
Microsoft Talks Back To Google's Security Claims 528

Posted by samzenpus
from the smack-talking dept.
Kilrah_il writes "Yesterday there was a piece about Google ditching Windows for internal use because of security concerns. Now Microsoft is fighting back, claiming its products are the most secure — more than Google's and Apple's. 'When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else. And it's not just the hackers; third-party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others.'"

  • by eldavojohn (898314) * <eldavojohn@gm[ ].com ['ail' in gap]> on Wednesday June 02, 2010 @07:06PM (#32438608) Journal

    When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else.

    Hint: Your worst nightmares do not have open jovial dialogues with you. And if they did communicate with you or offer you a score card or report, they would want you to feel as though you are completely safe -- totally unaware and unprepared for what you may face.

    You've come a long way, Microsoft, but you have much much further to go. If you measure security by percentage increase in security then the evolution from Windows 95 to Windows 7 is nigh impassable. But that in no way means you're number one in the security scores. Run your marketing campaign with setting the "facts" straight but people like me know. With what little (journalistic) evidence you presented, there's no way I can build a conclusion that backs up your statement. And there's no way around that. It would better prepare you to look into the several thousand anecdotes found daily [krebsonsecurity.com] revealing the issues with Windows and Internet Explorer.

    • by onionman (975962) on Wednesday June 02, 2010 @07:11PM (#32438658)

      Microsoft's products are completely secure!! Completely! You don't even need to bother with any more security "research". In fact, I've even seen Bruce Schneier running Windows on his laptop, so it's completely safe!!

      • No one argues they are foolproof; the point is merely that Microsoft ships a more secure product than most of its competitors.
        • Re: (Score:3, Insightful)

          by DavidR1991 (1047748)

          I love the weasel words that come out in these kinds of discussions. "Most" - what is "most"? One competitor? (Maybe, Apple?). Because it certainly does not include (on an OS level) Linux, BSDs etc. Heck I'd be surprised if you could say definitively that MS trumps Google (I certainly don't think that's the case)

          • Re: (Score:3, Insightful)

            by jbeach (852844)
            I personally would doubt they're even more secure than Apple. I can't recall the last time Macs around the world were taken out by some virus. Ditto for botnet infections.
            • by micheas (231635) on Wednesday June 02, 2010 @08:37PM (#32439486) Homepage Journal

              I seem to remember the person that won the P0wn20wn contest stating that there are several security enhancements with regards to the memory stack that are not present in OSX but are in FreeBSD, Linux, and Vista.

              But this may be things like the windows login being provably secure, but the firewire driver allowing you to end run the login screen.

              Windows has security features that on paper make it look like it could be a very secure system, the problem is that once you have locked it down to use all the security features, you probably have to write your own applications, as most off the shelf windows software does not run in that type of environment.

              • by Bert64 (520050) <bert@sl[ ]dot.fi ... m ['ash' in gap]> on Thursday June 03, 2010 @04:25AM (#32442022) Homepage

                That's entirely the point, on paper windows has a very impressive set of security features, but once you get down to trying to use them the cracks show...

                The password hashing is trivially weak compared to what other systems have...
                The authentication system is tied in to the hashing algorithm so it can't easily be changed without breaking things...
                The authentication system is designed such that you never need to send the plain text password over the network, but you don't need the plain text password - you can just use the hash (google for hash spraying or the windows auth model is broken)...
                Many of the group policy restrictions are implemented in userland applications and are easily bypassed...
                Windows and its associated network protocols are extremely complex (greater complexity leads to greater chance of bugs) and in those network protocols there is often no clear demarcation between what functions can be accessed pre-auth and what's available post-auth... RDP for instance establishes a full gui session *before* you log in meaning any of those gui functions are open to attack by unauthenticated attackers...
                File extensions are used to differentiate between types of file and whether a file can be executed or not, although windows does implement execute permissions through acls they usually allow execute by default. A remote web/ftp/whatever server can control the filename but not the permissions...
                The complexity of the windows security system means that very few people try to use it fully, and those who do need to expend significant effort to get things working with it. Because so few people harden their systems in this way, very few applications are designed to run in such an environment and many simply don't.
                Windows is generally not modular, so removing things you don't need is far more difficult than it should be, win2k8 has gone some way in this regard but it's still a long way from the package managed modularity of linux.
                Windows has a very messy filesystem layout, files are randomly lumped together in the windows and system32 dirs, unix has a far more sensible design which lets you do things like keep core parts of the system on read-only media.

                Windows is an unholy over complicated mess, consisting of parts of a relatively well designed OS (NT), merged with parts of an extremely poorly designed OS (win9x) and various poorly designed subsystems on top...

                Unix on the other hand keeps it simple, it's easy to know exactly what's going on with a unix system, and the more you understand about a system the better you can monitor and harden it.

          • by man_of_mr_e (217855) on Wednesday June 02, 2010 @09:25PM (#32439844)

            Linux and FreeBSD boxes get hacked all the time. One can claim it's because people use weak passwords or use the same password on their box as they do on every site on the internet, and there are probably a lot of those boxes that are compromised that way, but a lot are also due to flaws in software installed on Linux boxes. Spend some time going through sites like Zone-H [zone-h.org] and you'll see that Linux sites get successfully attacked as much, if not more so than Windows servers (the numbers change from day to day).

            You're living in a dream world if you think Linux security is any better or worse than anyone else's. Most Linux boxes have 1000x more software installed on them, and each software package is a potential security flaw waiting to happen. Most of those can only compromise the account it runs on, but attackers are getting smart and creating blended attacks that include multiple vulnerabilities, including local root vulnerabilities that get executed via a user-level remote attack.

            But really, the only people who attack Linux boxes are those looking to either brag, or those looking for fat pipe DDoS zombies. Malware authors, who target stupid users who will pay $50 to the fake virus writers are going to target the vast majority of systems.. ie windows.

          • by nacturation (646836) * <nacturation@@@gmail...com> on Wednesday June 02, 2010 @09:33PM (#32439898) Journal

            I love the weasel words that come out in these kinds of discussions. "Most" - what is "most"? One competitor? (Maybe, Apple?).

            This reminds me of that Ford commercial I saw a month or two ago, where some dude is talking about how Ford won some kind of "most improved" award. That's like a retarded child who goes from flunking everything to getting straight C- grades ... relatively speaking, that's a far greater improvement than the straight A student who starts getting a few A+ grades.

            Nobody cares that Microsoft's "focus and investment continues to surpass others". When Microsoft's boat has thousands of holes in it and is sinking faster than the Titanic, is it anything to boast about that you have a great investment in a massive number of people highly focused on sticking their fingers in the holes? Compare that to Apple's boat, where they only have a modest investment because there are only a few holes.

            • by kimvette (919543)

              is it anything to boast about that you have a great investment in a massive number of people highly focused on sticking their fingers in the holes? Compare that to Apple's boat, where they only have a modest investment because there are only a few holes.

              That's because they've already patched the gaping holes with the arms and legs of early iPhone and iPad adopters!

    • That's a story about using your kid's unmanaged Windows PC for the first time to manage your finances.

      MS security record is far less than impressive, but that's an awesome case of PEBCAK.

      [OT]Oh god, I need to sleep but I keep getting given things to do. My fault for wasting half the afternoon on /..[/OT]

    • Re: (Score:3, Insightful)

      by Omega Hacker (6676)
      Even more interesting is that the "hacker" is comparing Microsoft to Adobe and Apple. Adobe is an *applications* vendor, which has no bearing on the OS security discussion. Apple has engineered a far more secure product from the ground up, being based roughly on OpenBSD et al, thus they have far fewer security holes in the first place. Not to mention he's talking about their internal processes, and not the results or the need for the process in the first place.
  • ROFL? (Score:2, Insightful)

    can i be the first to just say... ROFL
  • Security? (Score:5, Insightful)

    by WahCheng (1543195) on Wednesday June 02, 2010 @07:11PM (#32438656)
    Security is NOT about patching holes, a system must be designed from the ground up to be secure. Doze and its predecessors were NEVER designed this way. Mind you, it's created one hell of an industry patching holes.
    • Re: (Score:3, Insightful)

      by hedwards (940851)
      That's just the thing, investment is one thing, but what has been their return on investment in terms of security? Are they really getting their money's worth out of it, or are they just throwing it down a hole like they've been doing on IE. It's not just the investment it's the stupid ideas that they've failed to kill, most notably activex and the tight integration into the OS.
    • Re:Security? (Score:5, Insightful)

      by MrEricSir (398214) on Wednesday June 02, 2010 @07:19PM (#32438762) Homepage

      They've added a lot of security. For example, when I debug an application on Windows 7, I have to click four dialog boxes instead of just one. If that isn't real security, I don't know what is.

      • by WrongSizeGlass (838941) on Wednesday June 02, 2010 @07:43PM (#32438976)

        They've added a lot of security. For example, when I debug an application on Windows 7, I have to click four dialog boxes instead of just one. If that isn't real security, I don't know what is.

        Well, four is greater than one. A car has four wheels and a unicycle only has one. A car is more secure than a unicycle. In fact, in a collision between a car and a unicycle the passenger(s) in the car will always be safer - even if the car isn't moving. Based on the preceding car analogy I can confidently declare Windows 7 is more secure than a unicycle.

      • Re: (Score:3, Insightful)

        by Iyonesco (1482555)

        Everything in Windows 7 takes four times as many clicks as in XP so that's simply consistent user interface design.

        It's a shame that the one and only aspect of the Windows 7 interface that is consistent is somewhat of a negative one.

    • Re:Security? (Score:4, Insightful)

      by Barny (103770) <bakadamage-slashdot@yahoo.com> on Wednesday June 02, 2010 @07:22PM (#32438788) Homepage Journal

      This is the total point, it shouldn't matter if your apps have holes in them or not (although "not" would be best), they should never have the kind of privileges that allow things to take over (do a little search for "smitfraud" and you will understand what I mean).

      They seemed to be going top-down for a long time, when only now are they starting to realise that sandboxing (UAC) the user from the OS is a good idea, not the best, not 100%, but they are almost on the cusp of "getting it" at last :)

    • Re: (Score:2, Insightful)

      by edelbrp (62429)

      True.

      One argument that seems to come up over and over again when the topic of security comes up is that Windows is targeted because it's more popular. The fact is that modern networked equipment, from routers to printers to VoIP gateways, to gaming consoles, to cable modems, to smart phones, etc. run an OS with a network stack. Often many of these devices go for years without patches. I would argue that there are more non-Windows based networked computing devices than Windows PCs. I would also argue tha

    • Re:Security? (Score:5, Insightful)

      by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Wednesday June 02, 2010 @08:28PM (#32439394) Homepage Journal

      Security is NOT about patching holes, a system must be designed from the ground up to be secure. Doze and its predecessors were NEVER designed this way.

      Is that why Ubuntu 8.04 prompts me to install some hundred or more security updates after installing it? No software is perfect and anyone who thinks that the only secure system is one that is "designed from the ground up to be secure" either A) has never worked on a large software project and/or B) doesn't have a clue what they're talking about.

      What is so fundamentally more secure from a design perspective about the Linux kernel compared with the WinNT kernel? How about a distribution like Ubuntu compared with Windows XP/Vista/7? Since one was "designed from the ground up to be secure" I sure hope you can point out a few design choices specifically.

      Since all software (even the Linux kernel and its ilk) have security holes, the ability and speed at which you discover the exploits and issue fixes for them is at least as important as the initial design and coding of the program. It's naive and obtuse to think any complex system will be perfect from the get-go.

      • Re: (Score:3, Insightful)

        by man_of_mr_e (217855)

        But.. but.. you don't know what you're talking about...

        Security patches on Linux are evidence that Linux has such a secure system that patches can be found so easily. Security patches on Windows are evidence that Windows sucks.

        Get with the program.

      • Re: (Score:3, Insightful)

        by w0mprat (1317953)
        Security is not a one time design effort. It's an ongoing process. The layout of interface is a one time design effort, because if you get that wrong it is a problem every single time your interface is used; a flaw wastes a little of someone's time, and it's hard to make changes without pissing off your user base.

        Security is the opposite. Great design should not be your focus. It helps, but you cannot foresee everything.

        Microsoft not only never planned for the internet but they failed to be a moving targe
  • Cisco (Score:5, Interesting)

    by abigor (540274) on Wednesday June 02, 2010 @07:12PM (#32438668)

    Well, I can tell you right now that a lot of Cisco's engineers use Macs, and server-side it's Linux. That said, I imagine Cisco management, marketing, etc. are mostly Windows-based.

  • Microsoft? (Score:5, Funny)

    by Anonymous Coward on Wednesday June 02, 2010 @07:12PM (#32438672)

    Secure products?

    Crap.... woke up in the wrong universe again.. I hate when that happens.

  • I just sprayed coffee all over my keyboard. I guess Bill is going to try stand-up comedy now? He's got a great prop, "Clippy"
  • In a rough sense, irony means a contradiction. In which case, can someone please explain how this:

    "There is some irony here that is hard to overlook. For starters, check out this story from Mashable a few months ago where it was reported that Yale University had halted their move to Gmail (and their move to Google’s Google Apps for Education package) citing both security and privacy concerns."

    makes sense as a comparison, let alone counts as irony/ironic? What the hell is ironic here?

    The fact Google i

    • by spazdor (902907)

      Come to think of it, maybe Yale backed out of the Gmail deal because Google staff were running Windows.

  • by Weaselmancer (533834) on Wednesday June 02, 2010 @07:16PM (#32438722)

    Nice zero content marketingspeak there:

    "...third-party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others."

    Focus and investment. Notice "results" aren't on that list.

    As a side note, I'd also like to add that lately BP has had a huge focus and investment on cleaning up oil spills. More so than any other oil company. But still - nobody loves them this week. Wonder why?

    • by grcumb (781340) on Wednesday June 02, 2010 @08:06PM (#32439188) Homepage Journal

      Nice zero content marketingspeak there:

      "...third-party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others."

      Focus and investment. Notice "results" aren't on that list.

      SECURITY ANALYST: WTF? You invest billions and billions of dollars trying to fix your software, and this is the best you can do? Christ on a kebab, man! Do your developers even know how to tie their own shoelaces? What do they do, sit there slack-jawed at their desks all day, watching the grass die on their Farmville plots and pissing their pants because they can't even remember where the toilet is?

      MS MARKETING PERSON: sotto voce Hmmm, billions spent... developers unable to leave desks... Ah!
      [WRITING] "industry leaders tell us regularly that our focus and investment continues to surpass others."

  • by morgan_greywolf (835522) on Wednesday June 02, 2010 @07:17PM (#32438734) Homepage Journal

    Microsoft has come a long, long way in security, yes, that's true. But the most secure? No way. Not compared to systems designed around security from the ground up like OpenBSD or a security-hardened Linux distro with SELinux and the like. I really like the progress that Microsoft has made, and Windows 7 is much improved over previous Windows versions, but if I want a system that's truly secure, it's not a system I'm likely to pick.

  • by thestudio_bob (894258) on Wednesday June 02, 2010 @07:18PM (#32438750)
    Hi, I'm a hacker and Windows 7 was my idea.
    • Best one line response I've read on /. in a long time. Someone please make a video with this line in it and post it on youtube or something.
  • by kaptink (699820) on Wednesday June 02, 2010 @07:23PM (#32438792) Homepage

    All I know is that for more than ten years I made good money removing malware from Windows boxes. In all fairness tho Windows 7 is a much better effort at a secure OS but saying that 'hackers' are making such comments is just not all that believable. Any serious geek will tell you the long sordid history of windows and all its memorable virii, malware and hacks is nothing to be proud of but I guess if you start telling people what you want them to think and keep at it one day it will stick. I think a few statistics should set the record straight.

    • Re: (Score:3, Interesting)

      by dave562 (969951)

      Any serious geek will tell you the long sordid history of windows and all its memorable virii, malware and hacks...

      Where are the equivalent virii in 2010? I remember Code Red and Slammer and the really malicious code that was raping any system stupid enough to expose 135/137 and 445 to the world. I don't remember any malware of that league in recent memory. The worst malware these days seems to be the AntiVirus 2010 and its related ilk. The malware itself is insidious and requires a pave and rebuild "ju

      • Where are the equivalent virii in 2010? I remember Code Red and Slammer and the really malicious code that was raping any system stupid enough to expose 135/137 and 445 to the world. I don't remember any malware of that league in recent memory.

        That's because modern spyware is more focused on hijacking your machine to be part of distributed botnets. That means you don't want the user to realize the machine is compromised. As such, vandalism is less prominent in favor of the lucrative enterprise of selling access to the botnets.

        • by dave562 (969951) on Wednesday June 02, 2010 @07:58PM (#32439114) Journal

          You are right that the focus has changed. The infection vector has also changed. The old vectors don't work, or if they do the access to them has been mitigated on the client by the software firewall, and on the network perimeter by hardware firewalls. The operating system has been hardened to the point that most of the exploits are targeting applications. That is an improvement. Once they figure out how to properly sandbox the applications, the entire system will become more stable. Whether or not Microsoft is really up to the task is debatable.

  • If indeed "hackers admit [you're] doing a better job making [your] products more secure than anyone else"
    then that just means your product is less secure in the first place, and you have to do more work to patch the holes

    Other OS's need not put so much effort in on a release-by-release basis
    the basic security of Unix was there 35-40 years ago, and remains largely the same

    Extra security features (SELinux, AppArmor, non-root-X, etc.) come along every so often
    but agreed, no-one puts the sheer level of effo

  • Uh, yeah .... whatever. I'd say security has improved, albeit by a decent margin but it has a long way to go. I won't be convinced until Microsoft, Apple, and the Penguin can go toe to toe with OpenBSD. I have heard of would-be intruders performing OS fingerprinting, finding an OpenBSD machine, and moving on as if it is not even worth their time to try. If you need to protect a network, set up OpenBSD as your bastion host and you can rest easier at night.
  • Uh huh (Score:5, Interesting)

    by starfishsystems (834319) on Wednesday June 02, 2010 @07:26PM (#32438816) Homepage
    Right. That's why there's no longer any market for third-party virus checking on the Windows platform.

    And all those idiotic corporate restrictions on email attachments can go, too. That'll be a great relief, because right now I can't even attach a zipfile without Outlook complaining about it.

    And those flashes of screen content that appear when I reconnect to a locked Remote Terminal session, those are just in my imagination. No information exposure there, any more. Good, cause that was really stupid. Wait, I'd better check. Nope, still there.

    And those irritating and needless messages requesting permission after I've launched an Active Directory management window, those are gone too, right? Because now the system has finally caught up to the X Window System technology available back in 1993?

    Oh, no. Actually, I just checked, and it hasn't.

    Wow, Microsoft. I am impressed. You actually drank the kool-aid to prove that it was harmless. Except that it's not.
    • ...idiotic corporate restrictions on email attachments

      Amen! I've started having emails silently dropped by customer's email systems for having links in the email to driver downloads requested by the customer! The customer is usually unaware of the changing rules on incoming emails, so I get to troubleshoot it for them when they complain about a lack of response. I now break up any URL into a base on one line and a file on another line, but who knows how long that will work. In conclusion, I close my rant w

  • Vista reinstall (Score:5, Insightful)

    by NetNed (955141) on Wednesday June 02, 2010 @07:27PM (#32438826)
    I did a reinstall on a Vista machine recently for a friend. 100+ windows critical updates later and it was done! Really, the install itself took a fraction of the time that all the updates took. I guess if security is measured in security updates, you win Microsoft. Now claim your paper hat that says "We Won!"
    • Oh please (Score:3, Insightful)

      by Tanman (90298)

      I'm sure that if you install linux from a distro that's 2-3 years old that updating all of that goes really quickly and smoothly.

  • by naelurec (552384) on Wednesday June 02, 2010 @07:34PM (#32438884) Homepage

    Google is Microsoft's #1 competition right? Of course Microsoft wants Google to continue to use Windows.. not using Windows puts Google at an even further advantage.. it's not like Microsoft can drop using Windows for its internal systems.

  • by Todd Knarr (15451) on Wednesday June 02, 2010 @07:34PM (#32438890) Homepage

    Certainly Microsoft's focus and investment surpasses everyone else's. That's because it needs to simply to tread water. The problem is that most of Microsoft's security problems aren't bugs, they're design features of their system.

    There's a quote from a boss: "I don't want the industrious guy who'll keep busy doing things over and over. I want the lazy guy who'll do it once, right, so he doesn't need to keep doing it over."

  • When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else.

    Yeah, that's why the Google breach in China was traced to Windows exploits, because hackers always go after the strongest link in the chain.

    I'd be the first one to admit Microsoft has come a long way on security. Vista and Windows 7 are better but you still won't catch me surfing the net with Windows or using it to access my bank account online or for anything that requires higher se

  • Microsoft might as well have said "oh yeah? well, your mom!"
  • by bmo (77928) on Wednesday June 02, 2010 @08:25PM (#32439366)

    When you finally get rid of "hurr, this file is a program because it ends in .exe" and stripping executability from incoming files, then maybe you can start talking about security with the grown-ups.

    But until then, go back to the kiddie-table with CP/M.

    --
    BMO

  • by GNUALMAFUERTE (697061) <almafuerteNO@SPAMgmail.com> on Wednesday June 02, 2010 @08:44PM (#32439534)

    When we speak about GNU/Linux functionality, nobody takes relative values into account. They only take into account the absolute final result. Example, nobody takes into account the great hardware compatibility considering 99% of all drivers were written by the community after reverse engineering the hardware and/or other OSes privative drivers. People (including microsoft) only mention that GNU/Linux doesn't support all features of X hardware, and windows does, and therefore it's better.
    Same thing for apps, marketshare, etc. They only say "More people have windows, it supports more apps, whatever, period. ".

    So, why should we take into account relative values when talking about windows?

    I don't care if they are trying hard, or if they have more marketshare, or about any other factor. The ONLY operating system that requires antivirus, antispyware, and other crap is windows. It is also the only operating system that is consistently, publicly and massively cracked around the world all the time. There are several botnets around the net that are the source of most spam, and these botnets consist of windows machines only.

    So, in absolute terms, the most secure OS is OpenBSD. The most insecure is Windows.

    • Re: (Score:3, Insightful)

      by Shados (741919)

      Except you don't need antivirus/antispyware on Windows. The only people who need it are those who disable the security features right after a fresh install, and people leaning heavily toward illegal activities. Since Vista you really didn't need it.

      You'll see how quickly a Linux box gets owned if I send grandma 100 free smilies with instructions about how to set exec permissions and how to sudo (similar to what you need to do to get "pwned" by an attachment in a default Win7 install).

      10 years without anti-v
