
Marc Canter snickers that Microsoft can't write secure code.
Marc, don't gloat too much. Other operating systems, even open source ones, have had their own troubles this week with attacks -- read the article, it's not funny on the anti-Microsoft side of the fence either.
Building secure and trustworthy computing systems is NOT just a Microsoft problem. It's an industry-wide problem. It just looks like a Microsoft one because of our market share and industry dominance (and, let's be honest, because our systems haven't been built in the past with security as a major priority).
Lots of people write me and gloat "heh, I won't get hit with a virus because I use a Mac" or "open source has fewer viruses." If you look at CERT's critical incidents, you'll see that neither statement is true (although, because those two OSes have far less market share than we do, it makes it look like they are completely secure in comparison -- the article above shows that to be false on its face). Computing systems that have millions of lines of code have vulnerabilities. All of them. Anyone who says they are 100% sure that their system has no security flaws is lying. Flat out lying.
People are laughing at me this week because I got the worm (people have told me that to my face this week). Hey, I know it's funny when employees of the world's largest software company get hit with their own problems.
Fixing security in Windows is an extremely tough problem. Microsoft has, what, 50+ million lines of code? It's a very difficult problem to test every piece of code when it's put together as a system. Security is job #1 here (our stock price goes down every time there's a security flaw found -- you think we're not motivated to fix these things?).
You think any of our employees enjoy weeks like these when our customers are feeling an immense amount of pain (not to mention that our own families and friends are getting hit as well)? You do realize that our executives are compensated now based on how happy our customers are, right? Believe me, our "happiness score" isn't very high right now.
Ever try to read someone else's source code? It's not easy. Now, imagine that you have millions of lines of code that were written by someone else (who you might not be able to discuss it with), and you need to go through and make sure it's all kosher. Not to mention you have to make sure that when thousands of pieces of code get put together, one of them doesn't expose a weakness in another.
This is not a simple problem.
We are working on it. I've seen huge strides since the last "critical incident." Before I was a Microsoft employee, I took Microsoft to task because they didn't work to get the word out well enough about how to fix these types of issues. This time Microsoft had a patch out before the bad stuff got released. We had a ton of response. A ton of warnings. And a ton of information that continues even today. Many Microsoft webloggers have now been asked to post a pointer to the Blaster web site. Microsoft's security team is holding chat sessions. Posting a ton of info. Working the newsgroups 24 hours a day. And even setting up temporary phone pools over the weekend where tons of employees will be available to help. That's a huge change in how we respond to these issues compared with even a couple of years ago.
But, like Scott Charney (our head of security) said, we have more to do.
As for Canter's claim that Bill Gates' problem is his employees. Um, there are 55,000 people working here and trying to do the right thing -- let's say half write code. Let's say they write an average of 100 lines of code a day. Let's say they all write one bug a day too. Now do you understand the scale of the problem? How many of you think you can write completely bug-free code? Hey, we're hiring!
I believe this is the first critical issue found in Windows Server 2003, for instance (we've had, I believe, five security issues overall found in our newest operating system -- which is the first released after we spent a month just fixing security issues). Only one of those is a critical problem. Let's see, thousands of people worked on this software for three or four years, and so far only one critical issue has been found? Out of 50+ million lines of code? That means that one guy made a mistake in his code. Out of 55,000 employees.
I wonder, how many people/companies make only one mistake in 50 million lines?
Software is done by humans. I'm not perfect. Neither are any of my coworkers. Well, maybe Anders is. But, we only have one of him. :-)
So, snicker away Marc. But, does that help us learn? Is that how you manage your own employees? Should I snicker when you make a mistake? Why not? [The Scobleizer Weblog]
8:23:04 AM