Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Businesses Microsoft Software Hardware

Craig Mundie Blames Microsoft's Product Delays On Cybercrime 182

whoever57 writes "In an interview in Der Spiegel, Craig Mundie blames Microsoft's failure in mobile on cyber criminals. Noting that Microsoft had a music player before the iPod and a touch device before the iPad, he claims a failure to execute within Microsoft resulted in Microsoft losing its 'leadership.' The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering. The criminal activity in cyberspace was growing dramatically ten years ago, and Microsoft was basically the only company that had enough volume for it to be a target. In part because of that, Windows Vista took a long time to be born.'"
This discussion has been archived. No new comments can be posted.

Craig Mundie Blames Microsoft's Product Delays On Cybercrime

Comments Filter:
  • by Anonymous Coward on Saturday October 27, 2012 @07:27AM (#41788391)

    Yep, cyber criminals armed with chairs...

  • by BoRegardless ( 721219 ) on Saturday October 27, 2012 @07:30AM (#41788401)

    If MS had wanted to start a new division for mobile devices, it had the cash to do it. Mundie's excuse doesn't cut it.

    If what he is saying is that he and Balmer are so much of a micromanagement team that they couldn't handle one more project and still tell everyone what to do, I can buy that as an excuse.

    • by DarkOx ( 621550 ) on Saturday October 27, 2012 @07:40AM (#41788441) Journal

      That and attempting to duck responsibility for the security situation is a little pathetic too. Yes, the people responsible for crime are the criminals. If someone hacks you trashes you site, steals you trade secrets whatever that cracker is the responsible party. Just like if someone breaks the glass in my window reaches around and opens the lock, they own the breaking and entering. That does not mean however its not a good idea take steps to protect you valuable assets, because we know there are bad actors out there.

      The reality is most of us want an operating system where the security controls are effective. Microsoft was forced by the market to 'focus on security' because businesses really were going to start jumping ship for alternatives like Apple desktops and Linux in back office (an in some cases the front office too). If Microsoft had made a correct allocation of resources to security in the first place they would not have to sideline so many other efforts to fill in the deficit later.

      • by jhoegl ( 638955 )
        I also like the theory that because Windows XP was the only OS for 5 years or so, it made it more porous. So once Vista came out, it somehow caused problems for hackers.
        Shill article is terrible.
      • by MysteriousPreacher ( 702266 ) on Saturday October 27, 2012 @10:20AM (#41789265) Journal

        I feel for Mundie. My construction business went through something similar. After many happy years of designing and building sub-standard residential properties, we were caught off-guard when people began to exploit the tendency of our houses to catch fire, explode, and be easily burgled.

        As the largest builder of houses, we were a common target. We lost our lead in commercial buildings because we had to devote a lot of resources to learning how to build houses that lasted more than a few days.

        it's easy in hindsight to say that electrical insulation is useful, or that gas pipes should not leak, or that front doors be made of something more sturdy than cardboard. Back then we had no reason to assume that anything of those things were ever going to be important, and I assume everyone built houses that were prone to sudden annihilation.

        We're not entirely blameless. This would never have happened if people had kept naked flames at least 30ft away from the houses. The cardboard doors on the houses not at the time exploding and/or burning, was only an issue because criminals were trying to burgle houses.

        • Best extended metaphor I've read on Slashdot -- blows the doors off all those car ones!
        • But you didn't overlook security! You had video cameras in every room of the house, feeding live video directly to the local police stations and your headquarters. Admittedly, there were a few problems and instances of abuse-- some homeowners briefly locked out of their own homes when the automatic locks malfunctioned, a few rogue employees caught downloading the feeds from the cameras in the shower stalls whenever in use by homeowners' children, and sales of occupancy information that regrettably ended u

        • This is great! I love it! This is exactly the issue Microsoft has - blaming others instead of themselves. If they did well, it is because *THEY* did it. If they didn't do well, it is because others were fucking with them.

          Bah, whiny.

  • by jabberw0k ( 62554 ) on Saturday October 27, 2012 @07:38AM (#41788433) Homepage Journal

    Windows (and MS-DOS before it) was not originally designed to be network-aware, much less network-safe. MS-DOS was a thinly disguised clone of Digital Research's CP/M, circa 1974. CP/M, as a personal computer operating system, was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

    It was no surprise to anyone that an operating system that treats all programs and operations as fully privileged, when connected to a global network, treats everyone in the world as a sysadmin. Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them, without horribly breaking every existing application.

    That they succeeded even a little is a triumph of engineering.

    But they would have saved everyone, including themselves, a huge amount of time and money by using something more UNIX-like as the design basis of Windows NT in the early 1990s. Apple learned that lesson with OS/X. Microsoft had Xenix years before, but threw it away. We, and Microsoft, are still suffering the consequences.

    As so-called "smart" phonecomputers and tablets further fragment the marketplace, it won't be the PC that "goes away" but, at long, last, Windows and the CP/M heritage. The UNIX way wins at last... Huzzah!

    • by Alomex ( 148003 ) on Saturday October 27, 2012 @08:15AM (#41788579) Homepage

      was specifically designed not to have any sort of security, versus what was seen as the draconian measures taken by "mainframe mentality" operating systems like UNIX (from Bell Labs, 1969).

      pffffft (spits coffee out) Unix security what?

      Unix was designed as an experimental operating system for a lab setting and hence had the weakest security of all OSes at the time. In fact, old timers will remember the common quip from the 80's and early 90's: Unix security is an oxymoron.

      Here's a sample quote from 1986:

      "UNIX Security" is an oxymoron. It's an easy system to brute-
      force hack (most UNIX systems don't hang up after x number of login
      tries, and there are a number of default logins, such as root, bin,
      sys and uucp). Once you're in the system, you can easily bring
      it to its knees (see my previous Phrack article, "UNIX Nasty Tricks")
      or, if you know a little 'C', you can make the system work for you
      and totally eliminate the security barriers to creating your own
      logins, reading anybody's files, etcetera. This file will outline
      such ways by presenting 'C' code that you can implement yourself.

      For example: 1) the original Unix did not even have disk quotas. 2) as late as the early 1990s any regular user could bring the entire system down with a simple stty command, 3) wall used to be enabled to all users by default which included the ability of writing control characters in someone else's TTY 4) the password file containing the encrypted passwords used to be publicly readable which opens the system to offline attacks 5) to this date, *nix does not support well the concept of application ownership of a file which leads to programs requiring their own user account, which is another kludge.

      Unix security today is a hard won battle by many people who patched up the original Unix system. Even so it is still subpar compared to big iron mainframe security.

      • by CajunArson ( 465943 ) on Saturday October 27, 2012 @08:19AM (#41788601) Journal

        Shush you! Your irresponsible knowledge of history and politically-incorrect use of "facts" are getting in the way of us praising the perfect security of anything associated with UNIX!

        Now excuse me while I go purge my SSH logs of all those pesky login attempts that I'm sure are all coming from only Windows machines since Microsoft forces everyone to use SSH on Windows. I'll ignore all those nmap reports that indicate the attack machines are actually compromised Linux boxes in Asia since its theoretically possible for someone to lock down a Linux box, therefore ALL Linux boxes are always perfectly admined and cannot be hacked!

        • I realize that you're joking, but you're supposed to automatically rotate your logs. If you're constantly purging the those attempts, you're doing it wrong. Run fail2ban or denyhosts and turn on your firewall.

          Linux/Unix is only as secure as the security minded sysadmin can manage. Windows has actually become more secure in the last 4-5 years. They had to because of all the attacks on them. Linux has to play catch up now. The whole network advantage someone else mentioned is now long gone.

          I will say tha

      • by Anonymous Coward

        Disk quotas are not a security measure.
        Password file was encrypted.
        Application ownership of a file isn't security.

      • by doshell ( 757915 )

        I actually agree with you in that the first Unix implementations had a number of security holes, and that the so-called iron-clad Unix security only came many years later with the accumulated experience of dealing with those holes. But I take trouble with the following claim:

        to this date, *nix does not support well the concept of application ownership of a file which leads to programs requiring their own user account, which is another kludge.

        Would you care to explain what is kludgey in using the uid namespa

        • Re: (Score:3, Informative)

          by Alomex ( 148003 )

          Would you care to explain what is kludgey in using the uid namespace to also provide per-application ownership?

          Gladly. The main problem is that user space and app space are orthogonal. Good security requires the ability to say "this file shouldn't be touched by anyone other than joe blow using acrobat reader". Each of the two parameters, namely userid and appid are independent and need to be treated differently.

          So just because joe blow is a superuser this doesn't mean that all of his programs should run in

          • Pipes and filters (Score:3, Interesting)

            by jabberw0k ( 62554 )
            The whole idea of "The UNIX Way" is that files are just files ... and that you accomplish tasks by running files as streams through various pipes and filters. This is utterly at odds with requiring file associations to any particular program. You can use vi or Emacs or pico or whatever you like to edit a .c file. You can use Emacs to edit a PostScript file... you can use any of half a dozen common programs to edit a .docx file... It's the "Apple way" of forbidding anything but the Anointed Holy Programs f
            • by Alomex ( 148003 )

              thank you for explaining why the security hole came to be, and why it might be hard to fix, or alternative, why ACLs feel like a kludge. The fact remains however, that file security in Unix is unsophisticated and as such one of its weak points.

              It's the "Apple way" of forbidding anything but the Anointed Holy Programs from operating on my files, that is broken

              I said so myself. The solution is to have the safety device enabled by default and raise an exception when breaking it, which, depending how you do it,

          • In Linux, applications (such as browsers or web servers) can be restricted from writing to arbitrary directories with SELinux or AppArmor. Most modern distros have it baked in and enabled by default at this point, and many have had it available for years. OTOH, the best security is security that's actually used. If the only way for people to get into a building is by someone else holding the door for them, sooner or later someone will just sneak in. Similarly, if your admin can't get something to work witho

          • by sjames ( 1099 )

            The main problem is that user space and app space are orthogonal.

            No, they're not. That config file with my preferences in it is MINE, not the app's. That document is MINE, not the word processor's. That's why we say my document and my preferences. Otherwise, anyone able to run the word processor (enter it's security context) could read my documents (because they would live in the word processor's security context). Taken to the other extreme where app and user context are both required for access, you're back to not allowing a user to hand edit his own documents. That is

            • by Alomex ( 148003 )

              You are confused. The permissions are an AND, you need the word processor AND you have to be you to open the document.

              you're back to not allowing a user to hand edit his own documents.

              Not really. What this says is that by default only the right application should open the document, but a regular user can override this through UAC (as opposed to you reading someone else's documents which requires superuser/root privileges).

              That is a violation of one of the key philosophies of unix where a chain of small sp

      • The "wall" command was the frigging joy of my life as a student doing unix. It taught me about /dev/tty* priveleges and the fact that on the unix boxes at the time for a brief few seconds any logging in terminal had a wide open write permission, in which you could make havok.

        And yeah, I nearly got kicked out of my studies for "CHUNGA LIVES". But it was for Frank Zappa, and since I didnt get kicked out, it was worth it.

        God I miss the 90s.

      • by sjames ( 1099 )

        Yes, and for all of that, Windows was worse. It didn't even have a concept of 'user' until NT took over. It still seems a bit shaky on multi-user, particularly concurrent multi-user. Unix had the 'honor system virus' but it took Windows to make the concept of an e-mail virus anything but a moderately lame joke.

        Unix needed some real improvements, and research continues in making it better still, but because it at least started life with some concept of permissions, users, and groups, it had a big head start.

    • by terjeber ( 856226 ) on Saturday October 27, 2012 @08:16AM (#41788583)

      Oh, there are so many mistakes in this drivel that I am at loss as to where to start. Well, let's begin at the beginning.

      Windows (and MS-DOS before it) was not originally designed to be network-aware

      And how is that relevant? The Windows NT source code is not based on, and contains no, DOS code. DOS, and Win16 software runs in emulation on Windows since Windows NT, that is Win2K, WinXP etc. There is very little difference between the way Linux runs Win16 software (on Winw) and the way WinNT based OSs run Windows software. WinNT was designed from bottom-up to be a network operating system. In many ways, it has far more network awareness and security built in than does, for example, Linux.

      The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

      draconian measures taken by "mainframe mentality" operating systems like UNIX

      BZZZZ! WRONG! Unix was written as a "personal" operating system that would be a lot simpler than the operating systems under "mainframe mentality" (whatever that was at the time) and would free its users from the rigors of time-share systems etc.

      no surprise to anyone that an operating system that treats all programs and operations as fully privileged

      Windows hasn't done that since before Win2K. In WinNT (but that was sadly later dropped) a Microkernel mantra was used, where even most drivers ran in user-space rather than in kernel space. Graphics drivers were later (in Win2K as far as I can remember, but don't quote me on that) moved to kernel space.

      Microsoft's campaign, then, was to somehow graft basic security features into an o/s that never had them

      Oh, so wrong, so wrong. Clueless drivel in fact. Windows NT had far more security features than most desktop Unices at the time, and Windows still has a much more sophisticated security model than, for example Linux. Even the basic file system security of Windows is heads and shoulders above most Linux file systems.

      Honestly, if you want to post about the technical underpinnings of something, you really should get a basic clue fist. Repeat after me
      There is no DOS code in the Windows operating system.
      Windows was built from ground-up based on VMS as a network-aware, multi-user operating system
      Windows has better file and run-time security than almost any personal operating system in use today, including OS/X and Linux.

      That, you see, is reality. Not the nonsensical drivel you posted.

      • by terjeber ( 856226 ) on Saturday October 27, 2012 @08:20AM (#41788611)

        For the record, the rubbish Craig Mundie says in the referenced article seems like drug-induced nonsense. Microsoft dropped the ball on security by basically, in Win2K defaulting to run anything under the "root" user, which was a stupid idea, but understandable, most users of Win95/98/ME would have been lost if the security in Windows had actually been used properly.

        • by sjames ( 1099 )

          And that is the inheritance from the DOS/Win95 days. The capability came from the NT side of the 'great merge' but expectations remained firmly in the Win95 camp. To this day, there are apps in the Windows world that think they should be able to overwrite themselves as an unprivileged user.

        • Comment removed based on user account deletion
      • by gbjbaanb ( 229885 ) on Saturday October 27, 2012 @08:46AM (#41788735)

        ohhhh shit, the world's just been turned upside down - Unix is for personal, hack-style users and Windows is for mainframe, secure datacentre applications?! :)

        Of course you're right - Dave Cutler did a great job with the original WNT, and Linux was a crashy bit of crap for many years, but things change and Linux had a load of good engineering put into it, and WindowsNT had a load of crappy engineering put into it.

        So today, the faults with Linux lie in the original design flaws, and the faults with Windows lie in the bodged up crap that was added by other teams in Microsoft. (however, I'd take a slight contention about Windows NT security model - it started life really well, simple to use and understand. Today even running as administrator you don't have administrator privileges, then there's the overly complex way of applying some security aspects, and then there's the different models of security that just don't use the underlying model that worked so well - for example I once attended a course from MS about MTS and in there they talked of security roles. I put my hand up and asked "why have roles when you could have used Windows groups?" The guy ummed a little, gave a little laugh and said "ah yes, I see where you're coming from with that... next question"). Obviously some team at MS had decided to roll their own security system rather than rely on the underlying thing, and this is what still happens today.

        • things change and Linux had a load of good engineering put into it, and WindowsNT had a load of crappy engineering put into it

          I am not sure I agree with the description. Win NT/2K/XP etc had a lot of good engineering going in, but it had some problems on both the marketing side and on the project management side. In essence, there was too many retarded developers developing software for Win2K really which was the first mass adoption of the NT kernel. Instead of telling these developers to go get an education, the marketing/project management fluff decided to cuddle their ignorance and allow Windows to ship with a terrible default

          • yes and no :)

            Windows is a good product nowadays, and the Windows division is certainly full of excellent engineers. Too bad the guys who wrote Explorer shell extensions (and explorer itself) wouldn't know a clue if someone took a large one and shoved it up them!

            But the problem with running an OS isn't that is runs "clean", you have to install products to make it do the things you want. The biggest problem I have with Windows nowadays is complexity. An OS should be as simple as possible so there is much fewe

            • look at the log it produces when you run a .NET app - hundreds of lines of it simply looking for the assemblies to load. Hundreds. Whatever was wrong with search the path for matching filenames?

              I am not quite sure what the trace is showing, I haven't run it, but a .NET app will look for assemblies more or less the same way a Linux app will, with one twist. It will search the bin directory of the app, it will search the path, and (and this is the difference) it will search the GAC. Not sure why that turns into hundreds of lines. Perhaps bad developers on the .NET team.

      • by Waffle Iron ( 339739 ) on Saturday October 27, 2012 @08:50AM (#41788745)

        Windows (and MS-DOS before it) was not originally designed to be network-aware

        And how is that relevant? ... The base of the Windows you are running today was designed to be similar to VMS from DEC, an operating system that actually had the "mainframe mentality".

        It's relevant because for many years they shipped their OSes configured "out of the box" to bypass or hobble much of that wonderful-on-paper NT security model. This was so they could preserve the nonrestrictive DOS/Win95 the user experience that people were so used to. The security technology might as well not be there if nobody actually uses it.

        This problem was compounded by a lack of quality control on much of the system code outside of the kernel itself. Remember when the half life to 0wnage of a fresh XP box connected to the Internet was measured in minutes?

      • by Dr. Evil ( 3501 ) on Saturday October 27, 2012 @08:56AM (#41788779)

        NT4 moved the graphics into the kernel. It was controversial back then. http://technet.microsoft.com/en-us/library/cc750820.aspx [microsoft.com]

        The biggest PITA to run outside of an administrative account was the software. It wasn't until XP that software *started* to work as a 'user'.

        Microsoft made big leaps in security in the past decade. Security advisory/patch cycles to entrypoint randomization, driver signing, code signing, policy refinement, non-executable stacks, WSA, antivirus etc.

        I don't buy that this cost them their leadership. Crappy decisions did. I'll add that ironically, because they didn't create marketplaces like itunes, their music player almost *relied* on piracy "cybercrime" for their marketshare.

        • I don't buy that this cost them their leadership. Crappy decisions did.

          I totally agree. Lack of focus, complacency and bad decisions made Microsoft bad. That is still a problem within Microsoft where different team either don't communicate because they don't feel they need to or because they have different outlooks and visions. MS would be better off spinning off some of their stuff into smaller focused entities and open quality dedicated communications teams to keep teams in sync.

      • by DarkOx ( 621550 )

        Windows has better file and run-time security than almost any personal operating system in use today, including OS/X and Linux.

        Thank you for your post I was waiting for someone to set the record strait. I do take some exception with your final thought though.

        The NT Kernel has better file and run time security than pretty much everything else out there. That is true, but in practice its not and has never been used fully. The presentation and application layers of Windows pretty much until failed to expose lots of the features until Server 2003. Even now many of them are not widely used because making much use of them tends to

      • by PPH ( 736903 )

        Oh, so wrong, so wrong. Clueless drivel in fact. Windows NT had far more security features than most desktop Unices at the time, and Windows still has a much more sophisticated security model than, for example Linux. Even the basic file system security of Windows is heads and shoulders above most Linux file systems.

        Number of security features does not result in more security. The Unix/Linux security model is simple. But that simplicity gives the administrator or user the ability to get a few settings correct and secure system resources or user data. The more additional 'features' you add, the more likely the average user* will screw them up and open a hole.

        Unix was designed with a simple 'everything is a file' model. Anything details you want on top of that are the responsibility of the application developer. For ex

        • by makomk ( 752139 )

          The more additional 'features' you add, the more likely the average user* will screw them up and open a hole.

          Not just the average user either; it's easy for the average developer to screw up and leave a hole too. For instance, under Windows many application installers need to install one or more system-wide services (it's basically mandatory if you want to do automatic updates). As part of the service installation process, you need to specify the ACL to be applied to the newly-created service. Lots of app developers such as Adobe screwed this up and set a generic wide-open ACL, which meant any user on the system

        • Number of security features does not result in more security

          This is self-evidently true, and I didn't address that. I just pointed out that the posting I replied to was dead wrong on basically all accounts. Sadly, the more sophisticated security features of Windows are badly understood by brainless developers, and therefore often open to exploit. If the developers had come from a Unix or Mainframe background, where such security measures are dealt with at the outset, it wouldn't have been a problem, but most developers on Windows (back then) grew up on 3.11, 95 and

          • by PPH ( 736903 )

            If "all" developers on Linux wrote apps that required elevated privileges, Linux would have had serious problems too.

            Perhaps its a Windows shortcoming that so may apps need privilege escalation. On Unixes, its rare. And when it needs to be done, its done by small, single purpose utilities (services) that don't include a backdoor for an unprivileged user to run miscellaneous scripts, send e-mail from within the app, etc.

            The Unix user/group model allows the partitioning of restricted objects into logical silos. Privilege escalation within one app. means nothing to the next app. over. Its just another user with no business

            • Perhaps its a Windows shortcoming that so may apps need privilege escalation

              It isn't. It is just lazy and/or ignorant developers. For example, if I install an app on Unix for all users, I typically have to run the install as root. Generally the same with Windows. The problem is that on Windows, most applications expect to be able to update them selves when being run. So, a lot of them require escalated privileges to run, the idea that they should be able to update them selves is absurd though, and it is a developer problem, not an OS problem.

      • by Super_Z ( 756391 )

        There is no DOS code in the Windows operating system.

        The OP never claimed there was.

        Windows was built from ground-up based on VMS as a network-aware, multi-user operating system

        Some of the engineers working on NT came from DEC, but Win NT was never based on VMS in any way. Having coded for applications for both, I can assure you that VMS is like night and day compared to WinNT

        Windows has better file and run-time security than almost any personal operating system in use today, including OS/X and Linux.

        • The OP never claimed there was

          So his rant on DOS and CP/M was just a meaningless rant? Also, the title of his post, "never designed to be..." was utter rubbish. Much as his entire post.

          Win NT was never based on VMS

          You are right, I worded that poorly. The design philosophies were influenced by the work of Cutler at DEC, but VMS was not the basis for Win NT. Saying that "some engineers" came from DEC is the understatement of the century. Cutler brought over a good bunch of people, and Cutler was the team lead.

          This is an unsubstantiated opinion disguised as "fact".

          You are then of course able to substantiate that with some

    • From what i remember, it wasnt designed to be all that secure, and beisdes, it wasnt theirs anyway. It was rebranded/licensed from SCO, back when they were still a legit company producing code.

      And dont forget even MSDOS wasnt original in the beginning, they bought ( stole ) it from another company.

      Hell they even had to buy SQL server from another company to get that started.. ( have they ever had a true original thought from the beginning? )

      Overall microsoft is a huge joke, and would have never had a chance

    • MS-DOS was a thinly disguised clone of Digital Research's CP/M, circa 1974

      Yeah... this was thoroughly debunked

      • I'm not up on the current conspiracy theories, but my understanding was that the notion that Microsoft STOLE CP/M was debunked. It's pretty clearly patterned off of it, IMHO. At least the command line interface is superficially very similar.

    • by hawk ( 1151 )

      >CP/M, as a personal computer operating system, was
      >specifically designed not to have any sort of security,

      It had one little, itty-bitty piece.

      CP/M had users 0-15. If memory serves, default was 0, one of the others was reserved for something or another, and setting to any of the other 14 caused only files set to that user to be visible. Or something like that.

      And I don't think there was any protection from two users using the same filename; it got overwritten.

      hawk

    • But they would have saved everyone, including themselves, a huge amount of time and money by using something more UNIX-like as the design basis of Windows NT in the early 1990s.

      The Windows NT security model is basically the UNIX security model (with a few additions and refinements). The problem isn't that NT-based operating systems are inherently insecure. The problem is that (as you allude to in your post) NT had to be backwards compatible with existing applications, especially when it was rolled out to

      • .. "The problem isn't that NT-based operating systems are inherently insecure. The problem is that .. NT had to be backwards compatible with existing applications" ..

        Why didn't they run older apps inside a virtual DOS machine like on OS 2 [wikipedia.org]?
    • "Windows (and MS-DOS before it) was not originally designed to be network-aware, much less network-safe

      Windows has been 'network-aware' since at least Windows for Workgroups 3.11 [microsoft.com]
    • by Kirth ( 183 )

      In short: "Microsoft's product delays are to blame on the fact that it threw away Xenix". Now THAT is a reason ;)

  • by tylikcat ( 1578365 ) on Saturday October 27, 2012 @07:39AM (#41788439)

    He's discussing the time period right about when I finally bailed on MS. I had been trying to be a security advocate for my group for a couple of years - and was told over and over again that users don't want security, and who cares? (Admittedly, the group I'd worked for before that, which was more server focused, was also more security focused.) ...and then the security initiative began, and while I was cheerfully packing up my office, I suddenly had coworkers stopping by, picking my brain and trying to get me to give them my phone number so I could, continue to work for the company I was so eager to depart from, for free. And, of course, the security infrastructure they produced was incredibly annoying and non helpful for most users. (Somewhere in here my not particularly computer literate mother switched over to linux.)

    Of all the stupid statements I've heard coming out of Microsoft about why they have made lousy products and terrible missteps which were, inaccountably, not embraced by customers, this has got to be the stupidest.

    Mobile? The core problem continues to be that mobile is much more about hardware (which Microsoft itself has finally acknowledged). And even aside from the hardware, more about clean interface design than market dominance.

    What bufoonery.

  • With security out of the way, it looks like they can knock out a new version about every 18 months now. Lucky us. Especially if you happen to be in the business world and they screw you over and say they are not even going to offer more service packs for an operating system a lot of businesses just installed.

    Microsoft needs a new business model that doesn't involve forced, non-needed upgrades. Don't know what that exactly is, but the current method is not working.

    • Well, they've been trying to get software-as-a-service pushed down our throats. And if it doesn't work directly, well, I guess this is their way to cram it down our neck.

  • What a whiney rant to cover up his own malfeasance.
  • In other words the corners cut ignoring the lessons learned on *nix and other systems before MS Windows even existed eventually needed to be at least partially dealt with.
  • The reason for MS's failure in that field was clear to all. Even it the poor company it shared, it still stood out as a crock.

  • Here we go... (Score:4, Insightful)

    by Anonymous Coward on Saturday October 27, 2012 @07:52AM (#41788477)

    "Microsoft was basically the only company that had enough volume for it to be a target"

    Tying security to volume of installs shows, to me, a lack of understanding of the actual models underlying the operating systems.
    Windows is an entirely different creature from say Linux. Linux is merely the kernel, everything else is a package. A properly secured linux box, (proper PAMs, selinux, permissions, Least user privs, and minimum packages) != a hardened windows box. They are not even close. Volume has little to do with the security models. I hate that is always pops up. As if.

    • by hawk ( 1151 )

      The real problem with the "volume" argument is that that volume exists only in the low value targets.

      The high value targets (e.g., banking) are not running on windows.

      And as far as "cracker cred" would go, a linux or Mac virus would put the cracker in a league of his own; the suggestion that it's the larger quantity of windows boxes that makes it the target is just plain silly.

      hawk

      • You are kidding me right? You honestly believe banks don't run their services on Windows? From ATMs to check clearing to anything else...?

  • by The Rizz ( 1319 ) on Saturday October 27, 2012 @07:55AM (#41788491)

    In part because of that, Windows Vista took a long time to be born

    Too bad they didn't use that extra time to abort...

  • Well duh (Score:5, Insightful)

    by Solandri ( 704621 ) on Saturday October 27, 2012 @08:01AM (#41788509)

    The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering.

    You took an OS which effectively ran with superuser privileges (DOS) all the time, and added a graphical shell on top of it (Win95, Win98). You then tried to switch it to a more secure user / superuser model, but you made it so inconvenient that it was easier for everyone to just run as superuser all the time (NT, 2k, XP). Finally you started trying to enforce running as a regular user except when needed (Vista). But the industry had had a decade to acclimate to running as superuser, so you were met with so much resistance you had to scale it back (7). Of course you're going to have a huge security problem.

    You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked, and that user vs. admin privileges were going to become very, very important. But no, you took the easy way out and stuck with the one-computer one-user model, and you've been paying the price for it for the last decade and half. You made your own bed; it's disingenuous to now blame someone else for having to lie in it.

    Part of being a good leader (of a group, country, market, whatever) is to foresee and recognize what's going to become important or a problem in the future, long before your followers do. A good example is what the NSA did with DES [schneier.com]. They had done enough secret research into DES that they knew of a vulnerability; and when DES was proposed as a standard they made some secret changes to it which eliminated that vulnerability before the public was even aware of it. Your job as a leader is to act on that foresight, even if your followers can't see what you see and complain about it. If you can't do that, you just aren't cut out to be a leader.

    • by Anonymous Coward

      Microsoft is a Marketing Operation With Some Shoddy Software. They are very good at polishing the surface of crap-balls so that the naive/dumb/ignorant "management talent" with their MBA "degrees" buys their crapola. Just look at their MFC container classes - they don't have a fecking clue about complexity analysis. They don't know what an automatically growing hashtable is. So they employ tons of software developers who apparently never went through a proper CS fundamentals course.

      Google knows their stuff

    • by Anonymous Coward

      ... that in XP, all the users you created at install time (up to 4, IIRC) in addition to the "Administrator" root account, were members of the "Administrators" group, that the account type for newly created users in control panel defaulted to "Computer administrator", and you had to change that on purpose to "Limited" (who - if they are not computer experts, wants to be limited?); the new naming convention ("Standard User" instead of "Limited") in Win7 is much better.

      Obviously, the fact that a lot of progra

    • At the time of 9x, every piece of software written for DOS and win 3(.11) was written with two assumptions: That it could put files wherever it wanted, and that it could do low-level hardware access for sound, graphics, etc. What you propose they should have done would have broken that. It would have been a business disaster: Users would get their shiny new Windows 95, and discover that none of their software or games would run! People would have held back upgrading for years, by which time competitors coul
      • by doshell ( 757915 )

        That it could put files wherever it wanted

        They could have implemented VirtualStore as early as Windows 95 as a stop-gap measure for write-anywhere programs. Sure, it's an approach with its own problems, but sometimes you have to trade something in for security.

        low-level hardware access for sound, graphics, etc

        Trap the hardware interrupts in software, then emulate the low-level I/O routines at the OS level. Possibly with a performance penalty, but again: you have to decide where your priorities are.

        And yes,

    • Re:Well duh (Score:5, Interesting)

      by QuietLagoon ( 813062 ) on Saturday October 27, 2012 @11:37AM (#41789737)

      You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. i.e. Back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked

      Bill Gates, that great visionary at Microsoft, famously missed the onslaught of the Internet. He didn't even see it coming until he had to play catch-up.

    • by Kirth ( 183 )

      > around when Windows 95 came out, you should've realized the future was for all computers to be networked,

      Not at Microsoft. Remember that Windows 95 had no way to connect it to the internet on its own first? Only some "MSN"-thing? This was the state of mind at Microsoft then.

  • If you release a lot of crappy software, sooner or later, somebody will have to pay the bill. The secret of Microsoft is that make so the customer is the one paying this bill, but sometimes Microsoft has to pay part of it. Imagine if Microsoft where forced to retroactivelly pay for all the lost because of OS crash, and all the expenses because of antivirus software. But we don't live in a world where Microsoft is being forced to pay for his crappy products faults.

  • The OS was horribly insecure. That it took them a decade to (more or less) fix that is their fault, not the fault of their market-share.

  • Awesome term. Can anyone translate into human? I think he's saying that they done fucked up, but for all I know, he's talking about literally killing employees who didn't fit in with the corporate culture.
    • Ximinez: Hm! She is made of harder stuff! Cardinal Fang! Fetch...THE COMFY CHAIR!

      [JARRING CHORD]

      [Zoom into Fang's horrified face]

      Fang [terrified]: The...Comfy Chair?

      [Biggles pushes in a comfy chair -- a really plush one]

      Ximinez: So you think you are strong because you can survive the soft cushions. Well, we shall see. Biggles! Put her in the Comfy Chair!

      but Ballmer used and threw an office chair - see, he managed to fuck up even this simple act of corporate motivation.

      Ximinez [with a cruel leer]: Now -- you will stay in the Comfy Chair until lunch time, with only a cup of coffee at eleven. [aside, to Biggles] Is that really all it is?
      Biggles: Yes, lord.
      Ximinez: I see. I suppose we make it worse by shouting a lot, do we? Confess, woman. Confess! Confess! Confess! Confess

      ah... well, I suppose he does try to make up for it by shouting a lot.

  • Microsoft came out with a tablet and it did everything you liked about a laptop but less. Apple came out with a tablet that did everything you liked about a smart phone only more. Apple was a bit more clever.
    • My interpretation is that Apple embraced touch and built their OS around it while MS tried to shoehorn it into Windows and call it a tablet.
  • by number6x ( 626555 ) on Saturday October 27, 2012 @08:28AM (#41788635)

    When Windows first came on the market it was not the market leader. It did not have years of legacy code or legacy applications holding it back. It could have been built more secure from the ground up.

    All of Windows competitors competed in the same market with the same 'cyber-criminals'. They built products that better withstood attack. All of the parties building products for sale in all of these markets were subject to the same market forces. By the time we got to the world of touch surfaces, music players and phones, Microsoft had a few things it could have used to its advantage: $49B in the bank and market dominance. They are complaining that they had to re-direct resources to make Windows secure. Then they should have tapped into their reserves and gotten more resouces!

    Maybe if they didn't waste money on ads for churros and running shoes with Jerry Seinfeld and put that money towards product development they would have succeeded.

    Microsoft failed in these markets because they failed to understand what consumers wanted. They have no one else to blame but themselves.

    Build procucts people actually want to buy.

    • by plover ( 150551 )

      When Windows first came on the market it was not the market leader. It did not have years of legacy code or legacy applications holding it back. It could have been built more secure from the ground up.

      No, it could not have been built securely from the ground up. It was built on the legacy of MS-DOS, which was more of a boot-loader than an operating system. The security model was the old one of physical isolation - if you wanted the contents to be secure, you put it in a room and locked the door. As all security was external, there was no consideration of security in the products being written, and there were a lot of them. As Windows evolved from 1 to 2 to 3, they still had a rich legacy of DOS apps

  • TFA and Craig Mundie believes his own spin.
    If MS managed to avoid having security loopholes, what makes anyone think that Zune or Touch would've made it? How easy it is to forget DRM and playing by MS rules, proprietary file types, half-baked software, codecs and technology that dosen't fit anything else.
    Oh, and just insert Apple pretty much anywhere if you're not a fanboi.
    What troubles me the most is the attempt to rewrite history. Much like modern politics I suppose....

  • Translation (Score:4, Insightful)

    by folderol ( 1965326 ) on Saturday October 27, 2012 @08:34AM (#41788671) Homepage
    It's everyone else's fault. Not ours.
  • I was under the impression that at least early on Microsoft kinda sorta turned a blind eye to pirating - that way they could spread their stuff far and wide. Only after everyone was "hooked" did they start tightening the screws.

    I remember how easy it was to install ms office (and other sw) throughout a business with a single set of installation CDs/diskettes + add extra bogus seats/connections/licenses to your server etc.

    Just sayin'

  • News to me. I think this is a case of rewriting history to not admit abysmal failure across the board.

    Incidentally, I think that if MS had any real competition for Windows and Office, they would fail about as bad. The technology is still decades behind.

  • Victimhood [wikipedia.org].

  • Actually, Windows NT 3.51 was in good shape on the security front. It was intended to run 32-bit programs only. The 16-bit subsystem, which was an optional add-on (you could install NT without it), was intended as a short-term conversion aid for legacy code. It didn't support many of the vagaries of Windows 95.

    The Intel Pentium Pro had a similar problem. It was a good 32-bit CPU, able to run 16-bit x86 code as well, but not with full performance. Reviewers gave it bad reviews running Windows 95 with 16-

  • During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering.

    Why did Microsoft have to shift focus? Because Microsoft had taken a "features have priority over security" mindset previously. That mindset led to software that was so full of security issues, it is amazing it wasn't exploited more than it was.

    .
    This premise is substantiated by the fact that other vendors have software in the marketplace and appear to weather the cyber-criminal attacks much better than Microsoft does.

    Microsoft will fix its strategic problems only when it stops trying to blame others f

  • Microsoft has never taken security seriously until the point that Mundie mentions and even after that one can hardly given them a glowing review. That Microsoft failed to build in security from the start was clearly a gamble of some sort. Clearly Microsoft knew of computer security issues; that MSFT choose to ignore serious security for the sake of profits, market share or whatever other factors only to have to stop and fix things, isn't the fail of hackers; that MSFT choose to ignore security is what made

  • by knorthern knight ( 513660 ) on Saturday October 27, 2012 @11:58AM (#41789871)

    I remember Redhat 6.x from the ealy 2000's. It installed with all services+listeners running by default. Stuff like SMTP and RPC and bind was listening. For a Redhat install, the only safe way to install was from CD. Then run "lsof -i" and see what services are listening to the internet, and spend the better part of an hour shutting them down, and/or uninstalling them altogether. Worms like L10n and Ramen were rampant. After a lot of yelling+screaming Redhat finally listened, and stopped installing that stuff by default. Installs could be done without needing a firewall. The worms went away.

    Microsoft was run by a bunch of idiots who wanted everything to "just work". One of the advertising claims for Windows 3.1 was "ease of administration". You could send a script as an email to all users in the office, and they simply had to click on it and it would re-configure their PC as you desired. This worked great in a 10-person office before the WWW. On a hostile web/internet, it was a disaster waiting to happen.

    In order to make things "just work" for home PCs, Windows defaulted to NetBIOS/NetBEUI and RPC all turned on. This was one of the causes of all the worms that spread by portscanning. To make things worse, by Win98SE, *YOU COULD NOT TURN OFF RPC EVEN IF YOU WANTED TO*.

    The "Autorun" mentality was another problem. We all know about sticking a USB key into a Windows machine, and it "automagically" ran stuff. That was not the only such problem.

    Excel had "autoexec macros" that ran when you fired up the spreadsheet. MS' first response was to change Excel to set a bit in the file header of the spreadsheet, flagging that it had autorun macros, and Excel shouldn't run them if the user had changed his Excel config to disallow autorun macros. It didn't require genius for bad guys to save a spreadsheet with autoexec macros, and edit the file header of the spreadsheet with a hex editor, telling Excel that the spreadsheet was "safe". Excel then proceeded to run the autoexec macro when loading the spreadsheet, regardless of the user's settings. That was eventually fixed.

    Outlook Express (known "affectionately" as "Outhouse Excuse") also "auto-rendered" files. This allowed photos to be displayed inline, and music files (WAV, etc) to be played automatically. The "security" consisted of filtering against a list of safe file extensions (WAV, JPG, etc), and then handing off the file to the OS to run. The OS ignored the extension, and determined the file type by checking the file header, then it handed off the file to the appropriate program. So the bad guys renamed "virus-installer.exe" to "song.wav", and it was automatically executed. This is how SirCam and Bubble-Boy wormed their way around the web.

    And then we get to Active X, known "affectionately" as "Active Hacks". This was the mechanism behind so many "drive-by-downloads". What made it worse was that Active-X was rammed down people's throats by Internet Explorer. Let's say you disabled Java, Javascript, and Active-X in IE.

    * Java was Sun's product. You launched a webpage with a Java applet, the applet didn't download and run, but the rest of the page displayed properly. IE "degraded gracefully".

    * Javascript (originally called "Livescript") was Netscape's baby. You launched a webpage with javascipt, the javascript didn't run, but the rest of the page displayed properly. IE "degraded gracefully".

    * Active-X was Microsoft's baby. A lot of webpages had Active-X code. When IE came across a page with Active-X, and IE had Active-X, then IE came to a screeching halt, and put up a modal dialogue about how "This page may not display properly". It would not budge until you clicked OK. With all the Active-X applets on the web, IE was effectively unusable with Active-X disabled. Just like UAC several years later, people got sick and tired of clicking "OK" every 30 seconds, and simply enabled Active-X in IE. That was what kept drive-by-downloads going.

    Microsoft have only themselves to blame.

  • So let me get this straight: nasty criminals taking advantage of the security holes stopped them making and marketing glorious new products with glorious new security problems? Perhaps if security wasn't so bad to start with that would have been less of a problem. (yes, I know Windows security is pretty good these days, but it wan't then which is both my point and, essentially, his too)

    Microsoft was basically the only company that had enough volume for it to be a target

    Crap. Volume is not the only value of import here at all. Volume isn't insignificant, but the overall problem is more propo

  • You built Windows starting with DOS and slapped Windows on top. With each release, it was a new evolution which mixed in the result of Microsoft's collaboration with IBM's OS/2 to create NT.

    The Apache web server got its name because of how it was built and developed. But if any one product deserves the name, it's Windows. It is simply far too patchy to be secure.

  • I'm glad Mundie is sorting me out here. All this time, I've been thinking Windows' security problems were due to stupid decision making - creating the Administrator account without a password by default; having an SQL server running and listening to the outside by default; stuff like that. Nope - now I know it's just that Microsoft was big, and any other OS would've had the same issues if they were just used more.

  • MS' claims that they had to shift their focus to security engineering and had to delay release of new products is BS. It's like the republicans claiming that we need more tax cuts for the rich to create jobs in the US. If they had really done an security research and development Windows might now actually be the stable, reliable platform that they keep claiming it is.

    MS deserves it's long overdue death.

  • Wayback in 2003, Microsoft achieved dominance in the mobile consumer electronics market with TRON, the real-time OS, or they would have if they didn't perceive it (and everything else) as a threat to the Windows platform.

    Microsoft v. Tron [super-nova.co.jp]
  • Its clearly unfair to blame Microsoft for losing this opportunity to dominate another space. Its not their fault that criminals chose to exploit their wildy insecure and unstable software. They can't be held responsible for the quality of product that they develop.

    No one (at Microsoft) should lose their job (or CEO-ship) over such activities.
  • the iPod was released in 2001

    Zune was released in what.... 2006?

    Diamond Rio in 1998, but it was from Diamond

    Creative Nomad in 2000 but it was from Creative.

    What is this guy talking about that MS had a music player before the iPod?

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...