does business, go work for them and change it yourself.
