
Craig Mundie Blames Microsoft's Product Delays On Cybercrime 182

whoever57 writes "In an interview in Der Spiegel, Craig Mundie blames Microsoft's failure in mobile on cyber criminals. Noting that Microsoft had a music player before the iPod and a touch device before the iPad, he claims a failure to execute within Microsoft resulted in Microsoft losing its 'leadership.' The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering. The criminal activity in cyberspace was growing dramatically ten years ago, and Microsoft was basically the only company that had enough volume for it to be a target. In part because of that, Windows Vista took a long time to be born.'"
  • by jabberw0k ( 62554 ) on Saturday October 27, 2012 @08:38AM (#41788433) Homepage Journal

    Windows (and MS-DOS before it) was not originally designed to be network-aware, much less network-safe. MS-DOS was a thinly disguised clone of Digital Research's CP/M, circa 1974. CP/M, as a personal computer operating system, was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

    It was no surprise to anyone that an operating system that treats all programs and operations as fully privileged, when connected to a global network, treats everyone in the world as a sysadmin. Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them, without horribly breaking every existing application.

    That they succeeded even a little is a triumph of engineering.

    But they would have saved everyone, including themselves, a huge amount of time and money by using something more UNIX-like as the design basis of Windows NT in the early 1990s. Apple learned that lesson with OS/X. Microsoft had Xenix years before, but threw it away. We, and Microsoft, are still suffering the consequences.

    As so-called "smart" phonecomputers and tablets further fragment the marketplace, it won't be the PC that "goes away" but, at long last, Windows and the CP/M heritage. The UNIX way wins at last... Huzzah!

  • by jimicus ( 737525 ) on Saturday October 27, 2012 @09:01AM (#41788515)

    He can't possibly be talking about the Zune. It came out in 2006; the iPod came out in 2001 and was on its fifth revision by the time the Zune came out.

  • by Alomex ( 148003 ) on Saturday October 27, 2012 @09:15AM (#41788579) Homepage

    > was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

    pffffft (spits coffee out) Unix security what?

    Unix was designed as an experimental operating system for a lab setting and hence had the weakest security of all OSes at the time. In fact, old timers will remember the common quip from the 80's and early 90's: Unix security is an oxymoron.

    Here's a sample quote from 1986:

    "UNIX Security" is an oxymoron. It's an easy system to brute-
    force hack (most UNIX systems don't hang up after x number of login
    tries, and there are a number of default logins, such as root, bin,
    sys and uucp). Once you're in the system, you can easily bring
    it to its knees (see my previous Phrack article, "UNIX Nasty Tricks")
    or, if you know a little 'C', you can make the system work for you
    and totally eliminate the security barriers to creating your own
    logins, reading anybody's files, etcetera. This file will outline
    such ways by presenting 'C' code that you can implement yourself.

    For example:
    1) the original Unix did not even have disk quotas;
    2) as late as the early 1990s any regular user could bring the entire system down with a simple stty command;
    3) wall used to be enabled to all users by default, which included the ability of writing control characters in someone else's TTY;
    4) the password file containing the encrypted passwords used to be publicly readable, which opens the system to offline attacks;
    5) to this date, *nix does not support well the concept of application ownership of a file, which leads to programs requiring their own user account, which is another kludge.

    Unix security today is a hard won battle by many people who patched up the original Unix system. Even so it is still subpar compared to big iron mainframe security.

  • by terjeber ( 856226 ) on Saturday October 27, 2012 @09:16AM (#41788583)

    Oh, there are so many mistakes in this drivel that I am at loss as to where to start. Well, let's begin at the beginning.

    > Windows (and MS-DOS before it) was not originally designed to be network-aware

    And how is that relevant? The Windows NT source code is not based on, and contains no, DOS code. DOS, and Win16 software runs in emulation on Windows since Windows NT, that is Win2K, WinXP etc. There is very little difference between the way Linux runs Win16 software (on Wine) and the way WinNT based OSs run Windows software. WinNT was designed from bottom-up to be a network operating system. In many ways, it has far more network awareness and security built in than does, for example, Linux.

    The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

    > draconian measures taken by "mainframe mentality" operating systems like UNIX

    BZZZZ! WRONG! Unix was written as a "personal" operating system that would be a lot simpler than the operating systems under "mainframe mentality" (whatever that was at the time) and would free its users from the rigors of time-share systems etc.

    > no surprise to anyone that an operating system that treats all programs and operations as fully privileged

    Windows hasn't done that since before Win2K. In WinNT (but that was sadly later dropped) a Microkernel mantra was used, where even most drivers ran in user-space rather than in kernel space. Graphics drivers were later (in Win2K as far as I can remember, but don't quote me on that) moved to kernel space.

    > Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them

    Oh, so wrong, so wrong. Clueless drivel in fact. Windows NT had far more security features than most desktop Unices at the time, and Windows still has a much more sophisticated security model than, for example, Linux. Even the basic file system security of Windows is head and shoulders above most Linux file systems.

    Honestly, if you want to post about the technical underpinnings of something, you really should get a basic clue first. Repeat after me:
    There is no DOS code in the Windows operating system.
    Windows was built from ground-up based on VMS as a network-aware, multi-user operating system.
    Windows has better file and run-time security than almost any personal operating system in use today, including OS/X and Linux.

    That, you see, is reality. Not the nonsensical drivel you posted.

  • by Dr. Evil ( 3501 ) on Saturday October 27, 2012 @09:56AM (#41788779)

    NT4 moved the graphics into the kernel. It was controversial back then. http://technet.microsoft.com/en-us/library/cc750820.aspx

    The biggest PITA to run outside of an administrative account was the software. It wasn't until XP that software *started* to work as a 'user'.

    Microsoft made big leaps in security in the past decade. Security advisory/patch cycles to entrypoint randomization, driver signing, code signing, policy refinement, non-executable stacks, WSA, antivirus etc.

    I don't buy that this cost them their leadership. Crappy decisions did. I'll add that ironically, because they didn't create marketplaces like iTunes, their music player almost *relied* on piracy "cybercrime" for their marketshare.

  • by Alomex ( 148003 ) on Saturday October 27, 2012 @11:12AM (#41789193) Homepage

    > Would you care to explain what is kludgey in using the uid namespace to also provide per-application ownership?

    Gladly. The main problem is that user space and app space are orthogonal. Good security requires the ability to say "this file shouldn't be touched by anyone other than joe blow using acrobat reader". Each of the two parameters, namely userid and appid are independent and need to be treated differently.

    So just because joe blow is a superuser this doesn't mean that all of his programs should run in that mode. In fact this deficiency is what eventually led to the deprecation of su in favor of the sudo command, itself an 80s addition to Unix and not really popular until the mid-to-late 90s. It is an attempt to try to prevent unwanted inheritance of the su privileges to one and all applications.

    This way for example, the java sandbox would be created by the OS rather than by the JVM sandbox kludge. The OS knows that the browser is not allowed to write to disk except to ~/.cache and ~/.downloads and you don't have to worry about what is the payload. You also want to have a per app+directory quota, to avoid denial-of-service attacks via disk/user account overflow.

    All of these things were already available in 70s mainframe operating systems and greatly increase security. They were echoed in the Mac design which completely forbade the wrong app from opening a file (itself a bit of an overkill, as it made it impossible, for example, to hand edit a postscript file or to print a manually generated postscript file).

    In fact most commercial flavors of unix are aware of this, and hence support an extended form of Access Control Lists (ACLs). However these have never taken on as all implementations feel awkwardly grafted into the file system.
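
The two-parameter check described in the comment above, as an added example that is not part of the original post or of any real operating system: a toy reference monitor that decides on user, application and path together and enforces a per-application, per-directory write quota. The user names, application names, paths and quota figures are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass, field

# All users, applications, paths and quota values here are constructed.

@dataclass(frozen=True)
class Grant:
    user: str        # who is asking
    app: str         # which program is acting for that user
    root: str        # directory subtree the grant covers
    ops: frozenset   # subset of {"read", "write"}
    quota: int = 0   # bytes this (user, app) pair may write under root

@dataclass
class Monitor:
    grants: list
    used: dict = field(default_factory=dict)  # Grant -> bytes written so far

    def _match(self, user, app, path, op):
        # Collapse ".." first so "<root>/../x" cannot pass the prefix test.
        path = posixpath.normpath(path)
        for g in self.grants:
            inside = path == g.root or path.startswith(g.root + "/")
            # userid and appid are independent keys: both must match.
            if (g.user, g.app) == (user, app) and inside and op in g.ops:
                return g
        return None  # default deny

    def check(self, user, app, path, op, nbytes=0):
        g = self._match(user, app, path, op)
        if g is None:
            return "deny: no grant"
        if op == "write":
            # Per app+directory quota: one program cannot fill the account.
            if self.used.get(g, 0) + nbytes > g.quota:
                return "deny: quota"
            self.used[g] = self.used.get(g, 0) + nbytes
        return "allow"

def demo_monitor():
    rw = frozenset({"read", "write"})
    return Monitor([
        Grant("joe", "browser", "/home/joe/.cache", rw, quota=1000),
        Grant("joe", "browser", "/home/joe/.downloads", rw, quota=5000),
        Grant("joe", "acroread", "/home/joe/docs", frozenset({"read"})),
    ])
```

With a plain uid check, every program joe runs could read `/home/joe/docs`; here the browser is refused even though it runs as joe, because no grant names that user and application together for that subtree.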