“A year after Bill Gates called for Microsoft to make its products more “trustworthy,” executives are touting myriad initiatives as proof of the software giant’s new resolve. The company has spent millions to train staff in privacy concerns and secure programming, while building new tools and processes to help create reliable software. But critics–and Microsoft’s own executives–said much more work remains.” Read the report at ZDNews.
What’s the discussion?
I would rather call it “Trustworried” instead of Trustworthy.
Especially when looking at their plans with DRM, TCPA and Palladium.
Trustworthy, what a joke. Palladium, for one thing, is nothing to trust, plus the backdoor they built into Windows Media Player 9.
If security problems of the beauuuuuuutiful MS products were waiting for two magical words from the very mouth of Billy the McCarty, why didn’t he say them years ago, for non-existing god’s sake?
I can’t believe the level of stupidity that human beings can produce sometimes.
<<Far fewer changes are evident in the other two areas: reliability and business integrity.>>
Micro$lop will NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER have integrity in any shape, form or mutation.
Why never? They are a business. They want to have better products. Once, they had worse OSes, with the line of Win9x, and before that they had even worse (Win3.1/DOS). But as everything matures, it gets better. XP/2k is already up to par with many unix solutions in many fields and even better in other fields. Security is not as great as on other platforms, and MS acknowledges this and works on it. I find this a very positive move.
“Security is not as great as on other platforms, and MS acknowledges this and works on it. I find this a very positive move.”
What we need is security _from_ Microsoft.
They are not likely to defend us against themselves.
After reading it over, I’d have to say that it is probably the last paragraph that says it all.
‘“It’s not something that–bang–you realize Trustworthy Computing,” Lipner said. “One morning two years (from now), you’ll look back and say, Things are really different.”’
Too early to tell definitively right now. Later, though …
I once read this in a talkback forum about a year ago and it stuck with me since then:
If you wonder whether MS (or any corporation for that matter) will do the right thing or the wrong thing, the answer is – they will do whatever makes them the most money – ‘right or wrong’ has absolutely nothing to do with it.
“It’s not something that–bang–you realize Trustworthy Computing,” Lipner said. “One morning two years (from now), you’ll look back and say, Things are really different.”
No, what will happen is that I’ll wake up to find that Sentinels (X-Men type huge robots) running “WindowsXP ME edition” are coming after me, hunting me down (and the rest of the non-MS community) merely because we’re the last people to have not read and signed the terms and conditions of the MS EULA, and they are not sucking my freedom and bank accounts dry!
Excellent point. The original article’s quote has been fixed to more properly reflect on the situation.
“It’s not something that–bang–you (unless you are Mr. CracledButter) realize Trustworthy Computing,” Lipner said. “One morning two years (from now), you’ll (unless you are Mr.CrackedButter) look back and say, Things are really different.”
The “Trustworthy computing” initiative couldn’t have been too bad. In 2002 I think they must have released more patches for IE than they did in almost the two previous years combined. That might just mean that IE6 gold was released with more security vulnerabilities than IE 5.5 gold was, but at least they are pumping out patches. What will be the real test is how many security vulnerabilities are discovered in the recently released Windows Media Player 9, and some of the other new stuff in the pipe (Windows .NET). Virtually all current products were written entirely before the trustworthy computing initiative, and hence one cannot say that trustworthy computing failed merely because past MS stuff was very insecure. My theory is that MS is doing better, but not good enough to convince the security minded to use MS software in the near future. Until they build up a better track record, few people will trust MS software. I don’t think that MS cannot produce more secure products, but I think that it will take more than a one-month period of secure coding training to convince me that they are producing more secure products. Security will have to be part of the initial plan in their products instead of simply trying to fix as many mistakes as possible one month before the product ships.
Why never? They are a business. They want to have better products. Once, they had worse OSes, with the line of Win9x, and before that they had even worse (Win3.1/DOS). But as everything matures, it gets better. XP/2k is already up to par with many unix solutions in many fields and even better in other fields. Security is not as great as on other platforms, and MS acknowledges this and works on it. I find this a very positive move.
Why never? For the exact reason you reached the opposite conclusion – they are in business. In business, there is one sole motivator – shareholder return (better products are simply a means to that end). MS currently sees a threat to shareholder return on the basis that its products are less secure than some of the alternatives trying to break into the desktop market and in the server market. They see this as a potential threat, and evaluating the cost/benefit ratio, deem it necessary to spend money on security, to secure good shareholder returns for the future. If the potential threat were to go away, or the costs of implementing security rose above the benefit to shareholders, then security would be out the window. If MS keeps its monopoly position and successfully shuts out competition, we, the consumers/users are the losers. Security will only be implemented if it turns a $, product improvements will only be implemented if they turn a $. However, without competition, MS dictates the terms.
It is interesting that it was not until linux became a threat in both the server and desktop market that MS suddenly found the motivation to focus on security. Without viable competition, the incentive to innovate and improve is not there. Who knows where desktop computing might go if a properly functioning market place were to be achieved. However, while MS holds a monopoly position, we’ll never know. And while people sit back and say that MS’s current performance is good enough, we’ll never know.
I would love to see the day when you can go to a computer store, and pick up a computer with the OS of your choice, based on your personal requirements, safe in the knowledge that open standards mean you can share files and information with a user of any other OS/platform. However, while people continue to think MS’s monopoly position is acceptable, and do nothing about it, we’ll never get there.
I don’t think Linux poses a threat in the desktop market at all. I know technical users have a large disconnect from the reality that is a normal user (myself), but if you think Linux is ready AT ALL for the desktop, you’re only lying to yourself (or ignorant of reality) in my opinion.
I don’t think Linux poses a threat in the desktop market at all. I know technical users have a large disconnect from the reality that is a normal user (myself), but if you think Linux is ready AT ALL for the desktop, you’re only lying to yourself (or ignorant of reality) in my opinion.
I completely disagree with you; however, notwithstanding that, you have completely missed my point. I don’t think I ever argued one way or the other as to whether linux was “ready” for the desktop. I simply said without true competition in the desktop market place, we’ll never know the true potential of desktop computing. Without true competition, innovation and the incentive to improve products is stifled (notwithstanding MS’s spin to the contrary).
I don’t care whether you think linux is ready for the desktop or not. If you don’t think it’s ready, so be it. It’s your loss. I am no technical user (I’m a lawyer), and I can use it just fine on the desktop. I download and edit my digital videos, store and manipulate photos from my digital camera, watch dvds, listen to music, surf the net, read emails and a myriad of other stuff. I just put RedHat 8.0 on my brother’s PC (he hasn’t used a PC for a couple of years, and used windows before that). He’s an ordinary user (he’s a baker). He’s doing just fine. He can do everything he wants to do and more. He can even install software (having taken the 2 minutes necessary to read up on how to use rpm and synaptic). To my mind, anyone who says linux isn’t ready for the desktop doesn’t want it to be, or thinks it should be just like windows and when it’s not, they simply say it’s not ready. Linux is as ready as you want it to be. I want it to be, and it is. My brother wants it to be (he can’t afford WindowsXP) and for him it is. In my view, that’s the reality.
Well, I used a 2.5 GHz Dell PC at work running Redhat 8 as my desktop and development workstation for about a month.
All I had to do to get it to work was to install Redhat 3 times to find out that XFree86 didn’t support the integrated i845 graphics chip. So after a couple more reinstalls I managed to figure out that it would run with a generic VESA driver, though VERY buggy, at resolutions no higher than 1024×768, and at color depths no greater than 16-bit.
To “resolve” the issue I had to use CVS to grab the latest source of XFree86, then I had to work out some Makefile issues, then I had to compile it, then I had to configure it, then I had to deal with a machine that now had sort of “proper” graphics support, which was really just a version of what I had before I “fixed” it with a greater number of bugs, but of a less irritating nature.
Once I did that I used that machine for a month, only managing to bring it to a state of uselessness twice in 4 weeks, once by changing the mouse, and a second time by changing the display to a flatpanel. The mouse problem was never fully resolved: if I’m using a PS/2 mouse and the PS/2 driver, the mouse acts haywire, and the behavior is fixed if I switch to a USB driver. However, since that’s not the actual driver for the mouse type, if I log out or restart the machine the mouse ceases to function at all.
Anyway, the only reason the developers here have to use Linux is for some UNIX tools we use for our software. So I sold my home desktop machine and just purchased a loaded 1 GHz TiBook from Apple. So far so good: all the UNIX tools I need work great, and the 3rd party programs for office, multimedia, and communication related tasks are several orders of magnitude better. BBEdit is about ten times better than Anjuta, and iChat is at least a hundred times better than GAIM. MS Office v.X is a whole mess better than OOo and the Gnumeric/Abiword combo (though I really do like Abiword).
I bought the PowerBook, and the company bought the software. At first they were hesitant until I showed them the cost of my lost productivity for 4-5 days of not being able to work due to machine related problems. With the prospect of there likely being more issues, based on the experiences of the other members of the dev teams, they sprung for the software.
Now I’m the testbed for the rest of the department. If everything we need to use seems to work with OS X, and the TiBook seems reliable, then they’ll probably let me expense the TiBook to the company, and then go ahead and move the dev team over from Dell PCs and Toshiba laptops running Linux to Apple desktops and laptops running OS X.
So far so good.
Though as you can see from my working experience with Linux, what I had to do to get the machine running is something that any Linux software developer or distribution provider should, and perhaps ought to, expect their end users to deal with. I mean, whose little sister can’t get the latest source over CVS, and then fix any issues that crop up with compilation, and then manually back up, install, and configure a large piece of software all from the command line? Seriously, if your little sister can’t, then you should take a good hard look at your gene pool.
-Nathan
MS does not trust me – I don’t trust them. We’re even in that and I can not see that changing.
I would be more likely to trust MS if they had only 49% of the market, because they would not be able to act so freely. Much of the crap that they pull would not work if they had any real competition.
True, Linux has its weaknesses, but they are no worse than those that Windows has. Many of which would stop Windows in its tracks if it were in the position that Linux is in now.
“Why never? They are a business. They want to have better products. Once, they had worse OSes, with the line of Win9x, and before that they had even worse (Win3.1/DOS).”
You cannot say that those products were bad. The criterion of good or bad is $$$. All else is geeks’ lamentation. So those products are for sure the best ever made – look at M$’s financial state.
And I think they in M$ have sufficient wisdom to avoid technically good products.
So we have a dilemma: 1) We will see a technically perfect product and MS will die. 2) This never happens.
You only get so many chances.
Microsoft cannot be trusted to do anything except do whatever it takes to maintain their monopoly, even if they have to “cut off” someone’s “air supply” and “knife the baby.”
I do not forgive or forget.
>>>MS does not trust me – I don’t trust them. We’re even in that and I can not see that changing.
The first rule in X-Files — trust no one (including yourself).
From social engineering to improper computer set-ups, it is human errors that are the main cause of computer security problems. The majority of plane crashes are human errors.
Anti-MSFT people would like to say that someday you will not be able to listen to mp3 files that you downloaded from the net. Well, there have been security problems with both the Windows Media Player and a linux mp3 player such that if you play an infected mp3 file, you get a security breach on your computer.
>>>>Microsoft cannot be trusted to do anything except do whatever it takes to maintain their monopoly, even if they have to “cut off” someone’s “air supply” and “knife the baby.”
So is every single anti-MSFT billionaire in silicon valley. Boohoo, Microsoft is the only one convicted. All the other IT companies settled with various governments — they settled, paid a fine and admitted no wrongdoing. All those Wall Street brokerages settled without admitting any wrongdoing; does that mean that they are less guilty?
pnghd wrote something about how MS would do anything to do in their competition.
sam responded:
“So is every single anti-MSFT billionaires in silicon valley. Boohoo, Microsoft is the only one convicted. ”
——————————————-
That is mostly true, but the reason that MSFT is the only one convicted is that they are a monopoly.
Accordingly, the cut throat actions that would otherwise get a “Corps will be Corps” knowing wink are illegal.
One thing I will say for Microsoft.
They have earned all their enmity, honestly.
Much blahblah and everyone is ignoring that even after the end of one year “Trustworthy Computing” (ha!) Microsoft’s very core product Explorer has 19 known vulnerabilities. And those are not small tiny bugs but wide open backdoors allowing (in the order of the bug list) cookie theft, monitoring of the user, escaping applet sandbox restrictions and taking any action, circumventing security zones allowing local file reading and execution, read and write access to the clipboard, silent delivery and installation of an executable on a target computer and many more hidden but now well documented “features”. See http://www.pivx.com/larholm/unpatched/
Security and Microsoft are different worlds, and no talk will change that.
>>>That is mostly true, but the reason that MSFT is the only one convicted is that they are a monopoly. Accordingly, the cut throat actions that would otherwise get a “Corps will be Corps” knowing wink are illegal.
You don’t seem to understand my point. If Microsoft had taken a more conciliatory stance 4-5 years ago, they could have settled with the US government without admitting any wrongdoing. Does that make them any less guilty?
If Enron settles with the US government without admitting any wrongdoing, but Anderson fought, lost the trial and was convicted, does that mean Enron is less guilty than Anderson?
All I am saying is that every big business is guilty of something; Microsoft being the only ones convicted doesn’t mean that they are more guilty than everyone else in silicon valley.
>>>ha!) Microsoft’s very core product Explorer has 19 known vulnerabilities.
Many of those 19 vulnerabilities are in IE5, 5.5 and 6(pre-SP1). If you use IE 6 SP1, the number of unpatched vulnerabilities would drastically drop down.
>Many of those 19 vulnerabilities are in IE5, 5.5 and
>6(pre-SP1). If you use IE 6 SP1, the number of unpatched
>vulnerabilities would drastically drop down.
Did you read the site? The only bugs reportedly fixed by IE 6 SP1 are cssText (Local File Reading), DynSrc (Local File detection) and possibly the 2 1/2 year old and steadily reappearing IE https certificate attack vulnerability. Those are only 3 out of 19 vulnerabilities. I’d expect more before I call the decrease a “drastic drop”, but maybe you are right since we are talking about Microsoft (they like to keep some reasons for updates later, after all).
“All I am saying is that every big business is guilty of something; Microsoft being the only ones convicted doesn’t mean that they are more guilty than everyone else in silicon valley.”
No, them being convicted doesn’t make them suddenly more guilty than everyone else. Their long sordid history does.
It is true that their hearts may harbour no darker designs than their corporate rivals’, but being a monopoly allowed them to act on them in a way the others couldn’t.
That is why they need to be reined in. They are a case study of what happens when a Corp can act without restraint.
It is not trust MS has earned but disgust.
Thus the concept is disgustworthy computing.
The best thing that could happen to MS is for them to stop being the 800 pound gorilla and just be one of several industry titans. Hopefully, this process has already started.
It depends on how you read the site.
Most of the vulnerabilities are listed as IE6, not IE6(SP1). So either: (1) IE6(SP1) has patched the vulnerability and was listed as such; or (2) IE6(SP1) doesn’t have that vulnerability in the first place and therefore doesn’t need any patching; or (3) IE6(SP1) still has those vulnerabilities but they weren’t listed by the website because the website missed the information.
For example, in the clipboardData object caching vulnerability: It was clearly stated that “IE5.5 SP2 and IE6 are vulnerable to all of the above. IE6 SP1 is vulnerable to the “external” object caching and to the “clipboardData” object caching, it’s immune to the rest.”
However, in many other vulnerabilities they were simply stated as: “vulnerable in IE 5.5, IE 6.0”. They didn’t say if the vulnerabilities are present in IE6(SP1), not present in IE6(SP1), or fixed in IE6(SP1).
>>>>No them being convicted doesn’t make them suddenly more guilty than everyone else. Their long sordid history does.
You know Microsoft’s “long sordid history” because anti-MSFT companies and hackers publicize it.
I am saying that all the other corporations also have “long sordid histories”. But because they don’t have egotistical anti-MSFT billionaires and anti-MSFT hackers publicizing them, you will never learn about them.
Instead of making a song and dance about it, how about “just do it”(tm)?
I am sick and tired of hearing the same cheap rhetoric over and over again from different organisations, each claiming to be the “champion of the little people”, each claiming that “this time we will get it right”.
Heck, I don’t mind the odd security hole here and there, that’s life. Software is written by humans, hence subject to mistakes; however, what I do get pissed off about is the patch that patches a patch that was meant to patch a hole but didn’t.
Just look at FreeBSD, and how secure it is: in a space of 3 months, only three security “alerts”. I consider that pretty good.
“The company has spent millions to train staff in privacy concerns”
Was it not just a few months ago that MS employees had some large customer database available on their FTP server because staff were too lazy to secure it properly?
I mean, software will always have bugs, it’s just a case of how many and how severe, but putting your customer database in the public domain is just slack.
Though maybe it was an effort to curb their anti-competition image by providing their customer database to their competitors.
What exactly would an “infected MP3 file” be “infected” with?
>>>What exactly would an “infected MP3 file” be “infected” with?
It happened with winamp:
http://news.com.com/2100-1023-895429.html
It happened with linux mpg123:
http://www.linuxsecurity.com/articles/host_security_article-6544.ht…
http://securitytracker.com/alerts/2003/Jan/1005918.html
It happened with windows xp/wmp:
http://news.zdnet.co.uk/story/0,,t287-s2127786,00.html
But linux (and all programs run on it) are supposed to be more secure, right? They can’t have any security problems. I have decided that your links are lies.
MICROSOFT IE IS GOOD ENOUGH TO BE ABLE TO GET ON YAHOO AND PLAY POOL, WITHOUT A TWITCH. ALL YOU MICROSOFT HATERS OUT THERE, PLEASE TELL ME ANOTHER WEB BROWSER THAT DOES THIS WITHOUT HAVING TO DOWNLOAD AND INSTALL THE (PAIN IN THE ASS) “PLUGINS”.