Microsoft’s Ballmer: Hackers getting smarter

2004-10-22 3:06 pm

Anonymous

“I think we’ve learned a lot more about security basically than anyone else in the world,” he said.

They probably know how to best *fix* flaws and roll updates out, but their continued failures even after hyped SP releases downplay anything they claim for security. They now excel at manufacturing bit-band-aids, and everyone knows a band-aid won’t help if you are missing a limb.

Other systems were just designed better from the ground up, and therein lies the difference.

2004-10-22 3:06 pm

Anonymous

He’s absolutely right, but I’m sure he’ll be crucified for saying it. It’s an arms race.

2004-10-22 3:07 pm

Anonymous

Imagine that – a hacker getting smarter. Here all this time I thought hackers for confined the 64 intelligence points as defined in the Player’s Guide Book. I guess everyone is playing by the revised 2005 edition.

I run Linux, that means I get a +9 on being smart.

2004-10-22 3:09 pm

Anonymous

Nobody expects Microsoft to eliminate _all_ security problems in their products. But how about starting to fix some of the vulnerabilities that are generally known and which shouldn’t have been in a final product in the first place?

I think Ballmer is trying to suggest to the general public, that there is nothing they can do, which is truly rediculess.

2004-10-22 3:17 pm

Anonymous

That may be the case, but it’s simply a fact that there’s an arms race between coders and crackers, whether the operating system involved is Windows, Linux, or whatever.

Windows does have a crappy infrastructure, I’ll grant you. (“C:Program Files” is writeable? I’ll stick with my Mac.) But what he said remains true.

2004-10-22 3:18 pm

Anonymous

“Other systems were just designed better from the ground up, and therein lies the difference.”

….and you know this how?

2004-10-22 3:24 pm

Anonymous

“Other systems were just designed better from the ground up, and therein lies the difference.”

….and you know this how?

..for 1, we can see the source code most others

2004-10-22 3:35 pm

Anonymous

it’s the brain shattering speeches of Mr. Ballmer. Newsflash to Ballmer, even attendees of a Gartner Symposium do have brains and feel insulted by being treated as morons.

Fix your software and stop making excuses!

2004-10-22 4:00 pm

Anonymous

Since when was a hacker “dumb”. I mean, it will always be possible to get around things if one really want to.

I’ve considered hackers (real ones, not script kiddies etc) to be very creative and smart.

I wont really bother reading anymore “I am fat and wear a suit and tie therefor I know everything”-statements from Mr. Ballmer.

2004-10-22 4:02 pm

Anonymous

It’s easy really, and you don’t even need the source code.

Users are restricted in what they can run and what they can access.

Programs can’t install themselves without permission.

A program can be accessed by multiple users at the same time.

The file systems actually can grow or shrink easily. You need more HD space?? simply tack it on. Under Windows you are limited to 26 drives. now that may seem like a large number but I am using 20 drives now. Networking software that treats remote drives as local cut into that number. *nix isn’t affected by this limitation.

2004-10-22 4:07 pm

Anonymous

…I can see what I get, take them apart, even modify them, and in general all I risk is losing some warranty. Same goes for keys and locks. I can fix my own leaks if I want to, and protect myself from intruders in whatever way I choose.

I can do the same thing with Linux or the BSD’s.

If I had to rely on people like Ballmer to explain to me why my plumbing fixtures wouldn’t last more than a year without springing a leak, that would be a really nasty pickle indeed, no?

2004-10-22 4:10 pm

Anonymous

“Under Windows you are limited to 26 drives. now that may seem like a large number but I am using 20 drives now. Networking software that treats remote drives as local cut into that number. *nix isn’t affected by this limitation.”

Correct me if I’m wrong, but don’t the new versions of Windows have mount points?

2004-10-22 4:24 pm

Anonymous

“What’s one of Steve Ballmer’s biggest headaches? It’s not Linux or security breaches. It’s piracy, the Microsoft CEO said Wednesday.

“The biggest problem we have right now is that people who should be paying for software aren’t,” Ballmer told an audience of technology executives at an industry conference here sponsored by market researcher Gartner.”

Their biggest problem is piracy? Obviously their focus isnt on security.

2004-10-22 4:26 pm

Anonymous

Correct me if I’m wrong, but don’t the new versions of Windows have mount points?

True. But only on NTFS (why?).

In fact, theoretically NT isn’t limited to 26 drives. Drive letters are simply aliases to keep ex-DOS/Win9x users happy. Unfortunately there is no simple way I know of to access drives in a more sane way. I don’t like mount points much but drive letters are too limiting. A multi-named-root system would be more flexible…

Again, Amiga does it the correct way!

2004-10-22 4:37 pm

Anonymous

Have network admins really gotten smarter on average?

In the late 80’s a worm totally infected NASA comuters by guessing that the system account password was “system” for their VMS systems (like having the root password in Unix set to “root”)

Sure big important networks have gotten much better but for smaller ones: how many accounts to day still have the password as the account name? or they use something easy to guess? for example my college had the admin password as the college name.

2004-10-22 4:39 pm

Anonymous

How does the Amiga do it. How come everyone says how the Amiga is so good?

2004-10-22 4:41 pm

Anonymous

This should count as news? Come on…

2004-10-22 4:44 pm

Anonymous

“How does the Amiga do it. How come everyone says how the Amiga is so good?”

Yeah…and how did we get a computer brand called “girlfriend,” anyway?

2004-10-22 4:48 pm

Anonymous

“Yeah…and how did we get a computer brand called “girlfriend,” anyway?”

Do you really want one your computer called “boyfriend”

2004-10-22 4:49 pm

Anonymous

in fact, amiga means feminine friend.. girlfriend is namorada in portuguese, and novia in spanish

2004-10-22 5:03 pm

Anonymous

Your right – Newer versions of Windows can mount drives and partitions – even onto themselves and yes just about any user can do it themselves often without realizing what they have done or where. This of course causes all types of problems until fixed. – With this kind of crap going on – you do not need smarter hackers – dumb users is all it takes.

2004-10-22 5:03 pm

Anonymous

http://s87767106.onlinehome.us/mes/NovioSite/main.html

An os [well… so the page designer claims] named ‘novio’.

2004-10-22 5:05 pm

Anonymous

They keep releasing holey OSs, plus they tied IE into the OS so a IE flaw is a OS flaw. I still have windows for games, but SuSE home 8.1 for other stuff.

2004-10-22 5:25 pm

Anonymous

> They keep releasing holey OSs, plus they tied IE into the OS so a IE flaw is a OS flaw. I still have windows for games, but SuSE home 8.1 for other stuff.

Yeah. I met the head of security for Microsoft Switzerland recently. He talks about things like modularity, and claims that IE might be rewritten; but he says that it being integrated into the OS isn’t a problem, which is, alas, nonsense.

Sure, as he points out, if it’s bug-free….. but that’s not a safe assumption, especially given its security record.

2004-10-22 5:28 pm

Anonymous

I think the folks over at openBSD know the most about security, that or hackers/virii writers. Obviously Microsoft is not a group of security experts. They may be bug fixing experts though.

2004-10-22 5:34 pm

Anonymous

> I think the folks over at openBSD know the most about security, that or hackers/virii writers. Obviously Microsoft is not a group of security experts. They may be bug fixing experts though.

Heh. No, although some OpenBSD people are quite clueful.

Most ‘hackers’ and ‘virus writers’ are idiots, including technically. There are some quite clueful people on every system though, really; Linux has some pretty interesting kernel patches for increased security.

Microsoft doesn’t appear to be very aware of OpenBSD for some reason; they could learn a fair bit from them.

2004-10-22 5:35 pm

Anonymous

Yes Bill it’s not your fault that your devs don’t know how to use strcpy and sprintf its the “Hackers” fault.

2004-10-22 5:40 pm

Anonymous

On the Amiga all partitions have both a label and a drive name, on my system I used to have three partitions:

system, wb3x:

work, dh0:

games, dh1:

tou could name them whatever you liked previous lines were only an example, and you could call them using either the label or the drive name, for example:

system:c/<command>

wb3x:c/<command>

if it wasn’t enough you could always create an assign like this:

assing potato: dh0:myprogram/potatofiles

and magically a new drive appears on the system called potato: that points to the dh0: drive on the program/potatofiles directory.

Nice, simple and easy, like everything on the Amiga, and by the way, years before anything else.

2004-10-22 5:42 pm

Anonymous

Solution is: Stop writing viruses and malicious code.

2004-10-22 5:44 pm

Anonymous

“I think we’ve learned a lot more about security basically than anyone else in the world.”

Hmmm thats arrogant, *nix has been here long before M$ became “security enlightened.” So according to them they are the supreme security experts yet are continually being exposed for vulns. Maybe M$ should switch into a line of production they can handle, like toasters?

2004-10-22 6:09 pm

Anonymous

A decent cracker can break into any system– Windows or *nix or whatever. I’ve seen documentaries on Discovery (or NGC, I’m not sure) where crackers got various assignments– like break into the server of a major ISP, and read John Smith’s email-account– they were able to do so within less then a minute. And the various asignments targetted all sorts of systems.

Windows sure as hell ain’t secure– but in the end, *nix ain’t that much more secure either. Like someone else pointed out already– passwords are everything but secure. The divide between the root account and restricted accounts is of course more securet than not having that divide, but in the end it doesn’t matter that much. A cracker will break into your system anyway.

2004-10-22 6:15 pm

Anonymous

They keep releasing holey OSs, plus they tied IE into the OS so a IE flaw is a OS flaw.

They cannot stop releasing holey OS – complete redesign and rewrite entire OS takes huge amount of time and work, especially if they want keep it compatible with old apps (even first XPSP2 releases were incompatible with 5-10% of old applications – and XPSP2 isn’t redesign of XP, even not rewrite, just bugfix). Longhorn rumoured to be complete code rewrite – when it started, when will it available?

About IE and OS – think about this problem a bit differently. They aren’t tied, [in ideal variant] they ARE the same thing. Or more specifically – IE=Explorer, “shell” layer on top of kernel. This itself isn’t that bad idea at all.

What MS did wrong (IMHO) – they included any kind of active content into IE/Explorer from one side and sacrified security between layers to speed from other side. This is rather implementation issue, not design issue.

(Have some of you used first NT? It was slow, but very stable and relatively secure – XP has basically same design, just lot of code added. Oh well, this isn’t MS design, after all:)

This is typical for commercial software – following utopical deadlines (and many more factors) causes negligent coding (implementation), which in turn spoils even best initial design. Possible that this will happen to linux distros soon too…

2004-10-22 6:16 pm

Anonymous

Yes, and in the movie “Hackers” the password was `GOD`

documentaries….

2004-10-22 6:24 pm

Anonymous

Windows sure as hell ain’t secure– but in the end, *nix ain’t that much more secure either.

—-

thats crap. *nix is very secure by design

2004-10-22 6:31 pm

Anonymous

thats crap. *nix is very secure by design

More secure than Windows, yes. But in the end, security in *nix is still based on the human factor, and therefore it is insecure. Just like a car that is proclaimed “safe”. It doesn’t mean one can’t still crash into a wall with it.

The root account is protected by a password– and that password is setup by humans, and therefore it is still insecure. As a whole, than yes, of course the *nix design is more secure than the Windows model. But secure? Of course not.

2004-10-22 6:41 pm

Anonymous

“Microsoft’s Ballmer: Hackers getting smarter”

He is right, Hackers are making OpenSource software better everyday.

2004-10-22 7:04 pm

Anonymous

You have 2 problems with network security

Network admins that are over their heads and shouldn’t be network admins. These are people that have passwords like: root,toor,system,ect and don’t keep logs (or ingores them) or backups.

Network admin that have skills run having to deal with n00bs on the network. Demand users change their passwords regularly and they’ll ingore you. Give the accounts expiry dates and they will ingore the messages of “Contact admin to your renew account” till their account dies and they get all man and blow up at the IT deparment. Suspend an account becouse the n00b put a modem on his machine (actully happened at AT&T Canada some years ago) and you have to be chewed by the stupid n00b.

Unix is secure but like Thom Holwerda said, humans are the weak point.

2004-10-22 8:21 pm

Anonymous

“I think we’ve learned a lot more about security basically than anyone else in the world.”

Yeah, and its taken them years to figure out what everybody else in the computer industry knows instinctively from day 1.

This roughly translates to ‘I think we have made more security mistakes than anyone else in the world’.

And instead of learning from their mistakes and correcting them, they cover up the problem hoping nobody will notice until it finally gets so bad they have to address it or lose significant market share.

Nice one Steve, you come across less intelligent every time you speak.

2004-10-23 12:19 am

Anonymous

Amen to that.

2004-10-23 12:36 am

Anonymous

In the late 80’s a worm totally infected NASA comuters by guessing that the system account password was “system” for their VMS systems (like having the root password in Unix set to “root”)

are you referring to the Robert Tappan Morris worm? that used exploits (and undocumented features) in finger (and sendmail). i know it attacked Solaris as well as VMS. groundbreaking for its time since it was multi-platform and used a form of buffer overflow. there’s a whole RFC written on it, and a good section of Cyberpunk is devoted to it.

i didn’t know it used default passwords as well, but several hacking zines from the time mention that liberally. default passwords even play a role today, e.g. Zipslack sets root pass as null, and various network devices like routers have had backdoor passes for maintenance. password crackers still play a large role in client security e.g. aol, webmail, pcanywhere.

2004-10-23 1:06 am

Anonymous

A decent cracker can break into any system– Windows or *nix or whatever. I’ve seen documentaries on Discovery (or NGC, I’m not sure) where crackers got various assignments– like break into the server of a major ISP, and read John Smith’s email-account– they were able to do so within less then a minute. And the various asignments targetted all sorts of systems.

this is partially bullcrap no doubt, but interleaved with fact. there do exist zero day exploits and advanced techniques that aren’t generally publically available. the infamous “this is the public version” is attached to most every garden variety exploit. but still there are limitations.

The divide between the root account and restricted accounts is of course more securet than not having that divide, but in the end it doesn’t matter that much.

for sure. in the debian.org fiasco, an ssh password was “sniffed,” then an unpublished local root exploit was used. the attacker may or may not have been skilled (evidence using burneye), but he knew someone. this type of stuff may not work against an EAL-7 system, but it works on traditional unix.

2004-10-23 1:07 am

Anonymous

>> More secure than Windows, yes. But in the end, security in *nix is still based on the human factor, and therefore it is insecure. Just like a car that is proclaimed “safe”. It doesn’t mean one can’t still crash into a wall with it.

What a total cop-out.

Of course any system is at the mercy of the humans that run it. That doesn’t mean that an OS can’t be secure from a technical standpoint. Holes in an OS and human stupidity are two entirely separate things. Going around dismissing all differences in OS security with the “human stupidity” argument is throwing the baby out with the bathwater.

2004-10-23 1:09 am

Anonymous

>> He’s absolutely right, but I’m sure he’ll be crucified for saying it.

He’ll be crucified because it’s a straw man argument. Nobody is complaining over Windows security because it’s not PERFECT. They’re complaining because it is inferior to everyone else’s, to the point where a system begins getting “infected” within hours of being plugged into the Internet.

2004-10-23 1:16 am

Anonymous

are you referring to the Robert Tappan Morris worm? that used exploits (and undocumented features) in finger (and sendmail). i know it attacked Solaris as well as VMS. groundbreaking for its time since it was multi-platform and used a form of buffer overflow. there’s a whole RFC written on it, and a good section of Cyberpunk is devoted to it.

No I was referring to the WANK worm.

2004-10-23 1:44 am

Anonymous

Because they already were smart enought. They just getting more knowledgable. You cannot increase your intelligence much but you sure can increase your knowledge.

As for bug free software that is a myth, you might want to read this article about a software company that writes very little bugs in their software and how they do it.

http://www.fastcompany.com/online/06/writestuff.html

Maybe Microsoft could take one of their mottos onboard.

“Don’t just fix the mistakes — fix whatever permitted the mistake in the first place.”

2004-10-23 5:00 am

Anonymous

Rassian Hackers no slip and hacking a lot of programms and

Microsoft corp Again remain in the back.Or who that disagrees?

2004-10-23 6:31 am

Anonymous

When you up to your neck in alligators, it’s hard to remember

that your initial objective was to drain the swamp.

2004-10-23 6:54 am

Anonymous

Then again why is MS going through with it’s DRM technology in the first place if it can’t stop crackers or hackers ?? Oh I forgot it’s to leverage even more market share over the desktop by trying to remove choice on a hardware level.

2004-10-23 10:07 am

Anonymous

smarter than microsoft…that’s not so hard.

2004-10-23 5:26 pm

Anonymous

When I start YaST2, there is a option to keep the pasword. Why in the crap is that there?

2004-10-23 7:21 pm

Anonymous

Of course any system is at the mercy of the humans that run it. That doesn’t mean that an OS can’t be secure from a technical standpoint.

agreed to some extent. i’ll add a logical fallacy and say — anyone who thinks Trusted Solaris, Trusted Multics, and OpenVMS are as flawed (security-wise) as Windows NT deserves to have all certs and degrees stripped from them. NT simply makes a security, usability, and time tradeoff.

a whole class of stack overflow doesn’t even exist on OpenVMS.

2004-10-23 7:23 pm

Anonymous

As a whole, than yes, of course the *nix design is more secure than the Windows model. But secure? Of course not.

NT does have some sophisticated ACL’s. then again so does SE linux and Solaris.

2004-10-23 11:10 pm

Anonymous

so does SE linux and Solaris.

—

selinux is a very different kind of beast from acl. acl is primarily dac while selinux is MAC

2004-10-24 2:33 am

Anonymous

Windows does have a crappy infrastructure, I’ll grant you. (“C:Program Files” is writeable? […]

Only to Power Users and Administrators.

[…] I’ll stick with my Mac.)

Your Mac is configured the same way (/Applications is writable).

2004-10-24 2:39 am

Anonymous

Users are restricted in what they can run and what they can access.

Programs can’t install themselves without permission.

A program can be accessed by multiple users at the same time.

The file systems actually can grow or shrink easily. You need more HD space?? simply tack it on.

All of which is doable under Windows. So…your point was ?

Under Windows you are limited to 26 drives.

Untrue, drives can be mounted under directories.

now that may seem like a large number but I am using 20 drives now. Networking software that treats remote drives as local cut into that number. *nix isn’t affected by this limitation.

Neither is Windows. Only broken applications that require network shares to be mapped to drive letters are affected by that limitation. Properly written applications quite happily use UNC paths.

2004-10-24 2:43 am

Anonymous

…I can see what I get, take them apart, even modify them, and in general all I risk is losing some warranty. Same goes for keys and locks. I can fix my own leaks if I want to, and protect myself from intruders in whatever way I choose.

So, your plumbing fixtures – do you know the metallurgic content of them ? Are you privy to the process under which they were designed and forged ? Do you have the engineering documents showing their design ? Do you have the tumbler patters for the locks ? Design documentation ?

Must be some hardware store.

2004-10-24 2:51 am

Anonymous

They cannot stop releasing holey OS – complete redesign and rewrite entire OS takes huge amount of time and work, especially if they want keep it compatible with old apps (even first XPSP2 releases were incompatible with 5-10% of old applications – and XPSP2 isn’t redesign of XP, even not rewrite, just bugfix).

Please explain why you think an entire rewrite and redesign is necessary, and what needs to be changed.

Longhorn rumoured to be complete code rewrite – when it started, when will it available?

It’s not and never would have been. Longhorn is just Windows NT 6.

2004-10-24 3:17 am

Anonymous

thats crap. *nix is very secure by design

More secure than Windows, yes.

How ? Be specific.

2004-10-24 5:18 am

Anonymous

Just because Ballmer says that hackers are “getting smarter” doesn’t mean that they were originally dumb. Geez, take a basic course in logic.

NT ain’t limited to drive letters. You can just as readily open a mount point \serversharelah. Get a clue before you criticize.

The availability of source code doesn’t mean that that same source code is free (or even largely free) of security defects. The “million eyeballs” theory only works if people are actually looking for defects in the code — and while that may be true of the largest projects (Linux, Apache), there’s no evidence that the theory holds true for smaller projects. Vulnerabilities are just as prevalent in open source code as in closed source. And denying it isn’t a substitute for a counter-argument, before you zealots try that cr*p…

2004-10-24 11:49 am

Anonymous

“Of course any system is at the mercy of the humans that run it. That doesn’t mean that an OS can’t be secure from a technical standpoint.”

Yes, but technically secure OSes have been invented decades ago (e.g. Unix). The security challenge of today is to make handling of that “human factor” easier while at the same time provide lots of features in a system.

2004-10-24 2:03 pm

Anonymous

Yes, but technically secure OSes have been invented decades ago (e.g. Unix).

Unix is probably not a good example there. I mean, holy shit, if your UID == 0 you basically *bypass* the entire security system on a typical unix box. Not to mention the primitive and inflexible user/group/other permissions model.

Microsoft’s Ballmer: Hackers getting smarter

About The Author

Eugenia Loli

61 Comments