Windows 2000: Microsoft's most successful failure

  

Someone once asked Pablo Picasso which of his many paintings was his favorite. His answer: the next one. If you asked Microsoft CEO Steve Ballmer which version of Windows is the safest, guess what he would answer?

I noticed that Microsoft is preparing to release the last security patch, Rollup 5, for Windows 2000. It differs from the usual service pack and is more like a convenience patch: all hotfixes since SP4 are accumulated into one large installation package. The patch will be available before the end of this month, before Microsoft ends mainstream support for Windows 2000.

Five years: has it really been that long? I was once so eager to give up NT4 and install a shiny new Windows 2000. It seems as if that happened not long ago. But think about it: so much has happened in the past five years. The Internet has changed, security has changed, and the world has changed.

I think that in the history of Microsoft's development, Windows 2000 may be one of the biggest sources of negative news for the company. But it also made Microsoft what it is now. Microsoft once wanted Windows 2000 to be its safest system, but in fact it became an absolute security disaster. Microsoft has been trying not only to recover from that disaster, but also to turn security into a greater asset. It turns out that Windows 2000 is Microsoft's most successful failure to date.

The situation in 2000 was different from the present. Programmers had shown that the millennium bug would not bring much trouble. We passed January 1, 2000 successfully, and everything went smoothly. With the arrival of Windows 2000 in the first quarter, more people began to take an interest in security, and Windows was a good place to start. At the same time, some new Windows hackers began to appear.

In the year of Windows 2000, vulnerabilities were constantly being discovered, many of them affecting IIS. Once a hacker found that the target was an IIS-based site, they could be sure of finding a way to break into it. In other words, no matter how big the company was, its IIS server could be hacked in a matter of minutes. This situation continued until 2001.

Was the situation really that bad? Indeed. Unfortunately, many intrusions were silent, and the companies that had been attacked were unaware of them. Banks, government, military, and commercial sites were all hacked. But can you really blame Microsoft completely? Most hackers were not highly skilled; they were just exploiting vulnerabilities that Microsoft had already fixed but for which people had not installed the patches. At that time, no matter how hard we tried, no one seemed to accept the importance of security. It was almost impossible to sell security products. I remember once asking another consultant, "What can we do to get people to pay attention to security? Is it necessary to hack everyone to make them understand its importance?"

The situation changed starting in May 2001. I started getting calls from companies to which I had previously tried to sell security services, but which had never shown any interest. Now they needed my help because something had happened. Many sites were defaced with words such as: "fu*k US government, fu*k PoizonBOx (a US hacker)." At that time many companies experienced worm attacks. Of course, it was definitely not the last time.

The interesting thing about the sadmind/IIS worm is that it brought some work to the security industry, but that was nothing compared with what happened in July.

I still remember that day very clearly: the network became very slow, my intrusion detection system (IDS) was about to crash, and I found many messages from Marc Maiffret appearing on various security mailing lists. People later called it Code Red. Almost everyone was infected with it at the time.

From that night on, I knew that most of us would no longer work as before; that was the 9/11 of Internet security. But it was not the end, just the beginning of a more serious nightmare. By the end of the year, if you connected a Windows machine to the network, it could be infected with more than a dozen viruses before you had the chance to get the latest patches. And now it doesn't even take five minutes.

There were voices of condemnation everywhere. Some people condemned security experts for revealing vulnerabilities. Looking at the roots of every major virus, you almost always find that it exploits a vulnerability disclosed by some security expert. Some people claim that if security experts did not disclose these vulnerabilities, hackers would not attack them. But this argument is weak, because some hackers already know about these vulnerabilities and exploit them in secret, whether or not you disclose them openly.

People condemned Microsoft, but let's look at the real situation: does a system administrator really need more than 6 months to install an update? Yes, the buggy code was written by Microsoft programmers, but at that time, what was the difference between them and most programmers? Were they not a reflection of the security attitude of society as a whole? A lot of the code had been written 5 years earlier, when security was a value-added feature rather than a user requirement. Administrators at that time were also lazy.

The problem was that you couldn't simply go to the Windows Update site to see which patches you needed to install. You had to browse through the entire patch list one by one to confirm which ones you had not installed. To make matters worse, Microsoft released so many fixes that administrators could not install patches quickly and attentively. I have to admit that Microsoft's patch strategy was really very confusing at the time. Everything was uncoordinated, and there was a lack of communication.

Then something rarely seen in the corporate world occurred. Microsoft not only began to take responsibility, but made fixing its failures its top priority. They stopped trying to maintain their image and began to admit that they had security issues that needed to be patched. As Bill Gates put it in his famous Trustworthy Computing Memorandum, "This is a challenge that only Microsoft can solve."

Most people were contemptuous of this statement. The memo sounded great, but it could not be turned into reality quickly. We really wondered what had made them suddenly change their attitude and start changing from then on.

But Gates was right: Microsoft was the only candidate in a position to solve this problem. They invested a lot of money, and things slowly started to change. Microsoft began to discuss the security issues it already knew about and to take part in more security conferences. An IIS server was no longer easy for just anyone to break into. Even more surprising, when Windows XP SP2 arrived last year, we found that security features had taken priority over all other features.

Of course, Microsoft still has a lot of work to do. The emergence of Shockwave and the SQL Server worm led them to put their own emergency response plan in place. By the time Oscillating Wave appeared, they had reduced their recovery time to five days, much faster than the 38 days for Shockwave. The establishment of the Microsoft Security Response Center (MSRC) showed us signs of success. Of course, this is not the final victory, but they now have a real ability to respond.

Microsoft's problems did not benefit only Microsoft: we are all now more vigilant about security. My mother-in-law is already talking about firewalls. My neighbor occasionally mentions a phishing attack in conversation. The other day I heard my son explaining to his brother the trouble caused by Trojan software.

Microsoft may need a decade and many more secure products before it can finally declare victory over security problems, but it now has the infrastructure, the experience and the key elements to make these changes.
