Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Security

Microsoft Security Whitepaper 269

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."
This discussion has been archived. No new comments can be posted.

Microsoft Security Whitepaper

Comments Filter:
  • by BFedRec ( 257522 ) on Saturday November 22, 2003 @09:37PM (#7539709) Homepage
    cause the oxymoronic nature of using MS and Security in the same vicinity... one would think it's just an all white blank sheet of paper.
  • they (Score:5, Funny)

    by AnonymousCowheart ( 646429 ) on Saturday November 22, 2003 @09:37PM (#7539715)
    they recently published the bug list [buxeres.com] too
  • Good to see (Score:5, Interesting)

    by H.G. Pennypacker ( 649549 ) on Saturday November 22, 2003 @09:39PM (#7539719)
    It is encouraging to see a big security industry leader such as Microsoft make such a public display of its unwavering belief that security through obscurity is not security at all - by publishing an open document on its security infrastructure. Perhaps other large players could take a cue from this (IBM, Sun)?
    • Re:Good to see (Score:2, Insightful)

      The white paper is surprisingly detailed, which makes it actually useful - it even mentions specific non-Microsoft products (such as Trend Micro Viruswall.)

      But security through obscurity is alive and well at Microsoft. Tell me, when you select "store password using reversible encryption" in Active Directory, what algorithm is used to (reversibly) encrypt the user passwords? Where are the published specifications for PPTP? For MS-RDP? Obscurity goes hand-in-hand with closed source.

      Note that, especially for

  • No Problem (Score:3, Funny)

    by Anonymous Coward on Saturday November 22, 2003 @09:39PM (#7539720)
    However, the document does open a window on how...

    Sounds like somone needs to switch to Mozilla to avoid these annoying pop-ups! ;)
    • Re:No Problem (Score:2, Informative)

      by jjhlk ( 678725 )
      Or get an equally unobtrusive and effective plug-in for IE. Like this one. [osborntech.com]
      • Or get one that's slightly more obtrusive, but adds a shitload of other USEFUL features (unlike the one that I saw that had a button for "Cumshots" - you're not going to get any work done with that one). Like this one. [google.com] Of course, IE sucks. That's one reason! (Personally, I can't stand Mozilla - I tried forcing myself to use both Moz and Firebird, and found I could stand it less than I could stand IE - I use Opera, thank you very much)
  • Smart cards $50??? (Score:5, Interesting)

    by terraformer ( 617565 ) <tpb@pervici.com> on Saturday November 22, 2003 @09:40PM (#7539729) Journal
    from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)

    Where does the $50 figure come from? I have two of them in my wallet (AE and Fleet Fusion) and two readers (useless on a mac) that retail for $29.99 a pop that I got for free being that I was an "early adopter". So where does that $50 really come from? And yes, I read the story, I just want to have a better handle on why someone supposedly "in the know" would trow out a figure like that for a quantity purchase of 65,000.

    • by rindeee ( 530084 ) on Saturday November 22, 2003 @09:48PM (#7539780)
      $50 is cheap for some cards. Depending on the type of card you have there are a lot more things than simply a contact chip involved (multiple frequency radio power/emitters, blah blah blah etc.). $50 is probably a good average figure when one considers the range of cards on the market.

      On a different but related subject, I think that three factor authentication will become the universal norm...a good thing me thinks. If anyone has seen the new military ID's, they are also CACs for login, med, etc. Very cool once they (EDS) gets things to speed up a bit.
    • by Anonymous Coward on Saturday November 22, 2003 @10:14PM (#7539900)
      I was thinking along similar lines, then I has a look at the linked document [microsoft.com] which states:

      "OTG estimated that at a price range of approximately $55-75 per user, including labor for deployment and tool development as well as hardware such as cards and readers, Smart Cards were an inexpensive way to significantly strengthen corporate security."

      So evidently $55-75 per user is a reasonable amount for them to pay for each user inclusive of hardware and software development.

      To be honest it sounds a lot to roll that out to 65,000 users, but when you consider that this cost is tiny compared to what those guys get paid, the actual investment across the workforce is negligible. I mean if you can afford to pay 65,000 employees, you can afford to spend $55+ on each of them. And considering that a network instrusion might be the outcome of not doing it (See Valve for more information) it's incredibly cheap.
    • by nick_davison ( 217681 ) on Saturday November 22, 2003 @10:32PM (#7539970)
      from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)

      Either way, the implicit statement's invalid (that buying 65,000 x $n is wasteful).

      Microsoft has, what, $40 billion in cash floating around? I work for a company that is lucky to have $40 million in cash floating around - does that make 65 smart cards wasteful? If your company has $4m, are 6.5 smart cards wasteful? If you have under a half a million in readily available assets, should you not use smart cards at all?

      It's a simple scale thing. Microsoft is stupidly large when compared to most other companies. 65,000 of anything sounds like a big number, and it is. Still, relative to the size of their business, it's bordering on frugal, not wasteful.

      See, I have so much Karma I can even occasionally support Microsoft on something. ;)
    • Wasn't that 65,535 cards? ;-)

      and $50 * 65000 is around $3,250,000. but I'll guess a deployment like that costs around 10x the cost of the [?Java-based?] cards.

      -- Multics

    • by swillden ( 191260 ) * <shawn-ds@willden.org> on Saturday November 22, 2003 @10:49PM (#7540045) Journal

      Where does the $50 figure come from?

      I can't answer that, but I can tell you what smart cards cost.

      The costs depend heavily on both volume and capabilities. At the low end, there are cards available in large volumes for substantially less than $1. At the high end, programmable cards with both contact and RF capability, lots of fancy printing, etc., plus some loaded and personalized applications can be up to $10, in large volumes, and over $50 each in developer quantities.

      So, in general, $50 each for 65,000 cards is ludicrous.

      However, in this case the figure may actually be accurate. The numbers I mention apply to "stock" cards, where the R&D investment is spread over hundreds of thousands, or even millions, of cards.

      Microsoft, however, may very well have used Windows for Smart Cards cards, from their brief flirtation with the smart card business. These cards are based on a 32-bit processor from Atmel, which is itself significantly more expensive than many of the more common cores. In addition, the cards run a custom smart card operating system developed by Microsoft. They're high-end programmable cards that interpret (what else?) Visual Basic bytecodes (eeeeewww).

      So the cost of these specialized, low-volume chips, plus the cost of developing a smart card operating system, building tools to construct, load and manage applications, implementing the card applications, implementing the workstation and server software, implementing the key management systems, issuance systems, etc... Yeah, $3.25M is not only believable, it's impossibly low.

      I suspect that the $50 per card figure is accurate, but that it includes more than just the cost of the cards.

      • Microsoft, however, may very well have used Windows for Smart Cards cards

        Ha! That's like saying they use SourceSafe for source control.

      • I really doubt that they used Windows for Smart Cards. I think that the program was totally cancelled in 2001. However, I do not doubt that they spent that amount on the card deployment. Figure $10 per card (yes they could be a lot cheaper) and $25 per reader (again could be cheaper) and that only leaves $15 for development and installation. Yeah, it seems like the figure is low, depending on how they arrive at it. I really doubt that the cards themselves cost $50, unless they have some sort of secret
      • Going off-topic.

        Swillden, we were talking a couple of days ago about TCPA. I was wondering if you saw the Slashdot story: Cisco Working to Block Viruses at the Router [slashdot.org], and if you caught that Slashdot got the story wrong? These routers don't block viruses, what they really do is deny anyone a connection unless you are running TCPA. The "virus blocking" spin comes in that they could then use TCPA to attest that you are running specific anti-virus software. If you carefully read their press release [bizreport.com] you can s
    • The article probably gets it wrong. True Smartcards are almost useless for remote access at this point because there are few readers deployed in the field. At best, you can use them with specially equipped laptops, but even that is a hassle.

      Microsoft, like most other large companies, almost certainly uses something like RSA's SecurID token or some challenge/response thing, and those things are quite a bit more expensive. The reason why companies use them is because they work with any web browser or ssh
  • by SuperBanana ( 662181 ) on Saturday November 22, 2003 @09:41PM (#7539735)
    to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data.

    What about World Domination plans? Are those Highest Value data class? Or Really Highest Value?

    I have a friend who now works for Apple, and they had training on the various classifications of stuff - I forget what any of the acronyms were, but they were pretty oddly named. I fully expected a bunch of troopers dressed in titanium and perfectly polished clear plastic(hopefully Ti in the, uh, right places) to come storming through the door to erase my brain after being told of such things.

    Oh crap- maybe they DID!

    • Actually, you hope it's the clear plastic in the right places; with all Apple's emphasis on look and feel, all their clone warriors will look like that iMac girl that we saw rendered and rerendered on every mac site and its sister.
  • "MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code "

    Poor Microsoft, still stuck in the old paradigm of closed-source software. Oh sure, it's been a profitable paradigm for them, but those days will gradually erode as the trend toward Free and Open Source continues over the years ahead. Meanwhile Micros

    • by duffbeer703 ( 177751 ) on Saturday November 22, 2003 @09:56PM (#7539817)
      Perhaps you forgot about the compromise of kernel development servers and the Debian website?

      Microsoft's concerns regarding source code are likely less about preventing someone from SEEING it (you can pay them money to look at code) and more about modifiying it.

      Open Source is a wonderful thing -- but it isn't a silver bullet. Sophisticated programmers with access to any source repository, open or closed can create all sorts of havoc.
      • Uh, riiight... (Score:5, Interesting)

        by Svartalf ( 2997 ) on Saturday November 22, 2003 @10:05PM (#7539866) Homepage
        I do believe the issue isn't just code compromise (i.e. putting back doors in...), but in the case of the closed source, finding exploits and backdoors. I need only point to the rationale that MS gave for not disclosing pieces of their source code- it would endanger National Security. Now, either that was a dodge, in which case, Allchin should be doing time in at least Club Fed for lying to a Judge, or it's the God's truth. If it's the God's truth, being in the open is going to reveal most of those things and get them zoomed right off the bat- if it's closed, only the people working on it know about the code (well, and anyone that manages to see it without them looking...) so you don't have as many people looking over the code in question so you end up with things like MS Blaster which caused a packet storm from Hell on the Internet.
        • MS claimed they couldn't release the source to windows becaause of National Security; then promptly started a program where a country such as China could buy access to it.

          Finding bufffer overflows has little to do with scanning through source code, it has more to do with feeding bad data and watching if a program crashes, coredumps or otherwise fails.
          • They're more fundamental than that. A buffer overflow allows you to execute code in ring 0 that would otherwise not be ran. This isn't the same thing as something like MS Blaster and it's ilk. Now, those were found the same way as the buffer overflow exploits, but they could have been even more easily found via an audit of the source code. Under Open Source, the code's looked at by MANY people- it's likely to be found and corrected. In Closed Source, it's not so likely and it's more likely that a code
      • Not quite (Score:3, Informative)

        by Synn ( 6288 )
        Except that you forgot to mention that the "compromise" of the kernel never happened and the Debian compromise was a password issue and again nothing serious happened.

        The difference between open source and closed source is that due to open source being so open the developers on it tend to trust no one. Closed source projects tend to be a little more lax because the closed nature of the project makes it easy to get sloppy.
        • Except that you forgot to mention that the "compromise" of the kernel never happened and the Debian compromise was a password issue and again nothing serious happened.

          Sounds like how a drunk driver rationalizes his actions.

          The fact that "nothing serious" happened is luck.
          • Re:Not quite (Score:2, Insightful)

            by Avihson ( 689950 )
            Nothing serious happened because there were eyes looking at the code.

            Luck plays out in closed source, when the consumer never finds out about the holes until the " new version fix" is ready for shipping.
      • Perhaps you forgot about the compromise of kernel development servers and the Debian website?

        Yes, and I bet the Debian developers were shaking in their boots that someone was going to steal the Debian source code, right?

        Microsoft's concerns regarding source code are likely less about preventing someone from SEEING it (you can pay them money to look at code) and more about modifiying it.

        Microsoft has said again and again that they consider the closed source nature of their code itself highly valuable.
      • I'm no moron; you misunderstood my message. I wasn't talking about security exploits. I was merely talking about how when you choose the closed-source paradigm, you are forced to spend a lot of time and money to keep people away from your source code. A problem that is non-existant in the open source model. That's all.

        I wasn't saying open source is a silver bullet, so that part of your message was off-topic as well. All I was saying is that there is one inherent advantage to the open source model, an

    • by Fruny ( 194844 ) on Saturday November 22, 2003 @09:59PM (#7539830)
      Meanwhile Microsoft is stuck spending mega-bucks and lots of time trying to protect themselves from having anyone actually...gasp...see the source code. Horrors!

      Have you considered that the masses should actually be protected from Microsoft's source code ? You wouldn't want your neighbours to become stark raving lunatics after having been confronted with the lovecraftian abomination that is Hungarian Notation, would you ?

      Trust me my friend, there exist Code Man Was Not Mean to Read. Microsoft is dutifully protecting reality as we know it. We should be thankful.

    • Fuck that, keep the data like my SSn and pay scale secret.
  • by SargeZT ( 609463 ) * <pshanahan@mn.rr.com> on Saturday November 22, 2003 @09:45PM (#7539756) Homepage
    Microsoft hit the nail on the head this time! It's security is as strong as white paper.
  • [A] successful attack will occur that could compromise the High Value and/or Highest Value data class.

    Hey, even without all the security holes this would happen! Let me re-define some terms to my liking.
    A successful attack: Linux on more machines.
    High Value data class: Microsoft's stock price.
    Highest Value data class: Bill's bank account.

    See, if you twist a quote out of context, it can mean whatever you want!
  • Didn't those Russian hackers get ahold of some of their "highest" value data, namely the entire source tree for one of their operating system versions?
  • by Animats ( 122034 ) on Saturday November 22, 2003 @09:58PM (#7539824) Homepage
    The real risk is if Microsoft loses a signing key, like the one that allows Active-X controls to be trusted implicitly by Internet Explorer.

    Of course, that's a risk to Microsoft's customers, so that may not be considered as critical.

    • uhm, is there such a key? Considering I have to agree to get the windows update v4 control on my system..
      • uhm, is there such a key? Considering I have to agree to get the windows update v4 control on my system.

        ... And what do 99% of the users base their decision on when they click "yes" to do the update? It's the fact that the dialog box says it verified that the control has been signed with Microsoft's secret key.

        However, I'd be surprised if they would be dumb enough to keep such a key on any system that is physically attached to any network.

        • Actually, the PC that key is on would have to have an Internet connection. Otherwise, it has no way of accessing the VeriSign TimeStamp server (timestamp.verisign.com), which verifies the date and time of signing (and prevents the signature from expiring when the certificate does).
  • by rice_burners_suck ( 243660 ) on Saturday November 22, 2003 @09:59PM (#7539829)
    Doublespeak. That's what this document is. To quote George Orwell:
    Here is a well-known verse from
    Ecclesiastes:

    "I returned and saw under the sun, that the race is not to the swift, nor the battle to the strong, neither yet bread to the wise, not yet riches to men of understanding, not yet favour to men of skill; but time and chance happeneth to them all."

    Here it is in modern English:

    "Objective considerations of contemporary phenomena compels the conclusion that success or failure in competitive activities exhibits no tendency to be commensurate with innate capacity, but that a considerable element of the unpredictable must invariably be taken into account."

    All you need to do is add, "By leveraging innovative Microsoft technologies, content providers streamline compelling enterprise solutions," and you have something very similar to this security whitepaper.

    To make a long story short, this document is an "Emperor's New Clothes"-style piece of PHB-speak/business-speak/market-speak/PR-speak that nobody really understands, but every business IT strategist that reads it will pretend that its meaning is very profound, like the emperor pretends to see his nonexistant clothes, to avoid appearing stupid to colleagues.

    Microsoft. Where do you want to go today?

  • by boatboy ( 549643 ) on Saturday November 22, 2003 @10:00PM (#7539834) Homepage
    How can they afford the all the Licenses?
    • Easy (Score:5, Funny)

      by Mistlefoot ( 636417 ) on Saturday November 22, 2003 @10:23PM (#7539942)
      It's easy for them to afford 65,000 licences.

      The sell them to themselves as a loss. Therefore using them as a tax deduction twice - once for the loss and once for the cost......and if the loss is great enough they might even make a profit!

  • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Saturday November 22, 2003 @10:00PM (#7539839) Journal
    This is the same company that said, under oath, that reveling the windows source code would harm the National Security of the United States, then they gave the source code to China.

    Isn't that perjury?
    • by Anonymous Coward on Saturday November 22, 2003 @10:03PM (#7539853)
      This is the same company that said, under oath, that reveling the windows source code would harm the National Security of the United States, then they gave the source code to China.

      Isn't that perjury?


      Or treason?
    • Isn't that perjury?

      Well, either that or treason.

      (Except that the legal standard for treason is quite a bit higher than that in this country, otherwise some folks from Loral-Hughes would probably be doing jail time now over certain launcher technologies. Hmm, maybe there's something in the PATRIOT Act we can throw at Microsoft?)
    • Isn't that perjury?

      No, terrorism.
    • This is the same company that said, under oath, that reveling the windows source code would harm the National Security of the United States, then they gave the source code to China. Isn't that perjury?

      Nah, let's call it treason instead.
  • Now the black hatters are going to have to call off their plans for the year so they can prove Microsoft's "high probability" wrong.

    That, or switch to trying to take over their Mr. Coffee instead of their source code.
  • by duffbeer703 ( 177751 ) on Saturday November 22, 2003 @10:21PM (#7539931)
    Did any of the idiots commenting on this story with sophmoric (hehe, M$ security sUx045!) even start to read the Whitepaper?

    If they did, they would probaly notice that the paper describes a methodology of security management, including dealing with operating system & application security issues.

    Information security is more reliant on process than using x product or y product. If you have established methods to classify what needs protection, identify vulnerabilities & intrusions and rectify the situation, you have a secure IT shop.

  • by BWJones ( 18351 ) on Saturday November 22, 2003 @10:21PM (#7539932) Homepage Journal
    .....and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process.

    Hrmmmm. Kinda like their upgrade cycles. :-)

  • Ok without putting in some microsoft bashing statement I have to say Im horrified at the idea that Microsoft admits in their own white-paper that they might be compromised on the highest level. Screw source code, what about automatic "updates" (They have been in the past few months especially promoting their automatic-update software, and it is expected within the next few years to be a binding part of their EULA, but even now I know for a fact most users will chose to let windows download selected updates
    • by duffbeer703 ( 177751 ) on Saturday November 22, 2003 @10:32PM (#7539971)
      The whitepaper simply presents the dirty little secret that highly technical IT people have always known -- there is no such thing as a totally "secure" system.

      Sophisticated hackers identify exploits before they get mentioned on bugtraq and before a fix or patch is even looked at. Those people are a big threat to a company like Microsoft.

      Instead of being horrified at Microsoft, you should be pleased. They are taking a remarkably straightforward tack by highlighting the industry's dirty little secret. That is an about face from typical Microsoft FUD.
      • I wouldn't be horrified if a company putting out a competing OS admitted that they are working towards a more secure network due to a poor level of security at the moment. What horrifies me is a monopoly, seeking to gain the power to push updates to millions of computers instantly, simply stating that their current level of risk is medium to high. How is that any different from NORAD saying there is a Medium to High level of risk of Islamic Extremists infiltrating their facilities gaining access to the co
    • The quote from the article (There is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class) is being taken out of context. The white paper was giving an example of how an assessment is made to justifiy the "IPsec project." It seems pretty clear to me that if MS published this article saying they were vulnerable in this area that the project was approved and completed, thus eliminating the threat risk in t
  • Before I go drinking (Score:4, Interesting)

    by teamhasnoi ( 554944 ) <teamhasnoi@yahoo. c o m> on Saturday November 22, 2003 @10:22PM (#7539937) Journal
    Wouldn't a leak of Windows source be a great excuse for MS to sue everyone who codes, ala SCO?

    I know when the BeOS source was leaked, every smart programmer stayed away from it - else be blamed for stealing 'IP'.

    Consipiracy Theory #234,345,234: MS deliberately leaks the source to some EOLed code such as Win 95 or NT, and sues anyone who is making inroads with alternate OSes or applications, such as Linux, Mozilla, Open Office etc.

    What fun! No doubt, there will be no need to show their code for National Security reasons. We'll just need to trust them.

  • "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network." Does this include the policy, "Do NOT patch MySQL servers, so we can get infected by the Blaster Worm again."
  • by kuzb ( 724081 ) on Saturday November 22, 2003 @10:39PM (#7540003)
    It amazes me that most of you really can't be constructive at all any time 'security' and 'microsoft' are uttered together.

    What's more, the moderators encourage this lack of constructive talk by modding up things purely because they decry microsoft. How many days in a row are we going to hear the same old tired MS jokes?

    Just because you run linux/bsd doesn't mean you're safe [geek.com]. Hell, by being connected to the internet at all you're at risk. Anyone with enough time, education and willingness to exploit you is going to eventually find a way in.

    Anyone running any operating system can be attacked and comprimized. Security is only as good as the people who maintain the machines. You people sometimes seem to forget that despite MS's faults, they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do.

    Personally, I think that if linux were a home desktop platform that had enough popularity to be a significant enough player in that market you'd be seeing a whole lot more hackers focusing specificly on linux. Realisticly, what is the point of trying to exploit linux? Why exploit the little guy when you can go after the big fish? Especially when the majority of people running the big fish's stuff couldn't secure _any_ box to begin with, regardless of what it was running.

    Same thing with the mac. I love it when macos users say "I never get viruses/worms!" well, who would write a virus/worm for such a miniscule percentage of computer users? The whole point of a virus/worm is to propigate, and if you don't have the userbase for it to propigate well, what's the point?

    I apologise if I've offended people here, but I really felt this needed to be said. This persistant catscrap between linux and windows users doesn't help anything, or anyone.

    Linux/BSD ARE good operating system
    MacOS/OSX ARE good operating systems
    Windows IS a good operating system

    and they ALL have faults.
    • What about menuet? it can run a tiny server and was coded in pure assembly, I wouldn't be suprised if it's code was tight enough to resist any network attack due to the very small number of network services (shoutcast server, web server, and i think an FTP server) I'm not a security expert but i would imagine a product like that could be made air tight, perhapse boxes running customizable Assembly coded OS's will be the future of network security for at least the highest priority systems,
    • by mao che minh ( 611166 ) on Saturday November 22, 2003 @11:18PM (#7540148) Journal
      We are always scarcastic when it comes to Microsoft's relationship with security because of the many unpaid hours of overtime it has cost us.

      I, like many here I would imagine, have to manage a lot of computers. In any common enterprise environment systems tend to range from old Windows 95 systems whom's only purpose is to drive some old piece of software with a very specific function, to Windows 98 and 2000 workstations, to Macintosh boxes for the marketing folk, to Linux servers running enterprise anti-virus solutions, to Netware servers running ZENworks, to 16 processor HP-UX beasts for databases, to OS/2 servers that run physical security systems (like magnetic card readers that grant access to the NOC for certain people/staff).

      Of all of these operating systems that we people manage, a disturbing trend of insecurity has always plagued the Windows operating system(s) and the applications that Microsoft pushes for it. For years. Email clients, mail servers, web servers, core OS compenents, or just plain bad OS design that leads to the easy proliferation of things like viruses and worms. ANd worst of all: there is no escape from it. Everyone uses it, the management only wants stuff that is "supported" and/or "warrantied", and let's face it, it gives us job security.

      So, when we relax, unwind, and gripe, we tend to end up taking a stab at the shitty software that has absorbed so many of our hours - time that could have been better spent having fun, or with our families, or responding to morons on web forums. You know.

    • by Tony-A ( 29931 ) on Sunday November 23, 2003 @12:16AM (#7540406)
      It amazes me that most of you really can't be constructive at all any time 'security' and 'microsoft' are uttered together.

      A minor password incident at Debian and it's front-page news.
      Similar incidents at Microsoft, we'll never hear about it.

      Security is only as good as the people who maintain the machines.
      There are many factors affecting security. The people maintaining them are one factor, and probably far from being the most important factor. Making a system inherently insecure and then blaming the people maintaing them does not make for credible security.

    • by xeno-cat ( 147219 ) on Sunday November 23, 2003 @12:50AM (#7540523) Homepage
      Oh those MS guys are'nt bad people their just misunderstood!

      For some reason you wrote:
      "Realisticly, what is the point of trying to exploit linux? Why exploit the little guy when you can go after the big fish?"

      Apache is the single most prevalent web server on the internet. Why then is it that hackers "target" IIS? Maybe because it's easier?

      and decided to continue:
      " they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do."

      Have you seen Balmer lately? The problem with working for MS is that, even though you may be smart your just wasting your time. Who cares that you can give a lecture on some brilliant way to link corporate data to business users if your entire architecture needs to fit into a proprietary MS 5 year plan for the enterprise?

      MS has had 20 years and billions in funding and the best they can come up with is Windows XP. XP solves problems that Unix, Apple, X, NeXT, Amiga, et als. solved a decade ago. MS produces over architected under engineered gaming consoles that are'nt even compatable with themselves.

      If your looking for "fair and balanced" where are you going to go? Read a frigin Windows rag if you want to "balance" Slashdot. I'm sure there are plenty of fine articles on .NET just waiting to provide you with hour of fun filled and objective learning experiences.

      Kind Regards

  • from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?)

    Smart cards are much cheaper than $50 each. For development work I get them (for this device [ncipher.com]) for under $10 each in quantities of 10 and that's expensive. In large quantities they are available for a few dollars each. I'm sure MS buys them in quantities to ensure some sort of discount is applied.
  • 300k node? (Score:2, Interesting)

    That seems a bit excessive. Especially since only 50k workers work there since the last time I looked.

    Not to sound old fashioned, but I wonder if using several large systems and dumb terminals would help lower costs and problems?

    This was the standard motto in the early 80's when pc's were considered toys.

    But 300k nodes sounds like an administrative nightmare.

    I wonder if we would all be using network computers and thin clients now if MS never existed. They put all sorts of fud and raised the price of cli
    • Re:300k node? (Score:4, Informative)

      by vample ( 30259 ) on Sunday November 23, 2003 @12:07AM (#7540368) Homepage

      No, its not really excessive. When I worked there, I usually had 4 machines for myself, in my office, and I did development work. Oh, and I had a laptop as well. Testers often used, many, many more machines.

      Then add the build machines, servers, a laptop for many people, machines for temp/consultants, people VPN'ing in from home, and it easily makes 300k.

      • Funny, I do all those tasks (including running two Windows virtual machines) on a single Linux system.

        Maybe that is why they bought virtualpc?
  • by Anonymous Coward on Saturday November 22, 2003 @11:16PM (#7540135)
    And don't you forget that. Microsoft DOES have people with considerable technical skill and knowledge. I'm guessing that the probability of a security breach was calculated by the people who know what they're doing.

    The problem is that you don't get to be the biggest software company in the world without selling products. (And Microsoft is arguably the most important software company - although I think overall Linux is more important in it's potential as an equalizer - there is no one single Linux company).

    Selling products implies marketing. This is where it goes wrong. The second that product development is driven by marketing telling customers what features they want - things explode. I mean, really - half the crap in Windows and Office was never wanted by customers in the first place.

    I'd still prefer to be using BeOS (I loved 5.0, but lack of support for new hardware meant I had to move on), so Windows 2000 is a pretty good compromise for my needs.
  • by Saint Stephen ( 19450 ) on Saturday November 22, 2003 @11:20PM (#7540153) Homepage Journal
    Nobody uses Microsoft technology like Microsoft. Unfortuately, nobody uses Microsoft technology like Microsoft.

    The reason? Only Microsoft has the source code and "really understands" Windows. Everybody elses corporate networks running Windows are dogshit -- but Microsoft really does just use the crap the way they tell you to use it, and it works wonderfully. Unfortunately, they are the *only* example of such a user on the planet!
    • Everybody elses corporate networks running Windows are dogshit

      Really now. When was the last time you saw my network that you can make such a sweeping, generalizing statement?

      • I worked at Microsoft for 3 years and as a developer consultant have had accounts at several Fortune 500 companies. Sure, networks *work*. But, trust me, there is a WORLD of difference between a typical gigantic corporate network and Microsoft's corpnet.

        I can't explain it to you if you've never experienced it. You are the proverbial man chained in the cave only seeing shadows cast on the wall.

        Get a blue badge at Microsoft and then everything I'm saying will become perfectly clear to you
        • You are the proverbial man chained in the cave only seeing shadows cast on the wall.

          That's nice, but first off, I have no way to verify that you ever worked at MSFT. Or for that matter, that you've played chess with the Dalai Lama. Second, I've had SIE (maybe you'll know what that is) do evaluations on existing systems and come off impressed, actually interested in seeing some of the stuff we'd done with some of their own technologies.

          That *some* companies are handicapped by the lack of skilled employee

  • by b17bmbr ( 608864 ) on Saturday November 22, 2003 @11:34PM (#7540206)
    damn, 300,000 desktops, 4200 servers. holy crap, they hvae to pay a ton in license fees. i wonder if they have looked to open source alternatives. well, maybe they bought software assurance.
  • ...of a High Value attack being reality instead of taking the pompous approach that your software is hack-proof. I can find 10 ignorant Linux users who think their system impregnable for every Microsoft user who thinks the same. At least Microsoft is willing to admit that yes, sometime in the future, shit is bound to happen.
  • by JimmytheGeek ( 180805 ) <jamesaffeld@yaho ... m minus math_god> on Sunday November 23, 2003 @03:02AM (#7540898) Journal
    When I was a contractor/whore a colleague in development showed netstat connections from the PRC, where MS had no development. Not in our project, anyway.

    Totally owned. MS netsec had no interest. The report impugned their competence. I have no idea if things are any better now. Maybe there was a shakeup after Code Red infected the very web servers that distribute patches for us all.
  • by Nom du Keyboard ( 633989 ) on Sunday November 23, 2003 @03:15AM (#7540937)
    deployment of 65,000 smart cards

    You'll be getting a letter from Direct TV's lawyers Monday morning.

  • Unless Microsoft has implemented MLSA, which is atmittedly tough to do, or they have implemented a physically separated network for their high-value stuff (without internet access!!), they will indeed at some point see a compromise that touches their high-value stuff. Unfortunately for the rest of the slashdot-crowd, this equally applies to them as well :)

    Also, I don't see any references to a document classification level system, plus the proper controls to implement them. We know for the halloween documen
  • I saw the title and read "Microsoft security wallpaper"

    I though "Yeah, just like them - now lusers will associate their wallpaper with security" /me changes backdrop to goatse.cx to stop hackers
  • by nurb432 ( 527695 ) on Sunday November 23, 2003 @09:54AM (#7541800) Homepage Journal
    Regardless of who we are talking about, they are predicting a successful attack on the largest company on the planet. And they DO know what they are talking about, they have a better idea of internal security issues then any of us here on the outside.

    That's rather scary if you ask me... as that leaves all the smaller companies that cant afford to keep up wide open too..

    We could see a really bad year in 04 for attacks and break-ins.. Even worse impact on our industry than the 'litigious 03'...

Technology is dominated by those who manage what they do not understand.

Working...