Microsoft is actually decent at security now. The AV they released for free was actually on par with a few commercial products out there (all AV at the moment is pretty bad though, if you're curious). The real difficulty with Microsoft and security is countering their reputation for bad security that they earned over the past several years.
That's because Microsoft is good at anything that they throw resources at. Unfortunately, we haven't thrown enough resources at determining what to throw resources at.
Here's a hint: throw resources at supporting web standards in Internet Explorer. Seriously, that is the main reason I hate Microsoft, and around here I'd wager I'm far from alone.
IE's fuckedness is inexcusable. If you actually fixed it, 90% of the reasons I hate Microsoft would just melt away that instant.
And until you fix IE, it's just "DOS Ain't Done til Lotus Won't Run", Web Edition, as far as I'm concerned.
Well, Microsoft has no strategic interest in helping the web, as that would interfere with their desktop products. This is well established. IE was just a big Trojan to slow (yes, slow) and mess the Web world.
Well, yeah, obviously. And the trojan is still doing damage.
Which is why I can't take astroturfing douchebag shills like snprbob86 et al and their promises of a happy happy fun fun friendly new MS seriously. A leopard can't change its spots. And until I see IE change - MS is the worst company in tech and everyone who works for them is culpable.
Regarding astroturfing: I work for Microsoft. It's no secret.
Regarding promises of a happy happy fun fun friendly new MS: I have no illusions. All I'm saying is assume incompetence, not malice. I'm also going further to say assume there are lots of smart, well-intentioned people working hard on things that involve problems and complexities beyond the understanding of an engineer who has never worked on anything the scale of the Windows ecosystem.
For the record: I don't have Windows installed at home. I run Ubuntu on my desktop and Snow Leopard on my Macbook. I have an iPhone and primarily use Google web services. Hell, I was an intern at Google.
Personally, I'm at Microsoft to work on Xbox/Gaming. Among my co-workers I'm known as that guy who won't shut up about open source software, startups' web services, and Apple's great taste. You can call me culpable if you want, but I'm part of the solution, not the problem.
He was fucking linking to the IE site - how much more blatant do you want it?
Paid shills are douchebags and I am utterly unrepentant in saying that. Just because someone has an account here doesn't transform them into a paragon of integrity and virtue. You work for the bad guys, you take the criticism, that's how it works. Or are you suggesting there should be no social penalty whatsoever for contributing to the crippling of the WWW? How much damage have they done? How much is 5 years of progress worth?
I will never tone down my attacks on these pricks. It's my honest opinion and I'm going to say it. I feel no need to maintain a "professional" demeanour or keep up appearances. I hate those motherfuckers, and I want them to know it.
Despite the somewhat inflammatory ad hominem remark (I had to look up "astroturfing".. yay urbandictionary), I do agree with what is likely a controversial sentiment:
Well, good enough at least. ;-) Honestly the AV was a good move. Give stuff like that away for free for long enough and the public perception of Microsoft and security may change.
On the other hand, over the years people have hated them and filed antitrust claims against them for including free stuff in their releases. Norton used to make a file manager before the Windows one was any good...now their AV product faces a built in competitor.
Hrm, interesting. I didn't know that Microsoft was leading the industry in security. If we're talking about the commercial OS market, I suppose that makes sense because you're pretty much only comparing them with Apple.
Well, it's tough, right? SE and Trusted both have lots of kernel hardening features that Win7 doesn't have. And even base Linux and FreeBSD are "simpler" (until you add OpenSSH, Apache, and the NFS stack). Win7 has baggage; MSFT is still paying for the DCOM mistake.
You have to counter that, though, with the hundreds of thousands of dollars Microsoft spends on security testing every functional unit of the shipping product. It is not unpossible that they paid someone at Leviathan, iSEC, or IOActive to spend a week auditing Minesweeper (they haven't paid us to do that).
They don't just audit their code. A couple times a year, they do a little internal conference called "Blue Hat" (pace Black Hat), which, as the beauty pageant for all their consulting vendors, tends to get the best researchers from those firms as speakers. They highlight trends and findings for execs, and try to get some of the benefit of the audits spread across multiple projects.
There's also an entire layer of researchers, testers, and project managers on top of the security tests. Some of those people (like Leblanc and Howard) are actively turning the results into curricula for training, or for new code standards, or even changes in the shipping VC++ config. Other people develop automated testing tools. Still others develop better, more secure APIs.
When you think of the resources Google has, you assume that the best developers there all have access to a MapReduce cluster that will run their "hello world" test programs against the corpus of the entire Internet as of, I dunno, 3 weeks ago. Only Google has that resource. Microsoft has more ongoing security test results than any other company in the world --- even more so because they had so. much. catching. up. to. do. from the late '90s. That has to be a killer resource for them.
So, we'll see. I wouldn't run a Microsoft OS as a server, for a lot of reasons. But I have more respect for the work they're doing --- and the intentionality of that work --- than I do for a lot of Unix security projects.
Everything OpenBSD did to fix NetBSD's security in the '90s, Microsoft adopted on a massive scale, and then spent tens of millions of dollars to improve.
Sorry for the long comment, I just don't want to come off like I'm sniping at you, or trying to start an OS war.
Actually, the long comment is much appreciated. It's a very interesting subject for me. I wasn't trying to say that I doubted you, just that I'm no expert. :)