Ah, I was just about to post this. MS also to roll out in the next 11 years: Loyal, Helpful, Friendly, Courteous, Kind, Obedient, Cheerful, Thrifty, Brave, Clean, and Reverent Computing, then plans to sue the Boy Scouts of America for trademark infringement.
posted by plinth at 4:42 AM on January 17, 2002

what a hilarious bit of pr lip service to something Msoft has ignored for years. the only really good thing about this story is that it indicates that their poor security must actually be costing the Redmond dirtballs money, or they would continue to be indifferent. maybe that'll help them develop software that isn't completely buggy and fuull of security holes. but i ain't holding my breath.
posted by zoopraxiscope at 4:46 AM on January 17, 2002

Look for security and privacy to be redefined by the Beast from Redmond. Already M$ says that the Windows Media Player "super cookie" is NOT a security issue. Go figure.
posted by nofundy at 4:51 AM on January 17, 2002

go read 1984. ms pr uses that book like an operations manual. their tv ads tout precisely that which they do not have: reliability, security and interoperability. this is always the case. ms is master of the big lie. ms ALWAYS claims, loudly and persistently, EXACTLY WHAT IS NOT SO, all the time, it is in the corporate culture, it will not change. people probably think i'm just being typically silly when i make bombastic statements like 'gates and ballmer belong in prison'. people are wrong. ms is the absolute worst that the free enterprise system has produced in my lifetime.
posted by quonsar at 5:21 AM on January 17, 2002

And how is our favorite monopolist going to do this? They're already facing increasing user resistance to continuous upgrades (new versions, service packs, hot fixes, etc.), how will they get poeple to download and install more of the same, no matter what the end result?
posted by tommasz at 5:36 AM on January 17, 2002

From the story: "Every developer is going to be told not to write any new line of code," Mr. Allchin said, "until they have thought out the security implications for the product."

This is probably just lip service, but otherwise, it's about freaking time. The biggest security hassles caused by Microsoft products are due to its inability to consider the security implications of new features. Gates should have recognized something was wrong years ago when the company first shipped an e-mail client that let incoming e-mail contain executable scripts that could take control of the program.
posted by rcade at 6:07 AM on January 17, 2002

It's just P.R. lip service. Security is hard to do right. They have consistently tried and failed to give the industry what it wants (a stable, robust, secure operating system). Next thing you know, they'll be claiming that closed-source makes a product more secure because "hackers can't look at the source code to see the bugs".

Fiddlesticks. This is nothing more than a thinly veiled attempt to boost XP sales after a lot of negative press regarding remote exploits and globally unique identifiers. On the good side, perhaps they will start shipping an ssh client with the OS.
posted by leapfrog at 6:39 AM on January 17, 2002

He said the company was trying to change the culture of its software developers, who have been putting their emphasis on adding features to the company's software to increase its value

Yeah, like it was a developer who thought up that bastard paperclip.

While buffer overruns are evidence of shoddy work by your actual code monkey, the sheer total systemic fuckedness of outlook smacks of the marketing department to me. I don't see how putting developers though a quality course is going to solve that.

In the short term it's going to do just the opposite:
Suddenly stopping all 7000 developers for a month, wipes over a million development hours from project plans. That's a million hours that have to be made up somewhere to meet MS's ship-or-die release dates. If they do it by whipping the slaves harder, the coders are going to make more mistakes. Inevitably some of those mistakes are going to be security-related.
posted by muppetfiend at 6:44 AM on January 17, 2002

Oops, sorry for the patronising tone of that last para. I've been writing documentation all week and the small-words-for-the-hard-of-thinking style seems to be leaking over into everything...
posted by muppetfiend at 7:01 AM on January 17, 2002

From the Times article:
"The company also plans to re-examine all of its Windows operating system code in an effort to find security flaws."

"Effort" is the operative term here. A BusinessWeek article from this summer put XP at 45 million lines of code. How could all that code possibly be properly reviewed, patched, re-reviewed, tested, etc. without grinding the wheels of progress to a total halt?

The more likely outcome of this directive from Bill is that new stuff will be written better. Hopefully for Microsoft and for all of us that must use their software, they'll focus their efforts on enterprise-class stuff - especially anything that has to do with .NET and Microsoft's proposed moves into authentication and commerce applications. That would be welcome.
posted by dammitjim at 7:40 AM on January 17, 2002

Here's a wild and crazy statement: I don't think MS software is particularly buggy. No more so than anybody else's, anyway.

The problem is that the MS strategy of having every piece of software work so closely with every other piece of MS software, including the operating system, leaves room for unexpected interactions between those pieces of software to be very dangerous.

It's a great strategy, from a sales point of view. Once a customer gets hooked on a particular MS product, he's got lots of incentive to keep buying MS software and lots of incentive to not buy any non-MS software. But it means that a weakness in one piece of software becomes, implicitly, a problem with all of the software, and therefore much more dangerous. (The supercookie is a perfect example: if Windows Media Player were a standalone product, its ID code would be harmless (or at least minimized to when you're actually using WMP). But since it's part of the windows family of products, the bad guys can use it to track your web browser as well.)

It's too much to hope that this announcement means that MS is going to revisit that strategy -- but it does sound like they're at least (at last!) admitting that it has its problems...
posted by ook at 9:19 AM on January 17, 2002

Previously, MS has had ABSOLUTELY NO security policy for developers. No official guidelines or training on how to write secure code at all -- completely unprofessional.

Now that developers are held responsible for the bone-headed decisions that they make, we probably won't see new projects that are designed insecurely, like Outlook. However, expect more holes like the Universal PnP one; they're bound to happen unless MS devotes half of their employees to continuous code review.
posted by Llama-Lime at 9:29 AM on January 17, 2002

that bastard paperclip

Maybe you don't realize that you can change the paperclip to an adorable kitten named Links?
posted by Zurishaddai at 11:58 AM on January 17, 2002

Yeah, like it was a developer who thought up that bastard paperclip.

"... The researcher, Eric Horvitz, and a small group of Microsoft colleagues did the original development work on the set of technologies that were intended to alert computer users when they were at junctures where they might need specific help in understanding complicated features of Microsoft's software. Indeed, while for many computer users the clip soon became an examplar of Microsoft's heavy-handed and boorish approach to software design, Mr. Horvitz maintains that this happened as a result of a poor carrying out of his original research."

More here...
posted by kindall at 12:28 PM on January 17, 2002