With the recent unleashing of yet another worm targeted at Microsoft's most secure operating system yet, I'd appreciate hearing a bit about what you guys are doing differently to make Longhorn more secure. Microsoft has accomplished many amazing thing over the last 25 years. When you put your minds to it, you usually accomplish something very impressive. (Internet Explorer for example) Is software security something you now have as top priority? Are we going to see 'revolutionary' improvement? (IMHO - we really need too.)And maybe, if you have the time, help me a little - how would you characterize XP today security wise? Would you describe XP as being secure? How would you defend yourselves when challenged by non Windows users who use the worm and virus outbreaks as anti-Microsoft ammunition?- surferdude
Wait for Windows XP Service Pack 2 to come out.
I would describe windows Xp as a pretty good security system. Alot of security features have been added to it therefore preventing hackers to having access to your computer. Service Pack 2 will 'boost' up those features. The firewall for example, i love it, pop up blocker, love it!
surferdude wrote:Is software security something you now have as top priority? Are we going to see 'revolutionary' improvement?
Yes. Security is Microsoft's top priority accross all of our products. With XP SP2, for example, you will see revolutionary improvements in both core system security and user administration of security settings via the Windows Security Center. You will have much more granular control over what Windows can and can't do on your behalf.
Securing our products comes before everything else we do and this will not change.
My Security is my responsibility. Microsoft can give me the tools, but I have to build my apps and OS securely.
The last few worms/virii have used exploits that were only publicised after the appropriate Microsoft patch had been released. In other words, the malware writers are sitting around waiting for a patch to appear, then reverse-engineering the patch, producing a worm to exploit the hole, and hoping that enough people haven't patched their systems to allow their worm to spread.
For example, the current Sasser worm targets a Win2k/WinXP hole that was patched two weeks ago - and that hopefully most systems have picked up by auto-update.
Thing is, you say that like your blaming the home users that haven't patched... I think if people are not patching that means you haven't done your job.
They should be made aware of why they need to patch or do it for them. People like us of course patch regularly but we are not the people that this worms targets or strikes.
I know it sounds tripe but there needs to be some idiot proof tutorial or something which explains why people are patching.. I'm thinking clippy appears on the screen and starts deleting their files, he then says "If you patched I wouldn't be deleting your files", and then explains that he will continue deleting their files until they patch (and the Windows Update button lights up).
The main problem I see at the moment is, your relying on SP2 to fix these peoples systems and stop them from hurting themselves, but these are the LAST people who will install SP2. Kind of dug your own grave on this one. If nobody (home users) installs SP2, you could release a very cheap 'XP Enhancement pack' for like £5 that gives them new backgrounds and installs SP2
IMHO - Expecting every internet user running Windows to apply a patch within a two week period is a pipe dream. Plus, patches are reactionary - the right solution is to prevent coding the vulnerability in the first place. This was more what my question was - How is Microsoft preventing / detecting security holes in Longhorn before the release? Can you prevent them? Or can we expect major worm outbreaks that exploit holes in Longhorn as well?
Manip - yep, we're not going to have done our job until all systems get updated in time, whether that's by auto-update or by user education. It's a hard problem, with a lot of sociological (as opposed to strictly technical) aspects to it. And "in time" is a shorter and shorter interval these days. But I'm not sure that bringing Clippy back from the dead to devour their files is quite the education that many users are looking for
Personally I'm hoping that we flood the market with free SP2 CDs - and maybe cheap "upgrade from Win9x to XP SP2" offers? The idea of adding extra content to the CDROMs as an incentive for people to actually take them home is a good one, though!
surferdude - there are no absolute guarantees. But Longhorn *will* be the most secure Microsoft OS yet. Windows Server 2003 currently holds that title - it's immune to Sasser, for example - and Longhorn is going to be another big jump beyond that. Windows Server 2003 was being written as the big security push at Microsoft was just starting, with lots of developer training, extra tools, security reviews, threat surface analyses, etc etc. Now the dev teams are taking that experience and putting it into Longhorn.
everything is secure enough..
SECURITY MEANS LOSS OF USER RIGHTS
and because there are alot of programmers here - i used caps on the above.
NO more security
Release some free stuff
YOU ARE BORING THE PANTS OFF YOUR CORE AUDIENCE
* even i am thinking of playing with Linux as there is nothing new thats EASY to play with from MS
Just like "homeland" security -= loss of people "user" rights
you are all out of your mind if you think SP2 is liberating - it is BAD
just WAIT for the press
"MS goes against all it's core philosophies with SP2"
" Service PAck TOO much!"
"Service pack or rights attack?"
Jamie.. are you insane? Microsoft put everything they had into a lot of core technologies in the last 5-7 years only to have it all visciously attacked resulting in nimba, iloveu, etc.. and they were the target of more than one "Microsoft losing the enterprise" articles in business magazines.
Everyone pretty much agrees that MS has very feature rich applications, but without security those applications are worthless. I think that windows server 2003 is awesome in that out of the box it is not listening for sh*t.. that is rule number one. LOCK DOWN THE ATTACK SURFACE!
I hope you are only kidding because some of your past posts I am inclined to think that. If you aren't .. whoa.. ^_^
jonathanh wrote:But I'm not sure that bringing Clippy back from the dead to devour their files is quite the education that many users are looking for
I was kind of joking about the clippy thing
Microsoft is always discussing 'Value Add' and such, well if people don't care about security then from that point of view SP2 adds nothing! That is a scary thought... I think depending on how much Microsoft 'cares' about its customers, it could consider giving away ($0) XP Plus pack, that would definitely encourage people to update. You could also (Although annoying) force other Microsoft applications to require SP2. Like MSN Messenger - "Please Install SP2 before updating MSN Messenger" etc.
I will admit that the pop-up blocker would be good for normal home users, but most of them don't know what pop-up's are (or at least not by that name).
I most definitely agree that it is a social issue but XP is a social tool. That is why you guys went to such lengths to ensure XP is as usable as possible and do usability studies etc. I think the current Windows Update is a step in the right direction (compared to downloading individual patches) but a lot of people don't want to use it because they don't understand what is does and feel - 'If it ant broke don't fix it'.
On that note, I just want to say I hate it when people say that. If we (humanity) stuck to that then we would still be living out of caves. Another expression that bothers me is "Reinventing the wheel", like nobody should try to progress because they might fail. I mean if everyone did try and re-invent the wheel don't you think we would have fare superior wheels than we do at the moment? - Just something I wanted to get off my chest
i wish i was kidding but im not
2 years of nothing but patches updates and security secturity security with the next version of windows no where near in sight - 2/3 years.
forgive me for getting bored..
release aqua - err - i mean aero/avalon as a free patch for XP or something..
give us something new and fun
STOp letting Jim Alchin hord all new features till next version
that mans gotta go
Exactly what is so bad about SP2, and which rights does it take away?
SP2 is a step in the right direction. I think it'll take to longhorn to see some major progress.
The recent article on MSDN about least privilege access shows some of the steps they are taking.
Focus on Least Privilege I really like the Copy-On-Write registry and file system that allows you to run older programs without admin rights without them breaking,
Please don't try to ship Longhorn too early and remove features like this.
I agree with the need to add some consumer doodah to SP2 to get people to install it. Ideally make SP2 discs as available as AOL CDs as well. Computer stores, magazine covers, etc. Maybe include something like Plus! DME, or perhaps just a few extra themes screensavers and wallpapers.
On the "Diversionary Tactics" section of the .Net Show the last couple of times they have had a guy interviewing people on the street about Windows Security.
Very few people knew anything about Windows Update and fewer knew what a firewall was. "How do I know its really from Microsoft", "I don't want to install anything because it might be a Virus"
I've seen it myself, people who have been using XP for over two years are still getting the balloon popup "Stay current with Automatic Updates" every day. They just ignore and close the balloon. They've never taken the time to tell it if they even want to be told when updates are available.
SP2 has automatic updates on by default, which is a good idea until there is a patch that misfires and breaks a few people installations overnight.
The patch that fixes the vulerability that Sasser attacks has caused a whole load of problems for some people. Perhaps you shouldn't try to fix so many issues in a single patch in future?
The problem with that balloon popup is that after the first click-away it is easier for them to get into a pattern of clicking away at it. I have been described it in context of a bug on more occasions than I like to remember. I have no suggestions on improving the box except putting it in simpler context - "Your computer is unsafe, download free update to protect it", it is a little long winded but maybe something to that effect.
Microsoft should also be looking at its education links and start getting IT courses in the US and UK to add 'Computer security 101' to the course. And a little half hour talk for those beginner classes. Give away free presentations with open copyrights...
Thing is, on one hand there computer pushes them away. These are applications like bonzi buddy and spyware always asking the user to click this and do that and then you have good software asking them to click something else. They are so confused by the good|bad split that they can no longer tell which is which.
Microsofts secrecy isn't helping either. It just spawns distrust and articles like this one: Inside Windows-Update
I think there should be an even clearer separation between what is CRITICAL and must be downloaded, and the other not so important add-on crap. Users on 56k modems that can't tell the difference get tired of windows update real quick.
And after the update is done, there should be some kind of better feedback to the end user. To in some way explain why it was important that they just spent 2 hours online downloading something they don't know what it is, what it does, and why it's needed in the first place. All they know is that now they're protected against, well, something or another.
It was also a dumb move to block pirated version of XP from updating. Serves them pirates right one might say. Yarr. But since they're on the same internet as paying customers they hurt everyone when they turn into unupdated cyberzoombies. Spreading spam and worms.
As far as the baloon tips go, I think it's yet another shot in the foot. There are just too many of them. And one of the first ones that pop up is about getting a Passport account. No wonder people turn those off ASAP. Or just keeps igoring them.
Given some thought windows update could have been alot more effective.
I think that, with a full retail price of $300.00 (U.S.) for WinXP, each registered user of an operating system should receive a annual replacement disk with a fully updated version (all patches, SP's and updates), Until a more current operating system is released. You could drop it in and be offered the option of updating or boot from it for a full regular install. OEM's could be responsible for part of the cost.
I do understand the difficulty with the task, especially after I read articles like "Windows XP hits 210 million in sales", but not only would this make life easier for power users and free up bandwidth at Windows Update, it would be a giant step towards securing the network systems.
Windows update is one of the great things in this industry. It's a shame that it's so poorly thought of by so many. I've actually read people complaining about having things (updates) pushed on them. Of course, these are the same users that immediately click yes on a Security Warning while they're web surfing, without reading it. Now SP1, Direct X, Media Player and codec's are all available for download separately as is IE (for Win98 only, which bugs me). I've got them all on the same cd going back several versions. I've also merged my XP install cd with SP1 so that it's all on a separate bootable cd (actually makes for a great install).
I think the other thing to keep in mind, is that we here, using these forums, are very VERY different than the average end user, who wants nothing to do with any of this. They simply want to turn on their PC and go to work. Making it easier for them to stay secure makes all of us more secure. Sure it seems simple enough to teach them how to do things properly but try doing it...lol..I support over 65 users, all in different environments.
The small business user has a written policy they have to adhere to or they lose their job, but home and SOHO users are a nightmare. I've actually had a client pay me for cleaning up his spy ware mess, then tell me he didn't have time to learn what went wrong, he'd just call me again. I've written step be step procedures for SOHO users, on my own time and at no cost to them, and they'll flat out tell me they don't have time for it. It puts me in a very difficult position. On one hand I have a business to run and a family to feed, on the other, it seems like I'm pounding my head against a wall trying to make them better users, when they have no interest in being better users.
I can see a future where the computers with always on connections will have all internet activity stopped with a warning up in front of them that states they are not allowed to proceed without first updating their PC.