Win2k Security holes found
According to a story posted by ZDNN, two security holes have been found on Windows 2000, and that's even before the official release of Windows 2000! Administrators who rush to incorporate the patch from MS beware - according to one of the talkback posts on ZDNN, the patch creates a new problem with Windows 2000 news server service.
Speaking of "gala" events. When Win98 was about to go on sale in Sydney au., hundreds of morons lined up for hours outside Harvey Norman to get a copy along with some crap "free" software.
How many bugs were found in the 1/3 of the Win98 source code that was allowed to be viewed by a lawyer by court order? 3000? For only $99.95!
People are idiots.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Yeah. It was called 'Mars' till the last two NASA missions there failed, and MS didn't want the inevitable comments to follow.
These should be part of Neptune [NT6/Win2001]. Pretty interesting, although I prefer a nice, simple Litestep shell.
ROTFL!!! I support the bitch! After everyone installed b2195 clean, our calls dropped off to almost nothing. What street do you live on? I followed personally from Beta 3[b2031], RC1[b2072], RC2[b2128], and then to RTM[b2195]. MS forced everyone to use it. There's nothing like 46,000 screaming people to motivate the Dev Team.
I'm sure we'll find all kinds of interesting flaws with it, and they will all be fixed. MS has placed a lot on this OS, and you can bet your ass the patches will be timely.
P.S. The guy next to me at work is running Redhat. I'm outta here. I'm off to Arstechnica.
Exactly, before the product is even out. It's much better that the problem was identified and patched now than if it was found 2 months later when live boxes are running Win2k with no fix available.
Actually you've overcomplicated it a little. The 'Option Pack' for NT 4 is a collection of programs you can add to NT which are not installed as standard. (Stuff like the distributed transaction coordinator, the transaction server, IIS, that sort of thing.) This has nothing to do with the version - that's a bit like complaining that Linux 2.3.4 with Apache is a different version number from Linux 2.3.4. In fact with Linux you have the potentially more confusing situation where the versions of the kernel and the distribution you're running are different.
The scheme they use is actually pretty simple - a product name, and a service pack number. They stopped putting version numbers into the main name of the product because their research indicated that this confused people - separating the product name from the release seemed to go down better.
And hey, it discourages them from charging for the bug fixes, which they used to do with carefree abandon.
Ian Griffiths
QA = Quality Assurance. (Spelled Qwality some places I've seen ...)
This replaced the previous term "Quality Control" which fell from favor in the mid-80's right after Car&Driver made a barbed comment about how it was a good thing GM had such a good Quality Control program because "after all, we wouldn't want it to get out of hand..."
Within a matter of months, Qwality teams across the nation had improved their processes for the naming of Qwality teams and QA had displaced QC. If they had just worked half that hard to improve real quality instead of just improving their image. (If I sound jaded, it's just because in my experience, Qwality teams are the closest thing you'll ever find to Dilbertian thinking in real life...)
"The future's good and the present is nothing to sneeze at." - Roblimo's last
Would we have to fight against Maxwell Smart then?
Sure. You take Maxwell Smart, I'll take 99.
Will in Seattle
BC. What good is a win98 upgrade when I don't have Win98 Version 1, Win95, Win95a, Win95 OSR2, Win95 OSR2.1, or Win95 OSR2.5? Last time I checked the upgrade didn't work on Linux. The full retail Windows 98 SE is fucking expensive. Sure I could get a pirated copy, but I don't have to. Unfortunately other people do buy it, and smile when they pay 300-400 dollars for it.
Lars -
I've done some online shopping for Windows 98 (full version, not the upgrade). The highest price was $290 CDN (still damn high!). BTW it's easy to install the Win98 upgrade without having a previous version of Windows installed. I do it all the time. If you ever switch to Windows, I'll tell you how. :-)
That's as good a definition of economic-politics as any I've heard.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Of course, had this been a development linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc. I don't care so much when people reply with remarks such as those made in the story, but I prefer to have unbiased story posters.
------------------
Funny. Microsoft said Win2k wouldn't need any service packs. Guess they were wrong.
this sig limit is too small to put anything good h
This is a story that actually nothing needs to be said about. A security fix before the product is even out.
- -
Redundant, yes. Flamebait, yes.
Funny - hell yes!!
------------------------------------------
Please give your mod points to others, I'm at the cap. They will appreciate it more
They tasked many employees with making sure Win2K was secure!
They had a server on the web!
Does this mean the service pack release date will be before the software release date? Hmmm.
Yes, that's really my e-mail. Don't change a thing.
how come I never hear about the security holes in linux systems? Wouldn't that be a more interesting topic to those of us who run linux?
Dr Fgets Strikes again!
I could go on like other posters and just bash Microsoft for the "inferior" product, but I think that tone is starting to get lame.
But I want to mention something about Microsoft that really irks me and should irk their customers too. And that is the following statement:
"Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure."
I'm sorry, but I don't buy their statement about having tighter defaults. Almost all problems with Windows have been because of defaults. It seems to me that they should default everything off, and let the user have to go and turn what they need on.
Of course I don't like the way Red Hat does this too. I had to spend a few hours trying to figure out what Red Hat had default on. I forgot to turn off the "finger" utility until I noticed in my logs that someone was using it on my firewall. Now I do my security like I do my installs: Customize, turn everything off, then when I find something I need, I install/turn-on that service.
Steven Rostedt
-- Nevermind
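The "turn everything off, then enable what you need" review in the post above comes down to knowing which services are actually listening and checking that list against what you intended. The following is an added example, not code from this thread or from any of the vendors it discusses: it parses the Linux /proc/net/tcp table format and reports every socket in LISTEN state whose port is not on an allowlist. The table it reads, the port-name lookup and the little-endian byte-order assumption in `decode_addr` are all constructed for the example.

```python
"""Audit listening TCP sockets against an allowlist of ports.

Added example, not code from the Slashdot thread: it parses the Linux
/proc/net/tcp table format and reports every socket in LISTEN state whose
port is not explicitly allowed. The table below is constructed for the
example, not captured from a real host.
"""
import socket

# /proc/net/tcp encodes socket state as a hex byte; 0A is TCP_LISTEN.
TCP_LISTEN = "0A"

# Small constructed port-name lookup so the report is readable offline
# (socket.getservbyport would need /etc/services to be present).
WELL_KNOWN = {22: "ssh", 25: "smtp", 79: "finger", 80: "http"}

# Constructed sample table: sshd on all interfaces, finger on all
# interfaces, smtp bound to loopback, plus one ESTABLISHED ssh session
# (state 01) that an audit of listeners must ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:0016 0A000201:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr):
    """Turn '0100007F:0019' into ('127.0.0.1', 25).

    The kernel prints the IPv4 address in host byte order, so on the
    little-endian hosts this example assumes, the four bytes are reversed.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip_bytes = bytes.fromhex(ip_hex)[::-1]
    return socket.inet_ntoa(ip_bytes), int(port_hex, 16)


def listening_sockets(table):
    """Return [(ip, port), ...] for every row in LISTEN state."""
    listeners = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            listeners.append(decode_addr(local_addr))
    return listeners


def audit(table, allowed_ports):
    """Return [(ip, port, name), ...] for listeners outside the allowlist,
    sorted by port. An empty list means nothing unexpected is exposed."""
    unexpected = [
        (ip, port, WELL_KNOWN.get(port, "unknown"))
        for ip, port in listening_sockets(table)
        if port not in allowed_ports
    ]
    return sorted(unexpected, key=lambda entry: entry[1])


if __name__ == "__main__":
    # Only ssh is meant to be reachable on this host; finger and smtp get flagged.
    for ip, port, name in audit(SAMPLE_PROC_NET_TCP, allowed_ports={22}):
        print(f"unexpected listener: {name} on {ip}:{port}")
```

On a real Linux host the same functions can be pointed at `open("/proc/net/tcp").read()` (and `/proc/net/tcp6` for IPv6, whose 128-bit addresses would need a longer decoder); the value of the allowlist is that a service like finger shows up as a named, unexpected listener before it shows up in the logs.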
People don't seem to understand that win2k is *NOT* in development. It's been gold for many weeks now, and is in production for shipping in Feb.
So any comment about security holes in development kernels is totally unfounded. There is nothing development about win2k (of course, most linux users will exchange winks when encountering a statement like that ;] ).
The real funny is that MS is already releasing broken patches for a product that isn't even available yet!
NightHawk
[-1 flamebait to read]
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
"My karma just ran over your dogma."
> Over a year delayed is not rushing.....
Wired has been naming it as one of the top ten vapourware products of the year since '97.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Do you realize you have no clue what you are talking about? stored in "fancy graphical text", huh?
It seems like any .0 release of anything always has worse bugs than the betas. Another example is the newly released xmms 1.0 which broke support between the OSS output plugin and the aureal driver.
-- BLarg!
- Open source. Closed minds. We are Slashdot.
At least, the talkback part is. I got my nifty new .sig from a talkback post.
Think Princess Bride
Finkployd
Bill Gates: "Innovation"
Well, it may be more accurate to say that a lot of us are subjected to having to use Windows in addition to Linux. And a lot of Slashdot readers use Macs or *BSD or other OSes besides either Windows or Linux. It just isn't a simple either-or kinda thing.
Customer: "My security has been breeched!"
Consultant: "Well, it might appear to be a problem, but it's not really since Linux is never considered to have a stable release."
Customer: "What???"
Consultant: "No! No! You're not looking at it the right way. Linux is in perpetual beta, so it's not really a problem you're experiencing, it's just feedback in the beta cycle!
--
Actually, most Slashdot readers use Windows. It's just that the Linux users seem to post the most, and are the most vocal. I for one used Windows and read Slashdot for quite a while before I tried Linux. Now I use Linux more than Windows, but I don't hate MS or anything. And just from the hits to my page from Slashdot articles, I'd say between 50 and 75% are Windows machines. I also remember reading somewhere with Rob saying that most of Slashdot's hits come from Windows boxes. It would almost have to though, Linux is still a hugely minority system.
I'm sorry but you are way off the mark on that comment. Having a GUI does not make a system harder to hack; under the hood networking and file handling are non-GUI applications regardless of how pretty the face over it. Regarding GUIs for linux, ya I agree they need some improvement but considering the astonishing rate that KDE and to a lesser extent Gnome have evolved... that will be a moot point before long.
Blender And Linux Fan
How about if I point out that they:
- have terrible testing processes
- rush too fast to get products out the door
- Are almost totally inept in terms of security
- apparently have NO usability staff on hand
- should take the time they currently spend "decommoditizing protocols" and applying it to proper software engineering processes
Would any of those be acceptable as an alternative?
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
"My karma just ran over your dogma."
You don't, but not by much. Not trying to knock you - I'm positive the votes were swayed towards Windows when I voted too.
:)
According to the poll
Linux is at 36%.
Windows(NT&9x) is at 30%
Although if you add in the "I hate everyone crowd" to Windows that pushes windows users over: at 38%. And we all know only windows users are angry at everyone.
Joseph Elwell.
I'd secretly record the bugs and then teach those Win2K adoring freaks a lesson AFTER it's been released.
Whether your like Microsoft or hate them, a lot of companies are going to purchase W2K. Releasing bugs after the shipment doesn't hurt Microsoft, it hurts the consumer. Releasing the bugs before the shipment, however, only hurts Microsoft.
So unless it is your goal to hurt honest consumers, you would be doing the right thing to release your findings as early as possible. Hopefully people will get a clue and not put themselves into the position of being burned by Microsoft.
Bugs found a couple of weeks before release are not exactly a big thing. Most companies are scrambling to patch up the last 100 or so bugs within the last couple of days of release.
Microsoft said they had a final product almost 3 months ago, and yet they haven't shipped. Rushing isn't exactly the word that comes to mind...
The nice thing about Linux is that security holes tend to be patched up faster than Windows, but lets wait until Microsoft ships, and takes too long to patch found bugs to start complaining.
------ Warning! You are too close!
Exactly. And whose fault is that? Microsoft puts a higher value on glitz and creeping doodadism than on stability.
I never asked for 90% of the things that Office purports to do. Am I being unreasonable to want software that doesn't tip over five times a day?
Well, if coding for Win2k is anything like coding for Win98, it'll be more along the lines of:
*pop*
*whack*
*pop*
*pop*
*whack*
*pop*
*pop*
*pop*
*pop**whack*
*pop**pop**pop**pop**pop**pop**pop**pop**pop*
*install linux*
25% Funny, 25% Insightful, 25% Informative, 25% Troll
Sorry, I've got to disagree with you. Until it's in the boxes on the shelves, it's not finalized. But there's little point in arguing about it since we'll probably not be able to reach a happy middle ground.
Let's not forget the other bit of wisdom: never run a x.0 version of any software.
Have a good one.
And you get exactly what you pay for with Linux. Want to talk about huge gaping bugs? How about Corel's little security hole that can allow Root access?
I'm aware of the criticisms of your observations elsewhere in this thread. However, I will grant you (and Microsoft) one important thing: there is no longer a
2.b) security hole ignored after reported, until the media hears about it
2.c) security hole denied for 3-6 months after it is common enough knowledge for the media to know about it.
In those regards, Microsoft has (apparently) come a long way in the last 9 months or so. I presume, without evidence, that it's because of the extremely bad rap the press was giving them over it, especially since the press (and influential sites like /.) could so easily point to OSS products being fixed in days rather than months.[1] Let's hope MS is truly reformed on this issue, regardless of what pressures brought it about.
[1] Yes, I'm aware of the recent article that compared various companies and found that MS only takes about 50% longer (IIRC) to deliver a patch than (say) Red Hat does. However, that article seems to be based on recent data, i.e. the post-reformation MS. Things were different not long ago. I remember seeing an article in the tech media last summer, titled "Same Hole, New Exploit". The author said in the first paragraph that the hole had been publicized over a year earlier, but no patch was yet available because MS was in denial mode.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Both obviously
I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.
I waited for Service Pack 300123 for Linux to come out before I installed Linux. Yes, that's right. I installed Linux back in 1996.
Kind of like Mozilla?
and youre an M$ troll. fuck off.
unfortunately all those scenarios are true. sad that M$ is a company which spreads FUD, bullshit, crappy products and lies lies lies.
the patch creates a new problem with Windows 2000 news server service.
That's what you get when you rush a patch. They probably really didn't know about this hole until it was discovered. So they cobbled together a patch in a rush job. Probably self-conscious about public image.
===
-Ravagin
Karma: T-rexcellent.
umm..dumbarse. M$ releases "patches" because it feels market pressure to release less buggy products - previously they never used to. think b4 you post.
All this Service Pack 6, Option Pack 2 stuff drives me crazy with MS products. How come they stopped versioning with Windows NT 4? I used to LIKE Windows for Workgroups 3.11 (note that the OS wasn't even near stable/usable until a .11 release). Nowadays, you have to guess (hmm... I think Service Pack 3 might be OK, or should I wait 'til 4). Hey, they could even put the version number INSIDE the year: "MS Announces Windows 2000.01.28 Advanced Server" or, even, "MS Announces Windows 2000.01.28T18:00:12-08:00 Advanced Server for Professionals" since they probably have enough build and test machines up there in Redmond to release a "pack" about five times an hour. Whatever...
...is HeUnique and why is he quoting an (roughly) anonymous idiot in a headline? I'm all for M$ bashing, but only when necessary. This is unwarranted, but then again, this is /., so I get to bitch about it ;)
This was so fraught with hilarity that I spewed my coffee in a guffaw all over my keyboard and monitor. Natalie Portman : Open Source and pregnant
Lars -
bugfixes are free. yes, they depend on service and support - a different animal from releasing a shit bloated product by a crappy company.
According to a certain source from developers up in Redmond it appears that service pack 2 is already in the works. Apparently service pack 1 is pretty much already finalized. This is truly amazing, service pack 2 before the final product is even released. It just goes to show you how full of bugs anything Microsoft produces is. I don't think I will switch over until service pack 4 comes along, maybe then the system will be semi-stable (and secure, hah what a joke).
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com
www.haidacarver.com
Hardly an insightful comment. Pull your head out and notice that OSS isn't anything remotely like a guarantee that a product will be bug free. There is no such thing. Linux has as many if not more bugs than Windows 2000, you just won't read about any of them here.
It's a problem with a bundled software package that installs by default - how many Linux distros have been put together, then stayed on the shelves after someone found a hole or significant problem in a bundled package? Heck, how many of them have been sent to manufacturing then had something crop up after they started pressing discs and printing manuals?
fencepost
just a little off
Mole attack!
It's not just a benign mole attack, it's a cancerous growth spread by marketing security through obscurity. You can whack those hidden 50 million fresh lines of buggy code with a baseball bat all you want, but the best solution is a peer reviewed open source solution.
And so does Microsoft, are you so full of blind hate for Microsoft that you can't even see what's under your nose? This entire article is about Microsoft fixing a security hole and patching it in a very short period of time.
Actually this is quite good for the MS side since the program isn't officially out and the beta-testers... who are the ones usually with the final kernel builds are supposed to be able to find the bugs. I mean linux is freaking filled with bugs: Red Hat 5.2 had a buffer overflow problem with letting a user gain root access, well guess what, 6.0 + 6.1 have the same problem, not exactly the same though similar, and these are more public than the MS Win2k since it's for free and has been released for quite a few months....
I thought the idea was that service packs would only contain fixes, but no additional functionality. Don't have a link, read it in PC Pro, I think.
The poor cook he caught the fits
And threw away all of my grits
I would almost have to praise Microsoft in this also. I don't think they have ever had this kind of turnaround time on bug fixing. Only 2 weeks? I mean usually it is months before you can get a bug fix. Once M$ is able to fix a bug either before it is found or within 24 hours of its appearance then they may be able to compete with the uprise of Open Source.
The ArsonSmith
Paying taxes to buy civilization is like paying a hooker to buy love.
But your points are moot. I can obtain Linux for free, and fix the bugs on my own. I can pay for Microsoft software and never be able to fix the problems without entering into a perpetual upgrade-payment cycle. I reserve the right to criticize anyone who wants my money, and is failing to deliver on products. I consistently forgive volunteers.
How can it not be finalized when CDs have been sent off to the printers for mass duplication? How in the world is that not a final product?! The documentation is being printed, the boxes, too. The discs are flying off the printers - do you really, really believe that this product is in Microsoft's hands anymore? They certainly considered it finalized enough to put on store shelves.
And that's really the sad thing about how Microsoft does business. They go too damn fast, and leave all sorts of mistakes, bugs, security holes, etc. in the shipping version of the product. And that's a real shame, because there are going to be millions of people who buy this product, bugs and all - Microsoft's folly has just been writ large in the world's computer users.
Would it help if I told you that this bug will be in the shrinkwrapped product that will be on store shelves two and a half weeks from now? It's too late to go back and fix it - the bug will be there.
And the fix won't.
I hope that impresses upon you the gravity of these sorts of errors.
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
"My karma just ran over your dogma."
I think I've figured it out. All the analysts have been advising people for years to hold off buying W2k at least until the first service pack is released. So MS is going to release their first service pack right along with W2k, just so nobody will have an excuse not to buy.
:)
Makes sense to me
--
For every post, there is an equal and opposite re-post.
640 thousand service packs should be enough for everybody!
--
Bill Gates
_________________________
Well done young man! Almost on topic all day! Only a little nudge to push it over the edge into positive moderation land.
Truly pathetic. So you're saying that Linux is never release quality and is never acceptable for general use. Oh wait, I guess that's actually correct. You make excuses for bugs in Linux and jump down Microsoft's throat for them, nice double standard you have there.
Debian updates automagically. You could have one of those bobbing chickens hitting the enter key update Debian. I'm sure that a true "consumer" Linux, when out of infancy, will provide this without even user input. (for better or worse security reasons)
It is available. The CD has already gone gold and is basically waiting for the 'release date' before going on the shelves. Each new box of Win2k will have a now well-publicized security hole right out of the box, and as we all know very few win2k users will go and get the fixes immediately after install... "I mean, it's brand new, right? Why would you need to get updates to something that's just been released?"
The equivalent, I suppose, would be RedHat investing megabucks in a marketing campaign, coming out with RH7.0, and as the CD is being pressed a big ol' bug is shown to exist in a major app that EVERYONE will install (cuz they have no choice). I say app, because very very few kernel based exploits exist. People rewting using stack overflows and such are far more commonplace, and those bugs extend to all platforms which allow stack smashing.
--
rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)
"People will pay big bucks for the luxury of ignorance."
It's not impossible that the fix will be in the box. Dunno if it'll be integrated into the installed base though. Then again it might not be excessively pretty to include a floppy with a patch right in the box. Laugh.
Wrong. SP6 did not break Winsock. Do you even know what a winsock is? SP6 exposed a problem in Lotus, hardly a 'broken winsock'.
nobody said linux was perfect or any distro was perfect. however, win2k was touted as "perfect" by M$..check on M$'s site for the appropriate pr fluff. besides, as everyone knows, it's a helluva lot easier to lock down a unix box than any shit from m$.
BTW, that story also contains a reference to connlogd a TCP/UDP connection logger. i'd recommend downloading and using it - really kewl.
First of all, when did Red Hat make an actual OS? I believe that the product they're selling is a general software configuration that contains GNU and BSD software (mostly open sourced) and the Linux kernel. They also give you administrative tools to aid you in setting some aspects of your system and have tuned the installation for a can-run-anything server/workstation. If you don't like what they're offering you can actually save some money. I had to use a copy of SuSE (6.2) at my job for my box (1 Linux box when I got there, 3 now ;) but it didn't last long. It would take me more to clean up and close the holes so I decided to install the a and d series of Slack from ftp. Then I did everything by hand. If you want pure control over your system then RTFM and do it yourself. I just love the modularity of *nix. Of course that's stuff for purists but first I wanna see Hotmail or eBay run on NT and then I'll reconsider...
*growls at Fict*
This isn't IRC. You're not cute. Go away.
Hands in my pocket
Well said. Any real sysadmins out there that are in a Microsoft environment are not going to be reloading machines with 2000 madly on Feb 17.
I have a project that I may experiment with 2000 on (specifically IPP) just to see what its capabilities are. But there is no way that I'll have a production 2000 machine for a while.
"It took us a while to get here, but that's because we were not ready to compromise," Valentine said, promising that the first version of the operating system will not need service packs or bug fixes like other software releases. --Brian Valentine, Windows Division Senior VP http://news.cnet.com/news/0-1003-200-1497019.html? tag=st.ne.ron.lthd.1003-200-1497019
The form of comedy on display here was irony, or if you like, hubris. The Germans have a word for it: schadenfreude. This comic construct does not rely on any knowledge of the poster's point of view on any related subject, and can stand alone given an understanding of the subject of the gag.
The poor cook he caught the fits
And threw away all of my grits
Thank you for helping to train the mammals. Train early, train often.
.....the more M$ is talked about the more publicity they get. Just another typical M$ product. swisscheese=microsoft
I just want to start off by thanking everyone for sharing their favorite Win2K tips with me this past year. It's been a great millennium and I feel very fortunate about being able to know you all. But there are others who aren't as fortunate. And at the end, it's also important to think about philanthropy and giving. I'm a huge proponent of giving. Although I don't think it's right to force it on others, one of my friends forwarded this url to me about a philanthropy site that donates 20% of its revenues to charities:
MoneyMap.org
It's got a hare-brained game where you click on a picture to look for cash prizes. Each time you play, you make a contribution to the cause. It's absolutely free. And I encourage you to forward it to your friends to keep the virtuous cycle going. Enjoy!
You have a double standard right there! Don't compare Microsoft developers with Microsoft evangelists. You don't see it as a double standard because you're determined to show Linux in a positive light, at the expense of the truth.
Windows is nothing more than a GUI pasted on top of DOS. Nothing more, nothing less. I don't care how much you talk about abstraction layers and other shit.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
Sure you would, just like all the bugs are found in Redhat? Oh, that's right they aren't all found. Well, that's just a fluke. How about BSD? That must be bug free, nope, another fluke I guess.
the problem is the bugs that are ignored by m$ and NEVER patched.
This attitude is what allows Microsoft to be the success it is. I find it ironic that people are willing to accept incompetence in software as one of the terms of doing business. Would you be willing to absolve a hospital from sloppy tactics because they are a huge institution dealing with thousands of patients daily? What about an engineering firm hired to build a bridge? If it collapsed, would you be willing to give them 2 more chances to get it right?
Only in the world of software do we get the pleasure of paying for a developer's incompetence. It probably won't change until some catastrophe happens because of faulty software.
Hates people who have stupid little sigs
Don't you see though that's the beauty of being a Slashdotter. When Microsoft delays a product you scream "Vapourware!", when they release a product you scream "Rushed to Market!"
This way of thinking works surprisingly well. For instance:
Bill Gates doesn't give to charity - "Greedy!"
Bill Gates gives to charity - "Scam!"
MS adds features - "Bloatware!"
MS doesn't add features - "Charging for a bug fix!"
Competition - "Linux blows away Windows!"
Monopoly - "Linux can't compete with Windows!"
See how that works...pretty cool huh?
Linux people for the most part, especially the higher ups (Linus, Alan, etc.) know that Linux has its problems and admit that. They never say that "Linux is perfect". They just keep working to make it better.
MS people, especially higher ups, however, continue to say that "MS has no problems and is stable, secure, etc"
The reason a lot (read: not all) of Linux people nail MS is because of its incessant lying.
Why didn't Corel's security hole make big noise. Gee, maybe because Corel didn't claim that it's the most secure OS ever.
Geez, and you're complaining about double standards.
Why don't you try Windows 2000 before you give your biased and trolled opinion?
Oh, I'd bet you're right. They probably had several testers sitting around eating pizza:
Tester 1:"Did you see that bitchin' bug when you click down on that button?"
Tester 2:"Yeah, but we aren't going to fix it. Nobody ever clicks that button."
you are the *shit*, man!
"I never asked for 90% of the things that Office purports to do. "
Yeah, but the other 99.999% of customers did.
I don't think I remember the last time M$ paid direct attention to a security hole. Usually they make a broken patch and forget about it.
:)
With the coming of age of open source M$ might start actually making reasonable products.
Ironic that their attempts to compete 'on the level' coincide with their imminent demise.
Oh, did anyone get the bit on the "race condition"?
OSS types don't go around touting security??!!!?!?! Are you a fscking moron?
Since there's two broken Patches in Windows 2000? Do you think MS is going out of Business?
You do realize that "Hey! You have the source code; you can fix it yourself! Isn't that cool?!" is not an acceptable answer to a client when they complain about a security problem?
--
Yes I am sorry to say a large company that makes airplanes will be using the junk for all kinds of things. And a lot of other idiots will too.
Hey, you moderator fucks. Moderate this post back up or I'll whack all you fuckers.
-- Tony Soprano
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
"My karma just ran over your dogma."
Quick everybody repeat after me:
Hear no evil.
Speak no evil.
See no evil
Hear no evil.
Speak no evil.
See no evil
Hear no evil.
Speak no evil.
See no evil
Now...everybody say the magic words "Meka Leka Hi, Meka Hiney Ho!" Phew! That was close, I almost thought Linux had bugs. Bless you Jambi!
No Linux distribution that doesn't come configured to automatically check for, notify users of, and help users install software updates should be considered "ready for the desktop".
then i guess no operating system is ready for the desktop. hrmm... does ms mail every windows user (registered of course) when an update comes out? not quite. updates are the user's responsibility. why should everyone work double for the lazy ppl?
just a thought.
--
dead angel
i am strange people. -me
spreading linux lovin' since 1998!
This isn't a development kernel or an "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.
Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!
However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing. Trust me there will be more...
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com
Nathaniel P. Wilkerson
www.haidacarver.com
Hi Mr. Ballmer. Fancy meeting you here, oh ye of shiny pate.
The size of Win2K is not a mitigating circumstance ("Let's give MS a break since this job is so big"), it's an aggravating circumstance ("What the hell were they thinking?!")
It is an undisputed fact that the increase in your bug count climbs far faster than the increase in your LOC count. Sometimes far faster, depending upon how "tightly integrated" you want to make the system. It's a simple matter of combinatorial explosion - 2N objects can interact in (2N)! - N! more ways than N objects can interact.
That's why everyone on the planet... with one notable exception... has tried to maintain firm barricades between subsystems. At first glance it isn't as "user friendly," but many of us feel that nothing is more user-hostile than programs riddled with an interminable series of bugs and general flakiness.
Many critics have publicly stated they doubt that Win2K will *ever* be stable. The sheer size of the code base means it's impossible for any one person to really understand what's going on, and that means it will be extremely difficult to avoid breaking Peter to fix Paul. That's why the reports that one of the two bug fixes introduced a third bug are so disturbing - this is exactly what you would expect to see from software that is simply too large to maintain.
It's still early in the game, but it looks like the critics won the first round. The real test in the next few months isn't the total number of bugs announced, it's the percentage of bug fixes which break something else. NT4 was notorious for requiring service packs to fix prior service packs, and there's now evidence (however thin) that Win2K will be far worse.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The equivalent would be the amateurish buggy crap Red Hat releases in every release of their product.
Like the original poster of this thread, I'm not a Microsoft lover by any means (as evidenced by the 1 windows machine and 4 Linux machines on my home network), but...
Let's get real... Microsoft or not, how realistic is it to release an ENTIRE OS and not have any bugs or security holes? Can anyone honestly say that they have NEVER had a Debian/Redhat/Mandrake/SuSE/Suckware/etc. distribution that DID NOT have any "security updates" or new packages to download to "fix bugs"?
My guess is NO. That's why utilities like autorpm and the Mandrake updater exist. Go to any of the Linux distro's sites, and you'll find Errata, Security Fixes, or something similar. I was just looking at several of them this morning!
Yes, it's fun to bash MS every now and then, and sometimes (more often than not) they deserve it. But give me a break -- 2 security holes? If that's all they've got so far, they're doing better than most of the Linux distros...
Pinball, arcade video, tech and more: www.micsaund.com
Check out a retail box version of Redhat 6.1. It's $80. Windows upgrade $80. Windows full version is about $130. Like you said, most people have windows so they can buy the upgrade. So it's the same damn price. Oh wait, you get 30 days support from Redhat. Wow.
This is in response to the AC who just doesn't get it. This is from the M$ website, you can read it here:
TOP TEN REASONS TO UPGRADE TO WINDOWS 2000 PROFESSIONAL
...
8) Standards-based Security. Windows 2000 Professional builds upon the high level of security in Windows NT Workstation by providing a security infrastructure that allows you to select the appropriate amount of protection for your company's most sensitive data and applications.
...
They are touting this product as a highly secure OS, and they are spending millions marketing this as a more reliable/secure OS than NT. So then what does the first patch fix??? You guessed it, a security hole.
Yeah, OSOSs (open source OSs) have security holes, but we also don't go around popping off at the mouth about how secure our products are. We don't need to convince anyone else because we already know. We can save the time and money that M$ spends on marketing and use it to make a product that actually IS more reliable and more secure. The proof is in the puddin'....awww yeah (to quote another /.'er's sig file.)
Eric
--------------------------------------------
Please give your mod points to others, I'm at the cap. They will appreciate it more.
With over a million-something lines of code, multiple bugs and security holes are highly likely. Therefore, no one should be surprised at these recent findings.
I agree Win2k is probably an inferior product to Unix or Solaris, but unfortunately it has a major amount of market share. Hence, regardless of the bugs, it will still be installed by millions of users. Obviously, M$ has a moral obligation here to provide a fix for their errors, but I don't think we need to rip them apart for it. Errors are inevitable.
What we need to rip them apart for are their outrageous prices for any of their software. They are way overpriced and they are basically robbing everyone. The government should really slap it to them by controlling the retail price of their OS; that would be the killer.
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com
Nathaniel P. Wilkerson
www.haidacarver.com
Redhat 6.1 is not an operating system. It is a distribution. None of those so-called security fixes requires a fix to the kernel.
Also, it is shipping. It has been shipped to several OEM's. They can't advertise the fact that they are selling early. Bill doesn't want to dilute the kick-off party.
Hates people who have stupid little sigs
First things first. The reason that this is embarrassing for Microsoft is that they've been touting Win2K from the hilltops as being the "Most secure Microsoft offering ever...". So a security hole before the retail date _has_ to hurt!
:-) Just thought I'd throw it in...
On a broader note, I see a lot of messages saying that it is the fault of distributions etc. that people get bitten by security holes. I disagree. If you have an active system administrator, it's his job to keep up to speed on these things. It's his job to know that he shouldn't run finger and wu-ftpd if the machine is just going to be a mail server. It's his job to evaluate what is on the machine and to run regular penetration tests. Saying it's the distribution's fault is wrong. I don't blame car manufacturers because in the default setting the steering will drive me straight into a wall.... I learn to drive instead.
One of the largest problems facing the growing Internet market is the number of inexperienced sysadmins coming into the game. However, sysadmining is filled with a lot of chicken-and-egg situations. You can't get the experience of how to deal with situations without working, and you're dangerous in a work environment until you have this work experience. Tough one to solve.
Wired has zero credibility as a source for IT information.
You just lowered your credibility by implying they do.
Anything is more stable than MSIE 5.
Dork.
That's funny.
;-)
Clicking that link brings up a blank page and an error box.
I guess Mr. Holmes has nothing to say in its defense
Congratulations, you have murdered Slashdot by bowing to corporate pressure and introducing subscriptions.
I'll be the first to agree that Microsoft often does not keep its word. My point is really that by emphasizing every mistake Microsoft ever makes, we serve only to perpetuate everyone's hatred / distrust / dislike / whatever of them. If we are going to point out their flaws, we should point out the flaws of Linux as well -- not to give it a bad reputation, but on the contrary, to make its problems known so that they can be improved so that progress is made. That is, after all, one of the things I like to think Slashdot stands for. Placing Microsoft under a magnifying glass while Linux's and its software's faults go unreported is unproductive.
I suppose the bottom line is that we should concentrate on making "our" OS better instead of continuing to point out the weaknesses of others.
kugano
"This could happen with any OS. Linux v2.4 will be out some time before RedHat completes a version of their own. Bugs could be found in the kernel before RedHat ships."
What the hell are you saying here? 2.4 is a major version leap. Currently RedHat ships with a 2.2 kernel. When 2.4 comes out, major changes will be necessary to implement it, such as XFree86 4.0. Also, just because Microsoft has blurred the border between their kernel and IIS/IE5/Shit doesn't mean you can do that with the Linux kernel and Linux distributions. I don't use RedHat but you Microsoft cheerleaders seem to think Linux!=RedHat, so I decided to browse some of RedHat's site (I don't use RedHat).
http://www.redhat.com/support/errata/rh61-errat
hmm some lpr, bind, wuftpd, some apps, no kernel major security bugs here.
http://www.redhat.com/support/errata/rh61-errat
some userland packages, new version of apache, nope no major security hole bugs here
http://www.redhat.com/support/errata/rh61-errat
Currently, there are no Package Enhancements for Red Hat Linux 6.1
Redhat has a reputation for shipping misconfigured userland applications that lead to exploits. Fortunately I don't rely on Redhat, or their support; I have chosen my own distribution and have also chosen to take my own responsibility for what services I run and how the permissions are set.
As a Slackware Linux user, I have no problem getting a new kernel and building it for my system, whereas Microsoft has taken to convincing its users that directories are really called folders, and that nasty things such as "partitions" and "hard disks" are really the same thing - drive letters. Most professionals that run Linux know what they are doing, not like the fool who actually believed the Micros~1 hype about Windows 1900 and is beginning to deploy it, knowing Micros~1 has turned a blind eye towards security, and has adopted the "Big Brother knows best" attitude. I doubt this will be the last bug in this "Enterprise Ready" OS, and with that IIS in the kernel, I can't wait till the next time Micros~1 has egg on their face.
Lars -
This guy must work for Microsoft, this AC seems to have taken this personally.
Why don't you go read Windows Magazine or something, and turn off your "Internet Zone" browser from slashdot.org
Lars -
Would we have to fight against Maxwell Smart then?
OEMs are selling computers installed with it already. Call any major OEM up. If you were awake last week, you would have noticed several news articles reporting that very fact. Microsoft has allowed them to offer it early only if they do not publicize that they are offering it before the "official" release date so as not to lessen the importance and gala-nature of the release functions.
Have an equally good one.
Hates people who have stupid little sigs
had major issues, it was supposed to be the final stable release. It took until 2.2.5.
There isn't one. You're just a BIGOT.
The thing is, you know, Windows is a prevalent OS on a more general scale outside of geekdom. I for one don't know squat about programming or a lot of other tech stuff. But I can use a computer and being from Silicon Valley I like to see what's going on. So geez, I use Windows. It's got about a million problems with it, but I can write papers and surf the web etc. and I didn't have time to figure out Linux or whatever. Thus, Windows it is, simply because that's what was on the box when I bought it and I have other things to do besides mess with my computer all the time, no offense to those who find that kind of thing to be interesting.
Oh, Fuck
-- greater than 1024 or so. Now you can have thousands of ports per TCP/IP interface. SP6 disallowed you to connect to one unless you were authenticated as an NT Administrator on the same box. To the man in the street, this is equivalent to Microsoft selling phones. But some models only have buttons numbered 0,1,2,3 and no more!!. Closing down all TCP/IP ports above 1024 basically completely F**ked up any and all applications that used TCP/IP ports above that. After you have done your research, read the RFCs etc then you will realise with acute embarrassment the idiocy of your post. SP6 broke the previous ability of an NT box to carry out every-day TCP/IP connections.
"And we all have unreasonably high expectations of MS"
What is unreasonable about expecting a product that works? Microsoft touts the security and the stability of their products in the press all the time. Is it unreasonable, therefore, to expect that the product is secure and stable? Or have we gotten to the point where it's taken for granted that what a company says about its product is a lie?
Don't forget that Friday is Hawaiian shirt day.
M$ knows about most of the bugs. They don't try to fix them until somebody outside finds them. That is why M$ will always suck.
BTW, this was reported yesterday morning on the UK ZDNET and BugTraq; it took the US ZDNET editors a day to catch on.... I patched my NT boxen yesterday morning.
Those numbers are just including the people who decided to vote. It also includes the 95% of people who lied :).
:(
There was a page a while back under "faq" or something (on the side bar) that displayed real statistics about what Slashdot readers were doing. I can't remember the exact number, but something like 80% or 90% or so were browsing from Windows; maybe 5% if that were browsing from Linux.
Rob took that page down, though
Hypocrites.
all gpl'd software is free
Hey! You wanna volunteer to come with us on our stickering party this weekend?
We've got the stickers all printed up nice and are ready to go.
The sticker reads:
" Don't be foolish! "
" This product can "
" be downloaded for "
" free on the 'net "
" or purchased at "
" www.cheapbytes.com"
" for $1.99. "
We're slapping it on retail Linux boxes at Best Buy and CompUSA.
Errr... no, it doesn't e-mail you, but Win/98 has a big ol' "Windows Update" function right on the start menu. Click it, and it tells you when you have important updates to install (particularly security updates). It also lets you download new features. Click the button and boom! Instant update.
And I haven't checked it out, but I wouldn't be surprised if they did have a mailing list to tell you when important updates are available.
--
...and then you won't be able to download it from their web site, like trying to download IE5 with IE2 that comes with Windows NT 4. I find it hilarious that Micros~1 switched to header-based web sites and didn't take into account (or did and just didn't care) that IE2 doesn't work on header-based sites, so trying to upgrade to IE5 just gives errors on their web site. Way to go Micros~1.
A patch has been available for at least two days. If I were you, I wouldn't rely on Slashdot FUD for patch info for Microsoft products. (It works both ways: you wouldn't look on microsoft.com for Linux kernel patches). MS released a security bulletin on 1/26 to people on the security bulletin mailing list. It takes weeks or months for patches to show up on the MS Update site, since they have to be formatted for the ActiveX installer, and even then they're usually saved for a service pack. See this article for specific bug info and patch availability.
-- i.e. you have to do something PDQ (Pretty Damn Quickly). With all the buttons close together, especially ones with totally different effects such as shutdown or restart, what are the chances of mistakes? Pretty high, I would think. I read once that a US Naval warship shot down an Iranian passenger jet because it acted very similarly to a military jet (the Iranian airport serviced both types) -- well anyway, it was reported in the post-mortem (how appropriate) that in the panic / rush the Naval Officer / Rating mistyped or miskeyed the firing instructions something like 15 or 16 times. Each time he got it wrong because he was rushing. Imagine the chances for errors when you have to do something quickly in Windows. MS should partition the GUI into different modes: Safe / Bullet-proof / Administrator mode. Only appropriate boxes should be available in each.
MSDs (hence the name MSDN).
Now I dont have to weed thru Signals thread for 20 minutes. Thanks Moderators!
It was a joke.
Once again, I long for "-1: missed the whole point". I don't know if geeks are inherently stupid or what, but there seem to be a lot of Slashdot readers with no sense of humour at all.
You must be the kind of person who buys tabloids at the supermarket and goes around telling everyone "hey did you read this?! Some alien chick in France gave birth to a 3000 pound elephant, and he's a Nazi and planning to take over Australia where he's going to signal Martians to come down and kill Jennifer Love Hewitt!!"
FOR THE LOVE OF GOD, MAN, IT WAS A JOKE! (oh if only Slashdot allowed blink tags)
One would think that they should have deployed wide, intensive security testing while still in development, especially with their bad reputation in security thinking in the past. The saddest part of it all, that really sickens me, is that most people buying it won't even care. I met a network technician a couple of days ago when applying for a job that didn't know what Novell was?! Not that Novell is THE OS for every purpose, but I thought that IS staff were well educated. Maybe Microsoft has noticed this and has calculated that security doesn't pay, since most people wanting security won't get near W2000. Do I have to say that I declined the employment? =)
Windows kinda sucks
Well, ok. Windows superfuckingsucks.
Windows NT sucks ass, it panics when it sees
hardware it doesn't recognize.
SP6 and TCP/IP ports above 1024 (accessed through the Winsock DLL 'wrapper'). SP6 cut the TCP/IP abilities of NT boxes to shreds. Even I understood the whole problem and I'm relatively new to I.T. Microsoft's own TCP/IP exam covers this type of thing. And you are telling me that their Q.A. people are no better (or even worse) than any old Joe who has studied for the MCP TCP/IP exam? Ever heard the term cognitive dissonance? It's when two irreconcilable facts are placed side by side. Well, guess what, I've just shown you a cognitive dissonance which disproves your post.
Wow, what's the big deal?! If there never were any security holes found, that would really be amazing!
You can't handle the truth.
As opposed to all those other companies that are quick to publicize their shortcomings...
Of course not! RedHat tells their investors that the revenue stream will be in bugfixes and support charges for their product. Obviously they consider their distributions to be "permanent alpha" products.
I find it ironic that people are willing to accept incompetence in software as one of the terms of doing business.
I agree completely. Microsoft is guilty, but I'd say almost every other software manufacturer is as well. Just about all software has bugs, some has more than others. It's the nature of the beast. And the larger a system gets, the more difficult it becomes to test everything. But this isn't a Microsoft problem in the least. Bugs happen. Everywhere.
The Good Reverend
The fact is that while a lot of people installed 2.2.0, it was much closer to a trial candidate than a gold release. Even after 2.2.x was released it was some time before an official distribution would be based on it, Linus knew that, and so in no way could that version be considered one that (like Win2K) the end consumer would be expected to buy.
These bugs are in the version that Microsoft expected people to pay money for.
Besides which, the bug in question was, "Crash Linux". It wasn't a remotely exploitable hole, you needed to already have access to the box to (ab)use it.
Regards,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
Give me a f*cking break. MS finds and patches the bug *between* the time they go gold and the time you can actually purchase it, and you are acting like it's a bad thing. If you ask me, the fact that MS has shown great response time in the bug fix reaffirms my confidence in Win2k.
And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.
Warning: I am a rational IT professional. Not only that, but I worked in QA for a few years (first with Sir-Tech Software, then with MCI-WorldCom).
I could talk at great length about rational versus irrational QA policies. (There should be an "Ask Slashdot" about how to properly QA a product...) But that's really not the issue here; good QA, bad QA, it all boils down to the same thing in the end.
At the end of QA, the QA Lead signs off on the project. What the QA Lead signs off on becomes the first version released to the consumer.
Period, end of discussion.
The fact that Win2K went gold means that the QA Lead signed off on it. The pre-release development cycle ended the instant the QA Lead signed off on it. Everything after the moment his/her pen left the paper is part of the maintenance cycle, not the development cycle.
In short, the exploit was found in a consumer release of Win2K. It doesn't matter if it was on the store shelves or not; when the QA Lead signed off on it, it became a final product.
Everything clear?
Windows 2000 will not ship for another 10 months, so you must prepare yourself for the experience. Buy NT4 now and make sure you are familiar with it so that the transition to Windows 2000 will not be shocking....
I dealt with NT4 so much and this is not shocking at all.
Yes you do. Every time they find holes on competing products, you all jump in to bash them. This is a passive aggressive way of promoting the security of your own products. In politics, this is the same as negative campaigning. Politicians do this when they run out of positive things to say.
Actually, bug reporting is a 'revenue stream' in the "give it away for free, charge extortion for support" OS market.
Ah, then you're saying Wired is wrong when they say that Windows 19100 is years overdue, rather than merely weeks?
Someone in this thread lacks credibility, that's for sure!
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
Uh, I think if somebody got into Amazon's credit card database because of a security flaw in the OS, Amazon wouldn't sit around and patiently wait until the end of the quarter for a disc with the fix. I mean, Jeff Bezos calls up Bob Young (this is a hypothetical example, I don't even know if Amazon uses Linux) and says "We have a security problem because of your crappy software!"; do you think Bob is going to say, "Alrighty, wait 'til April and we'll mail the disc out, buddy!" Does that sound logical to you?
And as for downloading it from the web, I would assume MS would also have that. I mean, they may be many things, but I don't think they're stupid enough to not post a bugfix on their website at this point.
___________________
rooooar
Erm. No offense, but RH 6.1 certainly is an operating system, at least in the same sense that W2K and all of its associated components are an operating system.
Additionally, at least one of the bugs is *not* in the NT kernel proper: the serious one was in Index Server. The less serious one appears to be in another information service, but may be in the kernel. The referenced article is not clear. These certainly are less severe than the remote root exploit available in lpr/lpd under RH 6.1.
EVERYONE was waiting and asking for the final build. As I recall it had broken soundblaster support and locked up a few times on me.
Only the State obtains its revenue by coercion. - Murray Rothbard
I will say this: it shows that open source not only gives us freedom, but it keeps MS on their toes.
Apparently, MS is taking Security seriously now because of some competition, but they should have done this a long time ago. All my NT boxes are gone, and I aint touching Win2k.
Good luck to MS, but I aint supporting them.
"If you have done 6 impossible things this morning, why not round it off with breakfast at Milliways" -- hhgg
Well. The more serious of these problems in W2K is not in the kernel. If you only want to consider Linux as the OS, then I'm willing to bet that an NT system with nothing but NTOSKernel.DLL on it is as secure as Linux, if not more so. It's pointless to argue that this problem isn't in "Linux" or that "Linux" is more secure, if you are only considering the kernel! You have nothing if you only have a kernel. You should be comparing apples and apples, not apples and a grape seed.
Microsoft has a better patch distribution system. At least they will if they provide something like the Windows Update site that is available in 98. That's something that the various Linux distros really, really need. Also, the speed of releases for security patches with 98 has been admirable. If they keep that pace with W2K then they will easily be competitive with the level of service provided by the various Linux distros.
Mandatory Access Control or Discretionary Access Control. W2000 comes with everything enabled etc. (I'm repeating what someone else said here). Now shouldn't it be that nothing is enabled by default? At least then the sysadmins would get an understanding of what they a) needed to run and b) whether they were actually running something or not. No, I think that any company that issues a product firmly in the DAC mindset deserves everything it gets.
Just kidding... I think.
Judge Pag, the Learned, Impartial, and Very Relaxed
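Two posts above make the same practical point from different angles: the sysadmin's job is to know what is listening on a box and to turn off anything its role does not need (no finger or wu-ftpd on a mail server), and a system that ships with everything enabled by default hides that inventory from him. The following is an added example, not code from this thread or from any of the vendors discussed: a small audit that parses netstat-style LISTEN lines and reports every service a host's role does not call for. The netstat output, the role allowlists and the port names are constructed assumptions for the demonstration; a real run would feed in `netstat -tlnp` output from the host under review and the site's own policy.

```python
# Added example: audit listening TCP services against a per-role allowlist.
# Not from the original thread. All sample data and policy below are assumptions.
import re
from typing import Dict, List, Set

# Constructed `netstat -tlnp`-style output for a hypothetical mail server that
# was installed with the distribution's defaults (finger and ftp still on).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      412/sendmail
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      430/ipop3d
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      301/inetd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      301/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      388/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      500/mysqld
"""

# Assumed site policy: the only ports a host of each role is expected to expose.
ROLE_ALLOWLIST: Dict[str, Set[int]] = {
    "mail": {22, 25, 110, 143},
    "web": {22, 80, 443},
}

# Well-known names for the report; the check itself keys on the port number.
PORT_NAMES: Dict[int, str] = {21: "ftp", 22: "ssh", 25: "smtp", 79: "finger",
                              80: "http", 110: "pop3", 143: "imap",
                              443: "https", 3306: "mysql"}

# Matches a LISTEN line: proto, queues, local addr:port, foreign addr, state, pid/name.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_listeners(netstat_output: str) -> List[dict]:
    """Return one record per LISTEN line: bind address, port and owning process."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, or a socket that is not listening
        listeners.append({"addr": m.group(1), "port": int(m.group(2)),
                          "proc": m.group(3)})
    return listeners


def audit_listeners(netstat_output: str, role: str) -> List[str]:
    """List every listening service that the host's role does not call for.

    Loopback-only binds are still reported, tagged separately: they are not
    reachable from the network, but the admin should know they are there.
    """
    if role not in ROLE_ALLOWLIST:
        raise ValueError(f"unknown role {role!r}")
    allowed = ROLE_ALLOWLIST[role]
    findings = []
    for l in parse_listeners(netstat_output):
        if l["port"] in allowed:
            continue
        name = PORT_NAMES.get(l["port"], "unknown")
        scope = "loopback-only" if l["addr"].startswith("127.") else "network-exposed"
        findings.append(f"{scope}: port {l['port']} ({name}) via {l['proc']}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT, "mail"):
        print(finding)
```

Run against the constructed sample with role "mail", the audit flags finger (79) and ftp (21) as network-exposed and mysqld as loopback-only, and stays silent on smtp, pop3 and ssh. The point of keying on the role rather than on a fixed "bad ports" list is the one the posts make: what is acceptable depends on what the box is for, so the same netstat output audited as a "web" host produces a different set of findings.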
Wrong set of standards. The typical Win2k user is not going to care that they have have to reboot after installing the patch. That is the status quo with Microsoft operating systems. Hell, over half the software I install in Windows 98 suggests/requires a reboot after installation.
sorry.... couldn't resist.... don't be upset ;)
"If we are unwilling to be aware of the dark, we cannot see the light" -- John Cowan
Maybe MS will one day learn that rushing themselves into releasing a product might cause problems. This is 2 bugs that are out before Win2k is out. And let's not forget that MS isn't open source, so if there are more bugs (guaranteed) that someone finds, then there will be more exploits and the only one to rely on for bug patches will be MS themselves. Guess it's yet another push for the Linux community.
Ignore the "p2p is theft" trolls, they're just uninformed
Do you use the phrase "so-called" to downplay the fact that the #1 distribution of Linux has a severe remote root problem by default? Or are you saying that the fixes available are not fixes at all?
Well, so much for the fear that they'd have really shaped up and created something good & stable.
For the record, I hated, not trusted, and associated all sorts of creative profanity with MS years before discovering Linux. One day in July 1995, I became fed up (and I was bored), so I downloaded and transferred to 80 floppies a copy of Slackware 2.3 ... a couple months later, it was over for The Empire.
Also, I keep hearing how there're security holes in Linux. I don't think it's Linux itself that has the security holes. It's the apps that are available for or come with most distributions that contain security holes. Now that (for example) MSIE is "part of the OS" in Win*, security flaws regarding that piece can rightfully be blamed on Windows itself. >:o)
I have seen a few security/DOS bugs that were the fault of the Linux kernel itself, but I can't even fill up a whole hand counting them. They've also been fixed within hours of being published.
--
--
Me spell chucker work grate. Need grandma chicken.
Open source will prove it has an edge in speed fixing ;-)
tom
They could also have TV ads if they charged for the software. By the way, have you ever seen X11? I find it a very formidable GUI, and it runs on Linux. I think Slackware, Caldera, RedHat, Mandrake, Stormix, and a few others ship with it and have it set up when you install, and have since its release a few hundred years ago (okay, that's a slight exaggeration, but it has been a very long time).
Go away Drestin Black, known Wintroll. Or should we call you Drestin "su only gives you root" Black. Stick to pornography and exploiting your wife for a dollar, you prick.
Windows is full of holes. Even spoolss.exe is vulnerable to attack. You can actually compromise a server if it acts as a print server (unless you patch properly). When is old Bill gonna wise up and actually hire on some folks with security auditing skills?
_______
"I think: Where am I?" -Descartes amongst the London Underground
haha no. netscape in linux takes the crown for that.
but yes, he was a dork
Stop it.... you're making me laugh.
Yup, that must be why some Microsoft ODBC drivers broke...
Ok, I have to ask - who in their right mind is running a news spool off of an NT machine?
Other than that, though, I have to say that I too am glad that MS is stepping up to the plate with security issues. Remember how they used to be? I think they've improved quite a bit in recent years, as far as responding promptly and issuing fixes. Of course, sometimes a bugfix will break another application - every programmer knows that. I expect that Win2k's security will probably be pretty good.
-lx
God knows I'm no fan of M$, but last time I checked the Beta period was the time that bugs such as these were *supposed* to be flushed out and fixed
What does Beta have to do with this?
The product is _NOT_ beta, it's been out of beta for weeks.
if it wasn't for your latent homosexual urges, i might agree with you, d00d
Least of all, 0.0!
"but we also don't go around popping off at the mouth about how secure our products are."
May I introduce you, oh solemn one, to your 99.9695% of Linux evangelical brethren? It's obvious you've never met before.
I personally hate MS products, but this should not incite a flame war. Nearly every program on the planet has some security problem; it is just harder to find them in closed source apps/OSes. Let's be adults, or act like it.
Stupid people do stupid things... Smart people outsmart each other... --System of a Down
And we all have unreasonably high expectations of MS
Expecting a product that is very expensive (sometimes in the thousands of dollars) to work properly and to be fully tested is not an unreasonable expectation. I expect certain things, yes; no one is perfect, but the fact that documentation is often hard to get or nonexistent, coupled with the fact that tech support is not free, is a problem.
There are bugs in NT, serious security ones that MS has known about, that they can't or won't fix because they would require major rewrites; they also don't mention these. That is something that there is no excuse for.
Bugs I expect, but evasiveness, unwillingness to learn from mistakes and an attitude that you're shooting their sacred cow I shouldn't have to deal with. That is my major issue with MS: that they release shoddy products and don't seem to care or want to always fix them.
this space for rent
I think some people are missing the point slightly. Linux has its benefits as does W2K. Linux is free and you can see the source code - W2K costs a lot of money and you have no chance to 'look under the bonnet'. If you're running a business you pay for services and software that you expect to work and fulfill the promises the vendor made you. If you're running a business and decide to implement something that 'a load of geeks' wrote which turns out to have some bugs, you have no one to blame - you got it free, understood and accepted the risks. W2K's entire thrust is into the datacentres and workgroup servers of major corporations to replace Unix and other tried and trusted OSes. The fact that W2K has bugs before it's even been released pulls the entire carpet of respectability from under it. No larger corporations would be interested in deploying Linux at the moment as they can't get any service providers to give them any guarantees. It's free, you can fiddle with it as much as you like, but if you want to run a business, buy services from someone offering a commercial version of Unix, preferably Solaris, with the support infrastructure to help you get on with the business of making money, not worrying what those whirring boxes in the back room are doing.
...that whenever a Linux security problem comes up (in ANY of the Linux packages, in ANY state of development), we will immediately see a headline in Slashdot about it?
SORRY! Just asking.
--
I shudder to think of the number of holes that will be found once the Solaris 8 source code is released to the general public. (possibly showing my ignorance if it already has...)
Casca
Don't go around finding holes before the danged thing has even been released. You're ruining all the future fun.
why you are so fucking gay, brah.
i mean at least try something happy, smiley, whatever instead of the same old shit. i mean, old is old, and new is not. so use new, which is not gnu, but newish in the sort of way which can't be controlled but only released in the spiritual tradition of the homey monks of carolina.
There are bugs in NT, serious security ones that MS has known about that they can't or won't fix because they would require major rewrites, they also don't mention these.
:)
If they haven't been mentioned, then how do you know about them?
That is my major issue with MS, that they release shoddy products and don't seem to care or want to always fix them.
I think there's a difference between some bugs and a "shoddy" (which to me says "poorly designed; rushed") product. And I think you'll find Microsoft is pretty proactive about fixing Windows NT and W2K. The bug-to-patch turnaround time for NT is about 16 days; that's less than Sun's average bug-to-patch turnaround time, and only just above Redhat's (~11-12 days).
-- "I believe the human being and the fish can coexist peacefully." - George W. Bush, 29 September 2000
It's about time Slashdot posted a problem with a Microsoft product. I'm so sick of seeing all the linux security problems posted here, it's good to see they are being objective and not abusing the power of the press. It would really FUCKING SUCK if a k-rad 'log like /. abandoned its neutral stance and started posting EVERY GODDAMN PROBLEM with Windows for NO FREAKING REASON. I mean, SHIT, I would seriously think about not reading such a piece of shit journalistic work. Yeah, Mr. Rob Malda, that means you, do your fucking job and get a handle on these losers that you let post these days. Yeah, you don't see Anonymous Coward here do ya!
This is not the greatest sig in the world, this is just a tribute.
quit whinin. youre just jealous cos redhat releases stuff which is far superior to your poor little M$.
Kinda like Netscape in Windows.
Trollmastah
This Anti- Karma HOWTO document explains how to not impress your fellow slashdotters
by getting low Karma. Although Anti- Karma HOWTO documents are targeted towards
use with the Windows operating system, this one is not dependent on the
OS used to access Slashdot.
This Anti- Karma HOWTO is a joke.
_________________________________________________
Table of Contents
1. Introduction
2. Tips
2.1 Comment Length
2.2 When to Post
2.3 Where to Post
2.4 What to Post - Avoiding Positive Karma
3. Maintenance Information
_________________________________________________
1. Introduction
Your Karma rating on Slashdot lies in the hands of the moderators.
This is your target, and as you'll soon find out it's quite easy to
manipulate and fool them into moderating you down. By following a few
simple guidelines you can soon surpass all the regulars, and eventually
get down there with the best of the first post and off-topic whores.
2. Tips
2.1. Comment Length
Perhaps the best tip in getting moderators to moderate you down deals
with the length of your posts. It's quite simple, always post very
SHORT comments and when possible, MAKE IT IN ALL CAPS. Many moderators equate
this with "Troll" and "Off-Topic", regardless of what you say.
Furthermore, moderators are MUCH less likely to moderate you up or leave
you at 1 if your post is short enough.
Also, use those invalid HTML tags! Nothing makes your post seem like a
wanna be karma whore than lack of whitespace. A really stupid signature
can also help out here. It is also very important to gain all
the credit you can for your trollish behavior. Please use your account.
The mail only needs to be used once
to gain the password
and if you only "FIRST POST" as AC, your negative karma will never add up.
2.2. When to Post
Timing is everything. Go for the gusto, spend most of your slashdot time
refreshing the main page. If you wait too long to post, almost
no moderator is going to have a chance to moderate it down -- no matter
how bad your post is! As a general rule of thumb, any comment posted
more than 15 minutes after a story is submitted will not be moderated
one way or the other (Trolls: this is your chance!) Open a text editor
and have your first post, rant or other completely off-topic comments
PRE-WRITTEN and copied to the clipboard. This will save valuable seconds
while you race for the prize! Be creative! Don't just tag a line that
says "First Post Dude!" or something lame like that. Look at the true
first post leaders. Mick the First Post Mastah, McDougal the Llama,
Trollmastah, Natalie Portman Guy, and the other regulars. They seem
to have style and are generally much more likely to be moderated down because of it.
2.3. Where to Post
After no extensive lab research in Slashdot moderation, some key
information was made up. Make sure all your posts are not top-level
posts! I cannot stress this enough. Anything posted more than
all the way down, won't get seen, and you'll
waste all your effort. The only exception is replying to the first
batch of comments, since they're sometimes moderated more thoroughly.
A bottom-level post is 16 times more likely to be moderated down than
a reply!
Under current moderation practice, the first two comments are often
marked as "Redundant" if they're not first-posters. Yes, I know
this defies the very meaning of the word redundant, but many (not all)
moderators don't seem to understand what redundant means. Leave this
area alone. People will just ignore it and your post will not be noticed. This happens
so often that one begins to think it's automated. Thus, strive to post
first or second -- all true Anti-Karma whores know that First post is prime
real estate.
2.4. What to Post - Avoiding Positive Karma
While the contents of your post aren't quite as important as comment
length, it does play a large role in the fate of your post. There
are a number of rules to follow when submitting posts to earn that coveted low
Karma:
1) Always take sides. Nothing will get you marked as
"Flamebait" faster than a controversial comment
(ESPECIALLY short to medium length comments, short
posts are generally OK regardless).
Always think you can take the popular side and get
moderated down. For example, it used to be
possible to take a side against Windows, or take
sides against Microsoft. This is no longer the
case - there are too many slashdotters now who
have moderator access and use Windows. Posting
an anti-Windows comment will even get marked as
"Flamebait" faster than an anti-Linux post these
days! Go for it! Slam both sides! a good link for this is
Scott Pakin's automatic complaint-letter generator
You should keep the drivel down to 2 paragraphs or less though.
2) Never Stay neutral (a follow up to #1). A good way to
get moderated down in almost any thread is to never summarize
both sides of the issue in one post. Not only are
these posts generally long, but they can even be
moderated up as "Informative"! Similarly, posts
with subjects like "it's all about choice!" seem
to play well with the moderators. Make yours creative.
Use subjects like "OH YOU SUCK" or "I THOUGHT SLASHDOT
WAS FOR X" These will help you on your ride to the bottom.
3) Never come across as insightful. Nothing will make you
appear more insightful than going against the trend
of the first 25 posts or so (this doesn't conflict
with #1, read on). This does mean you have to
take sides. A good subject example of this faked-insight
post is "Missing the point", in which you explain
all the previous posts are overlooking the big picture.
Avoid this at all costs. Also keep your comments as
negative as possible. "I agree" should never appear in your posts.
4) Use a Flamebait comment subject. Unless you're Natalie Portman Guy
(Anti-Karma God) and can get low Karma using "xxx Natalie" as your
subject, you'd better follow some guidelines.
Subjects like "This is a crock of shit (TM)" are
generally good if your post is fairly short. Others
that are moderated down included subjects with some
type of quote or cliche (e.g, "Linux Sux",
"Bill Gates Rocks!", or anything cheesy like that)
Another tactic that has recently become useful is
starting your commentary or subject with
"News For Nerds? Stuff that Matters?..". Don't
worry - you will not have to post anything controversial,
moderators will reward your trollish subject regardless of
what you say!
5) Find related sites to the issue at hand and post broken
links as soon as possible (remember, if you don't,
someone else will!). You don't have to go all out,
they can be general links that don't relate to the
article. Links to AOL, Pron or to your own company really
work well, especially if you make them "Spammish" in
their appearance. Things like "Surf the net and make money!
Come to my site at HTTP://Site.com. Also only embed
your links some of the time. Inconsistency really gets
their panties in a wad. Most moderators will mark it
as "Flamebait". Remember, always have your comments pre-packaged!
without even checking the URLs!
Also, if someone beats you to the first post with a list of
URLs, all is not lost. There's still a wonderful
opportunity for some Karma. An excellent strategy
is to reply with "you idiot, here are the corrected urls", in which you
lie and say the links they gave were wrong, and
you have the correct ones.
6) Always paste a portion of the sniglet of the article with
a little commentary such as "You Suck" or "KEWL". This will
always show that you didn't even click the real link to the
article and shows all that you just copied and pasted from
the top of the thread.
3. Maintenance Information
If you have any other ideas or tips for this Anti- Karma HOWTO, feel free to
share them and they may be added to this document.
Thanks
3.1 Contributors
Thanks to the creative first posters and all the trolls for their
suggestions to this "Slashdot Anti-Karma HOWTO".
Please. Not a bug in the OS, but a hole in the web application, that MS likes to pretend is part of the OS. MS should call them subsystems like IBM does. The US Military was toying with the idea of junking all this active/dynamic nonsense, and going with something plain and simple. More fancy features = bigger risk. They now have a damn good reason to think again, and stop accepting parcels of code/arguments/requests off untrusted outsiders to run on their boxen. I know our mailroom checks out all incoming mail for bombs, but the same cannot be said for other subsystems. Why bother having a firewall, when the mailroom will cheerfully forward anything? As for bugs in MS, linux developers know of lots of errr design features, and stay mum about them in fear that MS will plug the hole breaking things - like shifting port addresses around. You can have MS, you can have the latest and greatest, but don't expect it to be secure. The fault lies with the one demanding fancy.
I could have sworn there were bugs just like this under IIS 4.0 for Windows NT 4.0. Vulnerability in IIS... blah blah... access to page source... blah... sensitive data... blah. Do they even migrate their previous fixes to their development code?
Linux's security model? You are referring to distribution-specific bugs, which Red Hat is famous for. Get a better distribution if you don't want to deal with security problems.
Microsoft Win2K security holes:
:-)
*pop*
*whack*
*pop*
*whack*
*pop*
*whack*
Problem is most mole-whackers don't even know where to find the mallet, much less how to use it
If you can't figure out how to mail me, don't.
For linux tips: http://www.linuxtipsblog.com
Yes Microsoft has come a long way. For example, they now have a page and patches specifically dedicated to security issues (rather than sneaking undocumented fixes into the next release or just not doing anything), and they now pay someone to answer security-related e-mail (rather than sending messages to the recycle bin).
Furthermore, they've actually taken default permissions somewhat seriously under Win2000, rather than letting every br0ken Windows 95 application run as they did with previous versions of NT.
However when you say Microsoft "has come a long way", remember that 2 years ago they were completely unconscious of security issues, so anywhere is a long way.
--
Business. Numbers. Money. People. Computer World.
If linux is far superior, then why is it that about 3% of hardware out there is supported????
linux is an infectious disease
Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.
LOL! Oops... I think you're right. Still, the placement of the "quick go look it up" is next to the PLETHORA (in all scream-caps), and I hadn't read the "linux security sites" at that point in the sentence, so I think most computer language parsers would back me up on my interpretation. :)
--
While I don't agree with this comment...It's pretty damn funny!
-- with comments like that. We were not all born perfect you know. The Commander-in-Chief might get all the salutes but I've known far stronger and braver souls who struggle with disabilities not of their own making.
Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
I'm changing mine to:
"Free Mandela!"
You like? Why not?
notice how its moderated up for "funny"...
people scare me sometimes
Draw what conclusions you like from this episode, but I'm looking at the facts of particular case:
1) security hole found prior to ship
2) security hole reported to MS on Jan 17th
3) tested patch issued and publicized Jan 28th
That sounds pretty decent to me.
-konstant
Yes! We are all individuals! I'm not!
s'true!
Why aren't the security holes in Linux (e.g. in Red Hat 6.1) reported on slashdot? Do most slashdot users use Windows instead of Linux, or is slashdot backed by the multi-billion dollar Linux companies to spread FUD??
Any system as large as w2k is bound to have problems. It's good that these problems are found before the release, as all are. MS has a great reputation for pouring hot grits down Bills pants while he watches Natalie Portman movies.
Win2K went gold already; this is what's getting shipped to users.
s'true!!
i have proof!
In the mainframe world, most everything starts with no access by default. You install the product, and have to grant access to most everything. If MS did this the phone lines would melt with complaints. Maybe they need to fork the code: MS-Joe Blow edition, and MS-High Security edition - damn - they could really milk some more revenue out of the govt...
IE5 is rock-solid, fast, and far better than anything that can run on Linux (Nav, Mozilla, or Opera).
Some day the story of the IE5 "fun fork" will be told...
Errr... no, it doesn't e-mail you, but Win/98 has a big ol' "Windows Update" function right on the start menu. Click it, and it tells you when you have important updates to install (particularly security updates). It also lets you download new features. Click the button and boom! Instant update.
And I haven't checked it out, but I wouldn't be surprised if they did have a mailing list to tell you when important updates are available.
first off that is if the active x controls on the site don't crash your ie (yes active x on microsoft's web site crashes their browser). and the update is far from instant. plus the fact that the updates have updates within days i've seen. if you want to get into an argument about how ms update works i'd be glad to go at it. tech support puts food on my table. i know the ins and outs of windows 3.x, 95a, 95b(osr2), 98, 98se, and most of NT. hell dun has several bugs follow it since 1.1 and they are on 1.3... hrm...
and sorry unless you pay them big buck$ you aren't getting anything like that. and i bet you'd pay out the a$$ for it if they did have it. and btw, check out mandrake's updater. nicer and cleaner than the slow hard to use activex windows update page. so if single click goto updates is ready then mandrake is well beyond ready. since it's defaulted onto the desktop not even hidden in the start menu.
and it's not just click and get it. nor are all the features good. installing ie 5.0 on a machine totally screwed it up from that page. i had to go and reinstall windows to get the machine to run again. and you can bet it wasn't my machine that needed that.
--
dead angel
i am strange people. -me
spreading linux lovin' since 1998!
'cuz if you get caught, you're going to jail.
All new software has problems. The bigger the evolutionary step, the bigger the problems. Expect more. But don't be rectal about it. No OS is immune. How long has RH 6.1 been out? Couple months? And yet there's a list of 9 or 10 security fixes (that include several remote root exploits) up on RedHat's web site.
And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.
The Slashdot Wrestling Federation Inter-Continental Champion
Wow thanks for telling me about that hole that allows root access ! I'll get right on it! whoops I dont use corel linux!
I guess Linux != Corel Linux is wrong!
I better stop ending all my sentences with !
Lars -
oh man, is *that* true!
Upon seeing the box was too small, Schrodinger's Elephant breathed a sigh of relief.
i think so, too!
You are forgetting something here: It takes the Windows team a LONG time to fix a bug like this, making it a serious issue! When the last DoS attack was discovered against Linux, it was fixed in just over 8 HOURS. NT? 6 weeks, from first posting on Bugtraq.
That disparity makes the case here. It IS a big deal on Win2k. It's not a big deal on Linux, because a fix WILL be out in less than a day.
Linux: How to GET where you want to go today.
Hey Rob, Thanks for that tarball!
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
I'm getting sick of how people are saying that Linux rulz and MSN SUX etc. etc. etc... and quit bashing Windows for Christ's sake! I AM JUST PLAIN GETTING SICK OF "MSN SUX" and all this other offensive stuff. I feel sorry for you, this is gay as it gets.
you know, you and your troll aren't funny. in fact, very few of the slashdot trolls are funny.
And if you're serious, well, you need perspective and a sense of humor.
I'm really TheCodeMaster. Please moderate my other posts.
Where does this affect the average slashdot reader ?
There will always be security alerts, in all OSes, so what? Admins (crackers) should read the appropriate sources to learn about them.
Free Jon's computers !
gotta believe, brah!
you clearly havent used it recently. 97% of all hardware is supported now.
I mean, honestly, "Security hole found in wu-ftpd" would be a lot more valuable headline to most people than "New minor release of the kernel", and would happen a lot less often.
Linux is going to get a bad name someday because millions of people out there have distributions which install with tons of (often unneeded) services on, and don't know enough to subscribe to a security mailing list or check for updated packages. It doesn't matter if Linux gets security fixes within 24 hours, if most people don't install them within 6 months. No Linux distribution that doesn't come configured to automatically check for, notify users of, and help users install software updates should be considered "ready for the desktop".
Yes but M$ has 15 people working on security for 30 million lines of code. I'm sure they can find "all" the problems. I can read 2 million lines of code in a week, so what's the problem? Yet another release before it's ready. Let's see -- 30 million lines of code with a programmer able to debug and check 10 lines per day (to maintain a program) with 15 people is 150 lines per day... Oh, I forgot, what about Y3K?
So what, i use windows? Big deal. At least I don't worship satan
Since formatting the HD is typically making a filesystem in the windows world, then step 1) would be to make a new FAT32/NTFS5 partition. Why would anyone want to run Linux on a FAT filesystem?
I think what you mean is nuke the MRICROFTS~4 partition and slap the Linux native and Linux swap partitions in its place. mke2fs is usually invoked to create a Linux filesystem on the native partition. I'm not sure how useful FORMAT.COM would be on a Linux system.
Lars -
You should read the alt.os.linux.* newsgroups. I personally stay far away from RedHat, as it contains too much software bloat for my tastes. Yes, Linux supporters are vocal against MS, but many of them can also be vocal against Linux.
As for ''bashing the new product'', I'd wager that the 2.4 linux kernel won't get as much abuse as W2k is on /. And you can also bet that if it does suck, it will get bashed. :-)
Every time I hear about these security bugs, I often wonder about the bugs that don't go reported but are exploited amongst a small group of script kiddies or distributed through the underground. Does finding these bugs require considerable skill that the script kiddies lack and responsible security analysts who will report it have? Admittedly, I don't know much about security issues and how they work... maybe everything goes into a log so that it's impossible to keep something secret, but I'm just curious. But if it were possible then which OSes would be more vulnerable? OSS OSes which have the source there to be seen by everyone, or OSes like win2k which many ppl have something against?
--
# I have no brain
I can't believe you guys!
You are allways making fun of Windows.
Have you forgotten the news from earlier this week?
"Corel hurries to fix Linux security hole"
http://news.cnet.com/news/0-1003-200-1533081.html?tag=st.ne.1002.
Look at the problems kernel 2.2.0 had. It was supposed to be the final stable build but they rushed it before New Year's or Christmas or whatever. Anyhow, it took until 2.2.5 for something stable.
Only the State obtains its revenue by coercion. - Murray Rothbard
IIRC, many people questioned that survey because it measured the time between a company acknowledging the existence of a bug and its patch. That gave an advantage to the decidedly user-hostile approach of denying a bug exists unless a solution is in sight.
I'm not claiming that MS does this, but Red Hat obviously can't drag its feet when other distros acknowledge the existence of the bug in their releases. So RH will always be forced to be honest, and any company that admits to year-long lags is obviously fairly honest.
As for "scrounging the net" for fixes, you're either using the wrong distro or not using it correctly. Depending on your connectivity, you should be automatically notified within hours or days of any upgrade on your distro's security site.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Mr. English Colonel, tellin' me to lose weight! Ooh, I'm a hard case, he says! Well listen up, city Jeff! I ATE A BABY!!! Oh, aye! Baby! The OTHER other white meat! Baby! It's what's fer dinnair!
That wasn't even remotely close to being a troll. Lots of Linux users are like Mac users - they see only the good in their own OS and only the bad in other OSes.
It's like Lisp, but with a more Pascal-like syntax! Easy to use, and powerful: that's what I want in a language!
See Gwydion Dylan for an open source version for Linux!
nuff said :)
Use it, man.
he has a clue. you do not. please stop posting.
...that will give those 15 men of tain...er... microsoft security something to do for a while. :)
Pax -- Ob
Or do you spend all your time sadly trying to come up with plots to tackle a faceless, nameless company?
Linux's security model needs improving, too.
Quoted from lwn.net:
"...goes on to point out that the problems fixed in Red Hat's recent update to lpd were originally reported in this advisory, dated October of 1997? Ouch."
Read the whole story
Oh man, you are always, soooo funny. Highlight of my day :)
doesn't it support petrification as an addon? or is it part of the base package?
one thing I noticed about this article..
the guy from Cerberus says that intruders can get access to certain files - users can get around this by erasing unnecessary files, but a "race condition" occurs if a 'hacker' accesses that data before the user deletes it.
uh-huh. so a Race Condition is when a hax0r beats you to the file before you delete it? yeah. these guys know what they're talking about.
Isn't that the problem? W2k is so large that it's now next to impossible to do good QA on it. I can't speak for BSD, but in Linux most pieces of software are relatively independent, so that QA only needs to be done on that particular piece of software.
Well duh, Windows 2000 is big, but it's also highly componentized, even the kernel is. Windows 2000 isn't one big source file you know, there are many divisions working on various parts of Windows 2000. COM+, WTS, Explorer, GDI etc etc.
Yeesh
Well, if you fire a cannon inside a barn, you're bound to hit a wall...
One person pointed out that the patch would "break" the news system. Of course this one person is quoting ONE other person who had a total of ONE experience with this supposed "break". Another person points out that the second security issue Microsoft knew about "for weeks" when I believe that the article stated that "users" had discussed it for weeks but only recently had Microsoft been officially notified (how true this is I cannot attest). The point here being that some of you are quoting single sources with no verifiable data to back up a conclusion or mis-quoting sources (intentionally or unintentionally). Please pay attention to your facts.
EVERY OS has its bugs (Beta, GOLD, Developers release, what have you). The things to remember are these. Any Microsoft OS is going to be picked apart for bugs for reasons A) Huge number of computer users using the software B) People who want to find anything they can wrong with Microsoft's software C) People willing and able to sit in front of a computer for hours to find any exploit for ANY system. D) People who will shout from the rooftops someone else's flaws (before their own of course)
Now when Linux gets to the point where it offers all of the features Windows does (and don't tell me it does now cuz my ATI video card will tell you different) including an easy to use/configure GUI and continues to run faster than Windows with less code. Then and only then can you start shouting from the roof tops that Linux is king. Don't get me wrong Linux is great for what you can do with it, but lately I've noticed that the companies bringing linux into the mainstream are raising the prices (linux 79.99 compared to wins 99.99) and raising the system requirements along with it. So the lighter, faster, better argument is running out of steam (quick). Of course the argument is "well look what you get for your money" but isn't that the same thing MS has been saying for years too.
Think about what you are going to say, research it, back it up with fact, think about it again. Then say it!
"Do not be swept up in the momentum of mediocrity." - anon
As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K only bug which is how /. wants users to perceive it. That's not accurate or fair.
.htw files until the patch can be applied.
So the fact that the bugs are in existing products somehow makes the bugs OK? Or are you just saying that because it's Microsoft, we can expect it, but that it's unfair to expect bugs in Microsoft products in newer ones? What exactly are you trying to prove here, that Microsoft has a bad rap for holes in new software, or that Microsoft software has a bad rap for holes in existing software? Does it really matter?
I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.
Basically, in addition to the lengthy 1-2 hour installation time that is expected, and the downloading and installing of updated drivers which is almost expected (as new hardware drivers get old fast also) one is also now required to get online immediately after installation and download patches for software which was broken before it was sold? Instead of engineering better products from scratch, we'll just give the users a permanent connection to a database of corrections and act like it's their fault if they forget to "update" once a week?
You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.
The perceived damage potential may be low, but a security breach is still a security breach. If Microsoft is going to make a product and market it as a secure server operating system, and it is not secure virtually from purchase onward, regardless of the degree of insecurity, they HAVE lied to the consumer. Underestimating the power of the cracker or even the script kiddie is generally a bad idea.
The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISSAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassociate
This doesn't seem obvious to me. Should an administrator really be required to compensate for the quirks or poor design of the system? Particularly true of Microsoft software, which is both expensive and marketed primarily as a simpler solution?
Don't take this the wrong way--it's not a flame. But people don't dislike MS's software so much as the hypocrisy. They pretend as though they are producing powerful, easy to use "solutions," yet more often than not, we are given costly systems which are difficult and counterintuitive to configure, subject to security holes inherent in poor design, and unable to provide non-destructive patches due to the archaic monstrosity which they are patching. Sure, it's their fault--they haven't rewritten Windows in a long, long time; a friend of mine suspects that there is probably still Pascal in there somewhere. But if they are going to try to sell us a powerful easy solution for large amounts of money, they had better be able to provide it.
Daniel
the .ida and .idq bugs are in a dll that's deprecated. No good developer will choose the old schema of idq and htx files to get indexserver results, but will use asp for that. So the extensions can be removed from the webserver and no patch is needed.
:)
Ah, well... the mud flies already
Never underestimate the relief of true separation of Religion and State.
One single reply on a talkback forum on a fudsite tells that it breaks something else.
;)
:) (together with all the other extensions like htr etc. remember that bug? :)
That's a really reliable source to me.
If you'd have looked deeper into the problem, you'd have known you could have protected yourself easily the way you already SHOULD have protected yourself: by removing all the extensions NOT NEEDED by the websites on your server. It's simple. It's even stated in the idiot-proof security manual by MS
So if you did everything right, you'd have used ASP for the indexserver queries, and you'd have deleted the idq/ida extensions
Never underestimate the relief of true separation of Religion and State.
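As an added defender's check, not code from the thread or from any of its posters: a small Python scanner over IIS W3C extended log lines that flags requests reaching the deprecated Index Server mappings (.ida/.idq/.htw, plus .htr as mentioned above) or the sample-site tree, and records whether the server still served them, since a 2xx after "hardening" means the mapping or directory is still live. The log lines are constructed, and the sample-tree path /iissamples/ is an assumption.

```python
"""Added example: scan IIS W3C extended log lines for requests that hit
deprecated Index Server ISAPI mappings or the sample-site directory.
Constructed sample data; not real traffic and not the thread's code."""
import posixpath
from typing import Dict, Iterable, List

# Extensions the posts above recommend unmapping on a hardened web server.
RISKY_EXTENSIONS = {".ida", ".idq", ".htw", ".htr"}
# Sample content the posts say to delete or rename before going public
# (path assumed for this example).
RISKY_PATH_PREFIXES = ("/iissamples/",)

# Constructed sample log in IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-02-10 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-02-10 12:00:01 10.0.0.5 GET /default.htm - 200
2000-02-10 12:00:03 10.0.0.5 GET /iissamples/default/default.htm - 200
2000-02-10 12:00:07 10.0.0.9 GET /null.htw - 200
2000-02-10 12:00:09 10.0.0.9 GET /query.idq - 404
2000-02-10 12:00:11 10.0.0.12 GET /products/list.asp id=3 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.

    Directive lines (#Software, #Date, ...) carry no requests and are skipped;
    the #Fields directive defines the column order for the lines that follow.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("request line seen before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def classify(uri_stem: str) -> str:
    """Return the reason a request URI is risky, or '' if it is not."""
    stem = uri_stem.lower()
    for prefix in RISKY_PATH_PREFIXES:
        if stem.startswith(prefix):
            return "sample content still reachable"
    ext = posixpath.splitext(stem)[1]
    if ext in RISKY_EXTENSIONS:
        return f"deprecated Index Server mapping {ext}"
    return ""


def find_risky_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per request that touched a risky extension or path.

    'served' is True for any status below 400: the mapping or directory
    answered, so the hardening step has not actually been applied.
    """
    findings: List[Dict[str, object]] = []
    for row in parse_w3c(log_text.splitlines()):
        reason = classify(row.get("cs-uri-stem", ""))
        if not reason:
            continue
        status = int(row.get("sc-status", "0"))
        findings.append({
            "client": row.get("c-ip", "?"),
            "uri": row["cs-uri-stem"],
            "reason": reason,
            "served": status < 400,
        })
    return findings


if __name__ == "__main__":
    for f in find_risky_requests(SAMPLE_LOG):
        state = "STILL SERVED" if f["served"] else "blocked"
        print(f"{f['client']:<12} {f['uri']:<35} {f['reason']} [{state}]")
```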
Why don't we get a weekly update on Linux exploits and only bias pieces about MS problems? You could start by checking out: www.insecure.org
ok, so I am replying to my own thread again, so sue me.
I just want to remark/bitch about the moderating that goes on here at slashdot. I had one of the first 10 posts to this article (and actually it is one of the first threads to actually make a joke about the issue when you take out all of the trolls and first posts) and it is marked redundant.
I just want to thank the moderators who don't bother to be responsible and think before they moderate. I wouldn't be upset if my comment had been marked overrated, but redundant....that is just stupidity on the moderators part.
As to the idiot who marked it flame bait, I think that I already established that in the post.
I think that moderators should be held accountable for their privilege. I am all for having the ability to have moderators justify why they moderated a post accordingly, not just meta moderation. People need to loosen up.
--------------------------------------------
Please give your mod points to others, I'm at the cap. They will appreciate it more
Actually this version has been out for a while. 2195 was set back in December I believe. 10 days is not too shabby to get a fix out either. I read an article recently that compared bug/security fix release times between MS, RedHat and Sun Solaris. RedHat had the quickest turn around time but MS was only a couple paces back. Sun took more than a year in many cases to fix problems. Scott McNealy was too busy bashing MS at some schmooz fest. While this sounds good for OSS, I believe MS has the right to develop their OS in a proprietary manner. This might slow the process down a bit for fixes and such, but consumers (the people who buy computers these days, not /. geeks) need to be able to find these patches quickly and from a limited number of sources. I hate scrounging the net for all the fixes required for my Linux system, that's one of the reasons why it's still a hobby OS for me; that and Linux doesn't have Adobe After Effects, Photoshop or Premiere and I just couldn't go on living without those programs.
I'm sure somebody must have explained what the acronym QA stands for, somewhere earlier in the discussion, but I can't find it. My guess would be Quality Assessment but I can't be sure.
Although Slashdot likes to say that there are security hazards with Windows, it's really an exaggeration.
Ok. I don't know how you figure that it's an exaggeration, but let's have a look at what you're thinking here.
I read an article about Unix permisions helping stop viruses but with Windows we have something far more powerfull.
Oh? And pray tell - what is this powerfull [sp] thing that you have that Unix/Linux doesn't?
Microsoft format is graphical where Linux does not have a graphical user interface [GUI].
Ok, I really don't know how this makes a damn bit of difference. (There are GUIs for Unix/Linux, but they don't have tendrils extending into every layer of the system.)
This makes hacking a W2k more secure becuase things are not stored in plain text.
Bullshit. All it takes is a little effort to learn the formats (and if you have a W2K box, reading those data formats isn't that hard a proposition)...
Instead MicroSoft stores things in fancy graphical text. This makes it harder for hackers to read.
"Fancy graphical text"? Uhh. I think you mean binary config files. That's no protection. There's a name for that though - security by obscurity. It's no security at all.
Linux should really work on making a [GUI] then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI.
That's a laugh. Like we care about ads on TV. Linux works just fine for those of us who want it for the advantages it provides (a lighter-weight system, without the GUI bloat), and GUI frontends are available (think of the GNOME and KDE desktop environments).
Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprize readiness" and "intuitive network applications" and "erp" that Windows does.
"[R]eal time" stuff is the domain of real-time OSes (think QNX). Right tool for the job. And "enterprize readiness" [sp]? Enterprise-readiness is a very subjective thing - but Windows NT (Win2k, whatever) isn't it - if you want high-end computing, you best be shelling out for a higher-end box, like a Sun or HP UNIX server-class system. ERP is just bullshit - just another pretty acronym to sell to the suits.
Just my 2 shillings.
That's about all it's worth, too. Really, come on - you're much too in love with GUIs.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Here's the biggest Linux exploit: http://www.bedope.com/stories/0082.html
It's been said before by others in this thread, but I'll say it again here (whoever posted this bit earlier, kudos).
Not one of those fixes affected the kernel. They may have been in relation to one or another package, but they weren't security fixes in Linux.
There's also the point that security issues and other bugs in Linux and other free software are an integral part of the evolution process of those packages/systems. On average those fixes are published far faster than fixes for Windows. Those fixes do not destroy other functionality in the fashion of this newest patch or SP6.
And, I should mention, that there are far fewer of them necessary for Linux and similar packages than there are for Windows. How many security updates have there been for NT this year, anyway? 6?
My point is that security mistakes happen. The speed and effectiveness of those responses pretty well defines how secure an operating system is, since someone's always going to have a new attack. Fixes to Linux packages are fast and clean. Windows fixes have this nasty habit of breaking other parts of the OS.
Either way, Microsoft blew it.
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
Chris Tembreull
"My karma just ran over your dogma."
All operating systems have security holes. Before their release, and after they've been released. So that doesn't make W2K anything special.
I guess the only interesting question is how quickly will Microsoft patch these holes, and how well do they do it.
Don't forget ðe use of non-standard character encoding. MS knows ðat ðe “real” lesson from IBM is ðey lost ðeir non?opoly only after ðey allowed ðe users, curse ðeir black hearts, to use ASCII instead of EBCDIC.
ðat's why all commercially successful OSes will use special characters for “smart quotes,” display kerning, and the like.
Linux, of course, supports ðe stupid ISO-8859-x and CJK standards. ðat means any system can edit any file. Ffools.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Does this matter AT ALL?
Do you really think anyone is going to use a
Microsoft product in a context where security is
important? This is like saying, "Oh no! My
Nintendo's CPU has a rounding error!"
Duh! IT HAS BEEN RELEASED. At least to PC vendors. This is the commercial, non-beta, first release of Win2K we're talkin' 'bout here.
I never asked for 90% of the things that Office purports to do. Am I being unreasonable to want software that doesn't tip over five times a day?
Office is the only software that Microsoft produces which caters to 10% of its target market all of the time - rather than putting in features for the 90% case.
Why?
Because it's the only product they make where everyone in their target market requires a completely different set of features - any given person will probably only use 10% of the functionality available. However, take any of it out, and they're cutting out a massive chunk of the market.
Also, with the new installer, things should be more stable - because it forces better encapsulation of the underlying code (because you can install it in nice feature-sized chunks).
As for tipping over over five times a day? What the hell are you doing to that poor thing? I've never seen Office crash once never mind five times in a single day!
Simon
Coming soon - pyrogyra
I think this entire comparison is dumb.
With Windows 9* you get one CD with some nice programs like Paint and Calculator, Minesweeper, etc. You then had to buy or steal any other software you needed. The system even without any extra software had bugs and security holes. If you look at most major Linux distributions you will notice that you get a hell of a lot more software. It would be interesting if one stripped a Linux system to equal the functionality of a default Win 9* system (software wise). Then you can look for security problems and bugs.
I have been using Linux at home for more than 2 years; the reason I switched is because I wanted something like the Sun server I use at work but for use at home on a System Administrator's budget. The Sun servers have not gone down in 2 years unless we take them down. (yes they are on UPS)
I must say also that some good things are coming out of Linux being pushed into the spotlight even if Linux would fail (I don't think it will ever go away). It is causing Microsoft, Sun and most other major vendors to produce a better product. Things take time. I think within the next 5 years there is going to be something better for everyone to use. I don't think it will be Windows, Linux or Solaris but I am sure that it will be Unix-like, which is cool with me.
Thanks Flame away....
--
Joshua Curtis
Lancaster Co. Linux Users Group
My question is why do they have this kinda thing..
I mean.. how many engineers do they have over there at microsoft..
I look at what a few engineers/programmers/whatever can do, and then hear about all the people they have employed over there. They should easily have things down...
After all it's what they're getting paid for..
Is this a double standard.. no.. I don't think so.. the Linux developers haven't been as arrogant as the Microsoft folk (don't confuse Linux developers with Linux evangelists).
Boggle Microsoft!
There's a simple quick fix available that will patch ALL Microsoft bugs...
:)
It's 2 steps...
1) Format HD
2) Install Unix/Linux
Your system is now bug free
The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
But anyway, was there a point somewhere in all of this? No?? OK then, let's return to our regularly scheduled rant about how Linux is waaaaay superior to any Microsoft product, never has bugs or needs updates, etc. etc.
I wish people would stop helping Microsoft out by reporting bugs before they release the 40+ million line behemoth. If I had my way, I'd secretly record the bugs and then teach those Win2K adoring freaks a lesson AFTER it's been released. On the flip side, these people should spend their time trying to crack linux so Linux gets the benefit of all those prying eyes. Microsoft has enough $$$, why should we do free beta testing for them?
Blender And Linux Fan
...now this is something I won't do too often.
But in the comments here you're probably going to find a zillion people saying the equivalent of "MICROSOFT IS EVIL! You won't find this in Linux/Unix/*BSD!".
And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.
Of course, Linux, *BSD, etc, all have bugs, it's just that they're fixed sooner and I think we all have more tolerance for bugs found on free systems. And we all have unreasonably high expectations of MS, because they're a bunch of corporate bastards (look at their history!) and because most of us probably support alternate OSes.
Of course, the thing that *really* worries me about this article is the fact that one of the bugs was apparently known for weeks before MS even admitted it existed; now that kind of thing is sloppy, and they deserve whatever criticism they get for it.
However in this case, this is great news, because two security holes were found even before the release date of the OS.
In fact Slashdot and other Linux sites often relate Linux security problems.
For instance, look at Linuxtoday: you see security alerts almost every day.
I just don't understand why there are so many persons complaining about this article.
Maybe Microsoft decided to combat the OSS movement and contracted a lot of people to read newsgroups and sites like Slashdot, to start posting favourable comments.
I use Linux to AVOID Windows, why must we keep discussing Windows? It's enough to make a grown man use FreeBSD ;)
:)
...
Really though, I use Linux because it suits me for the kind of problems I use computers to solve, no politics, no zealotry, no bullshit. Windows is crap, we know that much. So don't use it.
Quite frankly, I'm self centred, if anyone else uses W2k, well, they are just making life hard for themselves, and I can be smug about that
Well, just my 2c
What country are you from? In the US politicians go negative because that's what wins, period.
Good god, man, it was a joke.
It's kinda obvious, IMHO, when somebody misspells enterprise and waxes about non-programmed features, and states things that are clearly not true.
And, I would disagree that Windows is nothing more than a GUI on top of DOS; from a programming standpoint, DOS provided nothing more than file access functions and the most basic OS-related routines (who here still remembers INT 24h...) whereas Windows provides an abstraction layer - which you refer to as shit, but if you'd rather do VESA and BIOS calls and direct screen writes rather than GDI calls, for example, you need mental help. Much less some of the other things that Windows APIs do very nicely for us coders, such as TWAIN. Or using Windows sound routines rather than manipulating a DSP manually, and god help you if it's not 100% Sound Blaster compatible. For the coders, as much as we hate the instabilities and quirky behavior of Windows OSes, it's better than DOS by a long shot.
Granted, I'd rather be working in Linux, in that I prefer its architecture over Windows, but that's me. For normal users you MIGHT be correct, if you don't do anything in Windows that you couldn't do before in DOS with a bit of elbow grease. For coders, Windows is still far and away better than DOS. (IMHO not as good as X though.)
Like you can climb in and out of it as easy as a window on somebody's house.
cat
WindowsUpdate doesn't have server related stuff. Try http://www.microsoft.com/security
>>according to one of the talkback posts on ZDNN, the patch creates a new problem with Windows 2000 news server service. Did anyone else notice that the talkback poster is the infamous Joe Barr? Why would anyone believe anything he said?
This is not surprising, and reeks of FUD and propaganda created by those who claim most bad press about Linux is FUD.
Considering anyone can run into the kernel code and hack away at any moment on a non-beta release of Linux, I guess it would turn back into beta in that particular installation.
I find it particularly funny that Linux people are so anti-MS, they don't even want to pay attention to the fact that there is always the right tool for the right job. Some jobs work better with Linux, some better with MS products.
You can rant and rage about MS all you want, but there are security issues in all OSes regardless of their lifecycle state. You can detect all detectable bugs, but you can't detect undetected bugs.
It's the fix. It took them this long to produce a patch that breaks something else? The security flaws are an annoyance, but every OS has them. On top of that, these were only read-only problems, yes, theoretically even capable of user password grabbing, or credit-card grabbing, if someone was really stupid, but not as serious as the countless root compromises out there for your favorite POSIX OS. Now, I'm sure Win2k has plenty of these too, but that's not what we're talking about here. Now what IS sad is that they took 2 weeks to patch it and they couldn't do it right.
WARNING: there is a trojan on your
*Sigh.* If only I could get OS X for x86. . .
I just went to the Microsoft update site from my Win2K box (legal off of the Select CDs) and only found a couple of multimedia type apps. No critical updates, no general updates, nothing. Now since they are probably going to do this the same way that they did 98 (making it a royal pain to get updates without the web site) this could be very annoying on servers. "What do you mean I have to launch IE5 on all of my servers independently to get SP78?" Can't wait 'til we're told to roll this out all over the company :) Les Weinmunson
I can't read this article using mozilla M13. That's all Thanks for your down moderation
- Bill Gates, former CEO, Microsoft
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Zero. It was not made for a once in three years release unlike Windows 2000 which was pressed in December, and to be released on 2/17.
Although Slashdot likes to say that there are security hazards with Windows, it's really an exaggeration.
I read an article about Unix permisions helping stop viruses but with Windows we have something far more powerfull.
Microsoft format is graphical where Linux does not have a graphical user interface [GUI]. This makes hacking a W2k more secure becuase things are not stored in plain text. Instead MicroSoft stores things in fancy graphical text. This makes it harder for hackers to read.
Linux should really work on making a [GUI] then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI. Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprize readiness" and "intuitive network applications" and "erp" that Windows does.
Just my 2 shillings.
Mandrake has had its MandrakeUpdate util for a couple versions now. So at least one distribution has such a util.
ARTICLE 1: Microsoft will soon revolutionize the computer market by announcing the first service pack for a product before they even begin work on it. If the product is vaporware, it will be called "buggy vaporware".
ARTICLE 2: I started writing this article in IE, but, even though I had to re-identify myself and cut-and-paste, finished it in Mozilla. Why? Not for fun! I had to do so because my typing speed is literally ten times the top speed that IE can put in words. My comment was butchered!
--
This is a MS Index Server bug. Totally different.
What a sad day, Windows is being torn apart by our greedy government. You people should be ashamed of driving leader away from m$! He brought us such great products as Windows 95, Windows 98, and soon to be Windows: Breaks every 5 minutes! For shame! All of you people who have strayed from the path of our leader and use this Linux idea should be sent to the m$ HQ for immediate reprogra....I mean to be given a raise! If all of us could just use Windows then the world would be a better place. I remember once when I used Linux, but it was a terrible experience. It tried to make me stray from the path of leader. It tried to brain wash me with that Penguin they sent me. It was casting a spell on me when I was sent an urgent message stating that I was needed in the HQ right that instant. I quickly got in my car and drove there. I don't quite remember what happened in that white-green building, but I sure felt a lot better when I came out. That is why we all must convert back to Windows if you already haven't! Praise the leader! We love you! Drone #- 4452319
Life comes not from the heart, but from the women around you.
If there is any non-bias at /. then this post will not be moderated away. No flamebait or trolling, just wanna clear a couple of points up, ALL using the provided story URL.
#1: The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services).
As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K-only bug, which is how /. wants users to perceive it. That's not accurate or fair.
#2 The bug was discovered AFTER W2K went gold. They have released a patch for NT4 and W2K both that works right now for both. So, before W2K is released there is a fix. I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.
#3) You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.
#4) The exploit itself was reported to MS promptly and fixed quick. The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassociate .htw files until the patch can be applied.
Why don't we get a weekly update on Linux exploits and only bias pieces about MS problems?
you clearly haven't used it recently. 97% of all hardware is supported now. Unfortunately, the 3% of hardware that people actually buy isn't.
On the other hand, if you mean kernel services, a lot of things run as a kernel process under Win2000/NT. The TCP/IP system has had numerous bugs in NT4. The TCP sequence numbers, for example. It took Microsoft two hot fixes and several months to get it right. The first hotfix for the problem actually made it WORSE, making it even easier to spoof a connection to an NT machine. A number of NT core services run in the privileged Ring 0 on the Intel platform for performance reasons, whereas most UNIX daemons are almost always implemented in user space (ring 3) where memory protection can occur. Microsoft's core selling feature has always been the speed at which it's supposed to operate. C2 certification was a joke (who runs a network server with networking capabilities disabled).
Check out Microsoft's support site about all the "known" bugs in Windows 2000. It's frightening. 187 known bugs affecting Windows 2000 to date, and it's not even shipped yet.
I used up all my sick days, so I'm calling in dead.
The reason I have "unreasonably high expectations" of MS is not because they're a bunch of corporate bastards (which of course, is not to say that I think they aren't :), but because those are the expectations they have built. Through their advertising and public relations, they have made certain assertions about their products. I only hold their products to the standards that follow from their assertions. Now if they can't live up to those expectations, maybe they should try a little truth in advertising.
Is Windows.... Nuff said. And there is still a solid 3 weeks or so before the product is even launched....Perhaps they will launch SP1 along with it ......
How is this a troll? If its not pro linux, its a troll. Thats slashdot for ya.
Agreed. I'd also add that this is a prime example of why programs without source and open, critical, and lengthy public review shouldn't be trusted.
Hell, I don't even trust some open source programs with undocumented protocols! (Napster was one of these till just a few days ago...and I'm still waiting on it for a little longer.)
Exception: OK ... maybe if the source for the communications part, with the rest being open or closed ... but I'd think that's a minimum for some reasonable level of confidence. Anyone want to comment on this?
I've always been partial to "myriad."
Myriad is somewhat unique in that it can be used as a noun or an adjective. e.g.:
"There is a MYRIAD (quick go look it up) of linux security sites, as well as *BSD security sites."
but one can also say:
"There are MYRIAD (quick go look it up) linux security sites, as well as *BSD security sites."
Also nice would have been "INNUMERABLE," "COUNTLESS," and "SUPERFLUITY."
Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.
___________________
rooooar
I think this issue has been debated to death, but once again I can't help but point out the design flaws in "Security thru Obscurity". If MS would just open up their source and let us peek around I'm sure we could sniff out all those nasty bugs.. err I mean "FEATURES"
Any ideas?
Will in Seattle
you believe in Santa as well, don't you ?
I'll believe we'll see more fun stories in the coming years, as everyone and their sister gets Internet cable access...
... and problems start occurring.
... and responsibility lawsuits as well.
... not that most Linux distros are immune to the problem as well.
Security: either you're secure, or you're not. There's no such thing as `more secure than the other'. A single hole is all it takes.
Will people stop comparing Win2k to linux kernel x.x.x? No bugs have been found in the Windows 2000 kernel (yet.) Bugs have been found in the daemons^H^H^H^H^H^H^Hservices it starts by default, but that happens to all linux distributions.
However, I don't really think that is much excuse for Micros~1. Everything they release has been written in recent years, when being careful about buffer overflows is a well known programming concept. Software which is based on 10 year old or more code (like sendmail and wu-ftpd, I think) at least has the excuse that it was written before most people had reason to think about security. (of course, there isn't really much excuse to run them, given the existence of new MTAs written during the age of security (as it were:), like exim. ftpd replacements exist too.)
So, Micros~1 windows 2000 is like a distribution with some buggy programs and some configuration errors in stuff which runs in the default system. This is unacceptable, given that you are paying money for Win2k. It doesn't bug me too much to have a problem with a linux distro, because the problems get noticed and fixed in the next release of the distro. Micros~1 will be selling win2k CDs which come set up wrong for a long time. Redhat probably sells almost no CDs of rh6.0, and rh6.1 has most/all of the known security problems fixed. This is different from shipping a rh6.0 cd with a cd which upgrades it to 6.1, since it is easy to not bother doing the upgrade, especially for newbies who were overwhelmed enough by the install! Debian, of course, is the best for this. You install off some old CDs, then you apt-get upgrade and all the fixes/new versions of stuff gets installed. It's so easy even a newbie should be able to manage it. EVEN NEWBIES WHO DON'T READ CERT OR BUGTRAQ WILL GET FIXES INSTALLED easily. This is very important.
Some people have commented that every system needs to have a competent admin who reads security warnings and stuff, so it is ok to have lots of stuff enabled by default. This is all well and good, as long as linux or win2k is only used on company servers. Linux is used by people with cable modems who don't really have a clue (some people clue in after a while, but they didn't know enough when they first installed.) Even for a good admin, it is much easier to not have to figure out what is already going on, and to be able to say, "I want mail, web, and ftp, so I'll install the packages for that, then enable it in the config files", than to say, "gee this machine seems to be running a web server already. I wonder what J. Random Hacker on the 'net can get off my machine right now?". Having to know about everything there is and then portscan your machine to see what you have just seems like a really silly arrangement to me. But remember, it should be possible for people who are just learning to install linux without worrying about getting cracked into. (and without having that happen without them knowing, let alone worrying, about the possibility!!!).
So, given that win2k is targeted at everyone, not just servers (I think), Micros~1 looks really dumb. Joe Newbie has no idea he is running insecure.exe as a service. Well, I've gone on long enough. I hope that made sense, but I'm sure my ideas jumped around faster than I could type, so I probably screwed up somewhere. Hope it makes some sense:)
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
Did you do anything with the original Wizardry, or was that before your time?
I have tried it... and I wasn't too impressed. It is slow, inefficient, full of holes, and highly unstable. I think I'll stick with my FreeBSD for another year or two. Maybe by then, when Windows 2002 comes out, I'll take another look at switching over. Actually by then Windows will have implemented a Linux kernel so I guess it won't really be "windows" anymore now will it.
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com
Nathaniel P. Wilkerson
www.haidacarver.com
Supported, yes.
But it works like shit, mostly, compared to Windows (especially gaming-wise).
That'll change in time.
then i guess no operating system is ready for the desktop.
Not really. Win98 comes close, at least. All that missing network functionality at least means there's less to break, and Windows Update means you can get patches when something is found broken, whether you're a security expert or not. Sure, in Windows' history it's been susceptible to remote-crash attacks more often than not, but I can't recall more than a few times it's been possible to "root" a stock Windows box remotely (not counting third-party products like mirc and ftp servers).
With Linux there's so much stuff open to the net by default that it seems like there's a remote root exploit every year. If you're security aware you'll be able to install the fix as soon as the world knows about the problem, but if you're not you're just a target.
updates are the user's responsibility. why should everyone work double for the lazy ppl?
Because that way we don't have a ripe population of insecure Linux boxes for viruses and worms to spread through?
Because that way Linux looks better in the press?
Because lazy people buy things like Unreal Tournament and CivCTP, and thus get companies to port those things to Linux so we can buy them too?
Because we have lazy or non-computer-geek friends and family whom we'd like to stop using Windows (and stop bugging us when it crashes), and we can't personally see to the security of every one of their machines?
Because distributions who do work double for lazy people sell more copies and make more money.
So we can achieve world domination! Duh.
Because sometimes *we* are inadvertently the lazy people. Deadangel, I notice your computer may be on a new distribution with no security updates required (and ssh installed; good for you), but the fact that you've still got telnet and linuxconf ports open to the net doesn't bode well for the future. (Sorry for the nmap, BTW; I hope you don't have any paranoid TCP/IP logging enabled)
Finally, because having the operating system checking its own security in a cron job means we have one more thing that the computer is doing for us, which is just technically better. Users shouldn't have to monitor a security mailing list when the computer can do that (and update programs from cryptographically signed packages) for us.
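The kind of check the post has in mind (a cron job that reports what the box is exposing to the net, e.g. the telnet and linuxconf ports the nmap above turned up), as an added example that is not part of the original post. It parses the `/proc/net/tcp` table on Linux; the sample table, the port-name map and the list of "should not face the net" ports are this example's own assumptions, and the byte-reversed address layout is the one x86 (little-endian) kernels print.

```python
"""Cron-style audit of listening TCP sockets, parsing the /proc/net/tcp format.

Added example for this thread, not code from the original post. The sample
table below is constructed; the service names and the "should not be on the
net" list are this example's own assumptions.
"""
import os
import socket
import struct

LISTEN_STATE = "0A"  # value of the 'st' column for a LISTEN socket

# Assumed port names; only used to make the report readable.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 98: "linuxconf",
              513: "rlogin", 514: "rsh"}
# Assumed list of cleartext / admin services that should not face the net.
RISKY_PORTS = {21, 23, 98, 513, 514}

# Constructed sample in /proc/net/tcp layout: telnet (0x17), linuxconf (0x62)
# and ssh (0x16) on all interfaces, smtp (0x19) on loopback only, plus one
# established (st 01) ssh connection that is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1021 1 c1234000 300 0 0 2 -1
   1: 00000000:0062 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1022 1 c1234100 300 0 0 2 -1
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1023 1 c1234200 300 0 0 2 -1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1024 1 c1234300 300 0 0 2 -1
   4: 0A00020F:0016 0A000201:B31E 01 00000000:00000000 00:00000000 00000000  1000        0 1025 1 c1234400 300 0 0 2 -1
"""


def parse_addr(hexaddr):
    """'0100007F:0062' -> ('127.0.0.1', 98). On little-endian hosts the kernel
    prints the IPv4 address as one host-order 32-bit word (so it reads
    byte-reversed); the port is plain big-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def exposed_listeners(table):
    """Return (ip, port, name, risky) for LISTEN sockets bound to a
    non-loopback address, sorted by port."""
    found = []
    for line in table.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        ip, port = parse_addr(fields[1])
        if ip.startswith("127."):
            continue                             # loopback-only is fine
        found.append((ip, port, PORT_NAMES.get(port, "?"), port in RISKY_PORTS))
    return sorted(found, key=lambda entry: entry[1])


def report(table):
    """One line per exposed listener, suitable for cron to mail to root."""
    lines = []
    for ip, port, name, risky in exposed_listeners(table):
        flag = "RISKY " if risky else "      "
        lines.append(f"{flag}{ip}:{port} ({name})")
    return lines


if __name__ == "__main__":
    # On a Linux box read the live table; elsewhere fall back to the sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    else:
        table = SAMPLE_PROC_NET_TCP
    for line in report(table):
        print(line)
```

Run it from cron and let the output go to root's mail; an empty report is the goal. Against the sample it lists ssh, telnet and linuxconf on 0.0.0.0 and flags the last two, while the loopback-only smtp listener is left alone.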
Are you always so combative? We're not even on opposite sides of the argument, you're going further in-depth on the same point I made, yet "I'm talking bullshit" and the "realise with acute embarrassment the idiocy of your post" bit is just flat-out abusive.
If you want to make a point, do so. I don't see the reason for personal attacks. We don't need this antagonism on /.
I wasn't stupid enough to install sp6 until it had been in use for a couple of weeks and the problems had shaken out, so I didn't bother to read all of the RFC's. Why should I?
Take a fucking Valium and relax.
CNN Entertainment
/. is finally getting to it? WOW!
Submitted: 2000-01-13 19:41:04 Win2k virus out already (articles,microsoft) (rejected)
This isn't a development kernel or an "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.
Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!
However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The actual fault is with the Index Service which is available with the Windows Option Pack on NT 4.0 and happens to also be included with Windows 2000. To me, this is not a fault with Windows 2000 but with an optional component.
Had Windows 2000 even been thought of yet, would people still be making such a fuss? Or are they simply out to bash the 'new product on the block' because it ships with a component that has an error.
You don't see people screaming about RedHat when they release a distro that contains and installs a buggy program by default. Hell, last time I installed RedHat it installed that crazy Gnome thing that has more bugs than an African river.
I guess I'm trying to say that this is simply being ridden for all people can get out of it in order to bash Windows 2000.
God knows I'm no fan of M$, but last time I checked the Beta period was the time that bugs such as these were *supposed* to be flushed out and fixed(?).
So, as much as I'd love to, I can't feel too much glee over a security hole found in a Beta operating system. Of course, when they (prematurely) release Win2K and the gazillion other security holes rear their nasty little heads, I'll be right there with everyone else laughing my butt off.
Any MS vice president will tell you that the govt. is preventing MS from innovating. If the govt. would only stop extending copyright and patent protection to MS, then MS could "compete in the market place, not the court room." When I grow up, I want to be Chief Software Architect, just like Bill Gates, only better looking!
On national TV no less.
Of course, anyone who's had to deal with NT knows how hard to laugh at such a proclamation.
Yeah, that seven year development cycle was really pushing it. Win2k has been in the works almost as long as Linux has (from the beginning). Microsoft took their good old time with this one. If you're going to blame anything, start with the amount of code that went into this thing. What was the last count, 17 trillion lines? I'm amazed there are only two security holes.
Don't get me wrong, I'm not making excuses for the Redmond boys, but you kind of have to expect some bugs to slip through a project of this scale.
My other
ach, there's enough unknowns in any modern system to enable some interesting office politics - I've decided that politics is: defending your party leader's right to get away with murder while pointing out your opponents are unfit for office because they didn't dot an 'i' in one report. However, it is MSFT that constantly makes outrageous claims that they can't live up to in adverts - my employers are constantly drooling over cheap-assed consumer pc garbage and the software that runs on them, and it keeps me busy with a zillion tasks running around fixing things! I love it! MSFT defects are my job security! Thank goodness I can keep my guerrilla Linux boxen for serious work between fixing the employees constantly breaking video-business games!
The Scarlet Pimpernel
try { do() || do_not(); } catch (JediException err) { yoda(err); }
The point is that this is a security hole - in an operating system that was promised to be secure. Further exacerbating the problem is that this software Is Not Beta. It is a GM release, and there is supposed to be a world of difference between a beta and a GM product.
Were this software a real beta, then it wouldn't require a downloadable patch when it finally hits store shelves. Win2k will - unless, of course, Microsoft is planning to destroy all existing shrinkwrap copies before they hit the shelves and issue a brand new GM, one which incorporates the patch. Instead, anyone who purchases Win2k will have to go download an upgrade.
There's a huge difference between beta and GM, and that difference is called "proper testing". Learn it. Live by it. Unless, of course, you make a practice of considering improperly tested, thoroughly buggy software to be of release quality. In which case, I wish you all the luck in the world. You're going to need it.
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
"My karma just ran over your dogma."
What Canada do you live in? Win98 upgrades are approx $130 CDN. Linux distros vary in price but I've seen a lot of them in the $30-$40 range.
You should get out more and look around.
NO! MSIE for solaris (sparc) gets the award for the most buggy software. Would not run for more than 2 minutes, then core dump.
Start it up, and the CPU pegs at 99%, the damn thing can't even keep its window refreshed.
The current Slashdot moderation system is made by gay communists!
my, you are uninformed.. this concerns the gold code, that shipped to OEMs already.
Juln
Is that a reference to Tommy Lee Jones' dialogue in "The Fugitive?"
Just curious.
you think they are gonna open all of them boxes and crush the CDs? i think not.
What kind of a fucking moron lets hackers^H^H^H^H^H^H^H crackers into his/her machines/network in the first place? The tools are there for you to lock it down, now use them. If you didn't know that, maybe you should:
a) not be a Linux systems administrator
b) not work in the IT field whatsoever
c) go back to windows
Lars -
Word on the street is, in fact, Win2000 RC2 is what is actually being shipped. I can't wait for all the "updates" and "patches". I had RC2 on my machine for TWO days... I'd rather not go into the stress of REMOVING it... as far as I can tell, it's NT4 1/2 with "fadey" windows. Feh.
mstyne: real name, no gimmicks
You don't pay primo money for a development linux kernel, either.
Windows 2000 will charge you up the hiney - once for the client version, and once for one of three server versions, and yet you get these huge, gaping bugs.
--- Grow a pair, liberals... stop letting the Republicans bully you!
Actually securityportal.com did a study on this and found out that security fixes for redhat and debian were released much faster than MS. Go root around their site for a while; you should be able to find the article.
I think this is due to the fact that MS spends the first week of any discovery denying the thing exists or stating that it's irrelevant and Redhat just puts up the patch.
War is necrophilia.
Officially released or not, W2K is widely available. They've found two holes in a layered service, and they're sending out patches in a fairly reasonable amount of time.
One can argue about the wisdom of turning on unnecessary services, but that problem is not unique to Microsoft. When I installed SuSE, I had to go and basically clean out inetd. Still nothing terribly new there. That's unfortunate, but it's an industry-wide problem.
There will be security holes in W2K. If Microsoft responds more quickly and openly, and the holes are in add-on services rather than appearing systematically in the core, then maybe they're finally learning their lesson. My guess is that they'll do better than NT4 (they've really been taking a beating over this) but not as good as the better Linux/Unix distributions. But that's just a guess, too. Time will tell.
See "Testing Computer Software" by Cem Kaner et al.
-Stu
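The "clean out inetd" step from the post above, as an added example that is not part of the original post or of any distribution's install: it lists which services an inetd.conf actually enables and comments out everything not on an allow-list, keeping the original lines so a service can be re-enabled on purpose. The sample inetd.conf is constructed, and the allow-list (here only ident) is this example's assumption; the post does not say which services to keep.

```python
"""Audit and harden an inetd.conf, as the post describes doing by hand.

Added example for this thread, not from the original post or any distribution.
The sample configuration is constructed; the allow-list is this example's
assumption (the post says nothing about which services to keep).
"""

# Constructed sample in classic inetd.conf layout:
# service  socket_type  proto  wait/nowait  user  server_program  args
SAMPLE_INETD_CONF = """\
# Default inetd.conf shipped with a late-1990s distribution (constructed)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# shell stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd -L
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popper -s
time    stream  tcp     nowait  root    internal
ident   stream  tcp     nowait  nobody  /usr/sbin/identd in.identd
"""


def active_services(conf):
    """Return (service, protocol, server) for every line inetd would act on.
    Comment and blank lines are skipped; everything else is a live service."""
    services = []
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            continue                 # malformed; inetd would log and skip it
        services.append((fields[0], fields[2], fields[5]))
    return services


def harden(conf, allow):
    """Comment out every active service whose name is not in `allow`.
    The original line is preserved behind the marker so it can be re-enabled
    deliberately. Running it twice gives the same result."""
    out = []
    for line in conf.splitlines():
        stripped = line.strip()
        is_live = bool(stripped) and not stripped.startswith("#")
        if is_live and stripped.split()[0] not in allow:
            out.append("# disabled by audit: " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", [name for name, _, _ in active_services(SAMPLE_INETD_CONF)])
    hardened = harden(SAMPLE_INETD_CONF, allow={"ident"})
    print("after: ", [name for name, _, _ in active_services(hardened)])
    print(hardened)
```

In practice you would run `harden()` over the real `/etc/inetd.conf`, diff the result against the original, install it and send inetd a HUP. The same idea applies to any "everything on by default" config; the point the post makes is that the default list, not the mechanism, is the problem.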
Debian's apt-get blows doors on Microsoft's "Windows Update." It's fast, clean and simple. Windows Update causes a headache sorting through lists of crap deciding on what is relevant to your installation. It's slow and clunky too. Debian's apt-get simply looks at what packages are installed and updates them almost non interactively from one of the many master servers on the net. It uses http which is a fast compact protocol for file transfers and doesn't need to run some clunky active X control to figure out what is installed on the system. I can always find a master Debian server just a few hops away. If Microsoft's network goes down, I'm out of luck. There is only one source and a single point of failure.
As for the price of distributions, they seem to want to make some money off it by selling free support and/or a book with the distro. There is nothing wrong with that, but I don't like the impression it gives to new users. (i.e. the impression that linux is expensive just like windoze. (it isn't because you can legally copy it, see below, and because you don't have to buy any more stuff to do useful work.))
Of course, the best way to get into linux is to find a local LUG, since you can ask questions, and get extremely useful info about how to set up linux to work with the local ISPs unfriendly setup. Even better, you can take your computer to a meeting and have some expert hackers work on getting your (random hardware X) supported, etc. Also, you can get someone with a fast 'net connection and a burner to make a CD of the distro of your choice for $2 a CD. (even ones like Stampede, which is available only by download. I don't know if Debian is being sold or not, I heard something about a retail Debian. (and I _don't_ mean Corel's linux.))
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
A prime number is a number divisible only by itself and one. For example the following sequence; 2,3,5,7,11,13,17. The correct phrase should be 'an easy way to obtain the prime factors of large numbers'. Quite different in meaning to the phrase from Bill.
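The distinction the post draws (finding primes is easy; factoring a large number into its primes is the hard part, and the part RSA depends on), as an added example that is not part of the original post. It builds a toy RSA key from two primes around a million, then recovers the private exponent from the public key alone by factoring the modulus with Pollard's rho. The seeds, exponent and message are this example's own choices; the attack finishes instantly at this size and is hopeless at real key sizes, which is exactly the point.

```python
"""Factoring vs. primality: why "finding primes" is easy and "factoring a
large number" is what breaks RSA.

Added example for this thread, not from the original post. The toy key
sizes here are chosen so the attack finishes instantly; real RSA moduli
(1024 bits and up) are far out of reach of this method.
"""
import math


def is_prime(n):
    """Deterministic trial division; fine for the small numbers used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n):
    """Smallest prime strictly greater than n: 'finding primes' is cheap."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Pollard's rho with Floyd
    cycle detection). Expected cost ~ sqrt(smallest factor): quick for a
    40-bit n, hopeless for a 1024-bit RSA modulus."""
    if n % 2 == 0:
        return 2
    for c in range(1, 64):             # retry with a new polynomial on failure
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found; is n prime?")


def make_toy_rsa_key(seed_p=1_000_000, seed_q=2_000_000, e=65537):
    """Textbook RSA: (n, e) is public, d private. Returns (n, e, d, p, q).
    Seeds are arbitrary; real keys use random primes hundreds of digits long."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e not invertible mod phi; pick other primes")
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return p * q, e, d, p, q


def break_rsa(n, e):
    """Recover the private exponent from the public key alone by factoring n.
    Returns (d, (p, q)) with p < q."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi), (min(p, q), max(p, q))


if __name__ == "__main__":
    n, e, d, p, q = make_toy_rsa_key()
    message = 42
    ciphertext = pow(message, e, n)
    d_recovered, factors = break_rsa(n, e)
    print(f"n={n} factors={factors} recovered d matches: {d_recovered == d}")
    print(f"decrypt with recovered d: {pow(ciphertext, d_recovered, n)}")
```

Bump the seeds to 10**9 and the attack still takes under a second; bump them to 10**150 and Pollard's rho would run for longer than the universe has existed. Nothing about finding the primes themselves got harder, which is why "an easy way to obtain the prime factors of large numbers" is the phrase that would matter.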
heh... sorry, that's one of the dangers of raising your threshold to 1... it looks like you were replying to my post, not the response to my post, which didn't show up because it was at 0. If I could, I'd hand you some informative points. :]
Here
---------------------------------------------
Jesus died for somebodies sins, but not mine
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
The fix is Here
I find it ironic how you said "development linux kernel." Key word, "development." This thing wouldn't (more than likely) happen to linux due to extensive testing by many. MS doesn't do this with windows. Win2k had only 15 security programmers checking the entire code base! 15, for crying out loud! that's a lot of code for 150 coders to security check in such a short period of time!
Quite simply put, Microsoft screwed up. The product hasn't even been commercially available yet, and there are already two security holes, one that is fairly serious. The thing is, if this WERE the beta version of win2k, it would be tolerated or even acceptable. Maybe praised even, since the bugs would be found before final release. But no, these bugs are in the commercial release. For the price that MS is charging, it shouldn't be defective out of the box and require repair immediately. That's not good for the customer, and it certainly isn't good for product reliability.
If this type of thing were to happen in Linux on an even numbered kernel, (they're all essentially developmental since they're always 'active' or open, right?) MS would have a heyday of FUD and there would be a great moral decline in the lands. Microsoft will probably get away with it, since they will try and hush it up.
*sigh* Little guys always get stepped on. But that's life. People should be a lot more angry about bugs like this than they are. I mean, two weeks is a LONG time to wait for a bug patch! Linux patches are out of the bag in less than a day, sometimes within an hour of the bug's discovery. I'm not aware of a single serious/semi-serious MS bug that has been patched in less than a week.
This was not intended as a MS-bash, although it may come across as one. Microsoft has won a lot of
-------
CAIMLAS
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers