bit-tech.net

Microsoft responds to Google's security concerns

Microsoft responds to Google's security concerns

Microsoft's Brandon LeBlanc believes that Windows is "more secure than anyone else."

It hasn't taken Microsoft long to respond to Google's decision to force employees to ditch Windows over security concerns, and the software giant claims Google is just being stupid.

Microsoft's Brandon LeBlanc has posted a rebuttal on the Windows Team Blog which aims to counteract the harmful publicity the company's software is getting from Google's very public move to the Mac OS X platform for its internal systems.

Entitled "Windows and Security: Setting the Record Straight," the post opens with a pop at Google's own track record - pointing to reports of Yale University halting its move to Google Apps for Education "citing both security and privacy concerns."

LeBlanc also takes umbrage at the claims that Windows is the poor cousin of the operating system world when it comes to security, claiming that "when it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else."

The post goes on to point to an Infoworld article which states that Apple's platforms are under increasing attack by malware writers - making a mockery Google's decision to concentrate on the platform to the expense of Windows for reasons of security.

LeBlanc finishes the rebuttal by pointing out the security enhancements that have made it into Windows 7 and Internet Explorer 8 - including Address Space Layout Randomisation technology to make it harder for buffer overflow attacks to work, Internet Explorer's SmartScreen Filter, and improvements to BitLocker's encryption capabilities - along with the advice that users should "enable Automatic Update to ensure they are protected from attacks."

Do you agree with LeBlanc that Google is the pot calling the kettle black with its claims of security concerns, or does the company have a very good reason for ditching Microsoft's software? Share your thoughts over in the forums.

32 Comments

Discuss in the forums Reply
Stotherd-001 3rd June 2010, 11:42 Quote
The infoworld link links to the wrong place... back to the same link as the yale one.
Gareth Halfacree 3rd June 2010, 11:45 Quote
Quote:
Originally Posted by Stotherd-001
The infoworld link links to the wrong place... back to the same link as the yale one.
Whoopsie. Updated.
Shagbag 3rd June 2010, 11:54 Quote
It didn't take them long. It just goes to show that MS are (and will continue) to find it difficult to get this 'monkey' off their back given their poor track record on security.

With every new release of MS software they trumpet how it's 'more secure', yet exploits continue to pop up. And they continue the ever-increasingly-bizarre practice of monthly updating (allowing a "Windows" of opportunity for competent crackers).

This latest 'response' from MS smacks of the old fable about the boy who cried wolf.
mi1ez 3rd June 2010, 11:58 Quote
I feel safer on Windows than I would on OSX
crazyceo 3rd June 2010, 12:57 Quote
The funny thing here is that they aren't replacing it with their own OS, what's up with that?

Anyway, back on topic. So with switching to OSX they will have to change their hardware as well as their software, since you can't have OSX without crapple gear.

So this is going to cost the company millions, just to pick a fight (which they can't win) with Microsoft.

If I was a shareholder of Google, I'd be asking some pretty hard questions as to this very bad business decision.

I don't believe for one second that ANY OS is safe and secure. Windows gets the bad press because 95% of the planet are using it. This reason stated by Google just doesn't hold up and stinks of anti-microsoft bias. No other way to explain it.
B1GBUD 3rd June 2010, 13:45 Quote
Quote:
Originally Posted by crazyceo
The funny thing here is that they aren't replacing it with their own OS, what's up with that?

Anyway, back on topic. So with switching to OSX they will have to change their hardware as well as their software, since you can't have OSX without crapple gear.

So this is going to cost the company millions, just to pick a fight (which they can't win) with Microsoft.

If I was a shareholder of Google, I'd be asking some pretty hard questions as to this very bad business decision.

I don't believe for one second that ANY OS is safe and secure. Windows gets the bad press because 95% of the planet are using it. This reason stated by Google just doesn't hold up and stinks of anti-microsoft bias. No other way to explain it.

Amen to that
raxonb 3rd June 2010, 13:56 Quote
Well said crazyceo (and awesome custom title!), I agree. Google runs Chrome, but Chrome can't run Google. If all the hackers today decided to start messing around with Macs, then what? Nothing because not enough people use them to make a difference.

Whats next? iGoogle and iChrome?
gavomatic57 3rd June 2010, 14:04 Quote
A company that "improved" Vista by making it easier to turn off UAC in 7 talking up their security?

Hmm...
Bloody_Pete 3rd June 2010, 14:27 Quote
How long does it take Apple to update or fix anything though? How long does it take them just to admit something NEEDS fixing, like the problem people were having with Macbook Pro touch pads??

I have this debate with a music playing friend once a month and it pisses me right off!!! Macs are the be-all and end-all of the computing world, they are piss poor. Ever tried to upgrade the RAM on a Macbook? Well its a pain in the ass as the damn things are so badly designed!

These is only one reason Windows has security problems, and thats because its the most popular OS in the world by a very long way. MS have alot of very skilled programmers designing and securing their software, byt the INTERNET has 1000 times as many breaking it!!

DAMN YOU INTERNET!!!!
Yslen 3rd June 2010, 14:28 Quote
Personally, I think there is no such thing as a secure OS. Windows is more vulnerable to malware from dodgy emails and websites simply because it's the major player in the OS world.

The Mac OS is only more secure in the same way people living in Britain are immune to malaria. If the climate changes, and OS X becomes bigger than Windows, Mac users are going to get bitten.

I know very little about administering a large group of computers, but I would imagine most of the security issues are not any real threat to the company as a whole, instead just crippling one machine at a time when a less-than-savvy user downloads a dodgy attachment. Using the Mac OS will probably protect them from most of this, though educating their users a little would probably have the same effect. As Symantec says, almost all modern security threats are aimed at tricking the user, not exploiting security flaws.

For the sort of security Google is probably worrying about though, the kind where a hacker attacks your system directly, I don't think OS X will serve them any better than Windows. From what I understand they may well be worse off. Microsoft has a much healthier approach to security, it seems, rather than just pretending it doesn't exist because it's not targeting them right now.
Yslen 3rd June 2010, 14:53 Quote
Quote:
Originally Posted by gavomatic57
A company that "improved" Vista by making it easier to turn off UAC in 7 talking up their security?

Hmm...

UAC isn't all that useful, as far as I can see. My mother runs vista on her laptop and despite UAC asking her to confirm every decision it's still riddled with malware. By contrast I've had zero problems in 5 years running XP.

If a user is going to download a dodgy attachment and open it, they're probably going to ignore the UAC message anyway: if they got that far without worrying about security, why is one message from Windows (that they see all the time for everything they do) going to make them stop and think?

I run 7 without UAC on. If I run into trouble I'll deal with it. If not I get a more streamlined experience. UAC could do with some tweaks, then I'd consider using it all the time. The main issues I have with it are the fact that it regards some software I use all the time as a threat just because it requires access to low-level settings (rivatuner etc) and there is no way to add this to a whitelist as far as I can tell. Also, there are some things that prompt a warning from windows AND a UAC message - surely if UAC is on the warnings should be disabled, otherwise we just have to click twice?

I do like the various levels of UAC in 7 though, that's a step forward.
Shagbag 3rd June 2010, 15:01 Quote
I continue to be surprised by those who believe in the bizarre idea that if you don't have market share your OS is not as secure. That is an insult to developers. C is C and C++ is C++.

Security is a process, not a product - but some products prevent you from performing 'the process' because they do not allow you to change the underlying source code. Instead, you are constrained to letting that product's developers making those changes for you. And this is where the economics of code changes comes into play.

Security is (in part) by design and market share has absolutely nothing to do with it. OpenBSD is proof in point.

The idea that a kernel developer is either (a) stupid, or (b) indifferent to security issues, quite frankly, speaks more about the intelligence of those who make the claim rather than the kernel developers.
Redbeaver 3rd June 2010, 15:26 Quote
one PR stunt in rebutal of another PR stunt...


nothing to see here, folks. move along.
dyzophoria 3rd June 2010, 15:28 Quote
lol for one thing, MS has been one of the fastest when dealing with patches on their system. If the day comes that the OSX share has increased and virii writers target said system. I would LOL really hard on how apple will handle their mighty OSX. I wont be suprised even on the reactions of the fan boys on how to fix their systems. really google? if you think the OS is a problem, you should have made your own. with the resources you have.
Afro_Horse 3rd June 2010, 15:40 Quote
Must admit, I would find it very ironic if google's move makes it so that more malware is created for Macs due to the added publicity and possibility that people will look at google and think that they must know what they are doing and therefore blindly following them and go out to buy a mac.
Shagbag 3rd June 2010, 16:59 Quote
Quote:
Originally Posted by dyzophoria
if you think the OS is a problem, you should have made your own. with the resources you have.
ChromeOS
robots 3rd June 2010, 17:00 Quote
Google are shady.
Sloth 3rd June 2010, 18:29 Quote
Quote:
Originally Posted by Shagbag
ChromeOS
From the article:
"including monitoring the usage patterns of some 200 Chrome OS machines used by Google employees"
As robot said quite well:
Quote:
Originally Posted by robots
Google are shady.


From viewpoint strictly regarding the PR and 'personality' of companies, Google kinda creep me out. It's strange thinking that this is a company with roots in advertisement, and now we're getting social networks (Buzz and Talk) and browsers (Chrome and Chromium) and operating systems (Andriod and Google OS) along with the myriad of other services which have branched off from the original search, such as aquiring Youtube, working with Myspace, creating Google Maps and Earth to search locations, etc. There comes a point where it gets odd thinking of just all they do, and that's true for just about every large company. Kinda scary when thinking that an innocent little search engine now holds such sway that it starts a PR war just for changing operating systems.
TheUn4seen 3rd June 2010, 20:29 Quote
Quote:
Originally Posted by crazyceo

I don't believe for one second that ANY OS is safe and secure. Windows gets the bad press because 95% of the planet are using it. This reason stated by Google just doesn't hold up and stinks of anti-microsoft bias. No other way to explain it.

This logic is flawed. First of all, servers are a far more important attack targets. Security companies would like you to think that your home pc is a target that every hacker on earth would love to hack (and only their product will prevent that), but that's just marketing. Servers are attacked constantly, and they don't fall mostly because they run OSes that were built with security in mind from the beginning.

Hacking MS Windows is easy, every a script kiddie armed with Google and primitive exploits can do it, even if you use firewalls and so on - because Windows was originally built without any security measures at all. They were sticked to it in the process of developing, but in order to retain backward compatibility they can't make Windows really secure - that would mean completely rewriting most of the system (starting from the kernel) and MS decided that backward compatibility is more important than security.

*NIX systems were built for server security right from the start, that's why they are less "user-friendly" and require a lot more knowledge - they were never intended to be used by the general (ignorant) public. You can't actually hack BSD or GNU/Linux, they're completely bombproof. Only way to hack those systems is to exploit bugs in installed software, but even that won't give you root access.

And the popular belief that "more hackers are targeting Windows because of it's popularity" is far from true. There are many Windows exploits because they're so easy, I've seen a 15-year-old with a one year experience in C++ write an exploit that brought a small Windows network to it's knees.

Aside from creating botnets and farming passwords (and that doesn't need an OS to be hacked) there isn't much to gain from hacking Windows. Most viruses are made for fun, to ruin someone's day and to prove that the author can do it. Servers are where the money is and where the serious hackers are - and even then we don't hear about many servers hacked, do we?
The_Beast 4th June 2010, 01:16 Quote
Quote:
Originally Posted by Sloth
From viewpoint strictly regarding the PR and 'personality' of companies, Google kinda creep me out. It's strange thinking that this is a company with roots in advertisement, and now we're getting social networks (Buzz and Talk) and browsers (Chrome and Chromium) and operating systems (Andriod and Google OS) along with the myriad of other services which have branched off from the original search, such as aquiring Youtube, working with Myspace, creating Google Maps and Earth to search locations, etc. There comes a point where it gets odd thinking of just all they do, and that's true for just about every large company. Kinda scary when thinking that an innocent little search engine now holds such sway that it starts a PR war just for changing operating systems.


Skynet :|
crazyceo 4th June 2010, 03:00 Quote
Quote:
Originally Posted by TheUn4seen
Quote:
Originally Posted by crazyceo

I don't believe for one second that ANY OS is safe and secure. Windows gets the bad press because 95% of the planet are using it. This reason stated by Google just doesn't hold up and stinks of anti-microsoft bias. No other way to explain it.

This logic is flawed. First of all, servers are a far more important attack targets. Security companies would like you to think that your home pc is a target that every hacker on earth would love to hack (and only their product will prevent that), but that's just marketing. Servers are attacked constantly, and they don't fall mostly because they run OSes that were built with security in mind from the beginning.

Hacking MS Windows is easy, every a script kiddie armed with Google and primitive exploits can do it, even if you use firewalls and so on - because Windows was originally built without any security measures at all. They were sticked to it in the process of developing, but in order to retain backward compatibility they can't make Windows really secure - that would mean completely rewriting most of the system (starting from the kernel) and MS decided that backward compatibility is more important than security.

*NIX systems were built for server security right from the start, that's why they are less "user-friendly" and require a lot more knowledge - they were never intended to be used by the general (ignorant) public. You can't actually hack BSD or GNU/Linux, they're completely bombproof. Only way to hack those systems is to exploit bugs in installed software, but even that won't give you root access.

And the popular belief that "more hackers are targeting Windows because of it's popularity" is far from true. There are many Windows exploits because they're so easy, I've seen a 15-year-old with a one year experience in C++ write an exploit that brought a small Windows network to it's knees.

Aside from creating botnets and farming passwords (and that doesn't need an OS to be hacked) there isn't much to gain from hacking Windows. Most viruses are made for fun, to ruin someone's day and to prove that the author can do it. Servers are where the money is and where the serious hackers are - and even then we don't hear about many servers hacked, do we?

But on this topic and the earlier Google announcement, it was purely desktop based with no mention of server OS.

The number don't lie and it is a pure case of numbers when it comes to security attacks on OS. Go to AVG, Symantec or McAfee who would probably claim to be the biggest 3 on security and read their figures.

The myth is that OSX or any distro of Linux is safe and secure. As I stated earlier, I don't believe any OS to be 100% safe and secure.

Don't forget, when you ASSUME, you make and ASS out of U and ME! but mainly U.
crazyceo 4th June 2010, 03:06 Quote
Quote:
Originally Posted by Shagbag
Quote:
Originally Posted by dyzophoria
if you think the OS is a problem, you should have made your own. with the resources you have.
ChromeOS

But why aren't Google saying they will be using it? The choice so far has been OSX or a Linux distro. Will Chrome be under that guise of Linux?
gavomatic57 4th June 2010, 09:42 Quote
Quote:
Originally Posted by crazyceo
But why aren't Google saying they will be using it? The choice so far has been OSX or a Linux distro. Will Chrome be under that guise of Linux?

When it is finished, maybe. ChromeOS is a linux distro - it is basically the Chrome browser running on a linux kernel. Indeed all a linux distribution is is a linux kernel with a chosen desktop environment - be it Gnome (looks a bit like OSX), KDE (Windows 7 copied it), XFCE or Enlightenment. You then add a package manager (APT - for Debian, RPM for Redhat etc) You then add a bunch of applications, such as Firefox or Chrome, Openoffice, Evolution email and a few card games and you are away. ChromeOS just dispenses with the apps and relies on the cloud. Anyone can make their own linux distribution - their own choice of looks and applications.

The main thing is whether ChromeOS will allow users to install development tools and compilers, or whether a full OS will be needed.
gavomatic57 4th June 2010, 10:47 Quote
Quote:
Originally Posted by Bloody_Pete


I have this debate with a music playing friend once a month and it pisses me right off!!! Macs are the be-all and end-all of the computing world, they are piss poor. Ever tried to upgrade the RAM on a Macbook? Well its a pain in the ass as the damn things are so badly designed!

Yes, actually. 8-12 screws, lift off single piece of aluminium, replace chips, screw the back on again.

Same goes for the hard disk - unscrew the little bracket holding it in, lift it out, unclip SATA cable, swap disks etc.
Unknownsock 4th June 2010, 11:19 Quote
Quote:
Originally Posted by gavomatic57
A company that "improved" Vista by making it easier to turn off UAC in 7 talking up their security?

Hmm...

That is a user choice, i for one can't stand UAC, i use third party software and have never had a problem..
You've got to ask yourself this, what are windows users doing when they actually get a virus? im sure 99% of the time its something that they shouldn't be doing or something that should be secure by other software.
blood69 4th June 2010, 12:25 Quote
Quote:
Originally Posted by Shagbag
I continue to be surprised by those who believe in the bizarre idea that if you don't have market share your OS is not as secure. That is an insult to developers. C is C and C++ is C++.

Security is a process, not a product - but some products prevent you from performing 'the process' because they do not allow you to change the underlying source code. Instead, you are constrained to letting that product's developers making those changes for you. And this is where the economics of code changes comes into play.

Security is (in part) by design and market share has absolutely nothing to do with it. OpenBSD is proof in point.

The idea that a kernel developer is either (a) stupid, or (b) indifferent to security issues, quite frankly, speaks more about the intelligence of those who make the claim rather than the kernel developers.

True, changing the source code to give more protection against hackers. But the majority of application developers don't have the time in their tight timeline projects to change it or even if they have the source code that is availiable to developers are available to hackers, so if a developer as a possible securety issue in a application and it has to change source code from some part of the OS, a subsquencial hacker that have access to the same source code can study in the base of what the application does and change someting to overpass the suposed sucurity arrangement.
Sorry about my engllkishshshs
Ramble 4th June 2010, 13:48 Quote
Quote:
Originally Posted by TheUn4seen
Hacking MS Windows is easy, every a script kiddie armed with Google and primitive exploits can do it, even if you use firewalls and so on - because Windows was originally built without any security measures at all. They were sticked to it in the process of developing, but in order to retain backward compatibility they can't make Windows really secure - that would mean completely rewriting most of the system (starting from the kernel) and MS decided that backward compatibility is more important than security.

Not true, Windows security nowadays isn't too bad. it could be made better but things like ASLR (which OS X doesn't have) help.
Quote:
Originally Posted by TheUn4seen
*NIX systems were built for server security right from the start, that's why they are less "user-friendly" and require a lot more knowledge - they were never intended to be used by the general (ignorant) public. You can't actually hack BSD or GNU/Linux, they're completely bombproof. Only way to hack those systems is to exploit bugs in installed software, but even that won't give you root access.

Wrong, *nix was never designed from the start to be secure, it was designed to be portable and simple - this has the effect of making it fairly secure from the start.
*nix doesn't require more knowledge, unix and unix-like systems form a massive array of different operating systems, I wouldn't call OS X difficult (unix) but I'd call Gentoo somewhat harder (linux).
You can certainly hack Linux or Unix, whether it's a kernel vulnerability or something else (Windows is a collection of services too, it isn't one big program). Plenty of stuff runs with root priviledges - anything that outputs under port 1000 needs root access, including HTTP and FTP daemons - you'd better put everything in a chroot jail otherwise you're at risk.
Shagbag 4th June 2010, 14:20 Quote
Quote:
Originally Posted by blood69
True, changing the source code to give more protection against hackers. But the majority of application developers don't have the time in their tight timeline projects to change it or even if they have the source code that is availiable to developers are available to hackers, so if a developer as a possible securety issue in a application and it has to change source code from some part of the OS, a subsquencial hacker that have access to the same source code can study in the base of what the application does and change someting to overpass the suposed sucurity arrangement.
Sorry about my engllkishshshs
That's just not right. The majority of vulnerabilities arise because of mistakes in the C/C++ code. Correct the mistake, re-compile the code and the vulnerability has disappeared. There is nothing any cracker can do about it.

What you're talking about is known as a 'shim'. Shims address the symptoms, not the cause. The cause (faulty C/C++ code) will always remain and there may be ways to exploit this faulty code that the shim doesn't catch. For this reason, developing shims are NOT a good security practice.
blood69 4th June 2010, 16:37 Quote
Quote:
Originally Posted by Shagbag
Quote:
Originally Posted by blood69
True, changing the source code to give more protection against hackers. But the majority of application developers don't have the time in their tight timeline projects to change it or even if they have the source code that is availiable to developers are available to hackers, so if a developer as a possible securety issue in a application and it has to change source code from some part of the OS, a subsquencial hacker that have access to the same source code can study in the base of what the application does and change someting to overpass the suposed sucurity arrangement.
Sorry about my engllkishshshs
That's just not right. The majority of vulnerabilities arise because of mistakes in the C/C++ code. Correct the mistake, re-compile the code and the vulnerability has disappeared. There is nothing any cracker can do about it.

What you're talking about is known as a 'shim'. Shims address the symptoms, not the cause. The cause (faulty C/C++ code) will always remain and there may be ways to exploit this faulty code that the shim doesn't catch. For this reason, developing shims are NOT a good security practice.

Lol, shim??
I'm a cloud developer that must be the reason why i never heard that word in my life. I'm not a Security Expert but i never been hacked with my applications, just happend once when i had Ubuntu OS in my servers, maybe it's not the best linux in therms of security but i changed to server2003 and never had any security issue.
Shagbag 4th June 2010, 18:07 Quote
It's an engineering term that's been taken up by the software industry. Check out 'kludge' as well.
blood69 4th June 2010, 18:16 Quote
Quote:
Originally Posted by Shagbag
It's an engineering term that's been taken up by the software industry. Check out 'kludge' as well.

Ye, now did you mention Solution to a problem or "klumsy, lame, ugly, dumb, but good enough, or klutzy, lashup, under, going, engineering" because in software i do the 2 things and i don't belive you don't do the same. If not you are a perfect program writer who had never did a little "Cowboy" programing to maintain a Deadline.
darren263 8th June 2010, 08:21 Quote
Excellent list! I've learned more from this forum in about 2 days than I have at any other forum community.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums