Is Microsoft Windows software inherently unsecure? [Archive] - PCMech Forums



Computer Hobbyist
10-16-2003, 11:03 AM
Microsoft has just announced four more critical problems with Windows. (http://story.news.yahoo.com/news?tmpl=story&cid=528&e=2&u=/ap/20031016/ap_on_hi_te/microsoft_security) Given the nearly weekly announcements from Microsoft, we are left to wonder if Windows' basic software design is fundamentally flawed.

What are your thoughts?

doctorgonzo
10-16-2003, 11:13 AM
I tend to think so, but I don't think it is limited to just M$. To make software secure, security has to be included from the very beginning. Security is part of the foundation; it is not something you can add on afterwards as decoration.

At this point, there is no reason for M$, or any other software company for that matter, to seriously include security in their products. For one thing, security just isn't easy to understand, nor is it particularly compelling. People may buy Windows when they see that it has "cool software for making movies!", but nobody knows what a buffer overrun is, nor do they know what that means in terms of security. Security works best in the consumer's eye when it is invisible, and you can't sell a product based on invisible features. But probably the biggest reason why software companies don't care about security is because there is no economic reason to do so. As long as software companies aren't liable for their products, they have no incentive to improve them. As soon as people start successfully suing M$ because their flaws in IIS or some other product led to a hacker stealing credit card information and ruining credit ratings, security will become more important.

Until then, I don't see things changing. Looks like I will be running Windows Update once again today.

mairving
10-16-2003, 11:25 AM
They really suffer from two major design flaws.

One is their software is insecure because they have traded ease of use for security. People on home systems and even some work systems want to have full admin rights to their stuff. They don't want to be bothered with a password or a complex one. They want to use Outlook Express with auto-preview. MS will then try to secure things from this model by doing stupid stuff like making the default OE security to block nearly all file extensions. Consequently people don't use it because they want to see their stuff.

The second major flaw is that they have a bloated code base. Because of that, the bulky, overcomplicated stuff that they put out is extremely difficult to configure properly and even harder to secure. Notice I said configure properly. It is pretty easy to configure but hard to configure properly. Take something like Exchange, their mail server software. You can pretty easily set it up. The problem is that it is also pretty easy to set it up to be a mail relay for spammers. I spent some time recently working on an ISA proxy server. Good grief, what a monster that is, full of unnecessary stuff (overly complex, bulky code). All of a sudden it would just suddenly stop working. After hours of searching, installing a patch and a service pack, the problem was fixed. Compare that to squid, an open-source 'nix proxy server where there is only one config file to change, plus it works better with much lower hardware requirements. I just see too much of stuff like that with MS software.

One of these problems is bad enough; the two together can be deadly.

morriswindgate
10-16-2003, 04:51 PM
Let's switch history around a little and say that today, instead of Windows being the most used operating system, that MAC OS was. Do you not think that the Hackers and Virus Writers would have learned the weakness of that OS by now and we would be giving Mac down the road for security while wishing they were more like MS?

Computer Hobbyist
10-16-2003, 05:36 PM
Originally posted by morriswindgate
Let's switch history around a little and say that today, instead of Windows being the most used operating system, that MAC OS was. Do you not think that the Hackers and Virus Writers would have learned the weakness of that OS by now and we would be giving Mac down the road for security while wishing they were more like MS?

Morris, I mostly agree with you, but some guy named Scott Granneman has a different opinion. (http://www.theregister.co.uk/content/56/33226.html)

Mac Medic
10-16-2003, 06:39 PM
Granneman was wrong too. He quotes there are 40 viruses for Mac OS X; he meant to say there are 40 for Mac, and not a single one that affects OS X. I did advise him of his error, but I doubt he'll retract.

Computer Hobbyist
10-16-2003, 07:42 PM
Oem,

What about Granneman's general premise that OS X, commercial Unix and Linux (all derived from Unix) are inherently safer than Windows?

HAL9000
10-16-2003, 07:43 PM
Originally posted by morriswindgate
Let's switch history around a little and say that today, instead of Windows being the most used operating system, that MAC OS was. Do you not think that the Hackers and Virus Writers would have learned the weakness of that OS by now and we would be giving Mac down the road for security while wishing they were more like MS?

LMAO.. you know morris... we quite often don't agree on things.. but here's one I completely agree with you on. It's part of the American dream... be rich and successful... but here's a hint... don't be the richest and most successful, because you come under attack.

Danny G
10-16-2003, 09:45 PM
It's called tall poppy syndrome out here.

cypher1919
10-17-2003, 10:32 AM
I think the reason Windows has so many sec. problems stems from its popularity. If Windows was no more, and Linux/Unix-based were all that was left, they would have as many problems with crackers as windoze does.

doctorgonzo
10-17-2003, 10:49 AM
If Mac OS was the top dog, things probably wouldn't be very different. The factors that result in insecure software are independent of whatever company happens to be making the most software.

However, M$ does do a lot of things to make their software less secure that they can control. Things like making default choices in its OS to be the least secure choices, for example, or allowing integration between apps and the OS without the proper security. The easily bypassed "security" of Windows 9X is totally due to M$ design, and it's not something you find in *nix; at least, it is not as easy (you can, after all, log in as root all the time, which is pretty stupid).