That's like judging the Blue Angels pilots to be the worst in the world, based upon the fact that they have the highest death rate per flight hour. The judgement should be a bit more nuanced than that.
It's fair to say Microsoft doesn't have a great track record over the last several decades with security of their flagship OS. A lot of the nightmares customers have suffered are a direct result of this, either inherent bugs or failing to nudge developers on their platform in the right direction with well thought out, friction-free best practices and tooling.
For sure they have a lot of insight to share, but it would be nice to see them address this before touting their laurels. (Yes, they've gotten a lot better, but in my opinion still nowhere near as bulletproof as it should be.)
> It's fair to say Microsoft doesn't have a great track record over the last several decades with security of their flagship OS.
Nope, not fair or accurate at all. Their track record has been great, and it's likely you are judging them for transparency mixed with a reputation from >20 years ago. They have a good record of patching security holes; if we all assumed that more patches = worse security, it would only incentivize companies to be quiet.
As for development, again over the past decade, they've been completely different from the past, and are fully embracing and pushing best practices. As other commenters like to point out, this is not your grandpa's Microsoft.
> but in my opinion still nowhere near as bulletproof as it should be).
Assuming that security should be bulletproof is a misunderstanding of how security works.
I would agree; the Windows OS has really matured since XP, from a security perspective at least.
I would definitely expect better than this from a tech giant like MS. When was the last time Google, Meta, or Apple got breached like this?
Edited to add: I think them open sourcing some security training is good; it benefits everyone whether or not MS themselves are a great example of a secure company.
The slingshot penetrating your tank armor is not a helpful failure. Except for telling you that your processes are so wildly off base that you need to start over.
People who claim this kind of failure is useful are clueless. Failures are interesting in exploratory processes and useful when occurring within a predicted failure regime (i.e., testing to failure). Unexpected failures in predicted success regimes just indicate process weaknesses. Repeated and continuous failures in similar fashions do not indicate strength; they indicate structural process deficiencies, despite what cybersecurity bozos would like you to believe.
Yes, but people forget faster than they blink.
And all the ransomware putting down utilities is attributed to user error, not to the OS happily running every URL from the internet.
Look at the number of vulnerabilities introduced by Windows version. It's good that they're fixing them frequently, but the fact that they need to do so in the first place (and there's more and more of them with each new version) is itself a problem.
Can you even link to a single technically competent offensive specialist that states a Microsoft system would be difficult to break into? Just to make it concrete, let’s go with a really low bar like one skilled person over one year.
For that matter, can you link to anybody technically competent at Microsoft who would dare to make a claim like that and then actually back it up with experimental evidence? No point listening to the blather of the Microsoft PR team when the silence of the technical team tells you all you need to know.
Their flagship OS has an administrative culture of "ClickOps", and effective security is built around practices that are antithetical to that sort of culture.
Microsoft does take security pretty seriously with Windows. There have been times they make mistakes, but historically, they are doing better now than they were in the early 2000s, before Bill Gates sent a memo noting that they needed to take security seriously. You could argue they take security as seriously as any major player like Apple and Google, seeing they touch a lot of private user data.