Microsoft just doesn’t get Security – NOT!


I was reading Robert Scoble’s post on “Longhorn Myths”, and I noticed this comment from “Dave” in his comments thread:

Most outlandish Longhorn myth? I mean this with all due respect, and say it with complete sincerity…. it will be one that MS will in fact say: that Longhorn will be a very secure system.

Yes, it will be much more secure than any other version of Windows. Yes, it will be as secure as MS can possibly make it. But try as they might, a few factors come into play that will make it next to impossible for Longhorn to be a very secure system.

(1) Longhorn, being a Microsoft product and a popular product, is destined to be targeted by hackers around the world. If there’s a hole to be found, they’ll find it. And nobody can make a system 100% secure.

(2) MS still places a higher emphasis on new forms of functionality/interaction than they do on security. Yes, they have a greater emphasis on security than even one year ago, but their concern – at this point in the Longhorn product life cycle – is more on getting things to work and work well than it is to play devil’s advocate and find all the security holes they can find.

My response (updated and edited): Um, compared to what? Linux? Hands down, Longhorn will be more secure out-of-the-box than any Linux distribution available at the time.

There will be holes found in Longhorn, absolutely. But Microsoft GETS security nowadays. In general, the Linux/Open Source community doesn’t yet (the OpenBSD guys appear to get it, but I’ve not seen any indications of this level of scrutiny associated with the other distributions).

The Linux guys will eventually, but they don’t get it yet.

If you’re going to argue that Linux/OSX is somehow safer because they’re not popular, then that’s relying on security by obscurity. And that dog don’t hunt 🙂

Even today, I’d stack a Win2K3 machine against ANY Linux distribution out there on the internet. And Longhorn’s going to be BETTER than Win2K3.  After all, Longhorn’s starting with an amalgam of Win2K3 and XP SP2, and we’re enhancing system security even beyond what’s gone into the previous releases.

 

“Dave’s” comment #2 is the one I wanted to write about though.  Microsoft doesn’t place a higher emphasis on new forms of functionality than they do on security.  Security is an integral part of every one of our development processes here at Microsoft.  This hits every aspect of a developer’s life.  Every developer is required to attend security training, starting at New Employee Orientation, continuing through annual security refreshers.

Each and every new feature that’s added to the system has to be thoroughly threat-modeled: we need to understand every way that any new component can be attacked, and the kind of compromise that can result from a failure of each system.  If there’s a failure mode, then we need to understand how to defend against it, and we need to design mitigations against those threats.

Every test group at Microsoft is required to have test cases written that test exploiting ALL of our interfaces, by various means.  Our test developers have all gone through the same security testing that the other developers have gone through, with an intensive focus on how to test security holes.

Every line of code in the system is code reviewed before it’s checked into the mainline source tree, to check for security problems, and we’ve got a security push built into the schedule where we’ll go back and re-review all the code that was checked in during the lifetime of the project.

This is a totally new way of working, it’s incredibly resource intensive, but the results are unmistakable.  Every system we’ve released since we started implementing these paradigms has been significantly more secure than the previous ones, Longhorn will be no different.

I’m not saying that Longhorn will be security hole free, it won’t be.  We’re human, we screw up.  But it’ll be orders of magnitude better than anything out there. 

Edit: Added the following:

By the way, I want to be clear: I’m not trying to denigrate the entire open source community.  There ARE people who get it in the open source community.  The OpenBSD link I mentioned above is a good example of a team that I believe DOES understand what’s needed these days.

I just don’t see the same level of rigor being applied by the general community.  Maybe I’m just not looking in the right places.  Believe me, I’d LOVE to be proven wrong on this one.

Edit: Replaced thread-modeled with threat-modeled 🙂

 

Comments (46)

  1. Anonymous says:

    Larry, that’s all Well & Good, but you didn’t seem to factor in that 2005 will be the Year of Linux ;-).

  2. Anonymous says:

    "My response (updated and edited): Um Compared to what? Linux? Hands down, Longhorn will be more secure out-of-the-box than any Linux distribution available at the time."

    OK that’s big… and brave I’d have said "AT least as Secure, possibly more"

    and I agree that

    "(2) MS still places a higher emphasis on new forms of functionality/interaction than they do on security. Yes, they have a greater emphasis on security than even one year ago, but their concern – at this point in the Longhorn product life cycle – is more on getting things to work and work well than it is to play devil’s advocate and find all the security holes they can find."

    is out of date by at least 9 to 12 months…

    funny how folks keep saying things and fail to check and see if they are still true…

  3. Anonymous says:

    In reference to Windows 2003: I agree. We loaded a Windows 2000 system and pushed it onto the Internet, live, without a firewall. (Forget the stupidity of the situation. I’m not laying blame here, on my guys or Microsoft.) That box was compromised 48 hours later and was consuming our entire DS3 with traffic.

    I reloaded it using Windows 2003 and since we had just been destroyed, I was curious and ran the various security measures against it. Out of the box MBSA complains about a few things, but nowhere near the number that Windows 2000 has. I want to say there were two critical updates, one being the Slammer worm fix. Windows 2000 has a slew of vulnerabilities. Age has something to do with this, but I doubt that was the sole reason for a variety of reasons, including but not limited to later security scans.

    I used eEye’s Retina to scan both operating systems as well. The Windows 2000 version of the box had been Windows Updated to the hilt, all service packs had been applied (SP4 for Windows 2000 and SP3a for SQL Server 2000). Retina still reported over twenty known vulnerabilities. (Disclaimer: all of these vulnerabilities were fixed and patches were available. Lazy administrators simply had to retrieve the patches.) Windows 2003 came up clean. The only complaints Retina had were in regard to the open ports (80, 1433, 110, 25).

    I configured ICF on the Win2K3 box and even those complaints went away. (Although I want to strangle the person who decided that port ranges couldn’t be opened in a single swoop. ;p)

    Security auditing turned on by default inside Windows 2003 let me see the return of the attackers. The ICF connection log let me trace everything they tried. I shot a quick report off to their ISP’s abuse email and we’ve had no trouble since.

    I think Microsoft gets security. What folks don’t understand is that it requires some work on the part of your administrators as well. If I were to list my biggest complaint about Windows security it would be that almost every security patch requires a reboot. I understand they are system files, etc., but can’t we find some way ala ASP.NET DLL caching to avoid this requirement? Uptime is one of the biggest reasons you hear people say "I can’t patch right now!" You’ve got to remove that excuse.

    So if Longhorn represents as great of a stride in security as Windows 2003 did, then I say "Great. Let’s get the party started."

    (Note: How many would complain if hardening the operating system required Microsoft to nullify compatibility with a large number of applications? Can you imagine the screams of "Microsoft is just trying to make more money by forcing us to upgrade?!?")

  4. Anonymous says:

    Those capital letters on the title should have served me as a warning..

  5. Anonymous says:

    so will MS ever push for people not to run under Administrator by default? but then I can see that would probably confuse all the non tech savvy users, the same people who have a billion spywares running on their machines. 🙂

  6. Anonymous says:

    Daniel, I sure hope that Microsoft will. At a minimum, I’m REALLY hoping that we’re going to lock down the administrator account on Longhorn’s "home" SKU.

    It’s utterly stupid that every home user runs as an administrator. The reason that this was done for XP was that too many things broke (mostly games) if the user wasn’t an administrator, the hope is that by now most (if not all) of this has been fixed.

  7. Anonymous says:

    I saw your post on Scoble’s blog and figured that it was somebody else spoofing you, seeing as it seemed a tad confrontational, which is not your style. Seeing you confirm that it WAS you must mean these accusations rile you up pretty good. To me that’s sign that you guys are working hard at security. Trust me, those of us using Win2K3 know it’s pretty solid. Good stuff.

  8. Anonymous says:

    Nope, it was me. My boss likes to say that I’m "forthright", which is really nice way of saying "A pain in the neck if he’s pissed off".

    People keep repeating the "Microsoft doesn’t get security, they want features instead of security" meme and it just frosts me.

    If we didn’t care about security I wouldn’t have had to spend 3 weeks last year doing NOTHING but code reviewing 15 year old multimedia code (this was NOT fun, it was written for Win3.1 and ported forward).

    If we didn’t care about security, I wouldn’t have had to carefully examine every one of the RPC interfaces used by the audio subsystem on both XP SP2, Win2K3 SP1 AND Longhorn for potential problems.

    I can go on – but security is something I’ve felt passionate about for almost 10 years now, I’m ecstatic that Microsoft as a corporation feels even more strongly than I do about this.

  9. Anonymous says:

    "But Microsoft GETS security nowadays. In general, Linux/Open Source community doesn’t yet"

    The Linux/open-source doesn’t yet get security?

    A single factual example that exposes the ignorance of that statement: Only within the last few years has Windows had any kind of implementation of file permissions (one of the basics of OS security), which Linux has had since the beginning (1991).

    As I see it, it’d be more realistic to state that Windows is finally starting to catch up with Linux in terms of security.

  10. Anonymous says:

    Actually, Windows has had file permissions since the very first release of Windows NT. It has been there "since the beginning".

  11. Anonymous says:

    Tom B:

    That depends on which file system you are taking about. NTFS has been around at least that long and it has file permissions. Security goes way beyond just file permissions.

  12. Anonymous says:

    Tom B: Um what?

    Permissions were built into windows NT since day one. In 1989, NT had working ACLs and a robust security system.

    And NT’s ACL model provides orders of magnitude finer granularity than the *nix OWG permissions.

    Please note: Win9x and its friends are NOT real operating systems IMHO, they’re toys that should never have been deployed on the internet. They weren’t designed to be robust, much less secure.

    And no, the *nix development community doesn’t get security in general. They won’t get security until the entire community does something like the OpenBSD team has (I did say that I think they get security): Rigorous code reviews instituted as a policy against every single check in; NX (or W^X) permissions on all platforms it’s possible. Stackguard if it’s not.

    Removing every single instance of the C runtime libraries string handling functions from the entire *nix source code (with the possible exception of strlen) would be a good start. The existing C APIs are too dangerous for them to be used in production code. See Michael Howard’s articles on the C runtime library here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp

    If you don’t want to believe a Microsoft person, try here: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/library-c.html

    For Longhorn, we’ll be doing the same thing – there will be NO C runtime library string functions in the Longhorn code base by the time we’re done.
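The ban on C runtime string functions described in the comment above can be enforced mechanically at check-in time. The following is an added example, not part of the original thread and not Microsoft's tooling: a small Python scanner whose ban list is an illustrative assumption (the thread names no functions other than the `strlen` exception), run over a constructed C sample.

```python
import re

# Illustrative ban list (an assumption; the thread names no specific functions).
# strlen is deliberately absent, matching the exception the comment allows.
BANNED = ("strcpy", "strcat", "sprintf", "vsprintf", "gets", "strncpy", "strncat")
CALL_RE = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")


def blank_comments_and_literals(src):
    """Replace C comments and string/char literals with spaces.

    Newlines are preserved so reported line numbers match the original file.
    """
    out = []
    state = "code"  # code | line_comment | block_comment | string | char
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        nxt = src[i + 1] if i + 1 < n else ""
        if state == "code":
            if c == "/" and nxt in "/*" and nxt:
                state = "line_comment" if nxt == "/" else "block_comment"
                out.append("  ")
                i += 2
                continue
            if c == '"' or c == "'":
                state = "string" if c == '"' else "char"
                out.append(" ")
            else:
                out.append(c)
        elif state == "line_comment":
            if c == "\n":
                state = "code"
            out.append("\n" if c == "\n" else " ")
        elif state == "block_comment":
            if c == "*" and nxt == "/":
                state = "code"
                out.append("  ")
                i += 2
                continue
            out.append("\n" if c == "\n" else " ")
        else:  # inside a string or character literal
            quote = '"' if state == "string" else "'"
            if c == "\\" and nxt:
                # Skip the escaped character so \" does not end the literal.
                out.append(" \n" if nxt == "\n" else "  ")
                i += 2
                continue
            if c == quote:
                state = "code"
            out.append("\n" if c == "\n" else " ")
        i += 1
    return "".join(out)


def find_banned_calls(src):
    """Return [(line_number, function_name), ...] for each banned call in src."""
    findings = []
    cleaned = blank_comments_and_literals(src)
    for lineno, line in enumerate(cleaned.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample input: mentions inside comments and string literals must
# not be reported; real calls must be, even with a space before the paren.
SAMPLE = r'''#include <string.h>
#include <stdio.h>
/* legacy note: strcpy(dst, src) used to live here */
void greet(char *out, size_t outlen, const char *name) {
    char tmp[16];
    strcpy(tmp, name);                    /* unbounded copy */
    size_t n = strlen(tmp);               // strlen is permitted
    snprintf(out, outlen, "hi %s", tmp);  /* bounded, not flagged */
    puts("call sprintf(buf, ...) never");
    if (n) strcat (out, "!");
}
'''

if __name__ == "__main__":
    for lineno, name in find_banned_calls(SAMPLE):
        print(f"line {lineno}: banned call to {name}()")
```

A lexical scan like this misses calls hidden behind macros or function pointers, so it complements the code review the comment describes rather than replacing it.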

  13. Anonymous says:

    I just edited the article slightly to add a comment above to soften what may be perceived as a complete anti-open-source slant to the article.

    It’s NOT my intent to denigrate open source people here. There are some extraordinarily talented people working in that community, and there are many people who absolutely do get security.

    I’m just trying to counter the people who seem to believe that Microsoft’s still as clueless as it was two years ago before we started this whole security drive.

  14. Anonymous says:

    1) And for how many years has NT been present in releases of Windows? It’s not very relevant here how long NT has been around while it _hasn’t_ appeared in a release of Windows.

    2) I guess our opinions differ on the meaning of "getting security."

    3) When did anyone say that I wouldn’t want to believe a Microsoft person?

    4) I too believe that MS are buckling down in terms of security. What provoked my original reply was the part about Linux not getting security (written as though it’s a fact, not an opinion).

  15. Anonymous says:

    1) NT’s been present in releases of Windows since 1993. I have the ship-it awards and boxes of packaged product on my shelves to prove it.

    2) Getting security: Putting processes in place to aggressively guard against security vulnerabilities instead of saying: "We’re smarter than those idiots at Micro$oft, and besides our platform was designed with security in mind".

    4) I thought for sure I said it was an opinion above. And in general, I believe that the open source community doesn’t. Linus might (I don’t know), others on the kernel team might, but the open source community as a whole seems to be wholeheartedly embracing the "Many eyes make shallow bugs" fallacy (see the "Three unexpected results in software engineering" for some eye opening statistics on this one:

    http://www.vuse.vanderbilt.edu/~srs/three.unexpected.ppt) instead of facing up to the fact that there is no excuse for not engaging in rigorous engineering practices across the entire product.

    Every single line of code that goes into a *nix distro must be considered suspect, just like every piece of code that goes into Windows is considered suspect. The OpenBSD guys do this, why doesn’t every *nix distro do it?

  16. Anonymous says:

    <smartass>I stopped reading at "thread-modeled" ;)</smartass>

  17. Anonymous says:

    I find it hard to believe that Windows is more secure than Linux. The reason I find your statement to be laughable is that my friend just bought a computer a few weeks ago. It had WinXP Home on it. I advised her to install the security patches before actually using it. Of course, the moment she connected to the internet she got hit with a virus and couldn’t install the security patches at all. Please don’t tell me that Win 98, Win 95, Win XP are not designed for the internet. If they are not designed for the internet then why did you guys include the TCP/IP stack in them? If there weren’t a TCP/IP stack in there then I am sure she wouldn’t have been hit with a virus. Of course, she wouldn’t have been able to connect to the internet either.

    Please don’t tell me how secure Long Horn and Windows 2003 are. I don’t have access to them and she sure doesn’t have access to Long Horn and Windows 2003.

    The sad part was that they charged her 15% restocking fee for returning the machine. Maybe you would like to explain to her why she was out 150 dollars because she connected her machine to the internet?? I got a good laugh out of it but then I am not the one short $150. I don’t know how secure future versions of Windows are, but from what I saw, it is not very secure.

  18. Anonymous says:

    Conrad,

    Win9x is MS-DOS on steroids. When it was designed, robustness was not considered to be an important design criteria, in fact in many ways it was optional. Being compatible with existing applications and running on machines with 2M of RAM were critical criteria, anything that stood in the way of that was optional.

    When Win9x shipped (1995) the internet was in its infancy. It wasn’t the dangerous wasteland it is today. You could put anything on the internet and it’d be safe.

    Any Win9x machine put on the internet today would be rooted in minutes, if not seconds. So, for that matter would any 1995 vintage Linux machine (or any other 1995 vintage OS).

    Windows NT was designed from the bottom up to be industrial strength. Robustness WAS a primary design criteria of NT (I actually wrote ROBUSTNESS on my whiteboard and it stayed there throughout the NT 3.1 process).

    If you were to take a Linux distribution from 2001 (when XP shipped) and put it on the internet, you’d have the exact same set of problems – it too would be rooted quickly. Maybe not as quickly as on XP, simply because there are fewer worms running out there looking for Linux boxes, but you WOULD have been rooted.

    That’s why you should ALWAYS have a hardware firewall between your machines and the internet. A DLINK DL610 costs about $36.00, and is worth ten times that cost.

    I’m sorry your friend wasn’t able to get the patches, I really am. I wish there was something I could do about it. When you’ve been messed over like that, saying "Trust me, it’ll be better with XP SP2 when it ships" rings really cold, I know.

    It’s a bit late to suggest this, but I found this link: http://www.microsoft.com/security/protect/cd/order.asp where you can order a free CD with all the patches for XP, Win2K, WinMe, Win98 and Win98SE (as of February 2004). There may be a newer one available soon, I don’t know.

  19. Anonymous says:

    <sheepish>Bob: Doh! I fixed it :)</sheepish>

  20. Anonymous says:

    Can you provide proof the following three assertions?

    1) "When Win9x shipped (1995) the internet was in its infancy. It wasn’t the dangerous wasteland it is today. You could put anything on the internet and it’d be safe."

    2) "Any Win9x machine put on the internet today would be rooted in minutes, if not seconds. So, for that matter would any 1995 vintage Linux machine (or any other 1995 vintage OS)."

    3) "If you were to take a Linux distribution from 2001 (when XP shipped) and put it on the internet, you’d have the exact same set of problems – it too would be rooted quickly. Maybe not as quickly as on XP, simply because there are fewer worms running out there looking for Linux boxes, but you WOULD have been rooted."

    I doubt that you can, as I believe that you’re twisting things to either make Linux look bad or make Windows look good. 😛

    It’s such a shame that an otherwise very decent blog would be ruined by all this apparent scare-mongering.

  21. Anonymous says:

    Don’t feed the trolls.

  22. Anonymous says:

    Tom B: Go to http://www.securityfocus.com/archive/1/1994-06-03/1997-06-09/1 and count all the exploits and you’ll see easily how true nr. 2 is. Red Hat was very infamous at that time for being easily rooted. They did like Microsoft, at that time, and designed it to be easy to install & use – but also easy to be rooted.

    And nr. 3 could also be proved true.

    Nr. 1 I’m not sure is quite true, but I think I can see what Larry means – which I find is true. But if you look at the number of exploits then it wasn’t safe then either, however there weren’t lots of worms and such floating around. Someone had to do the work to root you.

    But the discussion would be better instead of talking about Linux vs Windows NT/XP to remember that Linux is just the base for a lot of operating systems. So IMO it would be better to discuss some distros against Windows NT/XP.

  23. Anonymous says:

    Woah, just a comment.

    Comparing the "open source community" isn’t fair. I’d say a better comparison is Linus’ and the kernel team vs. Microsoft, and the "open source community" vs. "Microsoft developers."

    Even when Longhorn is as secure as it can ever be there will be developers who create products with holes in them. Same for Linux.

    In regards to the above comparison: Linus and fellows certainly understand security. Very few kernel exploits are around.

    Note: this still doesn’t provide an apples vs. apples comparison — not possible, IMHO. Windows Longhorn is an entire operating system. For Linux that would be GNU/Linux. Is GNU/Linux secure? I don’t know.

  24. Anonymous says:

    "Please note: Win9x and it’s friends are NOT real operating systems IMHO, they’re toys that should never have been deployed on the internet. They weren’t designed to be robust, much less secure."

    Oh well sure, you can also make the argument that all Bridgestone tires never fail if you discount the ones that did. Are you going to prove that all Microsoft products are secure and try to say that Microsoft has always "gotten" security just by throwing out any example where they didn’t? That’s an easy way to win an argument, throw out all your opponent’s facts. So sure the ACL works better than Unix permissions and it’s been in there since 1989 or whenever, what about the buffer overflows in IIS? A product that is most definitely not a toy and IS, by definition, designed to be on the internet?

    (Note I make my living by programming using the .NET Framework so I’m not just bashing MS because it’s fashionable.)

  25. Anonymous says:

    Andreas: You’re right. I’m glomming Linux together with its distros. IMHO, There’s no other way to make a comparison. The unit of inspection for NT is the NT operating system version, the comparable unit for *nix is the distribution.

    Brian. You may be right. The thing is, I see that the OpenBSD team’s made a very public commitment to the kind of measures that I believe are necessary to write a secure operating system. I don’t see any similar evidence for Linux. I haven’t heard of major initiatives in the Linux kernel to implement NX protections. Or to remove unsafe C runtime library calls. Yes, the Linux kernel’s pretty good. Absolutely. But the Linux kernel’s not the only piece in a distribution. This is a commitment that must be exercised across the distribution. It doesn’t help if the kernel’s a rock solid mountain if the web server (or the POP3 daemon, or the SMTP daemon, or …) has a remotely exploitable root vulnerability. The box will get rooted just as easily.

    The FreeBSD guys have the right idea there – a distribution AS A WHOLE must be secure. Not just the kernel.

    Scott: How many IIS exploits have been found in Win2K3 in the 13 months since Win2k3 shipped? ZERO. Why? Because IIS6 is the first shipping version of IIS that was shipped after Microsoft "got" security. I’m not saying that it won’t happen. But it hasn’t in 13 months of inspection. And why is that? Because IIS6 we went through the kind of thorough inspection and design review that I’m talking about. Even exploitable bugs in ISAPI filters won’t be exploitable, because all the ISAPI filters no longer run as LocalSystem – instead they run as LocalService, which is a hideously reduced security context.

    And as I said: Robustness wasn’t a requirement for Win9x, speed and size was. So was validating inputs received from the network, etc.

    The world today is very very different from the world of 15 years ago.

  26. Anonymous says:

    reading through comments, I think some people are missing the point of this blog entirely, which is Microsoft FINALLY do get security. they didn’t 10 years ago when they made windows 95, but with Win2k3 and the upcoming Longhorn, now they do.

    but you can’t convince everyone no matter how hard you try to do the right thing. there will always be the group that breathe linux like a religion; that believes Microsoft only hires stupid and technically inferior people because the smart ones obviously are embracing the open source; that predicts next year or the year after next will be the year of linux.

  27. Anonymous says:

    "

    The world today is very very different from the world of 15 years ago. "

    That’s very true, but I also remember back in the old BBS days hearing about people uploading trojans to BBS download areas. In fact I ran a BBS under OS/2 and was able to scan an upload by a user in another window and delete a trojan they had uploaded before anyone could download it. The events in "The Cuckoo’s Egg" took place in the early 80’s I believe. hmmmmmmm, maybe the world ISN’T a very different place than it was 15 years ago, just the technology is different.

    I thought you were trying to say that Microsoft always understood the need for security starting with Windows NT 3.51 and any bugs on platforms not based on NT didn’t count in your mind towards security gaffes. You weren’t saying that though, you were responding to a specific charge (file permissions missing in NT).

  28. Anonymous says:

    Scott, I didn’t use BBS’s 15 years ago, but you’re right, I do remember that it was a big deal (my kid brother used BBS’s a lot to get stuff for his Apple ][ and Macintosh and he had a running issue with viruses/trojans) – but the thing is, it was a lot easier to not use a BBS than it was to not use the internet 🙁

    And Microsoft HAS NOT gotten security in the past. In the past, we thought that having a decent authentication system and having ACLs was enough to make yourself secure. How hideously wrong we were.

    Microsoft didn’t start really getting security until about 2 years ago.

    When the slammer and ms-blaster worms hit, it sent Microsoft a great big wake-up call and we realized we needed to make a huge paradigm shift in our way of doing business as developers.

    We get it now, it’s just up to us to prove to the rest of the world that we do. I think that Win2K3 and XP SP2 and Longhorn will do a lot to change peoples minds.

  29. Anonymous says:

    "there will always be the group that breath linux like a religion; that believes Microsoft only hires stupid and technically inferior people because the smart ones obviously are embracing the open source"

    …and there will always be people that think that if you like Linux you automatically hate Microsoft and are automatically some kind of zealot.

    It’s a pity there are such prejudiced people here.

    Anyway, this is probably the last I’ll say, as this is getting quite boring now.

  30. Anonymous says:

    > …and there will always be people that think that if you like Linux you automatically hate Microsoft and are automatically some kind of zealot.

    sorry, I’m not generalizing all linux users and developers. but I do believe there is such a subgroup within the linux community that fits the description, who will never give Microsoft any credit for their effort.

  31. Anonymous says:

    Lazycoder weblog » Microsoft just doesn’t get Security – NOT!

  32. Anonymous says:

    Daniel: And vice versa with some Microsoft zealots. One of the problems we have as a community (as a whole, not as Microsoft vs. Linux) is understanding that when you deal on a global scale you’re going to run into zealots, troublemakers, and loudmouthed hooligans.

    One day on the Internet will expose you to more people than most individuals will meet in a year. Most people that we meet in a day are nice, reasonable people that we don’t mind. Thinking back over the past year how many have you met that you’d live happily ever after never having to deal with again?

    It’s my opinion that catering to the hooligans is a lost cause. Critics will always exist — if Windows became a perfect operating system the environmentalists would pick up and begin to scream about the "insane size of the packaging." Or some such other bull.

    Larry: You’re correct. Makes me wonder if perhaps Linux distributions should begin to concentrate on a core group of applications and ship that as a distribution vs. the "the pot, the kettle, the microwave, and everything else in the kitchen" approach that garners you eight installation CDs. The teams at Red Hat, SuSe, Mandrake, etc., would have a lot less auditing to do if they did so.

  33. Anonymous says:

    Larry Osterman wrote:

    > I haven’t heard of major initiatives in the Linux kernel to implement NX protections.

    Maybe you just didn’t want to hear? Linux has had support for NX protection on not-so-broken platforms that support the NX bit (like Sparc, I believe) for years. It recently (~1 year ago?) also gained the ability to emulate the NX bit on x86 as well.

    You make some good points, but don’t hate me if I don’t buy into the "we get security now. please believe us"

  34. Anonymous says:

    Cool, that’s good to hear Rob. I had no idea that the mainline Linux kernel supports W^X in user mode for x86.

  35. Anonymous says:

    Re: MS only "got" security in the last two years:

    The original UNIX worm happened in 1988, and nothing really new exploit-wise has happened since then, no? Still the same buffer overflows. That’s a lot of lost time.

    Well, let’s hope the new MS monoculture will be a little bit better than the current.

  36. Anonymous says:

    Bjorn,

    You’re right, the original Morris worm was in 1988, and the reason it caused so much damage (it infected 3000-4000 hosts :)) was that every *nix system in the world was totally insecure, and they were all running the same version of sendmail.

    Heck, I still remember wandering around the arpanet (this was pre-internet) trying to find systems with an RMS userid. There were a lot of them :).

    Speaking of worms, do you remember the christmas card worm? It took out bitnet and IBM’s corporate network back in 1987 (the year before the Morris worm)(http://att.com.com/Year+of+the+Worm/2009-1001_3-254061.html and http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_2_1.html)

    It took 13 years before the majority of people really started taking security seriously.

    And you’re right, Microsoft didn’t REALLY start taking security seriously until about 2 years ago (when SQL slammer hit).

    I’m just hoping and praying that the rest of the computing world follows Microsoft’s lead on this one. The OpenBSD team is doing the right thing, but when will Apple start (to pick on someone other than the various linux distributions that were mentioned above)?

  37. Anonymous says:

    Re: Christmas worm: No, I wasn’t around those kind of machines then.

    The thing about breeding monocultures (like the Vaxes and Suns of the 80’s and the NT’s today) is that it is a crushing responsibility. I really can’t help drawing on these biological similarities.

    As for Apple – well, at least we can read the Darwin code. Where’s my NT kernel source download? 🙂

  38. Anonymous says:

    You’re absolutely right about the monoculture issue. Monocultures are bad imho. Competition is good.

    Btw. The most recent Apple vulnerabilities weren’t in Darwin – they were/are in the Aqua help engine. And we don’t get the source to that. If you want the source to Windows Microsoft is more than happy to license it to you btw, there are several dozen universities that have had full source licenses since 1992. I believe that it ain’t cheap but you can get a source license.

    Also, in reality, "Many Eyes Make Shallow Bugs" is a fallacy – the reality is that people don’t proactively code review code for bugs. MEMSB depends on a large number of people aggressively code reviewing code for bugs, but the reality is that the only people who look at code are people trying to get their work done.

    There just aren’t cadres of people who spend all their time proactively reviewing source code for exploitable security bugs (unless they’re hackers looking for things to exploit).

    In our case, Microsoft has dedicated a significant portion of the ship cycle of every component to nothing but aggressive code reviews – we recognized that the cadres of people won’t spontaneously appear and we designed in the code review process into the ship schedule.

  39. Anonymous says:

    Yes, some daft person had decided you could mount disk images and other bad things via URIs – bad. But pretty easy to disable (not that Apple shipped the utility to do so).

    But the majority of the servers vulnerable to outside exploits are available, like Apache. And they’re turned off initially – neat, huh? [SP2 joke]

    As for access to NT source, I wouldn’t pay a cent – and I shouldn’t have to. Not for a system that after 11 years still can’t make a softlink, anyway…

    As you may have guessed, I’m an OS X user by choice and an XP user by profession.

  40. Anonymous says:

    Can’t make a softlink? I’m pretty sure that NT 3.1 had the ability to make softlinks (it’s required for Posix). Win32 didn’t get that until Win2K (I believe), but it’s there. SysInternals has a utility for this (I don’t know why it’s not exposed through the UI, probably because of the potential for confusion).

    http://www.sysinternals.com/ntw2k/source/misc.shtml#junction

  41. Anonymous says:

    Yes, I’ve seen something about that, but it seems like quite another thing.

    "Win2K’s version of NTFS supports directory symbolic links…"

    Only for directories on NTFS volumes, right? The neat thing about BSD-style symbolic links is that they are above the physical file system and can point to mounted network directories or whatever.

    One neat trick we did in a BSD environment was export header files from module directories to a common include directory as symbolic links.

    That reduced makefile chores while keeping the modules neat and self-contained. When you checked out you generally didn’t need to re-export, because the files were linked. I’d like to do that today on XP, but I can’t.

  42. Anonymous says:

    NT’s had them forever (check out DeviceDosDevice), but they’re not persistent.

    For persistent cross volume links, look at the shell APIs for creating links.