• Twenty years of trustworthy computing

    #2420616

    ISSUE 19.04 • 2022-01-24 ON SECURITY By Susan Bradley Are we more secure now? It’s been 20 years since Bill Gates wrote the “trustworthy computing” me
    [See the full post at: Twenty years of trustworthy computing]

    Susan Bradley Patch Lady

    8 users thanked author for this post.
    • #2420647

      I am always hearing about buffer overflows, even today. It seems to me that the starting place for creating more secure systems should be to eliminate these issues. This can be accomplished by changing ALL programming languages to require (not suggest) setting limits on the size of what can be input to the buffer, then either truncating the input, or rejecting it altogether (a choice the developer must be required to make). I know this is a very large ask, but if this had been the thrust twenty years ago, we would not be seeing this type of security vulnerability today.

      My2Cents,

      Ernie

    • #2420658

      Twenty years later, are we more secure? Do you feel more secure?

      If the threat environment were the same now as 20 years ago, yes, I think we would be. However, the threat environment is not the same. It’s far more complex and pervasive than it was 20 years ago. Security is a moving target, so the question really is are we gaining or losing ground? Until and unless we get a handle on ransomware in all its permutations and variations, and data breaches in general, I think we are losing ground.

      When I was a kid, the only real worry was whether the Russians were going to nuke us. That became far less likely when the Cold War (version 1?) ended. Now, it’s nut jobs and fanatics shooting up schools, houses of worship, stores and shopping centers; diseases that can run rampant (many scares (SARS and Ebola, for example) but only COVID has lived up to the early concerns. On the other hand, the smart money says there will be more of these diseases.); climate change/global warming to name just three. And we just might be seeing the beginning of version 2 of the Cold War.

      My point is threats are evolving and seem to be doing so far faster than defenses and counter-offenses can be developed and deployed. Also, the attack surface has grown exponentially as information technology has become more pervasive.

      Lastly, with respect to Gates’ last bullet, the Facebooks, Googles and governments of the world have run roughshod over anything remotely close to what he wrote about.

      4 users thanked author for this post.
    • #2420666

      MHCLV941: “And we just might be seeing the beginning of version 2 of the Cold War.”

      I think it has been going on for some time now. If I’m right, then let’s hope that it stays cold.

      But even so, what a waste of time, when we don’t really have much time left to waste!

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

    • #2420668

      I think it has been going on for some time now. If I’m right, then let’s hope that it stays cold.

      So do the Ukrainians…

      1 user thanked author for this post.
    • #2420676

      Bill Gates is a bit of a hypocrite. I’m old enough to remember his “Open letter on piracy.” This from the man who was stealing computer time while still in high school. Now decades later, we purchase Windows (with no other viable choice) and he continues to charge us, to rob us. I love buying a $200 copy of Windows Pro from Microsoft. I am paying to have myself shopped, be bombarded by adware, malware and targeted ads – and now if you buy from the Microsoft store you are NOT given a software key to Windows but must “trust” Microsoft that if you have to reload the software they’ll recognize your machine and not have to buy the software a second time.
      In my opinion Microsoft has created the pirates it initially complained about.

      2 users thanked author for this post.
      • #2420926

        …and let’s not forget that he tried to push through a yearly license fee for it. That he tried to put in a privacy-invading unique tracking Id for use by advertisers (which was rebuffed by a pushback similar to the BigBrotherInside counter against Intel’s similar aim). That he threatened computer makers like Gateway that they’d better include the inferior IE or they wouldn’t be allowed to use windows. That he unfairly squelched competition at every turn, so that software was worse because Gates was alive. That while Europe and some states moved against him, the feds largely didn’t because he bribed via campaign contributions. How he lied to congress that the US just didn’t have enough programmers, so he should be allowed to import more and more cheaper ones from other countries. On and on and on. All of which will be denied by his fanboys.

    • #2420679

      It’s always the general public that suffers whether digital or not *sigh*
      Slight distraction albeit relevant is the news that
      the EU Parliament approves “Digital Service Act”
      early stages for now..

      "-rw-rw-rw-" extreme computing
    • #2420694

      we purchase Windows (with no other viable choice)

      You have at least 3 choices: buy Apple; run Linux; write your own OS. It is not Microsoft’s problem that there is “no other viable choice”.

      I love buying a $200 copy of Windows Pro from Microsoft

      So buy it elsewhere. An OEM license for Windows 10 Pro is $148 at a number of reputable resellers. If you’re not buying the license for a computer you are building, why are you not buying an upgrade or, for that matter, getting it for free? Free upgrades for Windows 7 and above are still available.

      • #2420922

        write your own OS. It is not Microsoft’s problem that there is “no other viable choice”.

        Is there no way to block certain posters? I stopped reading on tenforums because of all the rude M$ fanboys there. Gates used every underhanded unfair business practice in the book, that’s how he got so rich – not because he is some sort of genius, which he isn’t. I don’t want to hear about how he is some sort of hero, and how the house he built is something admirable. That he got #meToo’ed out of, no less.

        And btw, Gates didn’t “write his own OS” MSDOS, he very unethically ripped off an acquaintance for it. The start of many. Gates’ fans think that doing unethical business deals makes him some sort of genius.

    • #2420702

      In recent months Windows has been flagging Macrium Reflect when I try to run backups.  I have been able to get around it after some poking around with little confidence.  It’s irritating that such a reputable package is flagged by Windows 10.  Surprisingly, only the most recent time did it run without an intervention.  Did MS fix the issue or did I get it set to pass by other means.  ??

      I also find it very irritating with the push to “finish the setup” after some system updates where MS tries to get me to log in to an account to boot my system.  And, getting around it is not intuitive unless you have some history of MS workarounds.

      1 user thanked author for this post.
      • #2420742

        When you say flagging, what do you mean?  Have you updated Macrium?  I’m not seeing any flagging here?

        Susan Bradley Patch Lady

        • #2420811

          Windows Security will not let it run.  Sorry, I don’t remember the given reason.  I have had to go to Win Security and give it something like an “allow” to get it to run – if I remember correctly.  I have cleared the “current threats” where I took this action to make it run so I can’t be more specific.

          Ver 7.7.3906.  Checking now I see ver 8 came out 5-6 weeks ago.

    • #2420761

      The last malware I encountered on my personal PC was in the late ’90’s, and it had hitched a ride on a floppy disk given to me by an IT pro to pass along a utility.  He was embarrassed, but restoring a drive image took care of the issue.

      At a business level, I worked (not in IT) for a Fortune 500 mining company with literally thousands of workstations around the globe.  The last malware issue I can recall prior to my retirement was the “I love you” malware spread by email.  The IT staff eradicated it in less than 24 hours, tightened the noose on their Exchange servers and sent out an email to all users on what happened, how it happened, and to please not be  foolishly clicking on stuff in email.

      The bottom line for me is that no OS can protect one from oneself, and the foresight and preparation for “when, not if” is not the responsibility of the OS platform, it is the responsibility of the user.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      We all have our own reasons for doing the things that we do. We don't all have to do the same things.

    • #2420760

      Twenty years later, are we more secure? Do you feel more secure?

       

      No. We are not more secure. The security nowadays is to cause issues for good people to waste their time on or hope to find workarounds.

      Hackers are able to bypass any security that is there now. There are too many flaws, buffer overflows, embedded back doors in software etc for them to use.

       

      Companies put security at the bottom of the list for years. Profit is the number 1. The more money they can make the better.

      There were white hat hackers in my time but I think most white hat hackers have become either gray or red hat hackers now since companies do not focus on security I think several have turned fully to black hat hackers since that is where the money is now.

       

    • #2420795

      Great column. I have just one question: what are the options for enabling logging on consumer copies of Windows 11 or Microsoft 365?

      I see an option in Win11 to export logs but nothing about other logging options like extending (or knowing) the time frame covered by the logs.

    • #2420970

      write your own OS. It is not Microsoft’s problem that there is “no other viable choice”.

      Is there no way to block certain posters? I stopped reading on tenforums because of all the rude M$ fanboys there. Gates used every underhanded unfair business practice in the book, that’s how he got so rich – not because he is some sort of genius, which he isn’t. I don’t want to hear about how he is some sort of hero, and how the house he built is something admirable. That he got #meToo’ed out of, no less.

      And btw, Gates didn’t “write his own OS” MSDOS, he very unethically ripped off an acquaintance for it. The start of many. Gates’ fans think that doing unethical business deals makes him some sort of genius.

      Sorry you can’t handle folks who disagree with you. Not, actually, I’m not.

      BTW, I never said Gates wrote MS-DOS. I am fully aware that he bought it though I do not share your opinion that he did so “very unethically”

      What I DID say is that YOU have three options to avoid Windows: buy Apple, run Linux or write your own OS.

    • #2420973

      …and let’s not forget that he tried to push through a yearly license fee for it.

      You mean Gates invented the software subscription business model? Years before LOTS of companies adopted it? I had no idea he was that far ahead of his time.

      As for the rest of your screed, I didn’t deny anything. As I said, you have other options for computing; perhaps your blood pressure would be lower if you changed to one of them.

    • #2420975

      MHCLV941: “And we just might be seeing the beginning of version 2 of the Cold War.”

      I think it has been going on for some time now. If I’m right, then let’s hope that it stays cold.

      But even so, what a waste of time, when we don’t really have much time left to waste!

      Agreed. Unfortunately, we are not in control over what happens. At best, we can control how we react to what happens.

    • #2420979

      The last malware I encountered on my personal PC was in the late ’90’s, and it had hitched a ride on a floppy disk given to me by an IT pro to pass along a utility.  He was embarrassed, but restoring a drive image took care of the issue.

      At a business level, I worked (not in IT) for a Fortune 500 mining company with literally thousands of workstations around the globe.  The last malware issue I can recall prior to my retirement was the “I love you” malware spread by email.  The IT staff eradicated it in less than 24 hours, tightened the noose on their Exchange servers and sent out an email to all users on what happened, how it happened, and to please not be  foolishly clicking on stuff in email.

      The bottom line for me is that no OS can protect one from oneself, and the foresight and preparation for “when, not if” is not the responsibility of the OS platform, it is the responsibility of the user.

      You were luckier than some, but I wonder how much of that was due to the efforts of your employer’s IT staff to keep you from seeing them. Antivirus software on the mail servers, firewalls with various active defenses, security software on your work PC, etc.

      Y2K was a non-event because IT folks all over the world worked awfully hard to make sure that’s how it turned out. The same applies to your experiences, I think.

      • #2421031

        You were luckier than some

        I’m not a believer in “luck”.  I do, however, strongly believe in preparing for the inevitable.  I overcame my one case of malware by restoring a drive image.  At the time I used a Colorado Tape Backup system.  It was quite slow, but that one instance of rescue solidified my resolve to maintain a strict regimen of drive imaging.

        I wonder how much of that was due to the efforts of your employer’s IT staff to keep you from seeing them. Antivirus software on the mail servers, firewalls with various active defenses, security software on your work PC, etc.

        Excuse me, but isn’t that pretty much what I said?

        The IT staff eradicated it in less than 24 hours, tightened the noose on their Exchange servers and sent out an email to all users on what happened, how it happened, and to please not be foolishly clicking on stuff in email.

        IT was always quite open with what they were doing to protect the IT infrastructure and instructing what individuals were to do (and not do) in order to keep that protective wrapping tight and secure.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        We all have our own reasons for doing the things that we do. We don't all have to do the same things.

    • #2420983

      Maybe “write your own Operating System” is not a very practical proposition, but yes, Macs and Linux PCs are also there, as practical options to running Windows. And with Linux on the same PCs as those running Windows, because one can even have both Windows and Linux in the same machine, installed in dual-boot. Not to put myself as a shining example, but I voted with my keyboard and mouse to begin to move to a Mac more than four years ago, and for the last two years have been a Mac user 100%. And since then, very rarely I have had to worry about what Apple is doing that might be bad for me. And in every case nothing terrible has ever happened.

      The problem of security in computing, I think, ultimately is not that different if one chooses Windows, macOS, or Linux, because it is basically beyond what their developers can do to solve it for good, but with: (a) hackers that eventually either invent novel ways of compromising computers, or find a new variant of how to get around protective measures put in their way in the OS (something known as an “armaments race”), and (b) users that are not careful enough, or know how to be careful enough. This is not a judgement on the latter, by the way, but a mere statement of fact.

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

      1 user thanked author for this post.
    • #2420985

      Maybe “write your own Operating System” is not a very practical proposition,

      To put it mildly! But it is an option nevertheless. The inherent lack of availability of application software makes doing so even less practical…

      It’s long been said “Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.”

      I think the same is true of cyber security.

    • #2421083

      It’s important to note that how secure you “feel” has little to do with how secure you “are”. Marketing has decidedly taken control of the “feel” and is using it to manipulate people into making decisions.

      An OS could be FAR more secure in reality. All any of them would have to do would be to add managed and updated blacklists of “badware” web sites to keep computers from visiting, along with a working process to ensure mistakes get corrected. For the last 10+ years savvy geeks have achieved this kind of protection for free with things like various blacklists freely available online, browser add-ons like uBlock, etc.

      Instead we’re continually led down the path of thinking “Malware will get into your system, let’s try to protect you from the inside”, which was, is, and will be always a losing battle. But it’s a battle that sells everyone on new hardware and changed expectations.

      -Noel

      3 users thanked author for this post.
      • #2421097

        not forgetting firewall rulesets, my preferred.

        "-rw-rw-rw-" extreme computing
        1 user thanked author for this post.
      • #2421158

        An OS could be FAR more secure in reality. All any of them would have to do would be to add managed and updated blacklists of “badware” web sites to keep computers from visiting, along with a working process to ensure mistakes get corrected.

        It’s still called SmartScreen.

        But no doubt you’ll continue to pretend that it doesn’t exist for a few more years yet 🙄.

        Windows 10 Pro version 21H2 build 19044.1682 + Microsoft 365 (group ASAP)

        • #2421229

          Is SmartScreen only for Edge or does it work with all browsers ?

          Windows 10 Home 21H2, Acer Aspire TC-1660 desktop, non-techie

        • #2421247

          AFAIK, Smart Screen works with Microsoft Edge, but IDNK if it works with any other browsers. I used Firefox for a bit recently, and I did not see any security check on a file download, so I suspect that the answer is no.

          Based on the Microsoft documentation I found at (Microsoft Defender SmartScreen Frequently Asked Questions), “Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge.”

          I hope this answers your question,

          Ernie

           

          1 user thanked author for this post.
    • #2421108

      Microsoft like the rest of the Big Tech monopolies have squelched competition and bought off politicians, leaving users with little actual choice. Linux is a false choice, a hobbyist OS, and only exists because it is free. If it was a serious competitor then MS/Apple etc would’ve killed it off already. The system stinks and won’t change until our political system changes. Oh, and the last thing Big Tech cares about is security. Everything they push in the name of ‘security’ is all about telemetry and using the computer user as a guinea pig instead of spending money on proper software development and testing.

    • #2421119

      Noel: “For the last 10+ years savvy geeks have achieved this kind of protection for free with things like various blacklists freely available online”

      A potential problem with this type of screening, if made with some security software that automatically updates and then uses the blacklists to prevent connecting, or warns about connecting, to certain sites, is that it might tend to err on the side of prudence a bit too much:

      I remember that Webroot had an application that when one did a Web search would put a little circle to the left of the first line of every “hit”, the color of the circle corresponding to the reliability or otherwise of that site.

      This soon brought forth a formidably loud chorus of lamentations from people claiming to be honest merchants that were having their businesses branded with ominous red circles that scared away potential customers. If memory serves, eventually Webroot stopped supporting this problematic feature.

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

    • #2421128

      An OS could be FAR more secure in reality. All any of them would have to do would be to add managed and updated blacklists of “badware” web sites to keep computers from visiting, along with a working process to ensure mistakes get corrected. For the last 10+ years savvy geeks have achieved this kind of protection for free with things like various blacklists freely available online, browser add-ons like uBlock, etc.

      Instead we’re continually led down the path of thinking “Malware will get into your system, let’s try to protect you from the inside”, which was, is, and will be always a losing battle. But it’s a battle that sells everyone on new hardware and changed expectations.

      A really savvy person uses both strategies.

      • #2421133

        The downside with “throw everything at the problem” comes in when the computer’s performance goes down the tubes AND your usability tanks because you are sold this concept: “You just can’t have too much security.”

        Computers from 40 years ago did useful things for us, quite often very quickly by comparison to the speeds our brains move at. Now they’re a million times faster and can store a billion times more data. Think about those numbers. Yet we still find things to wait for, sometimes for a long time. Why? Because they’re laden with inefficiency.

        Something like 20 years ago I could copy a whole tree of thousands of files from one place to another on a spinning hard drive in Windows XP and the operation would complete interactively in an eyeblink, with the disk access light staying on a while after. How? RAM caching oriented to performance. Now copying or deleting ONE FILE on an SSD brings up a progress dialog for several seconds, even on hardware many times faster. Perhaps tens of thousands of checks were made on that file to ensure it doesn’t contain malware. This is not real progress.

        -Noel

        1 user thanked author for this post.
    • #2421132

      Noel: “For the last 10+ years savvy geeks have achieved this kind of protection for free with things like various blacklists freely available online”

      A potential problem with this type of screening, if made with some security software that automatically updates and then uses the blacklists to prevent connecting, or warns about connecting, to certain sites, is that it might tend to err on the side of prudence a bit too much:

      I remember that Webroot had an application that when one did a Web search would put a little circle to the left of the first line of every “hit”, the color of the circle corresponding to the reliability or otherwise of that site.

      This soon brought forth a formidably loud chorus of lamentations from people claiming to be honest merchants that were having their businesses branded with ominous red circles that scared away potential customers. If memory serves, eventually Webroot stopped supporting this problematic feature.

      False positives are always a problem, no matter what is being screened. I dropped a spam call blocker on my phone because the only calls it seemed to block were ones from callers I wanted to talk to, like my insurance company, medical appointment reminders, and even some medical offices.

      • #2421140

        False positives are less an issue with Internet vs. telephone. I’ve been living the dream of site blacklisting for a long time and guess what? The number of times I’ve been blocked from doing something I really wanted/needed online can be summarized by these lists, which I have manually accumulated in my blacklist file over the years to whitelist things that were inadvertently blocked:

        # *.auditude.com=0.0.0.0 # needed to watch NBC sports on the Apple TV
        # *.hwcdn.net=0.0.0.0 # needed for PBS, FXX, and FOXNOW video access via the Apple TV
        # *.liveperson.net=0.0.0.0 # needed to chat with Support
        # *.omtrdc.net=0.0.0.0 # needed to watch NBC on the Apple TV
        # *.society6.com=0.0.0.0 # needed to enable Xmas shopping for wife on iPad
        
        # 130.211.230.53=0.0.0.0 # Invalid entry from one of the list sites
        # a1284.g.akamai.net=0.0.0.0 # Needed to self-update Photoshop Elements
        # assets.adobedtm.com=0.0.0.0 # Needed to download Adobe software
        # auditude.com=0.0.0.0 # Needed to watch NBC sports on Apple TV
        # cdn.overclock.net=0.0.0.0 # needed to see user icons on overclock.net forum
        # geo.nbcsports.com=0.0.0.0 # Needed for the NBC app on Apple TV
        # hwcdn.net=0.0.0.0 # needed for PBS, FXX, and FOXNOW video access via the Apple TV
        # maxcdn.bootstrapcdn.com=0.0.0.0 # needed to get the page formatting on globaltuners.com
        # oimg.nbcuni.com=0.0.0.0 # Needed to watch NBC sports on Apple TV
        # server.iad.liveperson.net=0.0.0.0 # Needed to live chat with Comodo/InstantSSL support
        # society6.com=0.0.0.0 # Needed to order trinkets
        # v.w-x.co=0.0.0.0 # Needed to get the weather channel data online
        
        -Noel
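Added example, not part of the thread and not code from any poster: a small Python audit of a blacklist file in the `pattern=0.0.0.0` form shown in the post above. It assumes that a leading `#` disables an entry and that `*.` covers subdomains only; the `*.example` entries are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample. The *.example lines are invented for this example;
# the other commented-out entries are copied from the post above.
SAMPLE = """\
*.ads.example=0.0.0.0
*.cdn.example=0.0.0.0
# img.cdn.example=0.0.0.0 # constructed: exception shadowed by the wildcard above
# *.auditude.com=0.0.0.0 # needed to watch NBC sports on the Apple TV
# auditude.com=0.0.0.0 # Needed to watch NBC sports on Apple TV
# 130.211.230.53=0.0.0.0 # Invalid entry from one of the list sites
# *.liveperson.net=0.0.0.0 # needed to chat with Support
# server.iad.liveperson.net=0.0.0.0 # Needed to live chat with Comodo/InstantSSL support
"""

# optional "#" (entry disabled), pattern, "=", sink address, optional "# reason"
ENTRY = re.compile(
    r"^(?P<off>#\s*)?(?P<pat>[^\s=#]+)=(?P<sink>[0-9.]+)\s*(?:#\s*(?P<why>.*))?$"
)


@dataclass(frozen=True)
class Entry:
    pattern: str   # host name or "*.domain" wildcard
    active: bool   # False when the line is commented out (an exception)
    reason: str    # trailing comment explaining the exception, if any


def parse(text):
    """Return every entry line, active or disabled; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(
                Entry(m["pat"].lower(), m["off"] is None, (m["why"] or "").strip())
            )
    return entries


def matches(pattern, host):
    """Match on label boundaries so 'notauditude.com' never hits '*.auditude.com'."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Assumption: the wildcard covers subdomains, not the bare domain.
        return host.endswith(pattern[1:])
    return host == pattern


def verdict(entries, host):
    """'blocked' if an active entry matches, 'excepted' if only disabled ones do."""
    hits = [e for e in entries if matches(e.pattern, host)]
    if any(e.active for e in hits):
        return "blocked"
    return "excepted" if hits else "unlisted"


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def audit(entries):
    """Flag exceptions that do not do what their comment says."""
    active = [e for e in entries if e.active]
    disabled = [e for e in entries if not e.active]
    findings = []
    for e in disabled:
        # A representative host name for this entry.
        probe = "x" + e.pattern[1:] if e.pattern.startswith("*.") else e.pattern
        if is_ip(e.pattern):
            findings.append((e.pattern, "ip-literal"))
        elif any(matches(a.pattern, probe) for a in active):
            findings.append((e.pattern, "still-blocked"))
        elif any(
            d is not e and d.pattern.startswith("*.") and matches(d.pattern, probe)
            for d in disabled
        ):
            findings.append((e.pattern, "covered-by-wildcard"))
    return findings


if __name__ == "__main__":
    rules = parse(SAMPLE)
    for name in ("banner.ads.example", "www.auditude.com", "notauditude.com"):
        print(name, verdict(rules, name))
    for pattern, finding in audit(rules):
        print(pattern, finding)
```

The `still-blocked` finding is the one worth acting on: commenting out a single host has no effect while an active wildcard above it still matches.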
    • #2421135

      The downside with “throw everything at the problem” comes in when the computer’s performance goes down the tubes AND your usability tanks because you are sold this concept: “You just can’t have too much security.”

      If you are trying to run everything on one machine, yes, you’re right. However, if the blacklists are run on a firewall or proxy server, then it is not correct.

      Something like 20 years ago I could copy a whole tree of thousands of files from one place to another on a spinning hard drive in Windows XP and the operation would complete interactively in an eyeblink, with the disk access light staying on a while after. How? RAM caching oriented to performance. Now copying or deleting ONE FILE on an SSD brings up a progress dialog for several seconds, even on hardware many times faster. Perhaps tens of thousands of checks were made on that file to ensure it doesn’t contain malware. This is not real progress.

      Back in the day, you may have gotten control of your computer back more quickly, but the actual work was not finished and there was apparently no good way to know when it did finish or if there were problems. That was not progress.

      • #2421148

        Back in the day, you may have gotten control of your computer back more quickly

        And that’s exactly what someone concerned with productivity needs! If you do complex work on a big system that runs continuously, you don’t want to be slowed down and have your train of thought disrupted, nor are you likely to mess things up if your operations complete immediately and you take the next action once you’re good enough at using your system to where these kinds of things matter.

        Today you can set a system to do write-back caching on a volume but there is still a significant delay in pretty much anything you can do in Explorer. It’s simply more sluggish now compared to the best it’s been on even slower hardware.

        I’d be happy if it were configured to be more conservative out of the box, to help new folks out and with settings I could change to turn off the dumbed down parts. But those settings have evaporated in many cases.

        -Noel

    • #2421151

      False positives are less an issue with Internet vs. telephone. I’ve been living the dream of site blacklisting for a long time and guess what? The number of times I’ve been blocked from doing something I really wanted/needed online can be summarized by these lists, which I have manually accumulated in my blacklist file over the years to whitelist things that were inadvertently blocked:

      Nevertheless, you have had false positives in the blacklists you use. When I ran the firewalls for my employer, I accumulated that many exceptions in about 5 years. Every 5 years.

    • #2421153

      And that’s exactly what someone concerned with productivity needs! If you do complex work on a big system that runs continuously, you don’t want to be slowed down and have your train of thought disrupted, nor are you likely to mess things up if your operations complete immediately and you take the next action once you’re good enough at using your system to where these kinds of things matter.

      That may well be what you want. I don’t like waiting any more than I suspect you do, but I also don’t want to miss a problem precisely because I’ve moved on.

    • #2421350

      he very unethically ripped off an acquaintance for it.

      A matter of opinion, of course.

      Tim Paterson was not coerced into selling the product. We may look at the transaction in hindsight and conclude it was not fair, but that fails to take into account the moment in time. I’ve met Paterson, and he did not seem bitter.

      Besides his numerous contracts with Microsoft after the acquisition, Paterson worked for Microsoft for over ten years. I don’t know anything about his finances, but anyone working for the company during those periods would have done well.

       

      • #2421375

        In his book, Accidental Empires, Robert X. Cringely says Gates paid Paterson $50,000 (about $170,000 today) for QDOS (which became MS-DOS in due course). However, this was before he had a contract with IBM and that $50 grand was pretty much a bet-the-company.

        Unpaid plug: Cringely’s book is circa 1991 but well worth tracking down and reading if one is interested in not only the what but also the why and how of early Silicon Valley.

    • #2421427

      However, this was before he had a contract with IBM and that $50 grand was pretty much a bet-the-company.

      I think that is an apt description of the moment in time.

    • #2421644

      In some ways, yes, in other ways, no.  Some of it, as noted elsewhere, is that security is a moving target, and it’s never as simple as a yes/no declaration, nor is it “set and forget”. We’re certainly more secure against the threats of 20 years ago, but there are plenty of new security threats that have arisen since then.

      Security is always a matter of trade-offs of cost/benefit, and there will always be compromises that must be made among competing agendas.  In Microsoft’s case, I don’t know that those agendas are well-defined (especially in what is communicated to the public), much less of having any sense of how the differing agendas are weighted in their processes.

      If Microsoft was set to “default to security” as the first agenda point for any decision, they would never get anything out the door, and they would spend all the time chasing their tails around arcane holes that have no realistic security risks.  However, other agendas also have weight, and there are times when Marketing’s needs may take precedence over the needs of security.

      To me, this is where Windows 11 falls over.  Although Microsoft is promoting Win 11 as a security thing, and I don’t doubt that there are some good security features there, I believe that Win 11 is more a product to satisfy Marketing’s need to sell than customers’ need to buy.

      A similar thing is the release cadence of updates, whether the monthly Patch Tuesday updates or the semi-annual updates.  Marketing is what sets the calendar for those, and it’s very rare that something is significantly held up because internal processes reveal that the release is not ready.  And it doesn’t help that Home users are involuntarily used as testers (rather than more extensive internal testing).  If testing was done correctly (including the ability to completely opt out of feature updates), then we would have far less need of the DEFCON system for evaluating patches.

      On that point, I think that Microsoft fails miserably, in differentiating feature updates from security updates and bug fixes.  Even at the best of times, we still have to reboot Windows too frequently.  And if an update is disruptive, it *is* a security issue, because of the time spent diagnosing and finding fixes and work-arounds.  And the state of January Patch Tuesday updates is especially bad, causing us to have to choose between an update that fixes known holes, but has high risk of causing problems.

       

      1 user thanked author for this post.