Slashdot Mirror

> I'm not sure how many people have used internet explorer...

How many windows installs are there? There's your answer...

> if you go to the wrong website, not click on anything, simply go there...

List of unpatched IE vulns.

Just one? Here are thirteen in Internet Explorer alone ...

From The Relevance of Adam Smith by Robert L. Hetzel.
With added commentary by yours truly...

MONOPOLY AND GOVERNMENT SUBSIDIES: The principal theme set forth in The Wealth of Nations is that a country most effectively promotes its own wealth by providing a framework of laws that leaves individuals free to pursue the interest they have in their own economic betterment. This self-interest motivates individuals? propensity to truck, barter, and exchange one thing for another and thereby leads them to meet the needs of others through voluntary cooperation in the market place:

...man has almost constant occasion for the help of his brethren, and it is in vain for him to expect it from their benevolence only. He will be more likely to prevail if he can interest their self-love in his favour, and shew them that it is for their own advantage to do for him what he requires of them. Whoever offers to another a bargain of any kind, proposes to do this. Give me that which I want, and you shall have this which you want, is the meaning of every such offer; and it is in this manner that we obtain from one another the far greater part of those good offices which we stand in need of. It is not from the benevolence of the butcher, the brewer, or the baker, that we expect our dinner, but from their regard to their own interest. We address ourselves, not to their humanity but to their self-love, and never talk to them of our own necessities but of their advantages. (p. 14)

Smith also argues that the harmony between private goals and larger socially desirable goals promoted by voluntary cooperation between individuals in the market place is interfered with by monopoly and government subsidies. In contrast to competition, monopoly and government subsidies cause individuals to devote either too few or too many resources to particular markets:

....the private interests and passions of individuals naturally dispose them to turn their stock towards the employments which in ordinary cases are most advantageous to the society. But if from this natural preference they should turn too much of it towards those employments, the fall of profit in them and the rise of it in all others immediately dispose them to alter this faulty distribution. Without any intervention of law, therefore, the private interests and passions of men naturally lead to divide and distribute the stock of every society, among all the different employments carried on in it, as nearly as possible in the proportion which is most agreeable to the interest of the whole society.

All the different regulations of the mercantile system, necessarily derange more or less this natural and most advantageous distribution of stock. (pp. 594-5)
Every derangement of the natural distribution of stock is necessarily hurtful to the society in which it takes place; whether it be by repelling from a particular trade the stock which would otherwise go to it, or by attracting towards a particular trade that which would not otherwise come to it. (p. 597)

Smith describes the actions of monopolists as follows:

The monopolists, by keeping the market constantly under-stocked, by never fully supplying the effectual demand, sell their commodities much above the natural price, and raise their emoluments, whether they consist in wages or profit, greatly above their natural rate. (p. 61)

The natural price is the lowest which the sellers can commonly afford to take, and at the same time continue their business. (p. 61) Today we would use the word competitive for natural. The effectual demand is the demand of those who are willing to pay the natural price of the commodity. (p. 56) Monopoly, as well as a governmentally subsidized activity, contrasts with a competitive market where a commodity is...sold precisely for what it is worth, or for what it really costs the person who brings it to market. (p. 55)
The Wealth of Nations contains three general kinds of criticism of monopolies. The first is that the higher prices in a monopolized market reduce the welfare of consumers:

If...capital is divided between two different grocers, their competition will tend to make both of them sell cheaper, than if it were in the hands of one only; and if it were divided among twenty, their competition would be just so much the greater, and the chance of their combining together, in order to raise the price, just so much the less. Their competition might perhaps ruin some of themselves; but to take care of this is the business of the parties concerned, and it may safely be trusted to their discretion. It can never hurt either the consumer, or the producer; on the contrary, it must tend to make the retailers both sell cheaper and buy dearer, than if the whole trade was monopolized by one or two persons. (pp. 342-3)
In every country it always is and must be the interest of the great body of the people to buy whatever they want of those who sell it cheapest. The proposition is so very manifest, that it seems ridiculous to take any pains to prove it; nor could it ever have been called in question, had not the interest sophistry of merchants and manufacturers confounded the common sense of mankind. Their interest is, in this respect, directly opposite to that of the great body of the people. As it is the interest of the freemen of a corporation to hinder the rest of the inhabitants from employing any workmen but themselves, so it is the interest of the merchants and manufacturers of every country to secure to themselves the monopoly of the home market. (p. 461)

The second criticism of monopoly is that it engenders inefficient management:

Monopoly...is a great enemy to good management, which can never be universally established but in consequence of that free and universal competition which forces everybody to have recourse to it for the sake of self-defence. (p. 147)

The third criticism of monopoly is that it is inequitable because it increases arbitrarily the inequality in individuals? incomes:

...The policy of Europe occasions a very important inequality in the whole of the advantages and disadvantages of the different employments of labour and stock, by restraining the competition in some employments to a smaller number than might otherwise be disposed to enter into them. (pp. 118-19)

Monopoly has always been a contentious issue in debates on public policy in the United States. It is interesting to examine the way in which the ideas of Smith appear in current debates over monopoly. In general, proponents of government intervention in the market place argue that monopoly is endemic in capitalism and that its elimination requires significant intervention by the government in the market place. An opposing group argues that free markets effectively restrain monopoly power and that it is in fact government intervention in the market place that is chiefly responsible for monopoly. The first group assumes that large size, fewness of firms, and operation over an extensive geographic area automatically imply monopoly power and thus supports its position by citing the existence of industries dominated by a few large firms and the existence of multinational corporations. The opposing group supports its position by trying to show that where monopoly power exists it is made possible by particular governmental actions, e.g., in the United States by marketing orders that fix the price of milk above what it would be otherwise, or FCC regulations restricting the growth of cable TV, thereby preventing competition with the established networks.

The view of the world suggested in The Wealth of Nations is that monopoly power cannot persist without the assistance of government. The specific examples of monopoly that Adam Smith attacked required the police power of the state for their maintenance. These monopolies were of three kinds. One kind of monopoly depended upon the mercantilistic system of laws which England used to monopolize trade with its colonies: Monopoly of one kind or another, indeed, seems to be the sole engine of the mercantile system. (p. 595) Another kind arose from the monopoly power granted guilds (referred to by Smith as corporations), which allowed them exclusive rights to produce a given commodity:

The exclusive privilege of an incorporated trade necessarily restrains the competition, in the town where it is established, to those who are free of the trade. To have served an apprenticeship in the town, under a master properly qualified, is commonly the necessary requisite for obtaining this freedom. The bye-laws of the corporation regulate sometimes the number of apprentices which any master is allowed to have, and almost always the number of years which each apprentice is obliged to serve. The intention of both regulations is to restrain the competition to a much smaller number than might otherwise be disposed to enter into the trade. The limitation of the number of apprentices restrains it directly. A long term of apprenticeship restrains it more indirectly, but as effectually, by increasing the expence of education. (p. 119)
The government of towns corporate was altogether in the hands of traders and artificers; and it was the manifest interest of every particular class of them, to prevent the market from being overstocked, as they commonly express it, with their own particular species of industry; which is in reality to keep it always understocked. (p. 124)

A final kind of monopoly depended upon tariffs and quotas that prevented foreign producers from competing with domestic producers:

The superiority which the industry of the towns has every-where in Europe over that of the country, is not altogether owing to corporations and corporation laws. It is supported by many other regulations. The high duties upon foreign manufactures and upon all goods imported by alien merchants, all tend to the same purpose. Corporation laws enable the inhabitants of towns to raise their prices, without fearing to be under-sold by the free competition of their own countrymen. Those other regulations secure them equally against that of foreigners. (p. 127)

Competitive markets restrain monopoly because the above-average profits associated with the exercise of monopoly power attract new producers who increase output and thereby lower prices:

When by an increase in the effectual demand, the market price of some particular commodity happens to rise a good deal above the natural price, those who employ their stocks in supplying that market are generally careful to conceal this change. If it was commonly known, their great profit would tempt so many new rivals to employ their stocks in the same way, that, the effectual demand being fully supplied, the market price would soon be reduced to the natural price.... Secrets of this kind, however, it must be acknowledged, can seldom be long kept; and the extraordinary profit can last very little longer than they are kept. (p. 60)

Monopolists can preserve their favorable position only if the government prevents potential competitors from entering the monopolized activity:

The exclusive privileges of corporations, statutes of apprenticeship, and all those laws which restrain, in particular employments, the competition to a smaller number than might otherwise go into them, have the same tendency...They...may frequently, for ages together, and in whole classes of employments, keep up the market price of particular commodities above the natural price, and maintain both the wages of the labour and the profits of the stock employed about them somewhat above their natural rate.

Such enhancements of the market price may last as long as the regulations of police which give occasion to them. (pp. 61-2)

Free markets make the formation of monopoly difficult because monopoly requires the adherence of all actual and potential sellers in a market. Self-interest makes achievement of such adherence difficult because each seller has an incentive to undercut the monopoly price in order to increase his share of the market. Monopoly power is increased or made possible if enforced by the government. In the following passage Smith refers to the guilds, or corporations, of his day:

An incorporation...makes the act of the majority binding upon the whole. In a free trade an effectual combination cannot be established but by the unanimous consent of every single trader, and it cannot last longer than every single trader continues of the same mind. The majority of a corporation can enact a bye-law with proper penalties, which will limit the competition more effectually and more durably than any voluntary combination whatever. (p. 129)

Smith?s ideas appear in current public debate over monopoly. Advocates of deregulating the transportation and communications industries by eliminating or reducing the power of Federal regulatory agencies argue that these agencies promote monopoly by limiting the entry of new firms and by fixing prices for all producers. Government regulations enforced upon all firms in an industry have the effect of allowing producers to eliminate competition and to raise prices. At the same time, lack of competition reduces incentives for efficient production.

> Yeah, ever since i switched to IE, i never come across any!

Yeah and I feel sorry for your stupidity: http://pivx.com/larholm/unpatched/

You are not funny moron!

Yes, I know the parent was sarcastic.

Oh yes, and I bet you love every single one of the security holes built into IE?

Unpatched IE security holes

If you're using IE, you're running a piece of software *on your machine* which is advertising and providing the ability for a web page to basically screw your system up. If precisely this happens...well, you should have tried another browser. :-)

At any given time there are a dozen or so security holes in Internet Explorer. Right now there are 19 security holes in the latest version of Internet Explorer, with all patches and service packs applied.

La la la la exploit, la la la la description of exploit, la la la la list of many other unpatched IE holes, some are over a year old. This one in particular is over 4 months old.

Unpatched IE security holes scared yet?

Go ahead, use IE and I'll laugh my ass off when you get infected with some systemfucking virus or get otherways anally screwed.

Microsoft decided to not provide an UI to define default font size in the Internet Explorer. Consider this being equivalent to a TV set without an option to adjust volume. Some web "designers" feel that they have to compensate the fact that the MS engineer decided to specify "too large" default font size.

I'm so SICK of hearing people bitch about this. Maybe you morons should use a different browser if your current shitty one doesn't support such rudimentary features.

Uh? Perhaps you should reread my post? The word "some" doesn't include me. You might be speaking about yourself in 3rd person but I don't do that. I was bitching about the fact that because MSIE is buggy and it has many users some web "designers" feel that they must break some rules to make a web page to compensate some of those bugs. Nevermind the fact that those "fixes" break any standards-compiliant browser. I don't use MSIE, I don't support it and I always try to code according to the recommended spec--but there're many others doing something else.

I hope you don't touch the font-size. Or at least specify it as "100%" or "1em". This is important because otherwise correctly configured browsers display the characters too small.

Way too many websites use styles like p {font-family: verdana, sans-serif; font-size: 85%;}. This rule is saying that the author of the page thinks that the page looks best when viewed with font face called "verdana" with a font size of 85% of the size the user has selected she is comfortable with. I'm ok with suggesting a font face but no way normal text should be made smaller than I've set in the preferences. This situation is caused by two reasons:

• Microsoft decided to not provide an UI to define default font size in the Internet Explorer. Consider this being equivalent to a TV set without an option to adjust volume. Some web "designers" feel that they have to compensate the fact that the MS engineer decided to specify "too large" default font size. (MSIE does have view-text size menu but it has only 5 choices and in addition the feature has many bugs.)
• Verdana looks better with small font sizes. The problem is, verdana looks bigger than most other fonts so the font-size "has to" be modified to be much smaller for verdana to look good. This results to really small fonts if user's system cannot provide font face called "verdana" or it's different from the one distributed by Microsoft

The above issues, joined with the fact that MSIE is the most common browser and verdana is distributed alongside MSIE practically guarantee that change to the better isn't going to happen unless majority of web "designers" get a clue. I've already lost faith that majority of the users would have some clue (MSIE with all the latest patches applied: still 11 security holes with publicly available exploits. Scary, eh?).

Fortunately, Mozilla does have minimum font-size setting. Unfortunately, some web sites define such a small font sizes that my minimum of 9px is hit with H1 level headers--so all headers look the same and paragraph text is the same size as all the headers.

[sales] And here we have our 300 series machine
[cust ] Neat! (opens IE)
[cust ] It seems a little slow opening up a browser; I thought you said it was fast?
[sales] It is! It just appears slow because we're maxing out the processor.
[cust ] Why would you do that on a display machine that's supposed to be showing off the machine's strengths?
[sales] We make $0.03/hour crunching numbers in the background.
[cust ] (on cellphone) Honey.. sell the Gateway stock. They're obviously in trouble.

Oh please! Seems quite clear to the rest of us who the worst actually is.

Sure. Minor. A dozen lines of javascript on an untrusted site can do quite literally anything (within the permissions the user has, which tends to be pretty lax on NT), and it's minor.

Well, I guess it's a good thing there Aren't very many of these minor bugs.

This link on unpatched security holes did not work in the post above. Sorry.

I didnt say that I never update my system- most weeks I don't have to though.

Imagine what life would be like if they actually kept up with security issues!

That number has been above 30 for several months, AFAIK. Imagine if the code was opened, or if that list included other aspects of the operating system besides the browser, etc.

Even if Windows installation/maintenance was as easy as you claim (which it most definitely isn't -- anyone claiming otherwise hasn't used it enough, or on enough different hardware), I still wouldn't use it. They've proven time and time again that they shouldn't be trusted with your data.

Here's a link. On November 6, 2002, there were 31 security vulnerabilities in Microsoft Internet Explorer

The link is taken from: Windows XP Shows the Direction Microsoft is Going.. If Spanish is your native language: Windows XP muestra la dirección que Microsoft está tomando.

IE has 31 unpatched public vulnerabilities at the moment. Not long ago it was 32. Imagine how many would be discovered if we had even a small portion of the IE source code. ;)

MONOPOLY AND GOVERNMENT SUBSIDIES: The principal theme set forth in The Wealth of Nations is that a country most effectively promotes its own wealth by providing a framework of laws that leaves individuals free to pursue the interest they have in their own economic betterment. This self-interest motivates individuals? propensity to truck, barter, and exchange one thing for another and thereby leads them to meet the needs of others through voluntary cooperation in the market place:

...man has almost constant occasion for the help of his brethren, and it is in vain for him to expect it from their benevolence only. He will be more likely to prevail if he can interest their self-love in his favour, and shew them that it is for their own advantage to do for him what he requires of them. Whoever offers to another a bargain of any kind, proposes to do this. Give me that which I want, and you shall have this which you want, is the meaning of every such offer; and it is in this manner that we obtain from one another the far greater part of those good offices which we stand in need of. It is not from the benevolence of the butcher, the brewer, or the baker, that we expect our dinner, but from their regard to their own interest. We address ourselves, not to their humanity but to their self-love, and never talk to them of our own necessities but of their advantages. (p. 14)

Smith also argues that the harmony between private goals and larger socially desirable goals promoted by voluntary cooperation between individuals in the market place is interfered with by monopoly and government subsidies. In contrast to competition, monopoly and government subsidies cause individuals to devote either too few or too many resources to particular markets:

....the private interests and passions of individuals naturally dispose them to turn their stock towards the employments which in ordinary cases are most advantageous to the society. But if from this natural preference they should turn too much of it towards those employments, the fall of profit in them and the rise of it in all others immediately dispose them to alter this faulty distribution. Without any intervention of law, therefore, the private interests and passions of men naturally lead to divide and distribute the stock of every society, among all the different employments carried on in it, as nearly as possible in the proportion which is most agreeable to the interest of the whole society.

All the different regulations of the mercantile system, necessarily derange more or less this natural and most advantageous distribution of stock. (pp. 594-5)
Every derangement of the natural distribution of stock is necessarily hurtful to the society in which it takes place; whether it be by repelling from a particular trade the stock which would otherwise go to it, or by attracting towards a particular trade that which would not otherwise come to it. (p. 597)

Smith describes the actions of monopolists as follows:

The monopolists, by keeping the market constantly under-stocked, by never fully supplying the effectual demand, sell their commodities much above the natural price, and raise their emoluments, whether they consist in wages or profit, greatly above their natural rate. (p. 61)

The natural price is the lowest which the sellers can commonly afford to take, and at the same time continue their business. (p. 61) Today we would use the word competitive for natural. The effectual demand is the demand of those who are willing to pay the natural price of the commodity. (p. 56) Monopoly, as well as a governmentally subsidized activity, contrasts with a competitive market where a commodity is...sold precisely for what it is worth, or for what it really costs the person who brings it to market. (p. 55)
The Wealth of Nations contains three general kinds of criticism of monopolies. The first is that the higher prices in a monopolized market reduce the welfare of consumers:

If...capital is divided between two different grocers, their competition will tend to make both of them sell cheaper, than if it were in the hands of one only; and if it were divided among twenty, their competition would be just so much the greater, and the chance of their combining together, in order to raise the price, just so much the less. Their competition might perhaps ruin some of themselves; but to take care of this is the business of the parties concerned, and it may safely be trusted to their discretion. It can never hurt either the consumer, or the producer; on the contrary, it must tend to make the retailers both sell cheaper and buy dearer, than if the whole trade was monopolized by one or two persons. (pp. 342-3)
In every country it always is and must be the interest of the great body of the people to buy whatever they want of those who sell it cheapest. The proposition is so very manifest, that it seems ridiculous to take any pains to prove it; nor could it ever have been called in question, had not the interest sophistry of merchants and manufacturers confounded the common sense of mankind. Their interest is, in this respect, directly opposite to that of the great body of the people. As it is the interest of the freemen of a corporation to hinder the rest of the inhabitants from employing any workmen but themselves, so it is the interest of the merchants and manufacturers of every country to secure to themselves the monopoly of the home market. (p. 461)

The second criticism of monopoly is that it engenders inefficient management:

Monopoly...is a great enemy to good management, which can never be universally established but in consequence of that free and universal competition which forces everybody to have recourse to it for the sake of self-defence. (p. 147)

The third criticism of monopoly is that it is inequitable because it increases arbitrarily the inequality in individuals? incomes:

...The policy of Europe occasions a very important inequality in the whole of the advantages and disadvantages of the different employments of labour and stock, by restraining the competition in some employments to a smaller number than might otherwise be disposed to enter into them. (pp. 118-19)

Monopoly has always been a contentious issue in debates on public policy in the United States. It is interesting to examine the way in which the ideas of Smith appear in current debates over monopoly. In general, proponents of government intervention in the market place argue that monopoly is endemic in capitalism and that its elimination requires significant intervention by the government in the market place. An opposing group argues that free markets effectively restrain monopoly power and that it is in fact government intervention in the market place that is chiefly responsible for monopoly. The first group assumes that large size, fewness of firms, and operation over an extensive geographic area automatically imply monopoly power and thus supports its position by citing the existence of industries dominated by a few large firms and the existence of multinational corporations. The opposing group supports its position by trying to show that where monopoly power exists it is made possible by particular governmental actions, e.g., in the United States by marketing orders that fix the price of milk above what it would be otherwise, or FCC regulations restricting the growth of cable TV, thereby preventing competition with the established networks.

The view of the world suggested in The Wealth of Nations is that monopoly power cannot persist without the assistance of government. The specific examples of monopoly that Adam Smith attacked required the police power of the state for their maintenance. These monopolies were of three kinds. One kind of monopoly depended upon the mercantilistic system of laws which England used to monopolize trade with its colonies: Monopoly of one kind or another, indeed, seems to be the sole engine of the mercantile system. (p. 595) Another kind arose from the monopoly power granted guilds (referred to by Smith as corporations), which allowed them exclusive rights to produce a given commodity:

The exclusive privilege of an incorporated trade necessarily restrains the competition, in the town where it is established, to those who are free of the trade. To have served an apprenticeship in the town, under a master properly qualified, is commonly the necessary requisite for obtaining this freedom. The bye-laws of the corporation regulate sometimes the number of apprentices which any master is allowed to have, and almost always the number of years which each apprentice is obliged to serve. The intention of both regulations is to restrain the competition to a much smaller number than might otherwise be disposed to enter into the trade. The limitation of the number of apprentices restrains it directly. A long term of apprenticeship restrains it more indirectly, but as effectually, by increasing the expence of education. (p. 119)
The government of towns corporate was altogether in the hands of traders and artificers; and it was the manifest interest of every particular class of them, to prevent the market from being overstocked, as they commonly express it, with their own particular species of industry; which is in reality to keep it always understocked. (p. 124)

A final kind of monopoly depended upon tariffs and quotas that prevented foreign producers from competing with domestic producers:

The superiority which the industry of the towns has every-where in Europe over that of the country, is not altogether owing to corporations and corporation laws. It is supported by many other regulations. The high duties upon foreign manufactures and upon all goods imported by alien merchants, all tend to the same purpose. Corporation laws enable the inhabitants of towns to raise their prices, without fearing to be under-sold by the free competition of their own countrymen. Those other regulations secure them equally against that of foreigners. (p. 127)

Competitive markets restrain monopoly because the above-average profits associated with the exercise of monopoly power attract new producers who increase output and thereby lower prices:

When by an increase in the effectual demand, the market price of some particular commodity happens to rise a good deal above the natural price, those who employ their stocks in supplying that market are generally careful to conceal this change. If it was commonly known, their great profit would tempt so many new rivals to employ their stocks in the same way, that, the effectual demand being fully supplied, the market price would soon be reduced to the natural price.... Secrets of this kind, however, it must be acknowledged, can seldom be long kept; and the extraordinary profit can last very little longer than they are kept. (p. 60)

Monopolists can preserve their favorable position only if the government prevents potential competitors from entering the monopolized activity:

The exclusive privileges of corporations, statutes of apprenticeship, and all those laws which restrain, in particular employments, the competition to a smaller number than might otherwise go into them, have the same tendency...They...may frequently, for ages together, and in whole classes of employments, keep up the market price of particular commodities above the natural price, and maintain both the wages of the labour and the profits of the stock employed about them somewhat above their natural rate.

Such enhancements of the market price may last as long as the regulations of police which give occasion to them. (pp. 61-2)

Free markets make the formation of monopoly difficult because monopoly requires the adherence of all actual and potential sellers in a market. Self-interest makes achievement of such adherence difficult because each seller has an incentive to undercut the monopoly price in order to increase his share of the market. Monopoly power is increased or made possible if enforced by the government. In the following passage Smith refers to the guilds, or corporations, of his day:

An incorporation...makes the act of the majority binding upon the whole. In a free trade an effectual combination cannot be established but by the unanimous consent of every single trader, and it cannot last longer than every single trader continues of the same mind. The majority of a corporation can enact a bye-law with proper penalties, which will limit the competition more effectually and more durably than any voluntary combination whatever. (p. 129)

Smith?s ideas appear in current public debate over monopoly. Advocates of deregulating the transportation and communications industries by eliminating or reducing the power of Federal regulatory agencies argue that these agencies promote monopoly by limiting the entry of new firms and by fixing prices for all producers. Government regulations enforced upon all firms in an industry have the effect of allowing producers to eliminate competition and to raise prices. At the same time, lack of competition reduces incentives for efficient production.

Huh lets see Windows Players ?

1- Mighty Netbios ( Most secure protocol invented since '95! )

2- Unicode File Traversal Vulnerability. Appeared like 1-1.5 year ago. Still some servers vulnerable

3- Melisa & IloveYou & others countlessly many Ms Word worms

4- Nimda & CodeRed variants. Millions of computers got intruded in one day.

5- Internet Explorer got 20 unfixed vulnerabilites today according to http://www.pivx.com/larholm/unpatched

6- Windows XP UPnP Vulnerability got public after the week XP was released....

Now come on doesnt matter how clueless you are Windows is not *really* engineered for security!

If you are using IE, your computer is vunerable to numerous security breaches

Yes. If you're not downloading security updates.

"2 October 2002: There are currently 20 unpatched vulnerabilities." - tho it looks like that's counting a few that are patched in 6 but not 5.5, which is rather strange. I mean why would you keep 5.5 if you're patching everything?

Sounds like a Microsoft sales person is influencing the University. Here are some reasons why Windows XP is less than perfect: Windows XP Shows the Direction Microsoft is Going.

What is interesting, and unfortunate, is that Windows XP's faults are mostly avoidable. It seems that the problems are sociological, rather than technical. Microsoft seems to have become self-destructive, like Tyco and Enron. (Okay, even more self-destructive.)

By far the best marketing for Linux and BSD is Microsoft. It doesn't have to be that way. The cost to a corporation for someone working at a desk with a computer is so high that the cost of Windows is not a deciding factor. Linux is beginning to win, not because of the price, but because people don't like to be abused, and don't like the ridiculous security risks: (from the article)

"... as of September 9, 2002, there are 19 security vulnerabilities in Microsoft Internet Explorer [pivx.com]. (On August 8, 2002, there were 22, so some progress is being made.) This is a terrible record for a company that has $40 billion in the bank. Obviously, with that kind of money, Microsoft could fix the bugs if it wanted to fix them."

Being a Unix admin just requires a higher level of understanding what's going on in your computer, so, Unix admins are usually smarter than their Windows colleagues. Exceptions may occur.

> ...is that the bug has apparently been a known one for months, and still hasn't been repaired.

Oh, give me a break. This flaw is so minor that I am not even going to bother to install the fix (I will wait for the next Mozilla release).

This bug allows a website to see the URL of the next site you are going to. It is little different from what all browsers have always done, when they provide the URL of the site you came from. If either one worries you, then just click on "home" before typing in a URL.

So how "disturbed" should you be? Let's put this case into perspective. Let's look at some of the IE security holes that Microsoft is currently sitting on, in some cases for over six months...

There are currently _19_ unpatched security holes in IE.

Here are some samples:

> Who framed Internet Explorer
> Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.

> MS JVM native method vulnerabilities
> Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.

> WMP Stench
> Description: Silent delivery and installation of an executable on a target computer

> Java XMLDSO base tag
> Description: Arbitrary local file reading.

> delegated SSL authority
> Description: HTTPS spoofing, man-in-the-middle attacks, etc.

> document.domain parent DNS resolver
> Description: Improper duality check leading to firewall breach

> CTRL-key file upload focus
> Description: Local file reading, downloading and executing arbitrary code.

> IE https certificate attack
> Description: Undetected SSL man-in-the-middle attacks, decrypting SSL-encrypted traffic in realtime.
> Published: December 22 2001 ( Stefan Esser )
> Published: June 6 2000 ( ACROS )
> Status: Initially fixed in IE4 and early IE5s by MS00-039, re-introduced by a later patch.

Arbitrary command execution? Local file reading? Escaping the sandbox? HTTPS spoofing? Firewall breach? Decrypting SSL-encrypted traffic? Yikes!!!

Of the nineteen open security holes in IE, nine of them allow binary executable code to be run on your computer.

Compared to that, this Mozilla bug is so minor that it barely deserves mentioning.

The poster asks:

> But why is it when its an IE bug, its a "Severe Security Exploit", and when its a Mozilla bug, its a "Privacy Leak"...

And it is currently rated as "Score:5, Insightful".

I fear that Slashdot's moderation facility is being used by Microsoft as another FUD tool. While some posters try to moderate honestly, Microsoft astroturfers moderate each others' posts up, thus increasing their karma, and giving themselves more power to moderate.

There is no objective basis by which the above post could be considered "insightful".

In fact, the above post is completely stupid.

The post suggests there is something wrong when some IE vulnerabilities have been rated "Severe", while this Mozilla vulnerability is just rated as a "Privacy Leak".

Let's consider that.

Should this Mozilla problem be considered as "severe"? Hardly. As others have pointed out, providing the URL of the site you are going to is not that different from what all browsers have always done when they provide the URL of the site you came from. In fact, the problem is so minor that I am not even going to bother installing the fix until the next browser release comes out. When referring to this problem, the words "Privacy Leak" are, if anything, too strong.

On the other hand, let's consider some of the _19_ currently unpatched security holes in IE.

Here are some samples:

> Who framed Internet Explorer
> Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.

> MS JVM native method vulnerabilities
> Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.

> WMP Stench
> Description: Silent delivery and installation of an executable on a target computer

> Java XMLDSO base tag
> Description: Arbitrary local file reading.

> delegated SSL authority
> Description: HTTPS spoofing, man-in-the-middle attacks, etc.

> document.domain parent DNS resolver
> Description: Improper duality check leading to firewall breach

> CTRL-key file upload focus
> Description: Local file reading, downloading and executing arbitrary code.

Arbitrary command execution? Local file reading? Escaping the sandbox? HTTPS spoofing? Firewall breach? Should any of those be considered "severe"? You betcha!

In fact, of the nineteen open security holes in IE, nine of them allow binary executable code to be run on your computer.

So clearly, the original poster is an idiot. Objectively, his post should be rated "Score:-1, Troll".

I would say that the posters who moderated his post up are even bigger idiots, but I don't believe that to be the case. Instead, I figure they're probably professional liars, being paid by Microsoft.

You are correct, but it's just a matter of time until MS's glacial turn around time, and outright refusal to fix certain bugs, combined with a "windows update" that often doesn't apply all the needed fixes, or installs patches that undo other patches.... I could go on...

Anyway, it's going to bite them, in a big way. Recently some "combination attacks" have formed, i.e. a series of non-critical security flaws that can be combined to gain total system access.

This is combined with their aggressive end-of-life program which EOLs software that is still in widespread use, completely dropping even critical security bugfix support for said software. As Windows 2000 nears EOL in a couple years, that is when we will really see the shit hit the fan. Hell, my girlfriend got a contract job to migrate systems from NT4 to 2000 last week. With no compelling reasons to upgrade, a lot of people are going to be running unpatchable systems in a couple years. Of course this is MS's whole strategy, to force people to upgrade their software just to get critical bugfixes.

I hope you enjoy being rooted by Chinese script kiddies. Don't believe me? 18 gaping holes in MS's pride and joy, IE. That's what you get for not using a Gecko-based browser or Opera.

It is not only Microsoft that is to blame for the creation of faulty software, said Chandra Mugunda, a software consultant with Dell Computer in Round Rock, Texas, who attended Valentine's presentation here. "It's an industry-wide problem, it's not just a Microsoft problem," he said. "But they're the leaders, and they should take the lead to solve these problems"

Valentine, too, took the opportunity to point out the widespread bugs that have been discovered in competing operating products such as Linux and Unix.

"Every operating system out there is about equal in the number of vulnerabilities reported," he said. "We all suck."

The result is that is far easier to exploit an easy, scriptable vulnerability in a Microsoft system, that has no patch for months, than to exploit a difficult, binary hole in a LInux/BSD system that has a patch within days.

Even with full access to the Mozilla source code, over the same time duration, only one single similar vulnerability was discovered in Mozilla. The fix was in the CVS source code within hours of the notifcation and new Mozilla binaries were avaliable within FOUR WORKING DAYS - Not MONTHS in the case of Microsoft's "Trustworthy" efforts.

Of course being a total anti-Microsoft comment, this little tidbit was conveniently left out.

>The fact of the matter is Windows is the most common target of hackers. They occasionall find stuff, it gets fixed.

No, the fact of the matter is that the oldest security hole still present in internet explorer is over...

2 years and 2 months old.

Look, if they ACTUALLY fixed their OS (and by OS I mean browser, which MS says is the OS) we wouldn't care. But, you see, since they don't care to fix their OS (and if you can't fix it in 2 years then you are one very pathetic uncaring company) then we will care to explain to others that they don't care.

Get it?

You can apply every security patch in the world, but IE is still lets any site read:

- Any and all of your files
- Run any code they please
- Upload files of their choosing
- Modify files they want to
- Delete files they want to
- Delete your BIOS so you can't boot up your computer
- Make your computer dial 911 constantly, tying up emergency systems
- Install viruses on your computer
- Make your computer do DDOS attacks
- Make your computer email bomb threats to the president under your name

All without warning you. And any amount of patching won't affect it.

Is that not serious enough? Do they need to set your computer on fire to make it serious enough? Does your computer have to reach out and throttle you before you see how serious it is?

Sheesh.

One interesting IE security resource happens to be PivX Solutions' "Unpatched IE Security Holes." Extensive information about many of the vulnerabilities addressed by this patch was available there months ago.

My original title (which was edited by michael for purposes of clarity, I'm assuming) failed to mention Office; the CNN story and Microsoft TechNet article didn't seem to coincide. However, it's entirely possible that a few shared components may be vulnerable. ;)

Ok, it's good that they are at least finding and fixing these, but how many ways to execute code through IE can there possibly be?!?

There already are 16 unpatched security holes in IE, and now there are even more holes. While these ones have patches out there, think about how many Windows users actually do patch their systems; it's not very many. For most home Windows users, there might as well not be a patch available, since they won't patch IE anyway.

In the mean time, I'm more than happy to keep using OpenOffice and Mozilla and know that arbitrary code won't be executed on my system if I click the "back" button. Thanks, Microsoft, for giving us yet another reason to use Mozilla.

An anonymous reader writes "A flaw in Apache 2.0's interpretation of the backslash delimiter allows for a remote r00ting on NetWare, Windows, and OS/2. InfoWorld has an overview; the attack was discoverd by PivX's Auriemma Luigi, and he describes it in this technical document. I don't know whether there is such a thing as an OS/2 shop anymore, and most Microsoft shops probably run IIS, but Apache now ships as the default web server for NetWare 6, so Novell shops: Take note. A patch is available from Apache, and Luigi describes a workaround in his article."

It's sad to say, but given all those unpatched bugs in Internet Explorer, this flaw is a minor issue. Why bother with DNS Spoofing etc., when you just can install and start any executable you want on your victim's computer?

It's funny that Microsoft always comments publicly on the minor bugs, but ignores the serious ones, just until they release a patch.

As an aside, Microsoft doesn't own the rights to Internet Explorer

Running out of phone numbers, bar-codes, melodies, and trademarks. I suddenly feel like the work has become a whole lot smaller, Thank godzilla we'll never run out of bugs!

• Unpatched IE vulnerabilities. The mere fact that the browser is so tightly integrated to the operating system makes this browser potentially more vulnerable.
• Mozilla tabbed browsing. 'nuff said
• Mozilla pop-up blocking
• Mozilla cookies management, tho it's also a good feature on IE5 for the mac, IE5 for the PC doesn't let you easily manage your existing cookies, I dunno if IE6 fixes this.

I completely disagree with your statement. While JavaScript might serve only aesthetic purposes when creating Web sites, it is an absolute necessity for creating Web-based applications.

To analogize JavaScript to a C++ compiler is pure sensationalism. JavaScript in its current iteration is designed to securely execute unknown and therefore potentially malevolent code. There are no flaws in the specification of the language, only in various implementations. Your statement that brand X Web browser is broken doesn't make your analogy any more relevant, as software from that company tends to be that way. If you're after security, I suggest upgrading your browser to one developed by folks who tend to be more careful in building their product and have a better history of responding to security issues.

If you want to avoid the annoyances of JavaScript, I suggest that you just don't visit sites with annoying ads. iVillage, Inc., being a for-profit corporation, isn't getting rid of pop-up advertising to improve your Internet experience, they are doing it to gain and keep visitors.

1. Application Layer Gateway Service (Requires server rights.)
2. Fax Service
3. File Signature Verification
4. Generic Host Process for Win32 Services (Requires server rights.)
5. Microsoft Application Error Reporting
6. Microsoft Baseline Security Analyzer
7. Microsoft Direct Play Voice Test
8. Microsoft Help and Support Center
9. Microsoft Help Center Hosting Server (Wants server rights.)
10. Microsoft Management Console
11. Microsoft Media Player (tells Microsoft the music you like)
12. Microsoft Network Availability Test
13. Microsoft Volume Shadow Copy Service
14. MS DTC Console program
15. Run DLL as an app
16. Services and Controller app
17. Time Service, sets the time on your computer from Microsoft's computer.
18. Microsoft Office keeps a number in each file you create that identifies your computer. Microsoft has never said why.
19. Microsoft mouse software has reduced functionality until you let it connect to Microsoft computers.

And what's all the fuss about "Zero Day" viruses? As far as I can tell via Google, "Zero Day" was 1/1/2000. So what's a "Zero Day virus"?

Well, ten years ago when I hung out with warez d00dz, "zero-day warez" meant bootleg software that had been cracked (the copy prevention routines removed) and released to BBSes by a cracker group on the same day it was released commercially. Surpassing that were "negative-day warez", where the software had been leaked from the manufacturer during mastering, and the cracked version was out before the "real" one. The sysop of one BBS I frequented had internal builds of a Microsoft product called "Chicago" in 1993; that product became what you may know as Windows 95.

In any event, the same terminology can apply to attacks. A "zero-day worm" is a worm written to exploit a vulnerability on the same day that the vulnerability is released (i.e. made public). In fact, this is not a very useful expression, for two reasons:

1. First, it implies that such a worm would be worse, or indeed more notable in any way, than a worm using an older vulnerability. Given that the most potent worms we have seen -- Code Red, Nimda, and Klez -- have used attacks that were known and patched for months at the time of the worms' release, this is an unfounded implication.
2. Second, it implies that the publishing of the vulnerability is necessary for the writing of a worm, or leads naturally to the writing of a worm -- and therefore that publishing is a bad thing. In fact, most published vulnerabilities are never widely exploited, and worms are written for only a tiny fraction. Moreover, a truly aggressive worm-writer would go out and discover new, unpublished holes, and write worms for those.

The worms we have seen recently have actually been a net benefit to security. They have shown us what is possible with old vulnerabilities on unpatched Microsoft systems, and their payloads have been, all in all, relatively mild. Sure, Code Red II spread a backdoor, and Sircam sent your files around -- but consider the damage if they had instead altered figures in spreadsheets or databases, or just gone writing random numbers to random sectors of your disk, like some of the old DOS viruses did. DoS floods go away; data corruption can take years to discover.

So it isn't the zero-day worms I'm worried about. It's the negative-day worms with real payloads. After all, unlike that from some vendors, the software I use has an established reputation for zero-day patches ....

> For the average person, Linux is completely worthless because it can't run the applications that they want.

You know that for a fact, huh? Just straight out? Linux is _worthless_ for the average person?

The arrogance of your statement astounds me.

Well, I consider myself to be an average computer user, and Linux does what I want on the desktop.

My sister and her husband are also average users, who don't know anything about computers, and Linux is doing everything they want as well.

My sister surfs the net, and sends e-mail, their daughter does school reports, and her husband maintains a "database" of baseball cards for trading. They all use Mozilla (formerly Netscape) and OpenOffice (formerly StarOffice), and the baseball card collection is tracked using the same tool that would have been used on Windows, namely, a spreadsheet.

If you were being more objective, then you would realize that Linux will do the job for many "average" users, while others, because of special application needs not yet met on Linux, must use Windows. Of course, there are still others who must use a Mac, or even an old Amiga.

> But if mom wants to run that off-the-shelf blackjack game [Linux has many card games, which very likely includes blackjack, or Linux users can run Mozilla and Java to access web-based blackjack], or recipe filing program [I'd have to check], etc, she is totally out of luck. [again with the arrogance]

> Even with Wine she is totally out of luck, since there is no way she would be able to install the program to run with Wine.

I wouldn't know, since I don't use Wine. I have not found the need to run any Windows software.

> Let's not even talk about setting up a home network with NAT,

I had no problem setting up my home network with Linux, and, when she asks, I will do the same for my sister (if she were running Windows, she would still ask me).

As to Network Address Translation, I assume you mean so that many computers can share the same Internet connection. Again, I had no problem taking an old 486, and installing a version of Linux intended for firewalls, and a little reading allowed me to set up the IPTables.

In the end, I feel much more secure about my home network, than I would if I were running Windows. Don't forget that IE currently has 19 unpatched vulnerabilities, some of which would allow an outsider to bypass your firewall and get to your home network:

http://www.pivx.com/larholm/unpatched/

> or installing new hardware.

Actually, I think Linux has the advantage here. While Windows 98 may be the king in terms of supporting the most peripherals, Linux supports more hardware that NT, 2000, or XP.

Plus, I can't tell you how many times I have installed new hardware (say a SCSI card) under Windows, just to watch Windows go into auto-detect hell, followed by something being broken (e.g. my mouse won't work).

> The typical consumer is unaware of Linux because Linux is a worthless solution to them.

Again with the arrogance. You are absolutely certain of that? No matter who the user is, Linux is _worthless_ to them? You have amazing psychic abilities.

> That will never change until Linux becomes a useful solution, and I have my doubts that that will ever change,

Oh, so now you can see into the future as well. Amazing!

> because the people who work on Linux have no motivation to make easy what John Q. Public considers important.

That is the opposite to what I have observed.

Linux developers are motivated to do what is right for Linux users, because the developers are also the users.

Contrast that with what Microsoft has done.

Do you think the Geoworks users really wanted Geoworks to stop working when they installed the next version of DOS? (Geoworks was the most popular application for home users at the time.)

Do you think the Ami Pro users really wanted Ami Pro to stop working when they installed Windows 95? (Ami Pro was the fastest growing word processor at the time, having already captured 20% of the market.)

Do you really think that Office 95 users wanted it to be impossible to trade documents with Office 97 users? (Who do you think benefitted from that, the user, or Microsoft?)

Do you really think that Netscape and WordPerfect users want to have most of IE and MS Office preloaded into memory?

Do you really think Microsoft officials were serving the public when they wrote the following:

> "I have heard it said that we want to allow our top 50 ISVs to be able to innovate on Windows as their primary platform, and port back onto their Unix platforms, but we don't want it to work too well." [Bristol vs Microsoft]

Or this:

> "at this point its [sic] not good to create MORE noise around our win32 java classes. Instead we should just quietly grow j++ share and assume that people will take advantage of our classes without ever realizing they are building win32-only java apps." [Sun vs Microsoft]

Or this:

> "Apple let us down on the browser by making Netscape the standard install." Gates then reported that he had already called Apple's CEO [Gil Amelio] to ask "how we should announce the cancellation of Mac Office...." [DOJ vs Microsoft]

Or this:

> "It's pretty clear we need to make sure Windows 3.1 only runs on top of MS DOS or an OEM version of it," and "The approach we will take is to detect dr 6 and refuse to load. The error message should be something like 'Invalid device driver interface,'" and "What the guy is supposed to do is feel uncomfortable, and when he has bugs, suspect that the problem is dr-dos and then go out to buy ms-dos. or decide to not take the risk for the other machines he has to buy for in the office." [DR-DOS vs Microsoft]

Whenever it was to their advantage, Microsoft has coldly stabbed the user in the back. You won't find Linux developers doing that.

> Your pathological hatred of Microsoft...

Actually, if anyone is demonstrating a pathology here, it would appear to be you. You seem to be so stuck on your position, that you have done no research, and have thrown facts and logic aside, in order to make huge sweeping statements about what is right for _every_ user.

It is OTHER governments to which this comment applies. If you are an official of the French government, what must you think about the virtual certainty that the U.S. government is spying on the French government using unpatched security holes in Microsoft Internet Explorer or, possibly, back doors put into Windows on order of the U.S. government.

Would the U.S. government use any means to spy on other countries? Well, the U.S. has killed more than 3,000,000 people in the last 33 years partly by bombing 14 countries. Does anyone believe that people who think killing is acceptable suddenly become moral when they think about spying using computers?

For documentation of U.S. government activities from some of the world's most respected news agencies, see What Should be the Response to Violence?

> If not, you're vulnerable to a worm that's been going around that is similar to Code Red (hijacks your server and turns it into a DDoS platform). I know at least 4-5 people who were hit by this in the 2 days it took the fix to get into security.debian.org.

If you are going to lie, you have to be smarter about it than that. Remember your training: don't embellish. Microsoft should penalize you a day's pay.

You can't possibly know 4-5 people who were infected while waiting for a fix to reach Debian, because during that time the only exploit that existed was a _BSD_ exploit. There were no Linux exploits during that period.

Besides, I don't know what you are gloating about. Unlike the constantly-vulnerable IIS, this is the first major exploit to hit Apache in years. In fact, according to this article, Apache has gone "four and a half years without a serious vulnerability":

http://online.securityfocus.com/columnists/91

By the way, the Apache worm has been a total flop. Because the fix got out so quickly, and because Linux and Apache are so easy to keep up-to-date, the vast majority of Apache servers are now immune.

Contrast that with Windows and IIS. Code Red and Nimda are a year old, yet they are still making the rounds.

It is a sad fact that, even with current patches applied, Microsoft software is still full of holes. As evidence, note that there are currently 19 unpatched IE security holes:

http://www.pivx.com/larholm/unpatched/

swank.ca exploits today's new Internet Explorer bug to pop-open sol.exe on unpatched IE/Windows systems!

Now confirmed, a worm nicknamed 'Scalper' is spreading that exploits the week old Apache HTTP Server chucked encoding vulnerability. The new worm was first seen after it attacked a honeypot in Lithuania hosted by MicroLink, and seemingly has dDoS objectives in mind. Luckily, the worm has not picked up much steam yet, so take this opportunity to patch your servers.

I saw this on the TechTV message boards, some pivix has created a program to patch it. I got it from http://www.pivx.com/gopher_smoker.html hahahah! they said 'we clean up microsoft's mess again!'