Craig Mundie Blames Microsoft's Product Delays On Cybercrime 182
whoever57 writes "In an interview in Der Spiegel, Craig Mundie blames Microsoft's failure in mobile on cyber criminals. Noting that Microsoft had a music player before the iPod and a touch device before the iPad, he claims a failure to execute within Microsoft resulted in Microsoft losing its 'leadership.' The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering. The criminal activity in cyberspace was growing dramatically ten years ago, and Microsoft was basically the only company that had enough volume for it to be a target. In part because of that, Windows Vista took a long time to be born.'"
Obviously the dog ate their decent designs... (Score:5, Interesting)
He's discussing the time period right about when I finally bailed on MS. I had been trying to be a security advocate for my group for a couple of years - and was told over and over again that users don't want security, and who cares? (Admittedly, the group I'd worked for before that, which was more server focused, was also more security focused.) ...and then the security initiative began, and while I was cheerfully packing up my office, I suddenly had coworkers stopping by, picking my brain and trying to get me to give them my phone number so I could, continue to work for the company I was so eager to depart from, for free. And, of course, the security infrastructure they produced was incredibly annoying and non helpful for most users. (Somewhere in here my not particularly computer literate mother switched over to linux.)
Of all the stupid statements I've heard coming out of Microsoft about why they have made lousy products and terrible missteps which were, inaccountably, not embraced by customers, this has got to be the stupidest.
Mobile? The core problem continues to be that mobile is much more about hardware (which Microsoft itself has finally acknowledged). And even aside from the hardware, more about clean interface design than market dominance.
What bufoonery.
Re:Never designed to be network-aware (Score:4, Interesting)
ohhhh shit, the world's just been turned upside down - Unix is for personal, hack-style users and Windows is for mainframe, secure datacentre applications?! :)
Of course you're right - Dave Cutler did a great job with the original WNT, and Linux was a crashy bit of crap for many years, but things change and Linux had a load of good engineering put into it, and WindowsNT had a load of crappy engineering put into it.
So today, the faults with Linux lie in the original design flaws, and the faults with Windows lie in the bodged up crap that was added by other teams in Microsoft. (however, I'd take a slight contention about Windows NT security model - it started life really well, simple to use and understand. Today even running as administrator you don't have administrator privileges, then there's the overly complex way of applying some security aspects, and then there's the different models of security that just don't use the underlying model that worked so well - for example I once attended a course from MS about MTS and in there they talked of security roles. I put my hand up and asked "why have roles when you could have used Windows groups?" The guy ummed a little, gave a little laugh and said "ah yes, I see where you're coming from with that... next question"). Obviously some team at MS had decided to roll their own security system rather than rely on the underlying thing, and this is what still happens today.
Re:Well duh (Score:5, Interesting)
You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked
Bill Gates, that great visionary at Microsoft, famously missed the onslaught of the Internet. He didn't even see it coming until he had to play catch-up.
Microsoft was run by idiots. (Score:4, Interesting)
I remember Redhat 6.x from the ealy 2000's. It installed with all services+listeners running by default. Stuff like SMTP and RPC and bind was listening. For a Redhat install, the only safe way to install was from CD. Then run "lsof -i" and see what services are listening to the internet, and spend the better part of an hour shutting them down, and/or uninstalling them altogether. Worms like L10n and Ramen were rampant. After a lot of yelling+screaming Redhat finally listened, and stopped installing that stuff by default. Installs could be done without needing a firewall. The worms went away.
Microsoft was run by a bunch of idiots who wanted everything to "just work". One of the advertising claims for Windows 3.1 was "ease of administration". You could send a script as an email to all users in the office, and they simply had to click on it and it would re-configure their PC as you desired. This worked great in a 10-person office before the WWW. On a hostile web/internet, it was a disaster waiting to happen.
In order to make things "just work" for home PCs, Windows defaulted to NetBIOS/NetBEUI and RPC all turned on. This was one of the causes of all the worms that spread by portscanning. To make things worse, by Win98SE, *YOU COULD NOT TURN OFF RPC EVEN IF YOU WANTED TO*.
The "Autorun" mentality was another problem. We all know about sticking a USB key into a Windows machine, and it "automagically" ran stuff. That was not the only such problem.
Excel had "autoexec macros" that ran when you fired up the spreadsheet. MS' first response was to change Excel to set a bit in the file header of the spreadsheet, flagging that it had autorun macros, and Excel shouldn't run them if the user had changed his Excel config to disallow autorun macros. It didn't require genius for bad guys to save a spreadsheet with autoexec macros, and edit the file header of the spreadsheet with a hex editor, telling Excel that the spreadsheet was "safe". Excel then proceeded to run the autoexec macro when loading the spreadsheet, regardless of the user's settings. That was eventually fixed.
Outlook Express (known "affectionately" as "Outhouse Excuse") also "auto-rendered" files. This allowed photos to be displayed inline, and music files (WAV, etc) to be played automatically. The "security" consisted of filtering against a list of safe file extensions (WAV, JPG, etc), and then handing off the file to the OS to run. The OS ignored the extension, and determined the file type by checking the file header, then it handed off the file to the appropriate program. So the bad guys renamed "virus-installer.exe" to "song.wav", and it was automatically executed. This is how SirCam and Bubble-Boy wormed their way around the web.
And then we get to Active X, known "affectionately" as "Active Hacks". This was the mechanism behind so many "drive-by-downloads". What made it worse was that Active-X was rammed down people's throats by Internet Explorer. Let's say you disabled Java, Javascript, and Active-X in IE.
* Java was Sun's product. You launched a webpage with a Java applet, the applet didn't download and run, but the rest of the page displayed properly. IE "degraded gracefully".
* Javascript (originally called "Livescript") was Netscape's baby. You launched a webpage with javascipt, the javascript didn't run, but the rest of the page displayed properly. IE "degraded gracefully".
* Active-X was Microsoft's baby. A lot of webpages had Active-X code. When IE came across a page with Active-X, and IE had Active-X, then IE came to a screeching halt, and put up a modal dialogue about how "This page may not display properly". It would not budge until you clicked OK. With all the Active-X applets on the web, IE was effectively unusable with Active-X disabled. Just like UAC several years later, people got sick and tired of clicking "OK" every 30 seconds, and simply enabled Active-X in IE. That was what kept drive-by-downloads going.
Microsoft have only themselves to blame.
Pipes and filters (Score:3, Interesting)