Slashdot Mirror


Win2k Security holes found

According to a story posted by ZDNN, two security holes have been found on Windows 2000, and that's even before the official release of Windows 2000! Administrators who rush to incorporate the patch from MS beware - according to one of the talkback posts on ZDNN, the patch creates a new problem with Windows 2000 news server service.

335 of 553 comments

  1. Re:Gold Master != Beta, Unless You Live In Redmond by Shanep · · Score: 1

    Speaking of "gala" events. When Win98 was about to go on sale in Sydney au., hundreds of morons lined up for hours outside Harvey Norman to get a copy along with some crap "free" software.

    How many bugs were found in the 1/3 of the Win98 source code that was allowed to be viewed by a lawyer by court order? 3000? For only $99.95!

    People are idiots.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  2. Re:Why Did MS Stop Version Numbers? by iang · · Score: 1
    All this Service Pack 6, Option Pack 2 stuff drives me crazy with MS products

    Actually you've overcomplicated it a little. The 'Option Pack' for NT 4 is a collection of programs you can add to NT which are not installed as standard. (Stuff like the distributed transaction coordinator, the transaction server, IIS, that sort of thing.) This has nothing to do with the version - that's a bit like complaining that Linux 2.3.4 with Apache is a different version number from Linux 2.3.4. In fact with Linux you have the potentially more confusing situation where the versions of the kernel and the distribution you're running are different.

    The scheme they use is actually pretty simple - a product name, and a service pack number. They stopped putting version numbers into the main name of the product because their research indicated that this confused people - separating the product name from the release seemed to go down better.

    And hey, it discourages them from charging for the bug fixes, which they used to do with carefree abandon.

    --
    Ian Griffiths
  3. Re:QA != Quality Control anymore by dublin · · Score: 2

    QA= Quality Assurance. (Spelled Qwality some places I've seen ...)

    This replaced the previous term "Quality Control" which fell from favor in the mid-80's right after Car&Driver made a barbed comment about how it was a good thing GM had such a good Quality Control program because "after all, we wouldn't want it to get out of hand..."

    Within a matter of months, Qwality teams across the nation had improved their processes for the naming of Qwality teams and QA had displaced QC. If they had just worked half that hard to improve real quality instead of just improving their image. (If I sound jaded, it's just because in my experience, Qwality teams are the closest thing you'll ever find to Dilbertian thinking in real life...)

    --
    "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  4. Re:Yes, But How Can We Use This To Create Chaos? ( by WillAffleck · · Score: 1

    Would we have to fight against Maxwell Smart then?

    Sure. You take Maxwell Smart, I'll take 99.

    --
    Will in Seattle
  5. Re:Then Redhat robs people too....What? by fsck · · Score: 1

    BC. What good is a win98 upgrade when I don't have Win98 Version 1, Win95, Win95a, Win95 OSR2, Win95 OSR2.1, or Win95 OSR2.5? Last time I checked the upgrade didn't work on Linux. The full retail Windows 98 SE is fucking expensive. Sure I could get a pirated copy, but I don't have to. Unfortunately other people do buy it, and smile when they pay 300-400 dollars for it.

    --

    Lars - ...I could always phone Linus when I had a problem.
  6. Re:The Doc Sayz by xant · · Score: 1

    That's as good a definition of economic-politics as any I've heard.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  7. Predjudice. by Fict · · Score: 4

    Of course, had this been a development linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc. I don't care so much when people reply with remarks such as those made in the story, but I prefer to have un-biased story posters.

    ------------------

    1. Re:Predjudice. by kugano · · Score: 1

      My feelings exactly. I am a bit disappointed in Slashdot here. What we are dealing with here is a dual standard. Subscribe to the Bugtraq mailing list and I guarantee you will see many bugs of this caliber in UNIX software. Do all of these deserve a mention on Slashdot? Certainly not.

      Why should Microsoft be held to a higher standard than UNIX software developers? The answer: they shouldn't. While it is sad that Microsoft has such a poor security track record, I believe Slashdot should learn from this and at least try to apply the same standards to all.

      --
      kugano
    2. Re:Predjudice. by Bogus+Nick · · Score: 2
      Just another case of bias by Slashdot. Did they report on the HUGE security hole in Corel Linux? Of course not, negative stories about Linux don't get posted here.

      http://news.cnet.com/news/0-1003-200-1533081.html?tag=st

    3. Re:Predjudice. by Le+douanier · · Score: 2


      Of course, had this been a development linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc.

      Nope, nothing compared. If you actually had read the article you would know that this affects final versions too; this is more like having a bug in the 2.2.0 kernel before any Linux distro issues a distro using this kernel. This would still be a stable kernel but not yet available in the form of a distribution.

      --
      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
    4. Re:Predjudice. by Bogus+Nick · · Score: 4
      And how is this different from the security hole in Corel Linux? Hmm, the Linux hole is worse, and it wasn't reported here in the land of "linux is perfect and has no flaws". If it isn't a slam on Microsoft it isn't fit to post on Slashdot.

      http://news.cnet.com/news/0-1003-200-1533081.html?tag=st

      Even The Register is saying how good Windows2000 is and they aren't exactly fans of MS over there.

      http://www.theregister.co.uk/000124-000012.html

    5. Re:Predjudice. by ArsonSmith · · Score: 1

      far more aggressive or do they just have far more reason. If we are to equate this to the problems found in the 2.2.0 kernel release that was fixed in less than 24 hours compared to this much larger problem in w2k that was there for more than 2 weeks before they did anything for it.

      ArsonSmith

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    6. Re:Predjudice. by valis · · Score: 1

      And all you have to do to get a copy is join MSDN. 'Managing to get a copy' is about as challenging as scrounging together 500 bucks and clicking your way to msdn.microsoft.com

    7. Re:Predjudice. by Fat+Cow · · Score: 1

      MSDN universal subscribers can download it legally

      --
      stay frosty and alert
    8. Re:Predjudice. by pspeed · · Score: 1

      "Why should Microsoft be held to a higher standard than UNIX software developers?"

      Because they asked to be.

      Linux: "Yeah, we will have security bugs. That's why we have thousands of developers constantly creating patches for this sort of thing."

      Win2000: "It will be so bug free and secure that you will never need one of those patch things. We are finally taking security seriously. No, really this time. Last time we said that we weren't as serious as this time."

      The fact that it happened to MS is just gravy, the real story was the subtle irony involved.
      Educational sig-line: Choose rhymes with lose. Chose rhymes with goes. Loose rhymes with goose.

      --
      Edu. sig-line: Choose rhymes with lose. Chose rhymes with goes. Loose rhymes with goose.
      Comparing? THEN use THAN.
    9. Re:Predjudice. by Wah · · Score: 2

      Of course not, negative stories about Linux don't get posted here.

      of course they do, you just did it. And if you'd taken the time to add tags, even the really lazy people would see that all new OSes will have bugs, ofttimes catastrophic ones.

      'course I'm on your side for this one, the editorial comments on the headline for this story are horrendous.

      --
      +&x
    10. Re:Predjudice. by MWright · · Score: 1

      On the other hand, the reverse is equally true. When there's a problem with Linux, we disregard it, yet problems with Windows (like this) are considered a big deal.
      People from one group, in general, dislike the other, and thus want to make their problems seem small, and the other company's problems seem big.


      -----

      --
      "But really, I think life is just a game of Mao Nomic." -Purplebob
    11. Re:Predjudice. by chewbca · · Score: 1

      smurf, the other blue meat

      --
      -- "This is my sig... there are many like it but this one is mine"
    12. Re:Predjudice. by Endymion · · Score: 1

      > Black smoking meat is what you get when you frag a W2K box.

      Is that anything like the Black Meat from "Naked Lunch"? ^_^

      --
      Ce n'est pas une signature automatique.
    13. Re:Predjudice. by Mija+Cat · · Score: 1

      You said Cat, The other white meat.

      I take offense.

      Meow

      --
      Yes, that's really my e-mail. Don't change a thing.
    14. Re:Predjudice. by Miguelito · · Score: 1

      And how is this different from the security hole in Corel Linux? Hmm, the Linux hole is worse, and it wasn't reported here in the land of "linux is perfect and has no flaws".

      You do have a point about it not being reported... however that's not a Linux problem but a Corel implementation problem... if I'm reading the article correctly.

      --
      - My favorite error message: xscreensaver, running on an old Sparc 5 w/ 8bit color: bsod: Couldn't allocate color Blue
    15. Re:Predjudice. by Carbon+Blob · · Score: 1

      Salmon, the other pink meat.

    16. Re:Predjudice. by Shanep · · Score: 1

      In-fucking-sightful!?!?

      A dev linux kernel is named dev for a reason, does not cost the earth, or promise the earth. The bugs get found and fixed much faster thanks to open source. And there is no fucking cover up of the fuck up. Open source programmers put pride of code quality first, Mega$haft puts saving face first to allow for their number one goal of making money.

      And what's more, with the price Mega$hit charges for this CRAP, there should be no fucking bugs period.

      A dev kernel is a dev kernel. Microsoft has never had anything other than a dev kernel, and charges like the light brigade for it.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    17. Re:Predjudice. by fsck · · Score: 1

      [xcp@mandelbrot /tmp]# ls -l Win2k_Service_Pack_1/
      total 1020
      -rwxr--r-- 1 xcp users 1037752 Jan 28 16:05 Q251170_W2K_SP1_X86_en.EXE*

      My clock isn't off and the date is January 28, 2000, not JUNE. And that is the name of the file that you download when you use Windows 2000 and want to fix these bugs. The naming convention implies that this is Service Pack 1 (SP1_X86)

      --

      Lars - ...I could always phone Linus when I had a problem.
    18. Re:Predjudice. by Paolo · · Score: 2

      FYI, if you belong to MSDN (aka a MS developer partner) you can now download the retail Win2k for development. As for "illegal means", some developer has violated his NDA and TOS for MSDN. The real problem with security bugs is that Win2k has gone RTM (Release to Mfg) which means the copy that is vulnerable will be shipping with new PCs with Windows 2000.

      --
      "In individuals, insanity is rare, but in groups, parties, nations, and epochs it is the rule." -Nietzsche
    19. Re:Predjudice. by BamaPookie · · Score: 2

      Of course, this isn't a "development" release of Win2k, it's supposed to be the stable* release. This one is supposed to be ready for primetime.

    20. Re:Predjudice. by QuMa · · Score: 1

      Not only that (I have two cats, not for consumption), but I doubt the meat of cats would be white when cooked. All other white meat is from birds....

    21. Re:Predjudice. by lubricated · · Score: 5

      Yeah, but you probably didn't know that win2k is "ready for prime time"; Microsoft put out gold CDs already. The final version of win2k is out to those who have managed to get their hands on it. A friend of mine actually managed to get a copy. This is not a development copy, this is the real thing. It's just not for sale yet. So the only way to get it is to work for Microsoft, have Microsoft send it to you, or some illegal means.

      --
      It has been statistically shown that helmets increase the risk of head injury.
    22. Re:Predjudice. by fsck · · Score: 1

      [xcp@mandelbrot /tmp]# ls -l Win2k_Service_Pack_1/
      total 1020
      -rwxr--r-- 1 xcp users 1037752 Jan 28 16:05 Q251170_W2K_SP1_X86_en.EXE*

      My clock isn't off and the date is January 28, 2000, not JUNE. And that is the name of the file that you download when you use Windows 2000 and want to fix these bugs. The naming convention implies that this is Service Pack 1 (SP1_X86)

      --

      Lars - ...I could always phone Linus when I had a problem.
    23. Re:Predjudice. by AdamT · · Score: 1

      And we would be right - it isn't ready for prime time, developers only - however Win2k is a shipping product. Now if 2.4 ships, and a bug is found in khttpd or knfs (I can't think of any other in kernel servers), and they default to on when you build your kernel, then yes that would be something to scream about. But that isn't going to happen. Half a dozen beta releases cannot begin to compare to a hundred plus development releases when it comes to peer review.

      --
      ... with eskimo chains i tatto my brain all the way...
    24. Re:Predjudice. by Mikepekim · · Score: 1

      How dare you even possibly mention that a Linux distribution could have a security hole! This man must be burned at the stake immediately!
      Keep up the exciting anti-Microsoft news stories, guys!

    25. Re:Predjudice. by lunatik17 · · Score: 1
      There's an important difference between Linux and Windows security holes. Linux guys (the respectable ones, anyway) admit freely that Linux has its problems. But instead of using some lame excuse like "all software has bugs" they actually participate in a development model that is designed to make elimination of those bugs as easy as possible.

      The thing that puts Linux users off so much about Microsoft is not the bugs themselves, but M$'s constant dishonesty about them. They hype Windows as being "secure, scalable and flexible!" while releasing service pack after service pack that suggest otherwise. If it has bugs, say so! Linux developers do, and that's why we like them and not M$. It's not a double standard, it's a dislike of liars. There's a quote from Microsoft that I think is particularly relevant:

      "Our system is already Y2K compliant but you can improve your Y2K compliance by using the special CD, which carries out some minor fixes."

      --

      Here's my DeCSS mirror, where's yours?

    26. Re:Predjudice. by BamaPookie · · Score: 1

      Oh, silly me. Please disregard that previous post. I forgot that Win2k isn't scheduled to be released until 2.001k.

    27. Re:Predjudice. by smash · · Score: 1

      yes, but this isn't a Linux development kernel, or even a beta of Win2000.

      It's the shipping product, and this hole is not going to be fixed in retail copies available on release.



      smash

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    28. Re:Predjudice. by jmp100 · · Score: 1

      It is a non issue for many people. Problems with the news server, you say?!? OH NO!!! CALL THE KGB!!!

    29. Re:Predjudice. by Shanep · · Score: 1

      Flamebait! Gimme a break, this is a flame from the above bait.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    30. Re:Predjudice. by smash · · Score: 1

      true, true..

      i have a release copy of Windows 2000 pro (ie win2000 workstation) installed at the moment (on my other drive)

      all I can say is, don't believe the hype.

      It's basically Windows 98 meets Windows NT. Install was smooth, even though it DID take an eternity.

      BUT, and this is a big but, it doesn't run Unreal Tournament correctly :P (only in a window, and at a huge 8fps in 640x480, on my P2-350, TNT2, which usually runs *smooth* in 1280x1025x16). I haven't managed to get it to run full screen at all, despite Win2k apparently including directx 7.

      i didn't notice any glaringly obvious bugs yet (anyone used NT4.0 workstation unpatched? hehehe.. close an opening window too fast.. error :P) and it happily ran for a day or two without incident.

      I was hoping to finally be able to be rid of the evil that is win98.. oh well

      for the record, the ONLY reason i have 98 is for games. i have debian 2.2 on the other drive, which is my primary OS.

      smash (anyone know if there are newer Win2k drivers for RIVA TNT2 yet?)

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    31. Re:Predjudice. by pod · · Score: 1

      Of course it won't need 'service packs'. But administrators are advised to check out the 'update packs' on a regular basis. ;)

      --
      "Hot lesbian witches! It's fucking genius!"
    32. Re:Predjudice. by Adam+Knapp · · Score: 2

      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates, The Road Ahead, Viking Penguin (1995)


      That is the funniest sig I have seen in a long time!
    33. Re:Predjudice. by MassacrE · · Score: 1

      hopefully you aren't using the drivers that came with win2k, because they offer no OGL or D3D support (due to them deciding at the absolute last minute to upgrade to DirectX 7).

      Is anyone else worried about them upgrading to DirectX so late in the development cycle? There was practically no testing because the final DX7 didn't make it in until RC2, which is also why the few drivers that were in were ripped out for the release. Of course video stuff is the only subsystem that runs at kernel level, so I can see why they wouldn't want to test something that vital.. :P

    34. Re:Predjudice. by Tim+Browse · · Score: 1

      I'll tell you what's funny: when people laugh at Bill Gates getting it wrong, and they also get it wrong themselves.

      As someone pointed out, there's not a lot of point trying to factor a large (or any other kind of) prime number. If you could factor it, then it wouldn't be a prime number.

      Tim

      It's hard to wreck a nice beach as peach is am big you us.

    35. Re:Predjudice. by toriver · · Score: 1
      Q251170_W2K_SP1_X86_en.EXE*

      I thought that meant "QuickFix 251170, part of Win2k English SP 1 for the x86 platform". Not the entire service pack...

    36. Re:Predjudice. by seaportcasino · · Score: 1

      Can someone explain this sig to me? I've always been curious about it, but never quite got it.

    37. Re:Predjudice. by Maserati · · Score: 1
      Factoring large prime numbers is how you solve many popular forms of encryption (correct me, don't flame me :-).

      Funniest .sig I've seen for a while was up a bit in the thread:

      "The ability to monopolize a planet is insignificant compared to the power of the source."

      true too

      --
      Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
    38. Re:Predjudice. by Demonicbunny · · Score: 1

      Not to defend Microsoft, but I can remember a release of FreeBSD that was replaced immediately upon release because of a bug that slipped through all other checks. FreeBSD, like linux, without the hype.

    39. Re:Predjudice. by crazyc · · Score: 1

      I agree for win2k, but they said the problem was in index server for NT 4 also.

    40. Re:Predjudice. by Krusty+Da+Klown · · Score: 1

      This happens to any OS, including Linux. My RedHat 6.1 box is currently running kernel version 2.2.14.

      A patch to the "release OS" doesn't invalidate the strengths of that OS overall.

    41. Re:Predjudice. by thrig · · Score: 4

      > Re:New from MS: Delusionsoft (Score:4, Insightful)
      > by bmetzler (bmetzler@twistedpair.net) on Wednesday December 15, @04:06PM EST (#240)
      > (User Info) http://users.twistedpair.net/bmetzler/
      >
      > "It took us a while to get here, but that's because we were not ready to compromise,"
      > Valentine said, promising that the first version of the operating system will not need
      > service packs or bug fixes like other software releases.
      >
      > Can someone hang on to this story and rerun it when MS releases the first service
      > pack for W2K?

      Well, not the first service pack, but worthy of requoting...

    42. Re:Predjudice. by Rogain · · Score: 1

      Mainly because netscape doesn't replace binaries in /bin or /sbin, but explorer does the equivalent of that in Windows-land.

      Upgrade yer browser and you get an OS patch ta boot, thanks Microsoft!!!!!!

      --
      The current Slashdot moderation system is made by gay communists!
    43. Re:Predjudice. by double_down · · Score: 1

      now this is a very good and accurate description but I must question the motives of anyone using Windows as a security system. I don't feel that was ever made to be a security system. Every system has its +'s and -'s but you have to look for what you want. If you want something more secure then I would say Windows isn't the way to go. OpenBSD should be looked upon as a better solution or something to that effect

    44. Re:Predjudice. by MaxwellsSilverHammer · · Score: 1

      How does even just posting the news constitute bias?

    45. Re:Predjudice. by sergente · · Score: 1

      Actually you're paraphrasing Jim Toomey - author of Sherman's Lagoon - which released the book: Poodles - The other White Meat

      - other than that - agree 100% - never seen a first release without bugs yet - who out there's using 1.* kernels?

    46. Re:Predjudice. by CerebusUS · · Score: 1

      The final version of win2k is out to those who have managed to get their hands on it. A friend of mine actually managed to get a copy. This is not a development copy this is the real thing. it's just not for sale yet. so the only way to get it is to work for microsoft, have microsoft send it to you, or some illegal means.


      Bull. The final version is available for Microsoft Select License customers (I know, I am one). It (well, the three versions that are out) came in the January Edition.

      Since I'm writing this three days after posting no one will read this anyway, so: Why does Slashdot bash MS so damned much? It's an OS guys, it's an OS that a lot of us nerds (remember "news for nerds?") work with every day. And most of us found out about this security hole on Thursday, so the only point of this story seems to be (in your best Simpson's bully voice) "Nyah hah! your OS sucks..."

      maybe I'll just read Ars from now on, where they can report on all OS's without sniping...

  8. OH the HUMANITY by CmdrPinkTaco · · Score: 1

    This is a story that actually nothing needs to be said about. A security fix before the product is even out.

    Redundant, yes. Flamebait, yes.
    Funny - hell yes!!
    ------------------------------------------- -

    --
    Please give your mod points to others, Im at the cap. They will appreciate it more
  9. The Doc Sayz by Dr+Fgets · · Score: 1

    how come I never hear about the security holes in linux systems? Wouldn't that be a more interesting topic to those of us who run linux?

    --
    Dr Fgets Strikes again!
    1. Re:The Doc Sayz by desertfool · · Score: 1

      Um, read the article. That program is called "Corel Update". It is a Corel problem. Not a GNU\Linux problem.

      --
      Just a dude. Stuck in IT.
    2. Re:The Doc Sayz by EvlG · · Score: 2

      I agree. I think it would be really useful to see information on big Linux security holes posted on Slashdot, with the relevant patches in the article body perhaps. It would be a better addition than the latest sections, like all the patent crap, IMO.

    3. Re:The Doc Sayz by father_guido · · Score: 1

      Just go to another site besides /.

      Slashdot
      Stuff for Linux Nerds. Stuff that makes Microsoft look bad.

    4. Re:The Doc Sayz by xant · · Score: 1

      There are already several forums where security holes of all types (including Windows) are reported. This one was interesting because it has economic-politics implications. I don't know what they are exactly, but it's more meaningful than yet-another-hole-in-sendmail.

      --
      It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    5. Re:The Doc Sayz by Demonicbunny · · Score: 1

      This was not posted because "it has economic-politics implications." It was posted because it's good anti-Microsoft stuff. If the slashdot community put as much work into improving the usability of linux, as they do trashing MS, I might put linux on all of my computers. Be- the best OS on the market. Now if someone would write drivers for my sound card, and wheel mouse...

    6. Re:The Doc Sayz by ninjaz · · Score: 4
      Linux security is indeed an interesting topic for those of us who run Linux. However, you'd be doing yourself a disservice by relying on Slashdot for that. After all, being a Linux security resource is not Slashdot's goal.

      Note that not every Microsoft security vulnerability out there is listed, either. Do a search on vulnerabilities by vendor for Microsoft at Security Focus, which is at http://www.securityfocus.com to see all 235 vulnerabilities listed, most of which Slashdot missed.

      Good resources for Linux security news, specifically, are Linux Weekly News at http://lwn.net/ and its continually updated Daily Edition at http://lwn.net/daily/. For additional resources you can visit Linux.Com's security section at http://www.linux.com/security

    7. Re:The Doc Sayz by Roundeye · · Score: 3
      I've got a recommendation for you *and* Microsoft. Subscribe to the BugTraq and CERT lists. That alone would save Microsoft the embarrassment of saying "oh, we didn't know about the hole."

      Oh, wait, I'm sorry. There are Microsoft people on the BugTraq/CERT lists. Well, then how could they not know about the holes? ...

      [ fade to a daughter sitting in her father's lap while he reads a story to her: ]

      "So, daddy, nobody came to help the little boy who cried 'Wolf'?"

      "That's right honey. Because he lied to the people too many times and they didn't believe him any more."

      "But, daddy, didn't you say that those Windows people lied about Windows over and over again? But you've got the new one now."

      "Well, that's different honey. Microsoft is really going to do things right this time."

      "I don't understand, daddy."

      --
      "Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
  10. Typical! by nevets · · Score: 3

    I could go on like other posters and just bash Microsoft for the "inferior" product, but I think that tone is starting to get lame.

    But I want to mention something about Microsoft that really irks me and should irk their customers too. And that is the following statement:

    "Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure

    I'm sorry, but I don't buy their statement about having tighter defaults. Almost all problems with Windows have been because of defaults. It seems to me that they should default everything off, and let the user have to go and turn what they need on.

    Of course I don't like the way Red Hat does this too. I had to spend a few hours trying to figure out what Red Hat had default on. I forgot to turn off the "finger" utility until I noticed in my logs that someone was using it on my firewall. Now I do my security like I do my installs: Customize, turn everything off, then when I find something I need, I install/turn-on that service.

    Steven Rostedt

    --
    Steven Rostedt
    -- Nevermind
  11. yes but by NightHwk · · Score: 2

    People don't seem to understand that win2k is *NOT* in development. It's been gold for many weeks now, and is in production for shipping in feb.

    So any comment about security holes in development kernels is totally unfounded. There is nothing development about win2k (of course, most linux users will exchange winks when encountering a statement like that ;] ).

    The real funny is that MS is already releasing broken patches for a product that isn't even available yet!

    NightHawk

    [-1 flamebait to read]

    --

  12. Re:Microsoft security. by ctembreull · · Score: 1
    Oh, lord, I hope you're being a smartass.



    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    My opinions are my own, and nobody else's.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
  13. Re:Rushing bites MS again... by Black+Parrot · · Score: 2

    > Over a year delayed is not rushing.....

    Wired has been naming it as one of the top ten vapourware products of the year since '97.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  14. Re:2.2.0 kernel by BLarg! · · Score: 1

    It seems like any .0 release of anything always has worse bugs than the betas. Another example is the newly released xmms 1.0 which broke support between the OSS output plugin and the aureal driver.

    -- BLarg!

  15. Uh, ya like 2.0 and 2.2 weren't patched immediatel by Anonymous Coward · · Score: 1
    I remember when 2.0 was released and a couple show stopper bugs were found right off the bat. And Linus was posting to the kernel list about "putting a brown paper bag" over his head from embarrassment. What's the difference? Oh ya, it's Microsoft so that means it's funny. I forgot.

    - Open source. Closed minds. We are Slashdot.

  16. Hey, ZDNet IS good for something!!! by finkployd · · Score: 2

    At least, the talkback part is. I got my nifty new .sig from a talkback post.

    Think Princess Bride

    Finkployd


    Bill Gates: "Innovation"

  17. Re:How about all of the Linux security holes? by SoftwareJanitor · · Score: 2

    Well, it may be more accurate to say that a lot of us are subjected to having to use Windows in addition to Linux. And a lot of Slashdot readers use Macs or *BSD or other OSes besides either Windows or Linux. It just isn't a simple either-or kinda thing.

  18. LOL by Tim+Behrendsen · · Score: 3

    Customer: "My security has been breached!"

    Consultant: "Well, it might appear to be a problem, but it's not really since Linux is never considered to have a stable release."

    Customer: "What???"

    Consultant: "No! No! You're not looking at it the right way. Linux is in perpetual beta, so it's not really a problem you're experiencing, it's just feedback in the beta cycle!


    --

    1. Re:LOL by fsck · · Score: 1

      If the customer had any security that was worth breaching, then it's his/her responsibility to set up such security. There is a PLETHORA (quick go look it up) of Linux security sites, as well as *BSD security sites. Just because $LINUX_VENDOR didn't ship an Advanced Security Wizard doesn't mean they are liable for the incompetence of a network administrator.

      --

      Lars - ...I could always phone Linus when I had a problem.
    2. Re:LOL by Tim+Behrendsen · · Score: 2

      Uh, the point of the whole thread is security breaches caused by bugs, not by incompetent security personnel.

      P.S. If you think "plethora" is an advanced word, then, well, I think it's time to buy that "Power Vocabulary" course you've been eyeing.


      --

    3. Re:LOL by 198348726583297634 · · Score: 1
      "Would you say I have many pinatas, Effe?"
      "Oh, si, El Guapo!"
      "Would you say I have ... a plethora of pinatas?"
      pause... "Err.. yes. Yes, El Guapo, you have a plethora of pinatas!"
      "Tell me, Effe, what is a plethora?"
      "Ehh?"
      ....

      :)

  19. Re:How about all of the Linux security holes? by m3000 · · Score: 1

    Actually, most Slashdot readers use Windows. It's just that the Linux users seem to post the most, and are the most vocal. I for one used Windows and read Slashdot for quite a while before I tried Linux. Now I use Linux more than Windows, but I don't hate MS or anything. And just from the hits to my page from Slashdot articles, I'd say between 50 and 75% are Windows machines. I also remember reading somewhere with Rob saying that most of Slashdot's hits come from Windows boxes. It would almost have to though, Linux is still a hugely minority system.

  20. Re:Microsoft security. by fishlet · · Score: 1

    I'm sorry but you are way off the mark on that comment. Having a GUI does not make a system harder to hack, under the hood networking and file handling are non-GUI applications regardless of how pretty the face over it. Regarding GUIs for Linux, ya I agree they need some improvement but considering the astonishing rate that KDE and to a lesser extent Gnome have evolved... that will be a moot point before long.

  21. How about this? by ctembreull · · Score: 2
    Ok, I won't bash them for having an inferior product, since it's been beaten into the ground already.

    How about if I point out that they:

    - have terrible testing processes
    - rush too fast to get products out the door
    - Are almost totally inept in terms of security
    - apparently have NO usability staff on hand
    - should take the time they currently spend "decommoditizing protocols" and applying it to proper software engineering processes

    Would any of those be acceptable as an alternative?



    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    My opinions are my own, and nobody else's.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
    1. Re:How about this? by Anonymous Coward · · Score: 1
      > - have terrible testing processes
      > - rush too fast to get products out the door
      > - Are almost totally inept in terms of security
      > - apparently have NO usability staff on hand
      > - should take the time they currently spend "decommoditizing protocols" and applying it to proper software engineering processes

      You are a complete idiot who probably has never worked for a real software company. I contract at MS and you are dead wrong on all points. MS testing varies from group to group, but for Windows, IE, and Visual products, it's more hardcore than I've seen at Sun, IBM/Lotus, and Novell, all of which I've also worked for.

      As for rushing products out the door, every company I have worked for rushes products. This is the real world where investors and bottom lines matter.

    2. Re:How about this? by ctembreull · · Score: 1
      Really?

      Then how do you explain the "Shut Down" command being in the Start Menu? Or, for another matter, the buttons in Windows being so close together that a minor mis-point can lead to windows minimizing, maximizing, closing.. regardless of what you wanted them to do.

      Or did you just have no clue what I was talking about when I said "usability?"



      Chris Tembreull
      Web Developer, NEC Systems, Inc.

      My opinions are my own, and nobody else's.

      --

      Chris Tembreull
      "My karma just ran over your dogma."
    3. Re:How about this? by A.Gideon · · Score: 1

      >A little QA testing (and don't even start with me
      >about it being "hardcore" - it just plain sucks)
      >would have prevented this whole issue. And
      >where, pray tell, does that leave your
      >argument, my dear idiot?

      I don't want to discount the utility of QA work. However, neither security nor quality can be "tested" into a system. They must be a part of the original goal to be achieved by the system being designed and implemented.

      As long as security and quality are of lower priority to the designers than "ease of use" or "performance", one will end up with easily used systems that are easily hacked, or where a bug in a piece of software can take out the entire OS.

      I cannot speak to the Windows 2000 product from MS, but NT4 had some...choices...that could not have been made if security were at all a consideration. My favorite of these is putting user-modifiable information (profiles, desktops, etc.) under the system directory. This leads to the default situation where users have write access to system software.

      Just imagine how much more difficult it would be to damage a machine's software via email or the web if users lacked write access to system (and application) directories. This is a trivial thing, standard practice on any multiuser system I've used - except for those running MS environments - since 1978.

    4. Re:How about this? by ctembreull · · Score: 1
      > You are a complete idiot

      Really? We'll see about that.

      > who probably has never worked for a real software company.

      I define a "real" software company as one who produces "real" software. OTOH, I define a "good" software company as one who produces "good" software. Microsoft, on its best day, is only one of the above, and more frequently neither.

      > I contract at MS

      Well, that would seem to be the problem, wouldn't it?

      > MS testing varies from group to group, but[...] it's more hardcore than I've seen

      Then how the hell do you explain Windows 95? How, furthermore, do you explain security cockups like this? Like ANY that Microsoft has released? How do you explain the fact that SP6 nuked Winsock? How do you explain the fact that the fix for this particular problem breaks a bunch of other stuff?

      Well? How do you explain it? Don't bother, I'll do it for you. The way you explain it is that what you call "hardcore" testing is in fact very little in the way of testing at all. It's piss-poor and enslaved by the artificial deadlines cascading down from on high. It's obviously superficial at best, else these kinds of very basic and thoroughly preventable problems would not happen.

      >every company I have worked for rushes products. This is the real world

      It's yours, perhaps, but it's not mine. Maybe I'm just old-school, but I'd prefer to move only as fast as continual QA testing allows. If you can't ship a good product, then why bother shipping at all?

      > where investors and bottom lines matter.

      Don't ever forget that anyone who purchases a product is also investing in a company. They are investing their trust, their money, their productivity, and the safety of their computers into the company whose software they buy. And it seems that as Microsoft's stock price has gone up, it has repaid the public, who has invested to the tune of umpteen bazillion copies of Windows, very poorly indeed.

      And as for bottom lines, well, I'm quite sure Microsoft's bottom line would be much, much better served if they would produce a good, solid, quality product right out of the gate, instead of having to continually offer fixes and updates hand over fist. It's always better for business to do it right the first time.

      It's funny, really. My brother works for MS, too. And he has the same "reality distortion field" going as you apparently do. The simple, plain fact of the matter is that Microsoft has achieved domination by quantity over quality. They could have quite simply had it all if their software had worked more than half of the time.

      A little QA testing (and don't even start with me about it being "hardcore" - it just plain sucks) would have prevented this whole issue. And where, pray tell, does that leave your argument, my dear idiot?



      Chris Tembreull
      Web Developer, NEC Systems, Inc.

      My opinions are my own, and nobody else's.

      --

      Chris Tembreull
      "My karma just ran over your dogma."
    5. Re:How about this? by Mr.+Piccolo · · Score: 1

      Well, if MS has good testing procedures, it sure doesn't show in the final products.

      Whatever they're doing over there isn't working.

      --
      Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und Subskriptionen einlei
    6. Re:How about this? by ctembreull · · Score: 1
      How utterly tiresome.

      I'd like you to think about it for half a goddamn second. You don't think it just SLIGHTLY odd to have the "Shut Down" button located on the "Start" menu?! Isn't that a contradiction in terms? Not to mention that "Shut Down" is apparently also a euphemism for "Reboot" and "Reboot in DOS Mode". That's not usability, that's idiocy. Period.

      > There are something like 200 million Windows users

      There are something like 300 billion cockroaches, too. Remember what I said about quantity winning out over quality? Windows has a few good features, but overall piss-poor UI design.

      > btw...you can adjust the size of the min/max/close buttons

      You can make them the size of the rock of Gibraltar, if you want to have the titlebars of your windows occupy almost the entire viewable area. That doesn't alter the fact that the minimize and close buttons are actually touching each other, and no matter how much bigger you make them (rendering windows themselves ugly and nearly unusable), they're still touching.

      > another score for Windows Usability!

      You call that a score? That's the most ridiculous notion I've ever heard. I'm glad you said it, though, because now I know you haven't the first clue about what you're talking about.



      Chris Tembreull
      Web Developer, NEC Systems, Inc.

      My opinions are my own, and nobody else's.

      --

      Chris Tembreull
      "My karma just ran over your dogma."
    7. Re:How about this? by ctembreull · · Score: 1
      If, as you say, MS takes its testing very seriously, then how exactly is it that so many bugs and holes go out the door with every single version of Windows?

      > But, in the real world, ship dates can only slip so far before the team becomes accountable and dissolved. So, stop bashing us MS testers. I'd rather have you blame the devs (whose fault it often is).

      This is a very true statement. But it begs the question: who is accountable for the major issues that don't get caught or fixed? This is precisely my point. If, as you say, MS testers work very hard, then maybe the company needs to quit rushing its products out the door. For once, sacrifice time-to-market for exhaustive thoroughness. It's not as if MS has anyone competing with them in the OS space, so they won't lose an iota if they factor in more and more testing as the product progresses. Accountability is good, but it must NOT be limited to prerelease products.

      > you can't look at Linux and say it's ready for consumers.

      I don't. You're right, it isn't. But it isn't being aimed at consumers, not yet. Windows, on the other hand, is. And there's the rub. Windows is being aimed precisely at the consumer market, and is, because of the aforementioned lack of thorough testing, providing an inferior-quality product to those same consumers.

      My aim isn't generalized MS-bashing. I'm not into that - look at who I work for. I wouldn't be at NEC if I had that big a problem with Microsoft. My complaint is that Microsoft just doesn't devote enough time and effort to quality assurance. And that lowers my opinion of them substantially - their product is what determines my opinion of them, and their product is all too frequently shot through with critical bugs that a really proper test sequence would expose.



      Chris Tembreull
      Web Developer, NEC Systems, Inc.

      My opinions are my own, and nobody else's.

      --

      Chris Tembreull
      "My karma just ran over your dogma."
    8. Re:How about this? by ctembreull · · Score: 1
      > neither security nor quality can be "tested" into a system. They must be a part of the original goal to be achieved by the system being designed and implemented.

      According to MS, they were. This was to be Microsoft's most secure OS ever, and by far its best. This has been one of their stated design goals since the project was still NT5, long, long ago.

      I would disagree on your point of quality, though - that's what testing is for, to identify errors, bugs, and other assorted oddments that detract from the quality of a software product. Security might be one thing (and I'm not totally sold on your point, there), but quality is quite another.



      Chris Tembreull
      Web Developer, NEC Systems, Inc.

      My opinions are my own, and nobody else's.

      --

      Chris Tembreull
      "My karma just ran over your dogma."
    9. Re:How about this? by fsck · · Score: 1

      This guy _has_ to be working for MCROSIFRT~2

      I wonder if there are any Linux companies that will pay me to troll the Windows forums and newsgroup postings late into the night, secretly promoting their product.

      --

      Lars - ...I could always phone Linus when I had a problem.
    10. Re:How about this? by fsck · · Score: 1

      THE ENTIRE FUCKING USERBASE THAT IS THE LINUX COMMUNITY, SAVE FOR THOSE THAT HAVE TRULY FOUND NIRVANA IN THEIR GUI OF CHOICE.

      Most GUI teams or author (singular) want you to email them with suggestions, problems, diffs, or whatever to help. This creates a dynamic, nearly self correcting beast that is molded to the user's exact needs. MTSFOICROFST~9 Windows doesn't do that at all. They pay no heed to their userbase, once they get their money after pimping their code whores, you are finished. Until the next upgrade, that is.

      --

      Lars - ...I could always phone Linus when I had a problem.
    11. Re:How about this? by fsck · · Score: 1

      Please don't call it XWindows, Windows is a trademark of MORCOSTIF Corporation, and they have nothing to do with the X Windowing System.

      Please note that the X consortium requests that we not use the term "X-Windows". Their preferred naming is "X", "X Window System", "X Version 11", "X Window System, Version 11" or "X11".

      --

      Lars - ...I could always phone Linus when I had a problem.
  22. Re:How about all of the Linux security holes? by jelwell · · Score: 2

    You don't, but not by much. Not trying to knock you - I'm positive the votes were swayed towards Windows when I voted too.
    According to the poll
    Linux is at 36%.
    Windows(NT&9x) is at 30%

    Although if you add in the "I hate everyone crowd" to Windows that pushes windows users over: at 38%. And we all know only windows users are angry at everyone. :)
    Joseph Elwell.

  23. Re:Damn! Saved em again : - ( by spaceorb · · Score: 1

    > I'd secretly record the bugs and then teach those Win2K adoring freaks a lesson AFTER it's been released.

    Whether you like Microsoft or hate them, a lot of companies are going to purchase W2K. Releasing bugs after the shipment doesn't hurt Microsoft, it hurts the consumer. Releasing the bugs before the shipment, however, only hurts Microsoft.

    So unless it is your goal to hurt honest consumers, you would be doing the right thing to release your findings as early as possible. Hopefully people will get a clue and not put themselves into the position of being burned by Microsoft.

  24. Re:Rushing bites MS again... by Felix+Rodriguez · · Score: 1

    Bugs found a couple of weeks before release is not exactly a big thing. Most companies are scrambling to patch up the last 100 or so bugs within the last couple of days of release.

    Microsoft said they had a final product almost 3 months ago, and yet they haven't shipped. Rushing isn't exactly the word that comes to mind...

    The nice thing about Linux is that security holes tend to be patched up faster than Windows, but let's wait until Microsoft ships, and takes too long to patch found bugs to start complaining.

    --
    ------ Warning! You are too close!
  25. Re:Yet another mole-whacking opportunity by FauxPasIII · · Score: 3

    Well, if coding for Win2k is anything like coding for Win98, it'll be more along the lines of:

    *pop*
    *whack*
    *pop*
    *pop*
    *whack*
    *pop*
    *pop*
    *pop*
    *pop**whack*
    *pop**pop**pop**pop**pop**pop**pop**pop**pop*

    *install linux*

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
  26. Re:Gold Master != Beta, Unless You Live In Redmond by Score+Whore · · Score: 1

    Sorry, I've got to disagree with you. Until it's in the boxes on the shelves, it's not finalized. But there's little point in arguing about it since we'll probably not be able to reach a happy middle ground.

    Let's not forget the other bit of wisdom: never run a x.0 version of any software.

    Have a good one.

  27. Re:I'm glad by Black+Parrot · · Score: 3

    I'm aware of the criticisms of your observations elsewhere in this thread. However, I will grant you (and Microsoft) one important thing: there is no longer a

    2.b) security hole ignored after reported, until the media hears about it

    2.c) security hole denied for 3-6 months after it is common enough knowledge for the media to know about it.

    In those regards, Microsoft has (apparently) come a long way in the last 9 months or so. I presume, without evidence, that it's because of the extremely bad rap the press was giving them over it, especially since the press (and influential sites like /.) could so easily point to OSS products being fixed in days rather than months.[1] Let's hope MS is truly reformed on this issue, regardless of what pressures brought it about.

    [1] Yes, I'm aware of the recent article that compared various companies and found that MS only takes about 50% longer (IIRC) to deliver a patch than (say) Red Hat does. However, that article seems to be based on recent data, i.e. the post-reformation MS. Things were different not long ago. I remember seeing an article in the tech media last summer, titled "Same Hole, New Exploit". The author said in the first paragraph that the hole had been publicized over a year earlier, but no patch was yet available because MS was in denial mode.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  28. Re:How about all of the Linux security holes? by Zagato-sama · · Score: 1

    Both obviously

  29. Re:Service packs [or lack thereof] by Quikah · · Score: 4

    There was a CNET article here.

    Not a direct MS quote though, just the CNet reporter paraphrasing Brian Valentine, senior vice president of the Windows Division. Saying that "the first version of the operating system will not need service packs or bug fixes like other software releases". Probably a case of sloppy journalism.

    --
    Q.
  30. Faulty Patch by Ravagin · · Score: 1

    > the patch creates a new problem with Windows 2000 news server service.

    That's what you get when you rush a patch. They probably really didn't know about this hole until it was discovered. So they cobbled together a patch in a rush job. Probably self-conscious about public image.
    ===
    -Ravagin

    --

    Karma: T-rexcellent.

  31. Why Did MS Stop Version Numbers? by gnatware · · Score: 2

    All this Service Pack 6, Option Pack 2 stuff drives me crazy with MS products. How come they stopped versioning with Windows NT 4? I used to LIKE Windows for Workgroups 3.11 (note that the OS wasn't even near stable/usable until a .11 release). Nowadays, you have to guess (hmm... I think Service Pack 3 might be OK, or should I wait 'til 4). Hey, they could even put the version number INSIDE the year: "MS Announces Windows 2000.01.28 Advanced Server" or, even, "MS Announces Windows 2000.01.28T18:00:12-08:00 Advanced Server for Professionals" since they probably have enough build and test machines up there in Redmond to release a "pack" about five times an hour. Whatever...

  32. Who the hell... by Wah · · Score: 2

    ...is HeUnique and why is he quoting a (roughly) anonymous idiot in a headline? I'm all for M$ bashing, but only when necessary. This is unwarranted, but then again, this is /., so I get to bitch about it ;)

    --
    +&x
    1. Re:Who the hell... by Wah · · Score: 1

      no

      --
      +&x
  33. Re:OPEN SOURCE SECURITY HOLE by fsck · · Score: 1

    This was so fraught with hilarity that I spewed my coffee in a guffaw all over my keyboard and monitor. Natalie Portman : Open Source and pregnant

    --

    Lars - ...I could always phone Linus when I had a problem.
  34. Service Pack 2 by NatePWIII · · Score: 2

    According to certain source from developers up in Redmond it appears that service pack 2 is already in the works. Apparently service pack 1 is pretty much already finalized. This is truly amazing, service pack 2 before the final product is even released. It just goes to show you how full of bugs anything Microsoft produces is. I don't think I will switch over until service pack 4 comes along, maybe then the system will be semi-stable (and secure, hah what a joke).


    Nathaniel P. Wilkerson
    NPS Internet Solutions, LLC
    www.npsis.com

    --

    Nathaniel P. Wilkerson
    www.haidacarver.com
    1. Re:Service Pack 2 by bjwest · · Score: 1

      > And, I'm sure Win2k had a looong list of bugs postponed for the release. SP1 and SP2 are probably just prioritized (hopefully by severity) from the 1.0 bug list. It's just smart dev management.

      You call this "smart development management"? Shipping software with known bugs is piss-poor management if you ask me. Of course to Microsoft, this is smart business management. Especially since they'll most likely charge full price for Win2KSE at year's end.

      --

      --- Keep the choice with the user..
    2. Re:Service Pack 2 by turbodog42 · · Score: 1

      I'm not surprised SP2 is already in the works. The SPs aren't just bug fixes. New functionality is often included, a la NT 4 SP3 adding DirectX for the first time. So the SPs probably partially contain features cut from the 1.0 release. And, I'm sure Win2k had a looong list of bugs postponed for the release. SP1 and SP2 are probably just prioritized (hopefully by severity) from the 1.0 bug list. It's just smart dev management.

    3. Re:Service Pack 2 by hyrax · · Score: 1

      Actually, I think that they are changing their service pack policy for Win2K and separating fixes from new features. Service packs will only include bug fixes. Additional features are contained in a different series of packages. I could be wrong though.

    4. Re:Service Pack 2 by turbodog42 · · Score: 1

      Then you've obviously never worked on a software project before. It's impossible to fix and find all the bugs in a product. Doesn't matter where the code came from, it can't be done. So your choices are to never release it because it still has bugs or decide which bugs you can tolerate still being in the code when you release. Presumably once you release, you start pounding on the remaining bugs for a point fix. Whether there are bugs in the retail Win2k that should've been fixed before release remains to be seen, but in the meantime MS has done exactly what every other software team in history has had to do: bite the bullet, kick it out the door and hope it works in the real world. PS: Only Knuth code is bug free.

    5. Re:Service Pack 2 by nachoboy · · Score: 1

      Negative on this one. Service Pack 1 (code-named "Asteroid") is still in development. It's scheduled to release in June. Think about this for a minute. When SP1 ships in June, it will be expected to have fixed all the security holes up until then. And until the masses get their hands on it after it retails on 17Feb2000, the majority of security holes will still be uncovered. SP2 is still hardly a twinkle in some developer's eye.

      Coincidentally, Datacenter Server is expected to ship in June as well, so at least one Windows 2000 edition will ship with a Service Pack in the box.

  35. Lambasting Linux for an Apache problem? by Fencepost · · Score: 1
    From just a preliminary reading of this, it sounds like it's along the lines of criticizing (example not based on actual holes) SuSE for selling Linux CDs that have a buggy version of Apache bundled on them.

    It's a problem with a bundled software package that installs by default - how many Linux distros have been put together, then stayed on the shelves after someone found a hole or significant problem in a bundled package? Heck, how many of them have been sent to manufacturing then had something crop up after they started pressing discs and printing manuals?

    --
    fencepost
    just a little off
  36. Special Service packs [or lack thereof] by bbchops · · Score: 1

    I thought the idea was that service packs would only contain fixes, but no additional functionality. Don't have a link, read it in PC Pro, I think.

    --
    The poor cook he caught the fits
    And threw away all of my grits
  37. Re:Defending Microsoft by ArsonSmith · · Score: 1

    I would almost have to praise microsoft in this
    also. I don't think they have ever had this kind
    of turnaround time on bug fixing. Only 2 weeks?
    I mean usually it is months before you can get
    a bug fix. Once M$ is able to fix a bug either
    before it is found or within 24 hours of its
    appearance then they may be able to compete with
    the uprise of Open Source.

    The ArsonSmith

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  38. Re:I assume... by debrain · · Score: 2
    No. It was sarcastic satire.

    But your points are moot. I can obtain Linux for free, and fix the bugs on my own. I can pay for Microsoft software and never be able to fix the problems without entering into a perpetual upgrade-payment cycle. I reserve the right to criticize anyone who wants my money, and is failing to deliver on products. I consistently forgive volunteers.

  39. Re:Gold Master != Beta, Unless You Live In Redmond by ctembreull · · Score: 2
    > Until it's in the boxes on the shelves, it's not finalized.

    How can it not be finalized when CDs have been sent off to the printers for mass duplication? How in the world is that not a final product?! The documentation is being printed, the boxes, too. The discs are flying off the printers - do you really, really believe that this product is in Microsoft's hands anymore? They certainly considered it finalized enough to put on store shelves.

    And that's really the sad thing about how Microsoft does business. They go too damn fast, and leave all sorts of mistakes, bugs, security holes, etc. in the shipping version of the product. And that's a real shame, because there are going to be millions of people who buy this product, bugs and all - Microsoft's folly has just been writ large in the world's computer users.

    Would it help if I told you that this bug will be in the shrinkwrapped product that will be on store shelves two and a half weeks from now? It's too late to go back and fix it - the bug will be there.

    And the fix won't.

    I hope that impresses upon you the gravity of these sorts of errors.



    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    My opinions are my own, and nobody else's.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
  40. Aha! by Virtex · · Score: 4

    I think I've figured it out. All the analysts have been advising people for years to hold off buying W2k at least until the first service pack is released. So MS is going to release their first service pack right along with W2k, just so nobody will have an excuse not to buy.

    Makes sense to me :)

    --

    --
    For every post, there is an equal and opposite re-post.
  41. An oldie but a goodie . . by Money__ · · Score: 3

    640 thousand service packs should be enough for everybody!
    --
    Bill Gates
    _________________________

  42. Re:I assume... by Anonymous Coward · · Score: 1

    Truly pathetic. So you're saying that Linux is never release quality and is never acceptable for general use. Oh wait, I guess that's actually correct. You make excuses for bugs in Linux and jump down Microsoft's throat for them, nice double standard you have there.

  43. Re:I wish we did by debrain · · Score: 2

    Debian updates automagically. You could have one of those bobbing chickens hitting the enter key update Debian. I'm sure that a true "consumer" Linux, when out of infancy, will provide this without even user input. (for better or worse security reasons)

  44. Re:What's funny about it? by Chemical+Serenity · · Score: 1
    Uh, you're missing the point.

    It is available. The CD has already gone gold and is basically waiting for the 'release date' before going on the shelves. Each new box of Win2k will have a now well-publicized security hole right out of the box, and as we all know very few win2k users will go and get the fixes immediately after install... "I mean, it's brand new, right? Why would you need to get updates to something that's just been released?"

    The equivalent, I suppose, would be RedHat investing megabucks in a marketing campaign, coming out with RH7.0, and as the CD is being pressed a big ol' bug is shown to exist in a major app that EVERYONE will install (cuz they have no choice). I say app, because very very few kernel based exploits exist. People rewting using stack overflows and such are far more commonplace, and those bugs extend to all platforms which allow stack smashing.

    ... and if there's "cackling", it's probably mostly motivated by the fact that we were just inundated with mickeysoft's pledge to security. Ah, yeah, right, kay.

    --
    rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)

    --
    "People will pay big bucks for the luxury of ignorance."
  45. Re:Prejudice continued... by Zurk · · Score: 1

    nobody said linux was perfect or any distro was perfect. however, win2k was touted as "perfect" by M$..check on M$'s site for the appropriate pr fluff. besides, as everyone knows, it's a helluva lot easier to lock down a unix box than any shit from m$.
    BTW, that story also contains a reference to connlogd a TCP/UDP connection logger. i'd recommend downloading and using it - really kewl.

  46. Grow up by Craig+Davison · · Score: 1

    *growls at Fict*

    This isn't IRC. You're not cute. Go away.

    1. Re:Grow up by Mija+Cat · · Score: 1

      Pot. Kettle. Black.

      Do the math.

      Meow
      (and yes, I am cute, by definition in fact)

      --
      Yes, that's really my e-mail. Don't change a thing.
  47. No bug fixes by Anonymous Coward · · Score: 2

    "It took us a while to get here, but that's because we were not ready to compromise," Valentine said, promising that the first version of the operating system will not need service packs or bug fixes like other software releases. --Brian Valentine, Windows Division Senior VP http://news.cnet.com/news/0-1003-200-1497019.html?tag=st.ne.ron.lthd.1003-200-1497019

  48. Re:What's funny about it? a critique by bbchops · · Score: 1

    The form of comedy on display here was irony, or if you like, hubris. The Germans have a word for it: schadefreude (sp). This comic construct does not rely on any knowledge of the positor's point of view on any related subject, and can stand alone given an understanding of the subject of the gag.

    --
    The poor cook he caught the fits
    And threw away all of my grits
  49. Same M$ different day. by cshifty · · Score: 1

    .....the more M$ is talked about the more publicity they get. Just another typical M$ product. swisscheese=microsoft

  50. Re:Microsoft security. by tilleyrw · · Score: 1
    Please, perform a bit of study of what you speak as this kind of ignorant crap should be well below my threshold.

    Windows is nothing more than a GUI pasted on top of DOS. Nothing more, nothing less. I don't care how much you talk about abstraction layers and other shit.

    --
    This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
  51. Re:Defending Microsoft by mochaone · · Score: 1
    And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.

    This attitude is what allows Microsoft to be the success it is. I find it ironic that people are willing to accept incompetence in software as one of the terms of doing business. Would you be willing to absolve a hospital from sloppy tactics because they are a huge institution dealing with thousands of patients daily? What about an engineering firm hired to build a bridge? If it collapsed, would you be willing to give them 2 more chances to get it right?

    Only in the world of software do we get the pleasure of paying for a developer's incompetence. It probably won't change until some catastrophe happens because of faulty software.

    --
    Hates people who have stupid little sigs
  52. Re:Rushing bites MS again... by Anonymous Coward · · Score: 1

    Don't you see though that's the beauty of being a Slashdotter. When Microsoft delays a product you scream "Vapourware!", when they release a product you scream "Rushed to Market!"

    This way of thinking works surprisingly well. For instance:

    Bill Gates doesn't give to charity - "Greedy!"
    Bill Gates gives to charity - "Scam!"

    MS adds features - "Bloatware!"
    MS doesn't add features - "Charging for a bug fix!"

    Competition - "Linux blows away Windows!"
    Monopoly - "Linux can't compete with Windows!"


    See how that works...pretty cool huh?

  53. Re:Predjudice. -- not so much. by Ensign+Nemo · · Score: 1

    Linux people for the most part, especially the higher ups (Linux, Alan, etc.) know that Linux has its problems and admit that. They never say that "Linux is perfect". They just keep working to make it better.

    MS people, especially higher ups, however, continue to say that "MS has no problems and is stable, secure, etc"

    The reason a lot (read: not all) of Linux people nail MS is because of its incessant lying.

    Why didn't Corel's security hole make big noise. Gee, maybe because Corel didn't claim that it's the most secure OS ever.

    Geez, and you're complaining about double standards.

  54. Re:Damn! Saved em again : - ( by father_guido · · Score: 1

    Oh, I'd bet you're right. They probably had several testers sitting around eating pizza:

    Tester 1:"Did you see that bitchin' bug when you click down on that button?"

    Tester 2:"Yeah, but we aren't going to fix it. Nobody ever clicks that button."

  55. Re:Defending Microsoft by father_guido · · Score: 1

    "I never asked for 90% of the things that Office purports to do. "

    Yeah, but the other 99.999% of customers did.

  56. Re:I assume... by Tim+Behrendsen · · Score: 2

    You do realize that "Hey! You have the source code; you can fix it yourself! Isn't that cool?!" is not an acceptable answer to a client when they complain about a security problem?


    --

  57. Re:Gold Master != Beta, Unless You Live In Redmond by ctembreull · · Score: 1
    Not to mention that including a floppy and accompanying documentation would probably make them miss their ship date again. Big surprise there.



    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    My opinions are my own, and nobody else's.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
  58. Re:I wish we did by deadangel · · Score: 1

    No Linux distribution that doesn't come configured to automatically check for, notify users of, and help users install software updates should be considered "ready for the desktop".

    then i guess no operating system is ready for the desktop. hrmm... does ms mail every windows user (registered of course) when an update comes out? not quite. updates are the user's responsibility. why should everyone work double for the lazy ppl?

    just a thought.

    --
    dead angel
    i am strange people. -me

    spreading linux lovin' since 1998!
  59. This is the Real Thing by NatePWIII · · Score: 2

    This isn't a development kernel or a "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.
    Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!
    However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing. Trust me there will be more...


    Nathaniel P. Wilkerson
    NPS Internet Solutions, LLC
    www.npsis.com

    --

    Nathaniel P. Wilkerson
    www.haidacarver.com
  60. Mitigating vs. aggravating circumstances by coyote-san · · Score: 4

    The size of Win2K is not a mitigating circumstance ("Let's give MS a break since this job is so big"), it's an aggravating circumstance ("What the hell were they thinking?!")

    It is an undisputed fact that the increase in your bug count climbs far faster than the increase in your LOC count. Sometimes far faster, depending upon how "tightly integrated" you want to make the system. It's a simple matter of combinatorial explosion - 2N objects can interact in (2N)! - N! more ways than N objects can interact.

    That's why everyone on the planet... with one notable exception... has tried to maintain firm barricades between subsystems. At first glance it isn't as "user friendly," but many of us feel that nothing is more user-hostile than programs ridden by an interminable series of bugs and general flakiness.

    Many critics have publicly stated they doubt that Win2K will *ever* be stable. The sheer size of the code base means it's impossible for any one person to really understand what's going on, and that means it will be extremely difficult to avoid breaking Peter to fix Paul. That's why the reports that one of the two bug fixes introduced a third bug are so disturbing - this is exactly what you would expect to see from software that is simply too large to maintain.

    It's still early in the game, but it looks like the critics won the first round. The real test in the next few months isn't the total number of bugs announced, it's the percentage of bug fixes which break something else. NT4 was notorious for requiring service packs to fix prior service packs, and there's now evidence (however thin) that Win2K will be far worse.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Mitigating vs. aggravating circumstances by whoop · · Score: 1

      The sheer size of the code base means it's impossible for any one person to really understand what's going on,

      You see, this is what you get when you choose to keep your source closed. You have only a very small group who COULD even know how to fix a bug. We thrive because Joe Tester out there who discovers a bug can just browse through the code and fix it simultaneously when he announces the bug on some mail list or whatever. So, there couldn't be anything better than Open Source when it comes to quality assurance.

  61. Re:Defending Microsoft - Come on?! by micsaund · · Score: 2

    Like the original poster of this thread, I'm not a Microsoft lover by any means (as evidenced by the 1 windows machine and 4 Linux machines on my home network), but...

    Let's get real... Microsoft or not, how realistic is it to release an ENTIRE OS and not have any bugs or security holes? Can anyone honestly say that they have NEVER had a Debian/Redhat/Mandrake/SuSE/Suckware/etc. distribution that DID NOT have any "security updates" or new packages to download to "fix bugs"?

    My guess is NO. That's why utilities like autorpm and the Mandrake updater exist. Go to any of the Linux distro's sites, and you'll find Errata, Security Fixes, or something similar. I was just looking at several of them this morning!

    Yes, it's fun to bash MS every now and then, and sometimes (more often than not) they deserve it. But give me a break -- 2 security holes? If that's all they've got so far, they're doing better than most of the Linux distros...

    --
    Pinball, arcade video, tech and more: www.micsaund.com
  62. Re:What's funny about it? by CmdrPinkTaco · · Score: 1

    this is in response to the AC who just doesn't get it. This is from the M$ website, you can read it here

    TOP TEN REASONS TO UPGRADE TO WINDOWS 2000 PROFESSIONAL

    ...

    8) Standards-based Security Windows 2000 Professional builds upon the high level of security in Windows NT Workstation by providing a security infrastructure that allows you to select the appropriate amount of protection for your company's most sensitive data and applications.
    ...
    They are touting this product as a highly secure OS, and they are spending millions marketing this as a more reliable/secure OS than NT. So then what does the first patch fix??? You guessed it, a security hole.

    Yeah OSOSs (open source OSs) have security holes, but we also don't go around popping off at the mouth about how secure our products are. We don't need to convince anyone else because we already know. We can save the time and money that M$ spends on marketing and use it to make a product that actually IS more reliable and more secure. The proof is in the puddin....awww yeah (to quote another /.'ers sig file.)
    Eric
    --------------------------------------------

    --
    Please give your mod points to others, Im at the cap. They will appreciate it more
  63. Re:Glass houses. by mochaone · · Score: 1

    Redhat 6.1 is not an operating system. It is a distribution. None of those so-called security fixes requires a fix to the kernel.

    Also, it is shipping. It has been shipped to several OEM's. They can't advertise the fact that they are selling early. Bill doesn't want to dilute the kick-off party.

    --
    Hates people who have stupid little sigs
  64. Security in general, with Win2K specifics... by Builder · · Score: 3

    First things first. The reason that this is embarrassing for Microsoft is that they've been touting Win2K from the hilltops as being the "Most secure Microsoft offering ever...". So a security hole before the retail date _has_ to hurt!

    On a broader note, I see a lot of messages saying that it is the fault of distributions etc that people get bitten by security holes. I disagree. If you have an active system administrator, it's his job to keep up to speed on these things. It's his job to know that he shouldn't run finger and wu-ftpd if the machine is just going to be a mail server. It's his job to evaluate what is on the machine and to run regular penetration tests. Saying it's the distribution's fault is wrong. I don't blame car manufacturers because in the default setting the steering will drive me straight into a wall.... I learn to drive rather.

    One of the largest problems facing the growing Internet market is the amount of inexperienced sysadmins coming into the game. However, sysadmining is filled with a lot of chicken-and-egg situations. You can't get the experience of how to deal with situations without working, and you're dangerous in a work environment until you have this work experience. Tough one to solve :-) Just thought I'd throw it in...

    1. Re:Security in general, with Win2K specifics... by gdon · · Score: 1

      On sysadmins, I really agree.

      System administration may not be the hardest task in the world, it however involves a complex range of skills, habits, dedication, experience, knowledge, etc. OSes like NT try to oversimplify system administration, by hiding the internals of the intricate thing you have to deal with. IMHO, this doesn't do the job of a sysadmin who knows his job. But NT often forces you to keep ignorant: "you don't have to know how this works, you're too dumb anyway"


      I don't really consider security and sysadmin as different tasks (though earning my spaghetti as a security-only engineer). Good security implies day-to-day system administration with security in mind.

      --
      gdon
    2. Re:Security in general, with Win2K specifics... by Skaffen · · Score: 2

      I thought that last paragraph was an interesting problem, regarding acquiring sysadmin experience.
      Does running your own 24x7 server-type box (whatever OS) whilst at university count?
      If not, then how DO you get experience without putting someone else's computer/company/future at risk (to be melodramatic)? Is it feasible for large companies to set up trainee sysadmin network "sandpits" for them to cut their teeth on, without being able to damage the integrity of the main network?

      Just my random thoughts (and queries),
      Skaff

  65. Re:GERALD HOLMES WILL EXPLAIN WHY MICORSOFT RULES by Mr.+Piccolo · · Score: 1

    That's funny.

    Clicking that link brings up a blank page and an error box.

    I guess Mr. Holmes has nothing to say in its defense ;-)

    --
    Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und Subskriptionen einlei
  66. Re:Predjudice. -- not so much. by kugano · · Score: 1

    I'll be the first to agree that Microsoft often does not keep its word. My point is really that by emphasizing every mistake Microsoft ever makes, we serve only to perpetuate everyone's hatred / distrust / dislike / whatever of them. If we are going to point out their flaws, we should point out the flaws of Linux as well -- not to give it a bad reputation, but on the contrary, to make its problems known so that they can be improved so that progress is made. That is, after all, one of the things I like to think Slashdot stands for. Placing Microsoft under a magnifying glass while Linux's and its software's faults go unreported is unproductive.

    I suppose the bottom line is that we should concentrate on making "our" OS better instead of continuing to point out the weaknesses of others.

    --
    kugano
  67. Re:Rushing bites MS again... by fsck · · Score: 1

    "This could happen with any OS. Linux v2.4 will be out some time before RedHat completes a version of their own. Bugs could be found in the kernel before RedHat ships."

    What the hell are you saying here? 2.4 is a major version leap. Currently RedHat ships with a 2.2 kernel. When 2.4 comes out, major changes will be necessary to implement it, such as XFree86 4.0. Also just because Microsoft has blurred the border between their kernel and IIS/IE5/Shit doesn't mean you can do that with the Linux kernel and Linux distributions. I don't use RedHat but you Microsoft cheerleaders seem to think Linux!=RedHat, so I decided to browse some of RedHat's site (I don't use RedHat).

    http://www.redhat.com/support/errata/rh61-errata-security.html

    hmm some lpr, bind, wuftpd, some apps, no kernel major security bugs here.

    http://www.redhat.com/support/errata/rh61-errata-bugfixes.html

    some userland packages, new version of apache, nope no major security hole bugs here

    http://www.redhat.com/support/errata/rh61-errata-updates.html

    Currently, there are no Package Enhancements for Red Hat Linux 6.1

    Redhat has a reputation for shipping misconfigured userland applications that lead to exploits, fortunately I don't rely on Redhat, or their support, I have chosen my own distribution and have also chosen to take my own responsibility for what services I run and how the permissions are set.
    As a Slackware Linux user, I have no problem getting a new kernel and building it for my system, whereas Microsoft has taken to convincing its users that directories are really called folders, and that nasty things such as "partitions" and "hard disks" are really the same thing, -drive letters. Most professionals that run Linux know what they are doing, not like the fool who actually believed the Micros~1 hype about Windows 1900 and are beginning to deploy it, knowing Micros~1 has turned a blind eye towards security, and has adopted the "Big Brother knows best" attitude. I doubt this will be the last bug in this "Enterprise Ready" OS, and with that IIS in the kernel, I can't wait till the next time Micros~1 has egg on their face.

    --

    Lars - ...I could always phone Linus when I had a problem.
  68. Re:Not surprising by fsck · · Score: 1

    This guy must work for Microsoft, this AC seems to have taken this personally.
    Why don't you go read Windows Magazine or something, and turn off your "Internet Zone" browser from slashdot.org

    --

    Lars - ...I could always phone Linus when I had a problem.
  69. Re:Yes, But How Can We Use This To Create Chaos? ( by Skruloose · · Score: 2

    Would we have to fight against Maxwell Smart then?

  70. Re:Gold Master != Beta, Unless You Live In Redmond by mochaone · · Score: 1

    OEM's are selling computers installed with it already. Call any major OEM up. If you were awake last week, you would have noticed several news articles reporting that very fact. Microsoft has allowed them to offer it early only if they do not publicize that they are offering it before the "official" release date so as not to lessen the importance and gala-nature of the release functions.



    Have an equally good one.

    --
    Hates people who have stupid little sigs
  71. Re:How about all of the Linux security holes? by rkoloeg · · Score: 1

    The thing is, you know, Windows is a prevalent OS on a more general scale outside of geekdom. I for one don't know squat about programming or a lot of other tech stuff. But I can use a computer and being from Silicon Valley I like to see what's going on. So geez, I use Windows. It's got about a million problems with it, but I can write papers and surf the web etc. and I didn't have time to figure out Linux or whatever. Thus, Windows it is, simply because that's what was on the box when I bought it and I have other things to do besides mess with my computer all the time, no offense to those who find that kind of thing to be interesting.

  72. Putting the bug to use by Anonymous Coward · · Score: 1
    I used this bug to grab private data off the Microsoft.com web server. The file I got only had two words:

    Oh, Fuck

  73. You're talking bullshit. SP6 knocked out all ports by Anonymous Coward · · Score: 1

    -- greater than 1024 or so. Now you can have thousands of ports per TCP/IP interface. SP6 disallowed you to connect to one unless you were authenticated as an NT Administrator on the same box. To the man in the street, this is equivalent to Microsoft selling phones. But some models only have buttons numbered 0,1,2,3 and no more!!. Closing down all TCP/IP ports above 1024 basically completely F**ked up any and all applications that used TCP/IP ports above that. After you have done your research, read the RFCs etc then you will realise with acute embarrassment the idiocy of your post. SP6 broke the previous ability of an NT box to carry out every-day TCP/IP connections.

  74. Re:Defending Microsoft by L-Train8 · · Score: 1

    "And we all have unreasonably high expectations of MS"

    What is unreasonable about expecting a product that works? Microsoft touts the security and the stability of their products in the press all the time. Is it unreasonable, therefore, to expect that the product is secure and stable? Or have we gotten to the point when it's taken for granted that what a company says about its product is a lie?

    --

    Don't forget that Friday is Hawaiian shirt day.
  75. Didn't anyone READ the LINK? by belswick · · Score: 2
    The actual problem (the serious one) is with Index Server, which ships with NT4/IIS4. It's not just the Win2K machines, it's EVERY NT server running IIS4 with Index Server, which installs by default and must be disabled manually.

    BTW, this was reported yesterday morning on the UK ZDNET and BugTraq, it took the US ZDNET editors a day to catch on....I patched my NT boxen yesterday morning.

  76. Re:How about all of the Linux security holes? by mikpos · · Score: 1

    Those numbers are just including the people who decided to vote. It also includes the 95% of people who lied :).

    There was a page a while back under "faq" or something (on the side bar) that displayed real statistics about what Slashdot readers were doing. I can't remember the exact number, but something like 80% or 90% or so were browsing from Windows; maybe 5% if that were browsing from Linux.

    Rob took that page down, though :(

  77. Re:I wish we did by Tim+Behrendsen · · Score: 2

    Errr... no, it doesn't e-mail you, but Win/98 has a big ol' "Windows Update" function right on the start menu. Click it, and it tells you when you have important updates to install (particularly security updates). It also lets you download new features. Click the button and boom! Instant update.

    And I haven't checked it out, but I wouldn't be surprised if they did have a mailing list to tell you when important updates are available.


    --

  78. Re:No patch out as of yet by jcs · · Score: 1

    ...and then you won't be able to download it from their web site, like trying to download IE5 with IE2 that comes with Windows NT 4. I find it hilarious that Micros~1 switched to header-based web sites and didn't take into account (or did and just didn't care) that IE2 doesn't work on header-based sites, so trying to upgrade to IE5 just gives errors on their web site. Way to go Micros~1.

  79. Patch out for two days by athom · · Score: 1

    A patch has been available for at least two days. If I were you, I wouldn't rely on Slashdot FUD for patch info for Microsoft products. (It works both ways: you wouldn't look on microsoft.com for Linux kernel patches). MS released a security bulletin on 1/26 to people on the security bulletin mailing list. It takes weeks or months for patches to show up on the MS Update site, since they have to be formatted for the ActiveX installer, and even then they're usually saved for a service pack. See this article for specific bug info and patch availability.

  80. Re:Service packs [or lack thereof] by JordanH · · Score: 1
    • I download free service patches for Windows 98 whenever it becomes necessary.

    Whenever it becomes necessary? Or sometime after they are available?

    Yes, I know that you could get all the service packs and IE 5 free online to "upgrade" your Windows 98 to Windows 98 SE, it was possible.

    Microsoft never provided a simple list of all those things that would make Windows 98 into Windows 98 SE. They never provided an inexpensive media upgrade that the Enterprise users could use to make sure they had the latest and they didn't point out on the Windows 98 SE box that pretty much everything you needed to make Windows 98 into Windows 98 SE was available free on the net.

    I'm sure they sold plenty of copies of Windows 98 SE to people who didn't know any better.


    -Jordan Henderson

  81. Nope. by Mr.+Piccolo · · Score: 2

    MSDs (hence the name MSDN).

    --
    Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und Subskriptionen einlei
  82. dude by mikpos · · Score: 1

    It was a joke.

    Once again, I long for "-1: missed the whole point". I don't know if geeks are inherently stupid or what, but there seem to be a lot of Slashdot readers with no sense of humour at all.

    You must be the kind of person who buys tabloids at the supermarket and goes around telling everyone "hey did you read this?! Some alien chick in France gave birth to a 3000 pound elephant, and he's a Nazi and planning to take over Australia where he's going to signal Martians to come down and kill Jennifer Love Hewitt!!"

    FOR THE LOVE OF GOD, MAN, IT WAS A JOKE! (oh if only Slashdot allowed blink tags)

    1. Re:dude by quonsar · · Score: 2

      Some alien chick in France gave birth to a 3000 pound elephant, and he's a Nazi and planning to take over Australia where he's going to signal Martians to come down and kill Jennifer Love Hewitt!!

      Some alien chick??? That "alien chick" was actually the illegitimate love child of Elvis and Jackie O. Sheesh. Try to get it right, please.

      ======
      "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  83. Its really sad to see. by The_miffo · · Score: 1

    One would think that they should have deployed wide intensive security testing while still in development. Especially with their bad reputation in security thinking in the past. The saddest part of it all that really sickens me is that most people buying it won't even care. I met a Network technician a couple of days ago when applying for a job that didn't know what Novell was?! Not that Novell is THE os to every purpose but I thought that IS staff was well educated. Maybe Microsoft has noticed this and has calculated that security doesn't pay since most people wanting security won't get near W2000. Do I have to say that I declined the employment? =)

  84. Surprise by roman_mir · · Score: 1

    Wow, what's the big deal?! If there never were any security holes found, that would really be amazing!

  85. Re:You Do have a Point But... by Chemical+Serenity · · Score: 1
    I've been involved in reasonably large software projects (not MILLIONS of lines of code, but getting up there) and I'm acutely aware that as code complexity and size goes up, so does the bug count... or at least the potential from it.

    I wouldn't even go so far as to say win2k is inferior overall. It has its good points and bad points, like any other OS. The reason, I think, that the thing was posted to /. (aside from the fact that /.ers have a lot of fun slapping down MS) is that this announcement came RIGHT on the tail end of the 'commitment to security' announcement, and we do love our ironies.

    I'll agree with you on the price thing though... for what they ship, they're definitely charging a premium... which in and of itself wouldn't be so bad, except they also have a tendency to charge even more for the bug fixes they're supposed to provide FoC. Ah well.

    --
    rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)

    --
    "People will pay big bucks for the luxury of ignorance."
  86. Re:Rushing bites MS again... by billybob+jr · · Score: 1

    As opposed to all those other companies that are quick to publicize their shortcomings...

  87. Re:Defending Microsoft by The+Good+Reverend · · Score: 1

    I find it ironic that people are willing to accept incompetence in software as one of the terms of doing business.

    I agree completely. Microsoft is guilty, but I'd say almost every other software manufacturer is as well. Just about all software has bugs, some has more than others. It's the nature of the beast. And the larger a system gets, the more difficult it becomes to test everything. But this isn't a Microsoft problem in the least. Bugs happen. Everywhere.

    The Good Reverend

  88. Linux 2.2.0 was not comparable by tilly · · Score: 2

    The fact is that while a lot of people installed 2.2.0, it was much closer to a trial candidate than a gold release. Even after 2.2.x was released it was some time before an official distribution would be based on it, Linus knew that, and so in no way could that version be considered one that (like Win2K) the end consumer would be expected to buy.

    These bugs are in the version that Microsoft expected people to pay money for.

    Besides which, the bug in question was, "Crash Linux". It wasn't a remotely exploitable hole, you needed to already have access to the box to (ab)use it.

    Regards,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
  89. Warning: I am a rational IT professional by rjh · · Score: 5

    And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

    Warning: I am a rational IT professional. Not only that, but I worked in QA for a few years (first with Sir-Tech Software, then with MCI-WorldCom).

    I could talk at great length about rational versus irrational QA policies. (There should be an "Ask Slashdot" about how to properly QA a product...) But that's really not the issue here; good QA, bad QA, it all boils down to the same thing in the end.

    At the end of QA, the QA Lead signs off on the project. What the QA Lead signs off on becomes the first version released to the consumer.

    Period, end of discussion.

    The fact that Win2K went gold means that the QA Lead signed off on it. The pre-release development cycle ended the instant the QA Lead signed off on it. Everything after the moment his/her pen left the paper is part of the maintenance cycle, not the development cycle.

    In short, the exploit was found in a consumer release of Win2K. It doesn't matter if it was on the store shelves or not; when the QA Lead signed off on it, it became a final product.

    Everything clear?

    1. Re:Warning: I am a rational IT professional by whoop · · Score: 1

      And well, when marketing takes precedence over quality, you deserve what you get... The fact that MS wants to start making money off this product now rather than later is more important to them than having a fine product. You decide if you want to put your company's data into the hands of these folks.

    2. Re:Warning: I am a rational IT professional by Arandir · · Score: 2

      As a current QA professional, I can say that there is a lot of pressure for the QA lead to sign off, particularly when a product is overdue. It doesn't happen where I work, but I've heard horror stories from those that worked elsewhere.

      "There are no longer any mustfix bugs. So sign."

      "That's because you deferred all the bugs. So I won't."

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  90. You should have done what microsoft told you to do by cbuskirk · · Score: 1
    My company was insistent on using WinNt 4.0 so I learned a good deal about it. I spent plenty of time on Microsoft's website too. I read their Win2000 preparedness statement and heeded its warning.

    Windows 2000 will not ship for another 10 months so you must prepare yourself for the experience. Buy NT4 now and make sure you are familiar with it so that the transition to Windows 2000 will not be shocking....

    I dealt with NT4 so much and this is not shocking at all.

  91. Re:Rushing bites MS again... by Black+Parrot · · Score: 1

    Ah, then you're saying Wired is wrong when they say that Windows 19100 is years overdue, rather than merely weeks?

    Someone in this thread lacks credibility, that's for sure!

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  92. Re:I assume... by Evro · · Score: 2

    Uh, I think if somebody got into Amazon's credit card database because of a security flaw in the OS, Amazon wouldn't sit around and patiently wait until the end of the quarter for a disc with the fix. I mean, Jeff Bezos calls up Bob Young (this is a hypothetical example, I don't even know if Amazon uses Linux) and says "We have a security problem because of your crappy software!"; do you think Bob is going to say, "Alrighty, wait 'til April and we'll mail the disc out, buddy!" Does that sound logical to you?

    And as for downloading it from the web, I would assume MS would also have that. I mean, they may be many things, but I don't think they're stupid enough to not post a bugfix on their website at this point.
    ___________________

    --
    rooooar
  93. Re:Glass houses. by Score+Whore · · Score: 1

    Erm. No offense but RH 6.1 certainly is an operating system, at least in the same sense that W2K and all of its associated components are an operating system.

    Additionally, at least one of the bugs is *not* to be in the NT kernel proper: the serious one was in Index Server. The less serious one appears to be in another information service, but may be in the kernel. The referenced article is not clear. These certainly are less severe than the remote root exploit available in lpr/lpd under RH 6.1.

  94. Security by caldroun · · Score: 1

    I will say this, it shows that Opensource not only gives us freedom, but it keeps MS on their toes.

    Apparently, MS is taking Security seriously now because of some competition, but they should have done this a long time ago. All my NT boxes are gone, and I ain't touching Win2k.

    Good luck to MS, but I ain't supporting them.

    --
    "If you have done 6 impossible things this morning, why not round it off with breakfast at Milliways" -- hhgg
  95. Re:Gold Master != Beta, Unless You Live In Redmond by Score+Whore · · Score: 2

    Well. The more serious of these problems in W2K is not in the kernel. If you only want to consider Linux as the OS, then I'm willing to bet that an NT system with nothing but NTOSKernel.DLL on it is as secure as Linux, if not more so. It's pointless to argue that this problem isn't in "Linux" or that "Linux" is more secure, if you are only considering the kernel! You have nothing if you only have a kernel. You should be comparing apples and apples, not apples and a grape seed.

    Microsoft has a better patch distribution system. At least they will if they provide something like the Windows Update site that is available in 98. That's something the various Linux distros really really need. Also, the speed of releases for security patches with 98 has been admirable. If they keep that pace with W2K then they will easily be competitive with the level of service provided by the various Linux distros.

  96. In related news... by JudgePagLIVR · · Score: 1
    Microsoft immediately sprang to action, solving the problem by swiftly and decisively removing from their beta list the discoverers of the bugs :)

    Just kidding... I think.

    --
    Judge Pag, the Learned, Impartial, and Very Relaxed
    1. Re:In related news... by CrazyMan · · Score: 1

      That's almost how they solved their internet challenge. They put a server online and told the hackers to try and break in, and then the server crashed for 6 days. Well, nobody broke in, but unfortunately their tactics were to keep the machine down for as long as possible rather than actual security.

    2. Re:In related news... by arivanov · · Score: 2

      I do not think that you have any idea how close you are. The only difference is that they have been removed from the beta test list due to their inclusion on the payroll list.

      Explain: MS have actually hired some of the best Windoze security people lately. David LeBlanc for example. There was a message on Bugtraq today but I guess it is not in the archive yet. So do not expect them to post any more messages about Windoze vulnerabilities any more...

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  97. Re:Rushing bites MS again... by billybob+jr · · Score: 1

    Wrong set of standards. The typical Win2k user is not going to care that they have to reboot after installing the patch. That is the status quo with Microsoft operating systems. Hell, over half the software I install in Windows 98 suggests/requires a reboot after installation.

  98. Dog, It's what's for dinner. by Pyrofreak · · Score: 1

    sorry.... couldn't resist.... don't be upset ;)

    --
    "If we are unwilling to be aware of the dark, we cannot see the light" -- John Cowan
  99. Rushing bites MS again... by SuperDuG · · Score: 4

    Maybe MS will one day learn that rushing themselves into releasing a product might cause problems. This is 2 bugs that are out before win2k is out. And let's not forget that MS isn't open source so if there are more bugs (guaranteed) that someone finds then there will be more exploits and the only one to rely on for bug patches will be MS themselves. Guess is yet another push for the linux community.

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
    1. Re:Rushing bites MS again... by IntlHarvester · · Score: 1

      You say: nope no major security hole bugs here

      RedHat says:

      It was possible in the control file of a print job to specify arguments to sendmail. By careful manipulation of control and data files, this could cause sendmail to be executed with a user-specified configuration file. This could lead very easily to a root compromise.

      A security bug was found in userhelper; the bug can be exploited to provide local users with root access

      Users who had csh/tcsh as their login shell could be vulnerable to having arbitrary shell code run by their shell on login.

      By opening a large number of connections to the log daemon, the user could make the system unresponsive.

      A bug in the processing of NXT records can theoretically allow a remote attacker to gain access to the DNS server as the user running bind (by default, root).

      With ypserv, local administrators in the NIS domain could possibly inject password tables

      Remote and local intruders may be able exploit these vulnerabilities to execute arbitrary code as the user running the ftpd daemon, usually root.

      Since screen is not setuid root, this means that it leaves the ptys with insecure permissions. The updated packages restore the Unix98 pty support.

      (Sure, these aren't kernel bugs, but neither are the Windows2000 problems mentioned in the linked article. To be fair, there's plenty of good reading at http://www.microsoft.com/technet/security/current.asp?ID=4&Parent=1, however I'm not going to dismiss what's there as unimportant because they aren't kernel bugs.)
      --
      Business. Numbers. Money. People. Computer World.
    2. Re:Rushing bites MS again... by Webmonger · · Score: 1

      The "features" comment could have been phrased better but it means:
      "If the new version has more features, it's bloatware. If the new version doesn't have any new features, then they're charging for a bugfix"

    3. Re:Rushing bites MS again... by Ken+Broadfoot · · Score: 1


      Over a year delayed is not rushing.....

      --
      Bitcoin pyramid: Join here: http://www.bitcoinpyramid.com/r/1427 it's FREE!
    4. Re:Rushing bites MS again... by Adam+Knapp · · Score: 1

      Here's the thing though, if one person said all of these things they may be contradicting themselves. However Slashdot is not a single person, while the population is homogenous in many respects, there are differences in opinion within.

      I personally never said anything bad either way about Bill Gates giving/not giving to charity. That's his personal choice, if he wants to spend it on midget prostitutes that's just fine. (Not to say that I wouldn't rather him give to charity.)

      Also, the phrases "MS adds features" and "MS doesn't add features" are deceptive. If you are calling a bug fix a feature then perhaps you don't fully understand what each is. As for the bloatware thing I don't think MS Operating systems are bloated in the way of features at all. (Word is a different product altogether) In fact, I find MS Operating Systems almost completely devoid of usable programs and accessories. Debian on the other hand comes with all of TeX installed by default.

      On competition and monopoly, if you ignore the financial impact on consumers aspect of monopolism then the major issue is that the Monopolist can restrict the competitive ability of equal or better products. In many ways, Linux is better but MS can destroy its competitive ability. Look to Apple for a perfect example.

    5. Re:Rushing bites MS again... by Ded+Bob · · Score: 3

      Maybe MS will one day learn that rushing themselves into releasing a product might cause problems.

      This bug might not be from rushing. Eradicating all software bugs is like eradicating all cockroaches in the world. It just won't happen.

      This is 2 bugs that are out before win2k is out.

      This could happen with any OS. Linux v2.4 will be out some time before RedHat completes a version of their own. Bugs could be found in the kernel before RedHat ships.

      And let's not forget that MS isn't open source so if there are more bugs (guaranteed) that someone finds then there will be more exploits and the only one to rely on for bug patches will be MS themselves.

      Who do most people rely on when exploits are found in Linux/FreeBSD/etc.? If they are a developer, they probably turn to the developers who developed it. This is a sore point for Microsoft. If they are just a general user, they might turn to USENET, local geek, or the distributor (RedHat/FreeBSD/Microsoft). My point being is that even though Windows is closed the users will most probably behave the same as if they owned a copy of RedHat Linux. Even if the bug is fixed by someone else besides one of the project developers, people will turn to the distributor.

      When I say distributor, I am not talking about Cheap Bytes or CDW. I just can't think up a good word for it.

    6. Re:Rushing bites MS again... by demon · · Score: 1

      Keep in mind that Win2K went gold (the installation package was written to a master CD and shipped off to duplicators) in mid-December, so they're not changing the final release - you'll have to download the patches. So, it's a slightly different thing than id Software making last-minute fixes on Q3A (where their last-minute changes actually went into the shipping product).

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
    7. Re:Rushing bites MS again... by Black+Parrot · · Score: 2

      > then there will be more exploits

      I wonder how many crackers have been participating in the beta program just to get the inside edge on this kind of stuff? (I don't know any, so don't send the police around, OK?)


      > Guess is yet another push for the linux community.

      Windows 19100 is going to be enormously popular when people find out you have to reboot when you install the patch. (And you thought Microsoft really "got it right this time", eh? It's a regular Unix killer, I'm tellin' ya!)

      --
      It's October 6th. Where's W2K? Over the horizon again, eh?

      --
      Sheesh, evil *and* a jerk. -- Jade
    8. Re:Rushing bites MS again... by Ded+Bob · · Score: 1

      ...you Microsoft cheerleaders...

      I use primarily FreeBSD (replacing Linux) at home and HP-UX at work. I have no love for Microsoft. Just being in the security industry I like to be realistic about security and not just imagine everything is perfectly secure. This means the kernel and any supporting applications.

      Here is a security, kernel bug for Linux: Serious SECURITY hole in 2.2 kernels

      I can't wait till the next time Micros~1 has egg on their face.

      Did you see or read any of the case of DOJ vs. Microsoft? Now that was entertainment!

  100. Re:Predjudice. -- not so much. by Yakko · · Score: 1
    we serve only to perpetuate everyone's hatred / distrust / dislike / whatever of them

    For the record, I hated, not trusted, and associated all sorts of creative profanity with MS years before discovering Linux. One day in July 1995, I became fed up (and I was bored), so I downloaded and transferred to 80 floppies a copy of Slackware 2.3 ... a couple months later, it was over for The Empire.

    Also, I keep hearing how there're security holes in Linux. I don't think it's Linux itself that has the security holes. It's the apps that are available for or come with most distributions that contain security holes. Now that (for example) MSIE is "part of the OS" in win*, security flaws regarding that piece can rightfully be blamed on windows itself. >:o)

    I have seen a few security/DOS bugs that were the fault of the Linux kernel itself, but I can't even fill up a whole hand counting them. They've also been fixed within hours of being published.

    --
    Me spell chucker work grate. Need grandma chicken.
  101. Re:Microsoft security. by CrazyMan · · Score: 1

    They could also have TV ads if they charged for the software. By the way, have you ever seen X11? I find it a very formidable GUI, and it runs on Linux. I think Slackware, Caldera, RedHat, Mandrake, Stormix, and a few others ship with it and have it setup when you install, and have since its release a few hundred years ago (okay, that's a slight exaggeration, but it has been a very long time).

  102. Re:What's funny about it? by father_guido · · Score: 1

    Stop it.... you're making me laugh.

  103. breaking news? by Lx · · Score: 1

    Ok, I have to ask - who in their right mind is running a news spool off of an NT machine?

    Other than that, though, I have to say that I too am glad that MS is stepping up to the plate with security issues. Remember how they used to be? I think they've improved quite a bit in recent years, as far as responding promptly and issuing fixes. Of course, sometimes a bugfix will break another application - every programmer knows that. I expect that Win2k's security will probably be pretty good.

    -lx

  104. Re:Uh, no I'm not. by Chemical+Serenity · · Score: 1
    Funny, I remember bitching about the problems with 2.2.1 when I first plugged it in. No one claims that linux is perfect, except trolls such as yourself (and then only when claiming that someone else said it).

    What's the difference? Well, for one thing, I didn't pay for it. And I won't ever have to... unless you want to factor in the cost of a blank CD.

    Of course, a pathetic, whiney little troll like yourself would rather just point fingers and bitch and complain when people don't fall into line with your steaming pile of dogma.

    Make that pathetic, whiney little ANONYMOUS troll.

    --
    rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)

    --
    "People will pay big bucks for the luxury of ignorance."
  105. Re:What's funny about it? by father_guido · · Score: 1

    "but we also don't go around popping off at the mouth about how secure our products are."

    May I introduce you, oh solemn one, to your 99.9695% of Linux evangelical brethren? It's obvious you've never met before.

  106. everyone... scramble and update. by PimpSmurf · · Score: 1

    I personally hate MS products, but this should not incite a flame war. Nearly every program on the planet has some security problem. It is just harder to find them in closed source apps/OSes. Let's be adults, or act like it.

    --
    Stupid people do stupid things... Smart people outsmart each other... --System of a Down
  107. Re:Defending Microsoft by lomion · · Score: 1

    And we all have unreasonably high expectations of MS

    Expecting a product that is very expensive (sometimes in the thousands of dollars) to work properly and to be fully tested is not an unreasonable expectation. I expect certain things yes, no one is perfect, but the fact that documentation is often hard to get or nonexistent coupled with the fact that tech support is not free is a problem.

    There are bugs in NT, serious security ones that MS has known about that they can't or won't fix because they would require major rewrites, they also don't mention these. That is something that there is no excuse for.
    Bugs I expect, but evasiveness, unwillingness to not learn from mistakes and an attitude that you're shooting their sacred cow I shouldn't have to deal with. That is my major issue with MS, that they release shoddy products and don't seem to care or want to always fix them.

    --
    this space for rent
  108. Missing the point slightly by Anonymous Coward · · Score: 2

    I think some people are missing the point slightly. Linux has its benefits as does W2K. Linux is free and you can see the source code - W2K costs a lot of money and you have no chance to 'look under the bonnet'. If you're running a business you pay for services and software that you expect to work and fulfill the promises the vendor made you. If you're running a business and decide to implement something that 'a load of geeks' wrote which turns out to have some bugs, you have no one to blame - you got it free, understood and accepted the risks. W2K's entire thrust is into the datacentres and workgroup servers of major corporations to replace Unix and other tried and trusted OSes. The fact that W2K has bugs before it's even been released pulls the entire carpet of respectability from under it. No larger corporations would be interested in deploying Linux at the moment as they can't get any service providers to give them any guarantees. It's free, you can fiddle with it as much as you like, but if you want to run a business, buy services from someone offering a commercial version of Unix, preferably Solaris, with the support infrastructure to help you get on with the business of making money, not worrying what those whirring boxes in the back room are doing.

    1. Re:Missing the point slightly by MassacrE · · Score: 1

      I think people who don't like linux because of the lack of an 'established' support structure are definitely missing the point. While the point that "if something breaks with Linux you have no-one to blame" is true, the question is - are you looking for someone to blame or a fix to your problem?

      Read the 'rights' you have left over after the EULA gets done with you. The only thing you can do when Windows breaks is 'blame' microsoft.

      So stand there pointing your finger at them, I'll be looking at something else that breaks with linux and know rather than having someone to 'blame', I have both the maintainers of the software to fix it (as I would with Microsoft) and also have the ability to contract someone out or fix it in-house, since the source code is open.

      If you want someone to 'blame', get a support agreement. If you want to be capable of taking control of getting a problem fixed (as I imagine most people whose business and livelihood comes from the continual operation of servers), take something with source code available. If you have a database break, it doesn't matter if 'a bunch of geeks from Berkeley' or 'a bunch of geeks working at Oracle' wrote it, unless you have a service agreement or some sort of liability from them, you are equally screwed.

      And for god's sake, don't trust your livelihood to an OS like Windows 2000. I won't install it on my home machine because of its stability, why in hell would I ever trust a server that has to actually stay up more than two hours to it?

  109. I assume... by Tim+Behrendsen · · Score: 2

    ...that whenever a Linux security problem comes up (in ANY of the Linux packages, in ANY state of development), we will immediately see a headline in Slashdot about it?

    SORRY! Just asking.


    1. Re:I assume... by debrain · · Score: 3

      There's a significant difference. One is about to be released as a "final commercial version". Linux is a perpetual beta.

    2. Re:I assume... by debrain · · Score: 2
      Have you ever tried to find and download bugfixes from the MS Website? It's *n*a*s*t*y* forever to find it, and then, half the time the link is dead.

      Also, in the case of a monopoly such as Microsoft, YES, they do make you wait for 6 months before releasing a patch (in the form of a Service Pack.) IIRC, you have to pay for these, much the way you have to pay for Win98 SR2, which was bugfixes for Win98. They're in the business of making money, not producing usable software. With real competition with something like Linux, they will either adapt, or crumble (I would think...)

    3. Re:I assume... by acarey · · Score: 1

      Virtually all software is in perpetual beta, because virtually all software development methodologies are incapable of producing anything better in realistic timeframes.

      --
      -- "I believe the human being and the fish can coexist peacefully." - George W. Bush, 29 September 2000
  110. just wait for solaris 8 by Casca · · Score: 1

    I shudder to think of the number of holes that will be found once the solaris 8 source code is released to the general public. (possibly showing my ignorance if it already has...)

    --
    Casca
  111. Re:Defending Microsoft by acarey · · Score: 1

    There are bugs in NT, serious security ones that MS has known about that they can't or won't fix because they would require major rewrites, they also don't mention these.

    If they haven't been mentioned, then how do you know about them? :)

    That is my major issue with MS, that they release shoddy products and don't seem to care or want to always fix them.

    I think there's a difference between some bugs and a "shoddy" (which to me says "poorly designed; rushed") product. And I think you'll find Microsoft is pretty proactive about fixing Windows NT and W2K. The bug-to-patch turnaround time for NT is about 16 days; that's less than Sun's average bug-to-patch turnaround time, and only just above Redhat's (~11-12 days).

    --
    -- "I believe the human being and the fish can coexist peacefully." - George W. Bush, 29 September 2000
  112. Haven't we seen these before? by MrHat · · Score: 1

    I could have sworn there were bugs just like this under IIS 4.0 for Windows NT 4.0. Vulnerability in IIS... blah blah... access to page source... blah... sensitive data... blah. Do they even migrate their previous fixes to their development code?

  113. Yet another mole-whacking opportunity by JustShootMe · · Score: 3

    Microsoft Win2K security holes:

    *pop*
    *whack*
    *pop*
    *whack*
    *pop*
    *whack*

    Problem is most mole-whackers don't even know where to find the mallet, much less how to use it :-)
    If you can't figure out how to mail me, don't.

    --
    For linux tips: http://www.linuxtipsblog.com
  114. Re:I'm glad by IntlHarvester · · Score: 1


    Yes Microsoft has come a long way. For example, they now have a page and patches specifically dedicated to security issues (rather than sneaking undocumented fixes into the next release or just not doing anything), and they now pay someone to answer security-related e-mail (rather than sending messages to the recycle bin).

    Furthermore, they've actually taken default permissions somewhat seriously under Win2000, rather than letting every br0ken Windows 95 application run as they did with previous versions of NT.

    However when you say Microsoft "has come a long way", remember that 2 years ago they were completely unconscious of security issues, so anywhere is a long way.
    --
    Business. Numbers. Money. People. Computer World.
  115. Re:other suggestions: O/T by Tim+Behrendsen · · Score: 2

    Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.

    LOL! Oops... I think you're right. Still, the placement of the "quick go look it up" is next to the PLETHORA (in all scream-caps), and I hadn't read the "linux security sites" at that point in the sentence, so I think most computer language parsers would back me up on my interpretation. :)


  116. Re:Predjudice. Not! by john@iastate.edu · · Score: 1
    That would have been true before the end of December -- but this really is the product that has been shipped to manufacturing and to vendors and which we already have on campus (even though the "official launch" is Feb 17) [presumably to give their promo dept time to spool up].

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
  117. In honor of your sig by father_guido · · Score: 1

    I'm changing mine to:

    "Free Mandela!"

    You like? Why not?

  118. I'm glad by konstant · · Score: 5

    Draw what conclusions you like from this episode, but I'm looking at the facts of this particular case:

    1) security hole found prior to ship
    2) security hole reported to MS on Jan 17th
    3) tested patch issued and publicized Jan 28th

    That sounds pretty decent to me.

    -konstant
    Yes! We are all individuals! I'm not!

    1. Re:I'm glad by quonsar · · Score: 2

      Microsoft is lucky that the person that found the bug was a reputable person and not someone who would have used it maliciously.

      No, Microsoft was very unlucky in that regard. Had this shown up in the hands of script kiddies MS would have issued forth a reeking stream of FUD about 'malicious hackers', which would have been quickly taken up by the 'tech news' media like ZDuhNET, and another million or so of the clueless would shake their heads and resolve to write their legislators that something must be done about "evil hackers" so that the internet can be made safe for business-, er, Microsoft.

      ======
      "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

    2. Re:I'm glad by JordanH · · Score: 2
      • 3) tested patch issued and publicized Jan 28th

      Problems already reported with "tested patch". Oops, back to the drawing board.

      In Microsoft's defense, it's probably not a big deal that the news server is broken. Who runs news servers on Windows anyway? It's certainly not being run in the MS test labs.


      -Jordan Henderson

    3. Re:I'm glad by AugstWest · · Score: 5

      Draw what conclusions you like from this episode, but I'm looking at the facts of this particular case:

      1) security hole found prior to ship
      2) security hole reported to MS on Jan 17th
      3) tested patch issued and publicized Jan 28th

      That sounds pretty decent to me.


      Except that the hotfix breaks functionality... Define "tested."

      This is nothing new. Look at SP6, which broke Winsock (how did THAT get out the door?), so SP6a was released... then pulled... then re-released, although it was hard to tell which SP you were getting, since SP6 web pages and downloads were still posted and linked to...

      MS has released 6 security fixes so far this year for NT4... That's 1.5 security fixes per week for an operating system that was released how many years ago?

      So, they can scream all they want about 128 bit encryption providing their security, but encryption doesn't mean squat if there are holes in the underlying foundation.

    4. Re:I'm glad by JbytheLake · · Score: 1

      Hmmm...sounds as if us Linux fans wear blinders and paint with a broad brush. Since purchasing Red Hat 6.1 professional, my mail box runneth over, with notices and patches for security problems within Linux and Apache. Still, I prefer, like the rest of you, Linux, but maybe we should devote our resources, as the "community" has in the past, to concentrating on Linux problems, rather than wasting valuable time and space flaming M$ for every minor and (major) shortcoming they might have. Linux..Ain't it cool?

      --
      Does a jock itch?
    5. Re:I'm glad by SoftwareJanitor · · Score: 2

      So you are proud of 11 days turnaround time? If I was a Windows user I'd want a bit quicker response than that. Microsoft is lucky that the person that found the bug was a reputable person and not someone who would have used it maliciously or announced it into the script kiddie community. While this will no doubt be somewhat of an embarrassment to Microsoft, things could easily have been much worse.

    6. Re:I'm glad by dimator · · Score: 1

      My guess is that Microsoft is out to prove a point: "We take security seriously." Well, maybe so, but only when a product is new, and they want to lead people to think that _ALL_ bug fixes will happen within minutes of their discovery.

      W2K is new, it's high-profile, etc. So getting on this bug, fixing it, and then telling everyone how fast they fixed it is in their best interest because they want it to sell! But I'll change my name if the umpteenth W2K bug, a couple months from now, is crushed just as fast.

      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
    7. Re:I'm glad by acarey · · Score: 1

      11 days doesn't seem too bad, given that there must be a fair amount of discovery and regression testing involved. Obviously the faster the better - 1 or 2 days would be nice.

      It's better than Sun's average, anyway ;)

      --
      -- "I believe the human being and the fish can coexist peacefully." - George W. Bush, 29 September 2000
  119. How about all of the Linux security holes? by VAXman · · Score: 3

    Why aren't the security holes in Linux (e.g. in Red Hat 6.1) reported on slashdot? Do most slashdot users use Windows instead of Linux, or is slashdot backed by the multi-billion dollar Linux companies to spread FUD??

    1. Re:How about all of the Linux security holes? by Frater+219 · · Score: 5
      How about:

      I picked these up by doing a search for "Linux security" using the search widget on the bottom of the Slashdot main page. These are just off the first page of results. Doubtless there are several stories about security problems in daemons which weren't turned up by this search (because they didn't contain the string "Linux").

      In other words, security holes in Linux (and other free software) are reported on Slashdot. Your statement appears to be a misleading one intended to incite others to fear, be uncertain about, or doubt the honesty of the Slashdot editors. Isn't that what FUD is all about?

      Further, keep in mind that while Microsoft thinks itself to be hurt by the reporting of security holes in its products, Linux is not hurt by the reporting of security holes in Linux-related software. Bug-reporting is a threat to the proprietary-software model, but it is an element of the success of the free-software model.
    2. Re:How about all of the Linux security holes? by Mister+Attack · · Score: 1
      Do most slashdot users use Windows instead of Linux

      actually, yes, according to a poll a while ago, IIRC.

      that being said, it's just a lot more fun to laugh at MS, cause they fuck up early and often.

    3. Re:How about all of the Linux security holes? by Spamizbad · · Score: 1

      We're only multi-million dollar companies. Not Billion Dollar.

      What I find amusing is that, When Linux companies first started IPOing everybody was all like "This is just a trend, it will all go away, nothing to worry about, Linux stocks will fall hard soon"

      And yet, you say these weak riding-the-wave Linux companies are pushing around Microsoft? Huh? I don't get it. Make up your mind. Are Linux companies big evil bad guys or are they just little stock gremlins?

      RedHat has A LOT less resources to work with than Microsoft, and if you say otherwise you are smoking some bad crack.

      And redhat doesn't toss the blame around. RedHat doesn't go "Well this is the shadow suit peoples problem" they fix it.

      And How many Linux post above your #26 have been "FUDDING" how many multi-million dollar Linux companies have FUDDED about this article? Please reply to this message with links.

      As a Redhat user, I really wish redhat WAS more careful about these things. But I spread no MS FUD. Besides that, Redhat != Linux. It's just 1 distribution of many.

      Although, I shouldn't make excuses for redhat. They need to shape their ass up. As a stock holder, It'd probably be a good idea for me to put pressure on them to hire some security consultants to work with them during the development of their distributions.

  120. Wrong - this isn't development by roystgnr · · Score: 2

    Win2K went gold already; this is what's getting shipped to users.

  121. Re:In Defence of MS by IntlHarvester · · Score: 1

    I agree that simpler and componentized equals more secure and easier to maintain.

    Microsoft deserves to be ripped on this -- Index Server, complete with huge security hole, gets installed and enabled by default on every IIS server since version 3.0. (Even though it would only take someone 10 seconds of pointing and clicking to enable it, if in fact they really needed it.)

    Whether or not it's part of the "OS" is a muddy issue. Microsoft likes to call anything that comes inside of the shiny box that says "Windows" part of the OS, and whatever happens (good or bad), "Windows" takes the credit.

    Linux users, on the other hand, like to point at lpd and wuftpd and even though they came in the shiny "RedHat" box, and were enabled by default, the spin is to say "That's just a user application, not part of the (holy) Linux kernel, and therefore is not a serious problem (and won't get posted to slashdot, etc)." Not what someone running a RedHat box wants to hear.
    --
    Business. Numbers. Money. People. Computer World.
  122. Re:I wish we did by deadangel · · Score: 1

    Errr... no, it doesn't e-mail you, but Win/98 has a big ol' "Windows Update" function right on the start menu. Click it, and it tells you when you have important updates to install (particularly security updates). It also lets you download new features. Click the button and boom! Instant update.

    And I haven't checked it out, but I wouldn't be surprised if they did have a mailing list to tell you when important updates are available.



    first off that is if the active x controls on the site don't crash your ie (yes active x on microsoft's web site crashes their browser). and the update is far from instant. plus the fact that the updates have updates within days i've seen. if you want to get into an argument about how ms update works i'd be glad to go at it. tech support puts food on my table. i know the ins and outs of windows 3.x, 95a, 95b(osr2), 98, 98se, and most of NT. hell dun has several bugs follow it since 1.1 and they are on 1.3... hrm...


    and sorry unless you pay them big buck$ you aren't getting anything like that. and i bet you'd pay out the a$$ for it if they did have it. and btw, check out mandrake's updater. nicer and cleaner than the slow hard to use activex windows update page. so if single click goto updates is ready then mandrake is well beyond ready. since it's defaulted onto the desktop not even hidden in the start menu.


    and it's not just click and get it. not are all the features good. installing ie 5.0 on a machine totally screwed it up from that page. i had to go and reinstall windows to get the machine to run again. and you can bet it wasn't my machine that needed that.


    --
    dead angel
    i am strange people. -me

    spreading linux lovin' since 1998!
  123. Say hi to officer bob for me by father_guido · · Score: 1

    'cuz if you get caught, you're going to jail.

  124. Glass houses. by Score+Whore · · Score: 5

    All new software has problems. The bigger the evolutionary step, the bigger the problems. Expect more. But don't be rectal about it. No OS is immune. How long has RH 6.1 been out? Couple months? And yet there's a list of 9 or 10 security fixes (that include several remote root exploits) up on RedHat's web site.

    And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

    1. Re:Glass houses. by blurred · · Score: 1

      The problem is not that there are Security fixes to RH 6.1 but more like that MS is more likely to deny that there is any problem.

      And if they fix it then it does take some time until this fix is released (and it does take a lot more time until I can get a localized fix here in Germany).

      Most problems in RH6.1 (or any other Linux-Distro) will be fixed in a couple of hours and be made public so the timespan between discovery of the problem and its fix is much smaller with RH than with MS.

  125. Re:yes but.. by fsck · · Score: 1

    Wow thanks for telling me about that hole that allows root access ! I'll get right on it! whoops I don't use corel linux!
    I guess Linux != Corel Linux is wrong!
    I better stop ending all my sentences with !

    --

    Lars - ...I could always phone Linus when I had a problem.
  126. Re:2.2.0 kernel by cybear · · Score: 1
    Sorry about this... but I'm just in the mood today. You should stick to English and say "That's life" instead of "C'est la vive", because what you wrote, well, that's not "life".

    --
    Upon seeing the box was too small, Schrodinger's Elephant breathed a sigh of relief.
  127. Not: Prejudice, experience! by Vladinator · · Score: 2

    You are forgetting something here: It takes the Windows team a LONG time to fix a bug like this, making it a serious issue! When the last DoS attack was discovered against Linux, it was fixed in just over 8 HOURS. NT? 6 weeks, from first posting on Bugtraq.

    That disparity makes the case here. It IS a big deal on Win2k. It's not a big deal on Linux, because a fix WILL be out in less than a day.

    Linux: How to GET where you want to go today.

    Hey Rob, Thanks for that tarball!

    --

    "Going to war without France is like going deer hunting without your accordion." - Jed Babbin

  128. Re:Not surprising by father_guido · · Score: 1

    He'd hate it. The truth always hurts.

  129. I wish we did by roystgnr · · Score: 2

    I mean, honestly, "Security hole found in wu-ftpd" would be a lot more valuable headline to most people than "New minor release of the kernel", and would happen a lot less often.

    Linux is going to get a bad name someday because millions of people out there have distributions which install with tons of (often unneeded) services on, and don't know enough to subscribe to a security mailing list or check for updated packages. It doesn't matter if Linux gets security fixes within 24 hours, if most people don't install them within 6 months. No Linux distribution that doesn't come configured to automatically check for, notify users of, and help users install software updates should be considered "ready for the desktop".

    1. Re:I wish we did by deadangel · · Score: 1

      You can install a little proggie called "Critical Update Notifier" that runs in your system tray and alerts you as soon as some remotely significant bug gets posted to that site. Pretty darn neat, and even better than getting an email.


      another process sucking waste. it notifies you about 'critical' updates that are rarely critical. plus as i said it sucks away cpu cycles and wastes bandwidth that i could be getting porn on. ;)

      and it's just an example but the mandrake update is right there to just click once every few days when you feel like installing updates. i mean who wants to be bugged about a critical update that will need another critical update in 2 or 3 days to fix what the previous broke.(i think that made sense)

      and all i wanted to do was check my mail really quick and get off line but it says critical so i should waste 4 hours of my life to get it when i really didn't want to, but i have no idea how this derned computer works so i better or it'll blow up on me.

      manual and wanted updates are the only way to go. what if i get an update that breaks something critical to me at the worst possible time? i want a real fix. and i want to be able to unbreak what the 'fix' broke. but with windows it's sorry gotta reinstall and work your way back up. i like modular. and when i can pull it out and put the old right back without any trouble. that's why i for one can't wait till qnx is free. (it may be already i just couldn't find it on their site)

      windows: man i have to reboot everytime i change any network settings.

      linux: reboot for network?

      qnx: what's a reboot?

      --
      dead angel
      i am strange people. -me

      spreading linux lovin' since 1998!
    2. Re:I wish we did by jonnythan · · Score: 1

      You can install a little proggie called "Critical Update Notifier" that runs in your system tray and alerts you as soon as some remotely significant bug gets posted to that site. Pretty darn neat, and even better than getting an email.

  130. Re:Quick Fix... by fsck · · Score: 1

    Since formatting the HD is typically making a filesystem in the windows world, then step 1) would be to make a new FAT32/NTFS5 partition. Why would anyone want to run Linux on a FAT filesystem?

    I think what you mean is nuke the MRICROFTS~4 partition and slap the Linux native and Linux swap partitions in its place. mke2fs is usually evoked to create a Linux filesystem on the native partition. I'm not sure how useful FORMAT.COM would be on a Linux system.

    --

    Lars - ...I could always phone Linus when I had a problem.
  131. Re:Don't overlook the issue by kkeller · · Score: 1
    You don't see people screaming about RedHat when they release a distro that contains and installs a buggy program by default.

    You should read the alt.os.linux.* newsgroups. I personally stay far away from RedHat, as it contains too much software bloat for my tastes. Yes, Linux supporters are vocal against MS, but many of them can also be vocal against Linux.

    As for ''bashing the new product'', I'd wager that the 2.4 linux kernel won't get as much abuse as W2k is on /. And you can also bet that if it does suck, it will get bashed. :-)

  132. What about un-announced bugs? by exoduz · · Score: 1

    Everytime I hear about these security bugs, i often wonder about the bugs that don't go reported but are exploited amongst a small group of script kiddies or distributed through the underground. Does finding these bugs require considerable skill that the script kiddies lack and responsible security analyst who will report it have? Admittedly, I don't know much about security issues and how they work... maybe everything goes into a log so that it's impossible to keep something secret but I'm just curious. But if it were possible then which OSes would be more vulnerable? OSS OSes which have the source there to be seen by everyone or OSes like win2k which many ppl have something against it?

    --

    # I have no brain
  133. Remember Corel? by Sune+DK · · Score: 1

    I can't believe you guys!
    You are always making fun of Windows.

    Have you forgotten the news from earlier this week?

    "Corel hurries to fix Linux security hole"
    http://news.cnet.com/news/0-1003-200-1533081.html?tag=st.ne.1002.

    1. Re:Remember Corel? by peter · · Score: 1

      Corel doesn't represent Linux. Most people don't run Corel Linux. (All Right Thinking people run Debian GNU/Linux, by my definition of "Right Thinking". Slack is ok, too. :)

      It is rare that something like this isn't the case, though. Perhaps that's how us linux users get away with it. Yay, more distros, so we can't accept blame for security holes found in any given distro :) (actually, there are way too many distros.)

      --
      #define X(x,y) x##y
      Peter Cordes ; e-mail: X(peter@cordes , .ca)
  134. Re:2.2.0 kernel by coyote-san · · Score: 2

    IIRC, many people questioned that survey because it measured the time between a company acknowledging the existence of a bug and its patch. That gave an advantage to the decidedly user-hostile approach of denying a bug exists unless a solution is in sight.

    I'm not claiming that MS does this, but Red Hat obviously can't drag its feet when other distros acknowledge the existence of the bug in their releases. So RH will always be forced to be honest, and any company that admits to year-long lags is obviously fairly honest.

    As for "scrounging the net" for fixes, you're either using the wrong distro or not using it correctly. Depending on your connectivity, you should be automatically notified within hours or days of any upgrade on your distro's security site.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  135. I can't believe no one did this up higher... by jmp100 · · Score: 1

    Mr. English Colonel, tellin' me to lose weight! Ooh, I'm a hard case, he says! Well listen up, city Jeff! I ATE A BABY!!! Oh, aye! Baby! The OTHER other white meat! Baby! It's what's fer dinnair!

  136. Re:Service packs [or lack thereof] by fsck · · Score: 1

    Microsoft Windows Update (p1 of 3)


    You have tried to visit Windows Update with a browser that does not support Frames or ActiveX®
    technology. To learn more about browsers that do support these technologies, please visit the
    Microsoft Web site.

    FRAME: FrmContent










    Commands: Use arrow keys to move, '?' for help, 'q' to quit, '-' to go back.
    Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
    H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list


    It seems their "windoh's update" doesn't work well with non-Internet Explorer internet browsers.

    --

    Lars - ...I could always phone Linus when I had a problem.
  137. Re:Uh, ya like 2.0 and 2.2 weren't patched immedia by jmp100 · · Score: 1

    That wasn't even remotely close to being a troll. Lots of Linux users are like Mac users - they see only the good in their own OS and only the bad in other OSes.

  138. Re:Glass Houses by Score+Whore · · Score: 1

    I'd love to counter this, but I'm afraid that I'm not familiar with that particular form of entertainment. Or something.

  139. Re:Not surprising by VAXman · · Score: 2

    Obviously you have not seen the Red Hat errata list. There are already ten security flaws in Red Hat 6.1. These bugs which were shipped with Red Hat 6.1 will allow an outsider to gain root access if the patch is not applied. It is OK for Red Hat to ship a buggy and insecure OS, but not for Microsoft?

  140. Re:You Do have a Point But... by fsck · · Score: 1

    I tried it (the "pro" version) out on a 266mhz machine, 64 mb of ram.
    My conclusions:

    -The interface is even more dumbed down than Win9x, if you can believe it.
    -It took a long long time to install and configure itself, however hardware detection was 100% right, this never happened in any previous MS-OS that I have seen.
    -Regular boot up takes at least twice as long as Windows NT4 on the same machine.
    -It feels slower than NT4 on the same machine.
    -The dumbed down interface really pissed me off.
    -I nuked it after about 35 minutes.

    Now that I have "tried" it, I can voice my opinion that it is an overpriced toy. I don't like it one bit.

    --

    Lars - ...I could always phone Linus when I had a problem.
  141. Re:Service packs [or lack thereof] by RatKeeper · · Score: 1

    That's funny, I don't remember ever seeing that posted from MS. Do you have the link to back up your claims?

  142. Re:You Do have a Point But... by hime · · Score: 1
    Hell, it's still running under DOS. Like it or not windows is just a nice GUI front end for DOS.

    Um, no... any NT core products are in fact NOT running DOS. That's the whole point. Thanks for the FUD, though. Now if only I had a garden to spread it over.

  143. Well... by Oblio · · Score: 1

    ...that will give those 15 men of tain...er... microsoft security something to do for a while. :)

    --
    Pax -- Ob
  144. Re:Let's see how fast they can patch it by RatKeeper · · Score: 1

    Ummm, it's already patched. Didn't you read the article?

  145. Re:Then Redhat robs people too by Jonathan+the+Nerd · · Score: 1

    Um, if you don't want to pay for the full Redhat distribution, you can always download it for free from their ftp site. Sure, you don't get official support, but you still get the full system, plus all the documentation available in the box set. Last time I checked, Microsoft didn't offer anything close to that.

    --
    Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
  146. Re:Defending Microsoft by TummyX · · Score: 1


    Isn't that the problem? W2k is so large that it's now next to impossible to do good QA on it. I can't speak for BSD, but in Linux most pieces of software are relatively independent, so that QA only needs to be done on that particular piece of software.


    Well duh Windows 2000 is big, but it's also highly componentized, even the kernel is. Windows 2000 isn't one big source file you know, there are many divisions working on various parts of Windows 2000. COM+, WTS, Explorer, GDI etc etc.

    Yeesh

  147. again points people are missing by nhavar · · Score: 1

    One person pointed out that the patch would "break" the news system. Of course this one person quoting ONE other person which had a total of ONE experience with this supposed "break". Another person points out that the second security issue Microsoft knew about "for weeks" when I believe that the article stated that "users" had discussed it for weeks but only recently had Microsoft been officially notified (how true this is I cannot attest). The point here being that some of you are quoting single sources with no verifiable data to back up a conclusion or mis-quoting sources (intentionally or unintentionally). Please pay attention to your facts.

    EVERY OS has its bugs (Beta, GOLD, Developers release, what have you). The things to remember are these. Any Microsoft OS is going to be picked apart for bugs for reasons A) Huge number of computer users using the software B) People who want to find anything they can wrong with Microsoft's software C) People willing and able to sit in front of computer for hours to find any exploit for ANY system. D) People who will shout from the rooftops someone else's flaws (before their own of course)

    Now when Linux gets to the point where it offers all of the features Windows does (and don't tell me it does now cuz my ATI video card will tell you different) including an easy to use/configure GUI and continues to run faster than Windows with less code. Then and only then can you start shouting from the roof tops that Linux is king. Don't get me wrong Linux is great for what you can do with it, but lately I've noticed that the companies bringing linux into the mainstream are raising the prices (linux 79.99 compared to wins 99.99) and raising the system requirements along with it. So the lighter, faster, better argument is running out of steam (quick). Of course the argument is "well look what you get for your money" but isn't that the same thing MS has been saying for years too.

    Think about what you are going to say, research it, back it up with fact, think about it again. Then say it!

    --
    "Do not be swept up in the momentum of mediocrity." - anon
  148. Re:How about some honesty by fusiongyro · · Score: 2

    As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K only bug which is how /. wants users to perceive it. That's not accurate or fair.

    So the fact that the bugs are in existing products somehow makes the bugs OK? Or are you just saying that because it's Microsoft, we can expect it, but that it's unfair to expect bugs in Microsoft products in newer ones? What exactly are you trying to prove here, that Microsoft has a bad rap for holes in new software, or that Microsoft software has a bad rap for holes in existing software? Does it really matter?

    I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.

    Basically, in addition to the lengthy 1-2 hour installation time that is expected, and the downloading and installing of updated drivers which is almost expected (as new hardware drivers get old fast also) one is also now required to get online immediately after installation and download patches for software which was broken before it was sold? Instead of engineering better products from scratch, we'll just give the users a permanent connection to a database of corrections and act like it's their fault if they forget to "update" once a week?

    You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.

    The perceived damage potential may be low, but a security breach is still a security breach. If Microsoft is going to make a product and market it as a secure server operating system, and it is not secure virtually from purchase onward, regardless of the degree of insecurity, they HAVE lied to the consumer. Underestimating the power of the cracker or even the script kiddie is generally a bad idea.

    The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassociate .htw files until the patch can be applied.

    This doesn't seem obvious to me. Should an administrator really be required to compensate for the quirks or poor design of the system? Particularly true of Microsoft software, which is both expensive and marketed primarily as a simpler solution?

    Don't take this the wrong way--it's not a flame. But people don't dislike MS's software so much as the hypocrisy. They pretend as though they are producing powerful, easy to use "solutions," yet more often than not, we are given costly systems which are difficult and counterintuitive to configure, subject to security holes inherent in poor design, and unable to provide non-destructive patches due to the archaic monstrosity which they are patching. Sure, it's their fault--they haven't rewritten Windows in a long, long time; a friend of mine suspects that there is probably still Pascal in there somewhere. But if they are going to try to sell us a powerful easy solution for large amounts of money, they had better be able to provide it.

    Daniel

  149. the dll that's patched is deprecated anyway by Otis_INF · · Score: 1

    the .ida and .idq bugs are in a dll that's deprecated. No good developer will choose the old schema of idq and htx files to get indexserver results, but will use asp for that. So the extensions can be removed from the webserver and no patch is needed.

    Ah, well... the mud flies already :)

    --
    Never underestimate the relief of true separation of Religion and State.
  150. Re:Service packs [or lack thereof] by Vladinator · · Score: 2

    *** WRONG ***

    FOR A FACT: Internet connection sharing was NOT available for 98, you had to buy 98SE to get that feature!

    FOR A FACT: You get EVERYTHING else if you download them from windowsupdate, or buy the cheap cd they put out.

    Hey Rob, Thanks for that tarball!

    --

    "Going to war without France is like going deer hunting without your accordion." - Jed Babbin

  151. Re:It's not the problem that bugs me... by Otis_INF · · Score: 1

    One single reply on a talkback forum on a fudsite tells that it breaks something else.

    That's a really reliable source to me.

    If you'd have looked deeper into the problem, you'd have known you could have protected yourself easily the way you already SHOULD have protected yourself: with removing all the extensions NOT NEEDED by the websites on your server. It's simple. It's even stated in the idiot-proof security manual by MS ;)

    So if you did everything right, you'd have used ASP for the indexserver queries, and you'd have deleted the idq/ida extensions :) (together with all the other extensions like htr etc. remember that bug? :)

    --
    Never underestimate the relief of true separation of Religion and State.
  152. Re:How about some honesty by Lookoutbelow · · Score: 1

    Why don't we get a weekly update on Linux exploits and only biased pieces about MS problems? You could start by checking out: www.insecure.org

  153. time to whine. by CmdrPinkTaco · · Score: 1

    ok, so I am replying to my own thread again, so sue me.

    I just want to remark/bitch about the moderating that goes on here at slashdot. I had one of the first 10 posts to this article (and actually it is one of the first threads to actually make a joke about the issue when you take out all of the trolls and first posts) and it is marked redundant.

    I just want to thank the moderators who don't bother to be responsible and think before they moderate. I wouldn't be upset if my comment had been marked overrated, but redundant....that is just stupidity on the moderators' part.

    As to the idiot who marked it flame bait, I think that I already established that in the post.

    I think that moderators should be held accountable for their privilege. I am all for having the ability to have moderators justify why they moderated a post accordingly, not just meta moderation. People need to loosen up.
    --------------------------------------------

    --
    Please give your mod points to others, Im at the cap. They will appreciate it more
  154. QA == Quality Assessment? by bert · · Score: 1

    I'm sure somebody must have explained what the acronym QA stands for, somewhere earlier in the discussion, but I can't find it. My guess would be Quality Assessment but I can't be sure.

  155. Re:Microsoft security. by demon · · Score: 1

    Although it Slashdot likes to say that there are security hazard with windows it's really an exageration.

    Ok. I don't know how you figure that it's an exaggeration, but let's have a look at what you're thinking here.

    I read an article about Unix permisions helping stop viruses but with Windows we have something far more powerfull.

    Oh? And pray tell - what is this powerfull [sp] thing that you have that Unix/Linux doesn't?

    Microsoft format is graphical where Linux does not have a graphical user interface [GUI].

    Ok, I really don't know how this makes a damn bit of difference. (There are GUIs for Unix/Linux, but they don't have tendrils extending into every layer of the system.)

    This makes hacking a W2k more secure becuase things are not stored in plain text.

    Bullshit. All it takes is a little effort to learn the formats (and if you have a W2K box, reading those data formats isn't that hard a proposition)...

    Instead MicroSoft stores things in fancy graphical text. This makes it harder for hackers to read.

    "Fancy graphical text"? Uhh. I think you mean binary config files. That's no protection. There's a name for that though - security by obscurity. It's no security at all.

    Linux should really work on making a [GUI] then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI.

    That's a laugh. Like we care about ads on TV. Linux works just fine for those of us who want it for the advantages it provides (a lighter-weight system, without the GUI bloat), and GUI frontends are available (think of the GNOME and KDE desktop environments).

    Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprize readiness" and "intuitive network applications" and "erp" that Windows does.

    "[R]eal time" stuff is the domain of real-time OSes (think QNX). Right tool for the job. And "enterprize readiness" [sp]? Enterprise-readiness is a very subjective thing - but Windows NT (Win2k, whatever) isn't it - if you want high-end computing, you best be shelling out for a higher-end box, like a Sun or HP UNIX server-class system. ERP is just bullshit - just another pretty acronym to sell to the suits.

    Just my 2 shillings.

    That's about all it's worth, too. Really, come on - you're much too in love with GUIs.

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  156. Re:How about some honesty by Lookoutbelow · · Score: 1

    Here's the biggest Linux exploit: http://www.bedope.com/stories/0082.html

  157. Re:But...but...Microsoft promised they'd fixed it! by drivers · · Score: 1

    They tasked many employees with making sure Win2K was secure!

    15 or 25 people wasn't it? :P

  158. Re:Gold Master != Beta, Unless You Live In Redmond by ctembreull · · Score: 2
    Sure.

    It's been said before by others in this thread, but I'll say it again here (whoever posted this bit earlier, kudos).

    Not one of those fixes affected the kernel. They may have been in relation to one or another package, but they weren't security fixes in Linux.

    There's also the point that security issues and other bugs in Linux and other free software are an integral part of the evolution process of those packages/systems. On average those fixes are published far faster than fixes for Windows. Those fixes do not destroy other functionality in the fashion of this newest patch or SP6.

    And, I should mention, that there are far fewer of them necessary for Linux and similar packages than there are for Windows. How many security updates have there been for NT this year, anyway? 6?

    My point is that security mistakes happen. The speed and effectiveness of those responses pretty well defines how secure an operating system is, since someone's always going to have a new attack. Fixes to Linux packages are fast and clean. Windows fixes have this nasty habit of breaking other parts of the OS.

    Either way, Microsoft blew it.

    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    My opinions are my own, and nobody else's.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
  159. Just like any other OS by Kerg · · Score: 1

    All operating systems have security holes. Before their release, and after they've been released. So that doesn't make W2K anything special.

    I guess the only interesting question is how quickly will Microsoft patch these holes, and how well do they do it.

  160. Don?t forget ðis! by coyote-san · · Score: 1

    Don?t forget ðe use of non-standard character encoding. MS knows ðat ðe ?real? lesson from IBM is ðey lost ðeir non?opoly only after ðey allowed ðe users, curse ðeir black hearts, to use ASCII instead of EBCDIC.

    ðat?s why all commercially successful OSes will use special characters for ?smart quotes,? display kerning, and the like.

    Linux, of course, supports ðe stupid ISO-8859-x and CJK standards. ðat means any system can edit any file. Ffools.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  161. Re:Defending Microsoft by spectecjr · · Score: 3

    I never asked for 90% of the things that Office purports to do. Am I being unreasonable to want software that doesn't tip over five times a day?

    Office is the only software that Microsoft produces which caters to 10% of its target market all of the time - rather than putting in features for the 90% case.

    Why?

    Because it's the only product they make where everyone in their target market requires a completely different set of features - any given person will probably only use 10% of the functionality available. However, take any of it out, and they're cutting out a massive chunk of the market.

    Also, with the new installer, things should be more stable - because it forces better encapsulation of the underlying code (because you can install it in nice feature-sized chunks).

    As for tipping over five times a day? What the hell are you doing to that poor thing? I've never seen Office crash once never mind five times in a single day!

    Simon

    --
    Coming soon - pyrogyra
  162. Comparing Linux to Win is stupid.. by DaMan · · Score: 1

    I think this entire comparison is dumb.

    Windows* you get one cd with some nice programs like Paint and Calculator, MineSweep.. etc... You then had to buy, steal any other software you needed. The system even without any extra software had bugs and security holes. If you look at most major linux distributions you will notice that you get a hell of a lot more software. It would be interesting if you stripped a linux system to equal the functionality of a default Win 9* system (software wise). Then you can look for security problems and bugs.

    I have been using linux at home for more than 2 years, the reason I switched is because I wanted something like the sun server I use at work but for use at home on a System Administrators budget. The sun servers have not gone down in 2 years unless we take them down. (yes they are on ups)

    I must say also that some good things are coming out of linux being pushed into the spotlight even if linux would fail (I don't think it will ever go away). It is causing Microsoft, Sun and most other major vendors to produce a better product. Things take time I think within the next 5 years there is going to be something better for everyone to use. I don't think it will be Windows, Linux or Solaris but I am sure that it will be unix like which is cool with me.

    Thanks Flame away....
    --
    Joshua Curtis
    Lancaster Co. Linux Users Group

  163. Quick Fix... by Puppet+Master · · Score: 1

    There's a simple quick fix available that will patch ALL Microsoft bugs...

    It's 2 steps...

    1) Format HD
    2) Install Unix/Linux

    Your system is now bug free :)

    --
    The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
  164. Service pack 1 already *announced* by mdb31 · · Score: 1
    Hmm, dunno when and where Microsoft told you that Windows 2000 would not need any service packs (are you sure it weren't the voices in your head?), but out here in the real world the availability date for SP1 has already been announced.

    But anyway, was there a point somewhere in all of this? No?? OK then, let's return to our regularly scheduled rant about how Linux is waaaaay superior to any Microsoft product, never has bugs or needs updates, etc. etc.

  165. Re:Let's see how fast they can patch it by timmyd · · Score: 1

    it says that the patch even creates news problems. maybe they will have to release another to patch it.

  166. Damn! Saved em again : - ( by fishlet · · Score: 1

    I wish people would stop helping Microsoft out by reporting bugs before they release the 40+ million line behemoth. If I had my way, I'd secretly record the bugs and then teach those Win2K adoring freaks a lesson AFTER it's been released. On the flip side, these people should spend their time trying to crack linux so Linux gets the benefit of all those prying eyes. Microsoft has enough $$$, why should we do free beta testing for them?

  167. Defending Microsoft by -=Cynic=- · · Score: 5

    ...now this is something I won't do too often.

    But in the comments here you're probably going to find a zillion people saying the equivalent of "MICROSOFT IS EVIL! You won't find this in Linux/Unix/*BSD!".

    And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.

    Of course, Linux, *BSD, etc, all have bugs, it's just that they're fixed sooner and I think we all have more tolerance for bugs found on free systems. And we all have unreasonably high expectations of MS, because they're a bunch of corporate bastards (look at their history!) and because most of us probably support alternate OSes.

    Of course, the thing that *really* worries me about this article is the fact that one of the bugs was apparently known for weeks before MS even admitted it existed; now that kind of thing is sloppy, and they deserve whatever criticism they get for it.

    1. Re:Defending Microsoft by demon · · Score: 1

      Well, after all the posturing they've done about how Win2K is supposed to be their most secure OS ever... this is just poor. If they're going to make the claim, they'd better bust their asses to fulfill that claim! And if they CAN'T fulfill it, then damn it, making it is a pretty lousy thing to do.

      I can certainly see where you're coming from, but as far as the size goes, that's not OUR fault (I use the first-person plural referring to us as the consuming public), that's their own fault for taping, gluing, nailing, and otherwise affixing in any way possible layer upon layer of cruft to their OS.

      Also, part of their testing nightmare is the fact that everything depends on everything else - it's practically impossible to pull ONE component off the behemoth, and poke/prod/analyze it completely, because it's gonna depend on a hundred other little chunks distributed throughout the OS. They really need to clean up their act there.

      If they screw up (ESPECIALLY with all the rhetoric and posturing coming from Redmond) and WE call them on it, well, then they'd better sit up and pay attention. Of course, we are dealing with Microsoft, so they're probably sticking their fingers in their ears and saying "I'M NOT LISTENING!!! OH SAY CAN YOU SEEEEEE...." as we speak.

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
    2. Re:Defending Microsoft by IntlHarvester · · Score: 1

      Right on, despite the retail costs and disk footprint of a MS|Corel|Lotus Office, from a corporate standpoint, there's enormous cost savings in deploying a solution that meets 90% of your user base's needs, even though each particular user might only use 10% of the functionality.

      Imagine trying to decide which users need slideshow software, or 3-D charting software, or revision control software. Or worse, the nightmare of a swarm of techs running around installing this stuff after someone mailed out a slideshow, 3D chart, or revision controlled document. It's easier to waste $20 worth of disk space for each user and forget about it.

      (I was there back in the DOS days of smaller, more focused tools, and it was an administration disaster, not to mention the licence surveys. Linux OSes solve this problem by giving you the more focused tools, but also giving you lots and lots of them by default, which again leads to lots of disk space usage.)

      --
      Business. Numbers. Money. People. Computer World.
    3. Re:Defending Microsoft by whoop · · Score: 1

      When said bug exposes your entire hard drive to the Internet for eleven days, it's a bit more than a "flaw." Of course this will not be the end of bugs, they will only get more and worse as time chugs along. And most unfortunate, there is not a single thing you can do when your servers are exposed like this but wait and wait for Microsoft to acknowledge and then issue a fix. Even then, you must be wary that this fix will corrupt some other aspect of the system.

      This is a very important first step for Windows 2000. Microsoft couldn't handle this "flaw" very well, and the questions will now be there for every flaw and fix.

    4. Re:Defending Microsoft by rhyac · · Score: 1

      Yeah, but windows isn't target-marketed to geeks. Windows isn't designed to make someone go 'ooh, look at this, I can grep' or whatever makes linux people hot. It's designed for a 40 year old manager sitting in an office. It's designed for the dad that says 'My kids need a computer to do homework'. It's designed for the school-teacher that needs to print out a hand-out for class.

      See, this is the reason that Linux will never gain widespread desktop support - it's a bunch of geeks making an OS for a bunch of geeks. Well, hate to pop your bubble, but if you didn't learn it in highschool, you should now: the world is not made up entirely of geeks. Microsoft understands that an -enormous- part of making a product successful is making it easy to use. It also doesn't hurt to add a little flash.

      The thing you guys should be most afraid of, though, is that Microsoft has caught up (and surpassed linux, in many cases) as far as technological superiority goes. So, not only is it easy enough for a child to use, it's as good or better than linux in areas that linux has always maintained as its raison-d'etre. It's stable. It's fast. It's got good networking.

      Hate to say it, but you guys -really- have your work cut out for you, unless you want to see linux relegated to inexpensive servers and embedded systems.

      moderate me down, i've got a point-of-view

    5. Re:Defending Microsoft by TummyX · · Score: 1

      don't be such a fool.

      integrated means it's an important part of windows, IE technology is used in other features of windows like IIS, HTML Help etc.

      It's like saying X, Gnome and Bash are important to Redhat Linux...and that KFM is 'integrated' into Corel Linux.
      The term 'integrated' just means it's part of windows and removing it would make windows not the windows they want it to be.

      Duh. Think.

    6. Re:Defending Microsoft by kkeller · · Score: 1
      And I'm here to say that MS has done a good job. It's a huge OS, people.

      Isn't that the problem? W2k is so large that it's now next to impossible to do good QA on it. I can't speak for BSD, but in Linux most pieces of software are relatively independent, so that QA only needs to be done on that particular piece of software.

      Granted, it means that maintaining a Linux installation can be a little more complex. Good. Dumb people shouldn't be using Linux. (They probably shouldn't use W2k, either, but that's who MS is marketing.)

  168. Re: Then Redhat robs people too by jjmcwill · · Score: 1

    Yeah, it's $150.00, but that's equivalent to Windows NT server which cost you $680.00. The professional version gets a license of the RSA Encryption required for use in e-commerce if you want to provide secure web pages via SSL.

    Jeff

    --
    Opinions expressed are my own and not necessarily those of my employer.
  169. Re:Microsoft security. by Uller-RM · · Score: 1

    Good god, man, it was a joke.

    It's kinda obvious, IMHO, when somebody misspells enterprise and waxes about non-programmed features, and states things that are clearly not true.

    And, I would disagree that Windows is nothing more than a GUI on top of DOS; from a programming standpoint, DOS provided nothing more than file access functions and the most basic OS-related routines (who here still remembers INT 24h...) whereas Windows provides an abstraction layer - which you refer to as shit, but if you'd rather do VESA and BIOS calls and direct screen writes rather than GDI calls, for example, you need mental help. Much less some of the other things that Windows APIs do very nicely for us coders, such as TWAIN. Or using Windows sound routines rather than manipulating a DSP manually, and god help you if it's not 100% Sound Blaster compatible. For the coders, as much as we hate the instabilities and quirky behavior of Windows OSes, it's better than DOS by a long shot.

    Granted, I'd rather be working in Linux on that I prefer its architecture over Windows, but that's me. For normal users you MIGHT be correct, if you don't do anything in Windows that you couldn't do before in DOS with a bit of elbow grease. For coders, Windows is still far and away better than DOS. (IMHO not as good as X though.)

  170. Re:Service packs [or lack thereof] by JordanH · · Score: 2
    Well, I did say "Windows 98 SE box that pretty much everything you needed to make Windows 98 into Windows 98 SE was available free on the net."

    Did MS make it clear that the most everything that Windows 98 SE had that Windows 98 didn't was available for free? Most people won't use Internet Connection Sharing.


    -Jordan Henderson

  171. I thought it was named Windows for a reason by coolgeek · · Score: 1

    Like you can climb in and out of it as easy as a window on somebody's house.

    --

    cat /dev/null >sig
  172. "Non-BETA" in Linux terms is a state of mind by Qic · · Score: 2

    This is not surprising, and reeks of FUD and propaganda created by those who claim most bad press about Linux is FUD.

    Considering anyone can run into the kernel code and hack away at any moment on a non-beta release of Linux, I guess it would turn back into beta in that particular installation.

    I find it particularly funny that Linux people are so anti-MS, they don't even want to pay attention to the fact that there is always the right tool for the right job. Some jobs work better with Linux, some better with MS products.

    You can rant and rage about MS all you want, but there are security issues in all OSes regardless of its lifecycle state. You can detect all detectable bugs, but you can't detect undetected bugs.

  173. It's not the problem that bugs me... by ca1v1n · · Score: 1

    It's the fix. It took them this long to produce a patch that breaks something else? The security flaws are an annoyance, but every OS has them. On top of that, these were only read-only problems, yes, theoretically even capable of user password grabbing, or credit-card grabbing, if someone was really stupid, but not as serious as the countless root compromises out there for your favorite POSIX OS. Now, I'm sure Win2k has plenty of these too, but that's not what we're talking about here. Now what IS sad is that they took 2 weeks to patch it and they couldn't do it right.

  174. Ummm. . .be there any *totally* secure OS'? by Sith+Lord+Jesus · · Score: 1
    Or at least one more secure than Win98/2k? As a Win98 user on a budget I have been considering installing Linux as my next OS since I'm not *so* eager to shell out US$200+ for W2K. Some have told me to get Open Linux it's supposedly more newbie-friendly. Others have suggested Red Hat. But I don't wanna have to put up with security holes, too, if they have any. Or am I making too much out of all this? But anyway, as a viable, secure alternative to Windows for a Linux virgin, what would you people suggest?

    *Sigh.* If only I could get OS X for x86. . .

    --

  175. No patch out as of yet by lweinmunson · · Score: 3

    I just went to the Microsoft update site from my Win2K box (legal off of the Select CD's) and only found a couple of multi media type apps. No critical updates, no general updates, nothing. Now since they are probably going to do this the same way that they did 98 (making it a royal pain to get updates without the web site) this could be very annoying on servers. "What do you mean I have to launch IE5 on all of my servers independently to get SP78?" Can't wait 'till we're told to roll this out all over the company :) Les Weinmunson

  176. Dammit, I'll only say it once more! by Dirtside · · Score: 2
    THESE ARE FEATURES, NOT BUGS! Get it straight, people!

    - Bill Gates, former CEO, Microsoft

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  177. Re:Service packs [or lack thereof] by JordanH · · Score: 2
    • Betcha they will still be giving them out like candy

    Naaah... They learned their lesson long ago on that one. You can't continue to have record quarters if you give away Betas (Win2K betas cost quite a bit more than media cost), or give away patches/service releases (Win98 Special Edition).

    They'll collect up the top 10 patches and put out Windows 2000 Special Edition and charge you full price.


    -Jordan Henderson

  178. Re:Not surprising by timmyd · · Score: 1

    you don't have to use redhat, you don't have to use microsoft. you have to pay for microsoft, but all gpl'd software is free. shouldn't you expect more if you buy software? now, if there were ten big security bugs in every dist. then i might consider siding with you. but no one forces you to use either

  179. Microsoft security. by Error27 · · Score: 3

    Although it Slashdot likes to say that there are security hazard with windows it's really an exageration.

    I read an article about Unix permisions helping stop viruses but with Windows we have something far more powerfull.

    Microsoft format is graphical where Linux does not have a graphical user interface [GUI]. This makes hacking a W2k more secure becuase things are not stored in plain text. Instead MicroSoft stores things in fancy graphical text. This makes it harder for hackers to read.

    Linux should really work on making a [GUI] then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI. Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprize readiness" and "intuitive network applications" and "erp" that Windows does.

    Just my 2 shillings.

    1. Re:Microsoft security. by Rogain · · Score: 1

      ONE THING THAT SEEMS REALLY DANGEROUS TO ME IS WHENEVER I R-TELNET TO A LINIX-DISTRO IT ALWAYS GIVES YOU A LOGIN PROMPT, MY WINDOWS BOX NEVER DOES THAT. SO IT IS MUCH MORE SECURE. I MEAN THAT'S JUST AN INVITATION TO PEOPLE TO LOGON AND REFORMAT MY HARDDRIVE.

      PLUS WINDOWS HAS MULTI-TUSKING. WHICH IS AS I UNDERSTAND A WAY TO MAKE YOUR SYSTEM HAVE MANY TUSKS, TO SCARE AWAY ANY HACKING CRACKERS.

      THE ONLY FEATURE I DONT LIKE IS THAT SCANDISK ALWAYS RUNS WHENEVER I POWER MY SYSTEM BACK ON, IT MUST BE A LINUX APP SOMEONE PORTED OVER TO WINDOWS, HOW CAN I UNINSTALL IT? IT ALWAYS TAKES SO LONG TO RUN, AND IT DOES NOTHING BUT "FIX" FILES, HOW CAN THEY BE BROKEN, I JUST TURNED IT ON? I HAVEN'T EVEN EDITED ANY FILES YET, I SAY IF IT AINT BROKEN DONT LET SCANDISK FIX EM!

      --
      The current Slashdot moderation system is made by gay communists!
  180. Re:Gold Master != Beta, Unless You Live In Redmond by whoop · · Score: 1

    Mandrake has had its MandrakeUpdate util for a couple versions now. So at least one distribution has such a util.

  181. Microsoft service packs by afree87 · · Score: 1

    ARTICLE 1: Microsoft will soon revolutionize the computer market by announcing the first service pack for a product before they even begin work on it. If the product is vaporware, it will be called "buggy vaporware".

    ARTICLE 2: I started writing this article in IE, but, even though I had to re-identify myself and cut-and-paste, finished it in Mozilla. Why? Not for fun! I had to do so because my typing speed is literally ten times the top speed that IE can put in words. My comment was butchered!

    --

  182. Re: We must support leader! by SirCarmex · · Score: 1

    What a sad day, Windows is being torn apart by our greedy government. You people should be ashamed of driving leader away from m$! He brought us such great products as Windows 95, Windows 98, and soon to be Windows: Breaks every 5 minutes! For shame! All of you people who have strayed from the path of our leader and use this Linux idea should be sent to the m$ HQ for immediate reprogra....I mean to be given a raise! If all of us could just use Windows then the world would be a better place. I remember once when I used Linux, but it was a terrible experience. It tried to make me stray from the path of leader. It tried to brain wash me with that Penguin they sent me. It was casting a spell on me when I was sent an urgent message stating that I was needed in the HQ right that instant. I quickly got in my car and drove there. I don't quite remember what happened in that white-green building, but I sure felt a lot better when I came out. That is why we all must convert back to Windows if you already haven't! Praise the leader! We love you! Drone #- 4452319

    --
    Life comes not from the heart, but from the women around you.
  183. How about some honesty by Drestin · · Score: 4

    If there is any non-bias at /. then this post will not be moderated away. No flamebait or trolling just wanna clear a couple of points up ALL using the provided story URL.

    #1: The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services).

    As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K only bug which is how /. wants users to perceive it. That's not accurate or fair.

    #2 The bug was discovered AFTER W2K went gold. They have released a patch for NT4 and W2K both that works right now for both. So, before W2K is released there is a fix. I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.

    #3) You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.

    #4) The exploit itself was reported to MS promptly and fixed quick. The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassociate .htw files until the patch can be applied.

    Why don't we get a weekly update on Linux exploits and only bias pieces about MS problems?

  184. Re:Gold Master != Beta, Unless You Live In Redmond by Trepalium · · Score: 1
    You also have to realize that the NT kernel is a microkernel, which means NTOSKRNL doesn't do much of anything aside from memory management, whereas Linux uses a monolithic kernel. So, yes, you could say Win2000 has fewer bugs in its "kernel" than Linux does.

    On the other hand, if you mean kernel services, a lot of things run as a kernel process under Win2000/NT. The TCPIP system has had numerous bugs in NT4. The TCP sequence numbers, for example. It took Microsoft two hot fixes and several months to get it right. The first hotfix for the problem actually made it WORSE, making it even easier to spoof a connection to an NT machine. A number of NT core services run in the privileged Ring 0 on the Intel platform for performance reasons, whereas most UNIX daemons are almost always implemented in user space (ring 3) where memory protection can occur. Microsoft's core selling feature has always been the speed at which it's supposed to operate. C2 certification was a joke (who runs a network server with networking capabilities disabled).

    Check out Microsoft's support site about all the "known" bugs in Windows 2000. It's frightening. 187 known bugs affecting Windows 2000 to date, and it's not even shipped yet.

    --
    I used up all my sick days, so I'm calling in dead.
  185. Re:You Do have a Point But... by KiboMaster · · Score: 1
    Obviously, M$ has a moral obligation here to provide a fix for their errors, but I don't think we need to rip them apart for it. Errors are inevitable.

    Errors are inevitable, but it's the number of errors in Microsoft products that cause great concern. How long has Microsoft been putting out operating systems? You'd think after all this time, they'd get it right. Hell, it's still running under DOS. Like it or not Windows is just a nice GUI front end for DOS.

    Every time Microsoft puts out a new version of Windows we're promised it will be more stable, more secure, and faster than the previous version. Based on this I can't believe that to be true. Remember when WIN98 blue screened while Bill was demonstrating it?

    I'm not saying Linux doesn't have its security holes too. But let's take a look at how fast they're fixed:

    Linux:
    New version released, hole found in 2 or 3 days, hole fixed within 24 hours.
    Windows:
    New version releases, hole found in 2 or 3 days, after 2 or 3 months of screwing around patch released, hole in patch found, 2 or 3 months later...
    OR
    Hole found before release, hole fixed 2 to 3 weeks after first notification.

    And Microsoft is charging $200-$300 for this crap, yet Linux remains free.

    How many programmers are involved in writing Windows?

    How many programmers are involved in writing Linux?

    something to think about

    --

    "Happiness in intelligent people is the rarest thing I know."
    -- Ernest Hemingway

  186. Re:Uh, ya like 2.0 and 2.2 weren't patched immedia by Demonicbunny · · Score: 1

    How is this a troll? If it's not pro linux, it's a troll. That's slashdot for ya.

  187. other suggestions: O/T by Evro · · Score: 2

    I've always been partial to "myriad."

    Myriad is somewhat unique in that it can be used as a noun or an adjective. e.g.:

    "There is a MYRIAD (quick go look it up) of linux security sites, as well as *BSD security sites."

    but one can also say:

    "There are MYRIAD (quick go look it up) linux security sites, as well as *BSD security sites."


    Also nice would have been "INNUMERABLE," "COUNTLESS," and "SUPERFLUITY."

    Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.
    ___________________

    --
    rooooar
  188. Security thru Obscurity. by Rodney+L+Caston · · Score: 1

    I think this issue has been debated to death, but once again I can't help but point out the design flaws in "Security thru Obscurity", if MS would just open up their source and let us peek around I'm sure we could sniff out all those nasty bugs.. err I mean "FEATURES"

  189. Yes, But How Can We Use This To Create Chaos? (TM) by WillAffleck · · Score: 1

    Any ideas?

    --
    Will in Seattle
  190. Win2k not just a kern. Dists not just for servers by peter · · Score: 1

    Will people stop comparing Win2k to linux kernel x.x.x? No bugs have been found in the Windows 2000 kernel (yet.) Bugs have been found in the daemons^H^H^H^H^H^H^Hservices it starts by default, but that happens to all linux distributions.

    However, I don't really think that is much excuse for Micros~1. Everything they release has been written in recent years, when being careful about buffer overflows is a well known programming concept. Software which is based on 10 year old or more code (like sendmail and wu-ftpd, I think) at least have the excuse that they were written before most people had reason to think about security. (of course, there isn't really much excuse to run them, given the existence of new MTAs written during the age of security (as it were:), like exim. ftpd replacements exist too.)

    So, Micros~1 windows 2000 is like a distribution with some buggy programs and some configuration errors in stuff which runs in the default system. This is unacceptable, given that you are paying money for Win2k. It doesn't bug me too much to have a problem with a linux distro, because the problems get noticed and fixed in the next release of the distro. Micros~1 will be selling win2k CDs which come set up wrong for a long time. Redhat probably sells almost no CDs of rh6.0, and rh6.1 has most/all of the known security problems fixed. This is different from shipping a rh6.0 cd with a cd which upgrades it to 6.1, since it is easy to not bother doing the upgrade, especially for newbies who were overwhelmed enough by the install! Debian, of course, is the best for this. You install off some old CDs, then you apt-get upgrade and all the fixes/new versions of stuff gets installed. It's so easy even a newbie should be able to manage it. EVEN NEWBIES WHO DON'T READ CERT OR BUGTRAQ WILL GET FIXES INSTALLED easily. This is very important.

    Some people have commented that every system needs to have a competent admin who reads security warnings and stuff, so it is ok to have lots of stuff enabled by default. This is all well and good, as long as linux or win2k is only used on company servers. Linux is used by people with cable modems who don't really have a clue (some people clue in after a while, but they didn't know enough when they first installed.) Even for a good admin, it is much easier to not have to figure out what is already going on, and to be able to say, "I want mail, web, and ftp, so I'll install the packages for that, then enable it in the config files", than to say, "gee this machine seems to be running a web server already. I wonder what J. Random Hacker on the 'net can get off my machine right now?". Having to know about everything there is and then portscan your machine to see what you have just seems like a really silly arrangement to me. But remember, it should be possible for people who are just learning to install linux without worrying about getting cracked into. (and without having that happen without them knowing, let alone worrying, about the possibility!!!).

    So, given that win2k is targeted at everyone, not just servers (I think), Micros~1 looks really dumb. Joe Newbie has no idea he is running insecure.exe as a service. Well, I've gone on long enough. I hope that made sense, but I'm sure my ideas jumped around faster than I could type, so I probably screwed up somewhere. Hope it makes some sense:)

    --
    #define X(x,y) x##y
    Peter Cordes ; e-mail: X(peter@cordes , .ca)
  191. Re:YEAH! Microsoft SUX! by peter · · Score: 1

    disclaimer: I haven't done my homework on this, so I might be wrong.

    Does the redhat problem let people without accounts on the machine get root? no.
    Therefore, it is a much less severe problem, IMHO. Presumably, you at least have some idea who your users are, and if not then you are probably a big site with professional admins who will be very suspicious about _every_ suid binary, etc. RedHat comes with a whole lot of SUID shit (yes, shit. normally I don't curse stuff, but rh has way too much suid stuff. I haven't looked at how complicated any of the programs are, but just the number of them seems risky.)

    Did RedHat themselves write the buggy software? If so, or if the author has a fix which RH didn't get, then thumbs down to RH.

    Does RedHat brag about how secure their distribution is? no. Does Micros~1? yes. Now who do we laugh at when old unfixed security problems are found in each.

    Also, keep in mind that RedHat is not the only linux distro. Debian rocks. Debian gets fixed fast if there is a problem, and you don't have to dig through security reports if you don't want to. (you should, but you are more or less safe if you apt-get update; apt-get upgrade every now and then, AFAIK. You can read the changelog in /usr/{share,}/doc/package and see what changed, too.)

    --
    #define X(x,y) x##y
    Peter Cordes ; e-mail: X(peter@cordes , .ca)
  192. Tried it... but no cigar by NatePWIII · · Score: 1

    I have tried it... and I wasn't too impressed. It is slow, inefficient, full of holes, and highly unstable. I think I'll stick with my FreeBSD for another year or two. Maybe by then, when Windows 2002 comes out, I'll take another look at switching over. Actually by then Windows will have implemented a Linux kernel so I guess it won't really be "windows" anymore now will it.


    Nathaniel P. Wilkerson
    NPS Internet Solutions, LLC
    www.npsis.com

    --

    Nathaniel P. Wilkerson
    www.haidacarver.com
  193. Why we should work for lazy people by roystgnr · · Score: 2

    then i guess no operating system is ready for the desktop.

    Not really. Win98 comes close, at least. All that missing network functionality at least means there's less to break, and Windows Update means you can get patches when something is found broken, whether you're a security expert or not. Sure, in Windows' history it's been susceptible to remote-crash attacks more often than not, but I can't recall more than a few times it's been possible to "root" a stock Windows box remotely (not counting third-party products like mirc and ftp servers).

    With Linux there's so much stuff open to the net by default that it seems like there's a remote root exploit every year. If you're security aware you'll be able to install the fix as soon as the world knows about the problem, but if you're not you're just a target.

    updates are the user's responsibility. why should everyone work double for the lazy ppl?

    Because that way we don't have a ripe population of insecure Linux boxes for viruses and worms to spread through?

    Because that way Linux looks better in the press?

    Because lazy people buy things like Unreal Tournament and CivCTP, and thus get companies to port those things to Linux so we can buy them too?

    Because we have lazy or non-computer-geek friends and family whom we'd like to stop using Windows (and stop bugging us when it crashes), and we can't personally see to the security of every one of their machines?

    Because distributions who do work double for lazy people sell more copies and make more money.

    So we can achieve world domination! Duh.

    Because sometimes *we* are inadvertently the lazy people. Deadangel, I notice your computer may be on a new distribution with no security updates required (and ssh installed; good for you), but the fact that you've still got telnet and linuxconf ports open to the net doesn't bode well for the future. (Sorry for the nmap, BTW; I hope you don't have any paranoid TCP/IP logging enabled)

    Finally, because having the operating system checking its own security in a cron job means we have one more thing that the computer is doing for us, which is just technically better. Users shouldn't have to monitor a security mailing list when the computer can do that (and update programs from cryptographically signed packages) for us.

  194. Re:You're talking bullshit. SP6 knocked out all po by AugstWest · · Score: 2

    Are you always so combative? We're not even on opposite sides of the argument, you're going further in-depth on the same point I made, yet "I'm talking bullshit" and the "realise with acute embarrassment the idiocy of your post" bit is just flat-out abusive.

    If you want to make a point, do so. I don't see the reason for personal attacks. We don't need this antagonism on /.

    I wasn't stupid enough to install sp6 until it had been in use for a couple of weeks and the problems had shaken out, so I didn't bother to read all of the RFC's. Why should I?

    Take a fucking Valium and relax.

  195. 2.2.0 kernel by coyote-san · · Score: 5

    This isn't a development kernel or an "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.

    Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!

    However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:2.2.0 kernel by fsck · · Score: 1

      You obviously haven't used Lynx, which is available for the win32 platform by the way. I have yet to meet a win32 box that I can't crash, and IE5/explorer.exe (or associated Dynamic bLoated Library) is the culprit. IE5 is just wrong. Wrong wrong wrong wrong.

      --

      Lars - ...I could always phone Linus when I had a problem.
  196. Don't overlook the issue by NeoMage · · Score: 2

    The actual fault is with the Index Service which is available with the Windows Option Pack on NT 4.0 and happens to also be included with Windows 2000. To me, this is not a fault with Windows 2000 but with an optional component.

    Had Windows 2000 even been thought of yet, would people still be making such a fuss? Or are they simply out to bash the 'new product on the block' because it ships with a component that has an error.

    You don't see people screaming about RedHat when they release a distro that contains and installs a buggy program by default. Hell, last time I installed RedHat it installed that crazy Gnome thing that has more bugs than an African river.

    I guess I'm trying to say that this is simply being ridden for all people can get out of it in order to bash Windows 2000.

  197. Ummmm, Isn't This The Way It's *Supposed* To Work? by Dharma · · Score: 1

    God knows I'm no fan of M$, but last time I checked the Beta period was the time that bugs such as these were *supposed* to be flushed out and fixed(?).

    So, as much as I'd love to, I can't feel too much glee over a security hole found in a Beta operating system. Of course, when they (prematurely) release Win2K and the gazillion other security holes rear their nasty little heads, I'll be right there with everyone else laughing my butt off.

  198. Suspend copyright and patent protection for MS. by smithdog · · Score: 1

    Any MS vice president will tell you that the govt. is preventing MS from innovating. If the govt. would only stop extending copyright and patent protection to MS, then MS could "compete in the market place, not the court room." When I grow up, I want to be Chief Software Architect, just like Bill Gates, only better looking!

  199. Red Hat did not declare "6.1 will need no patches" by Ian+Schmidt · · Score: 2

    On national TV no less.

    Of course, anyone who's had to deal with NT knows how hard to laugh at such a proclamation.

  200. Rushing? by Nerds · · Score: 1

    Yeah, that seven year development cycle was really pushing it. Win2k has been in the works almost as long as Linux has (from the beginning). Microsoft took their good old time with this one. If you're going to blame anything, start with the amount of code that went into this thing. What was the last count, 17 trillion lines? I'm amazed there are only two security holes.

    Don't get me wrong, I'm not making excuses for the Redmond boys, but you kind of have to expect some bugs to slip through a project of this scale.

    --
    My other .sig is 'The Art of Computer Programming'
  201. Software politics by ch-chuck · · Score: 1

    ach, there's enough unknowns in any modern system to enable some interesting office politics - I've decided that politics is: defending your party leaders right to get away with murder while pointing out your opponents are unfit for office because they didn't dot an 'i' in one report. However, it is MSFT that constantly makes outrageous claims that they can't live up to in adverts - my employers are constantly drooling over cheap-assed consumer pc garbage and the software that runs on them, and it keeps me busy with a zillion tasks running around fixing things! I love it! MSFT defects are my job security! Thank goodness I can keep my guerilla Linux boxen for serious work between fixing the employees constantly breaking video-business games!

    The Scarlet Pimpernel

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  202. Gold Master != Beta, Unless You Live In Redmond. by ctembreull · · Score: 4
    Of course new software has problems. You're stating the obvious here.

    The point is that this is a security hole - in an operating system that was promised to be secure. Further exacerbating the problem is that this software Is Not Beta. It is a GM release, and there is supposed to be a world of difference between a beta and a GM product.

    Were this software a real beta, then it wouldn't require a downloadable patch when it finally hits store shelves. Win2k will - unless, of course, Microsoft is planning to destroy all existing shrinkwrap copies before they hit the shelves and issue a brand new GM, one which incorporates the patch. Instead, anyone who purchases Win2k will have to go download an upgrade.

    There's a huge difference between beta and GM, and that difference is called "proper testing". Learn it. Live by it. Unless, of course, you make a practice of considering improperly tested, thoroughly buggy software to be of release quality. In which case, I wish you all the luck in the world. You're going to need it.

    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    My opinions are my own, and nobody else's.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
  203. Misery by Rogain · · Score: 1

    NO! MSIE for solaris (sparc) gets the award for the most buggy software. Would not run for more than 2 minutes, then core dump.

    Start it up, and the CPU pegs at 99%, the damn thing can't even keep its window refreshed.

    --
    The current Slashdot moderation system is made by gay communists!
  204. Re:Then Redhat robs people too by Rogain · · Score: 1

    That's more support than you ever get from microsoft. And whether or not redhat is screwing people is besides the point, as everyone should be using debian anyway.

    Let the flaming begin!!!!!

    --
    The current Slashdot moderation system is made by gay communists!
  205. its the official release! by Juln · · Score: 1

    my, you are uninformed.. this concerns the gold code, that shipped to OEMs already.

    --
    Juln
  206. it's already sent to print by cfish · · Score: 1

    you think they are gonna open all of them boxes and crush the CDs? i think not.

  207. Re:Then Redhat robs people too by fsck · · Score: 1

    You should try buying Windows 98 in Canada, it's fucking overpriced. Somewhere between 300 and 400 dollars. Off-the-shelf linux tends to sell for around $69, although I'm not sure who is buying it.

    --

    Lars - ...I could always phone Linus when I had a problem.
  208. Windows 2000 RC2? Oh Cripes! by mstyne · · Score: 1

    Word on the street is, in fact, Win2000 RC2 is what is actually being shipped. I can't wait for all the "updates" and "patches". I had RC2 on my machine for TWO days... I'd rather not go into the stress of REMOVING it... as far as I can tell, it's NT4 1/2 with "fadey" windows. Feh.

    --
    mstyne: real name, no gimmicks
  209. yes but.. by Travoltus · · Score: 2


    You don't pay primo money for a development linux kernel, either.

    Windows 2000 will charge you up the hiney - once for the client version, and once for one of three server versions, and yet you get these huge, gaping bugs.

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
  210. Re:Gold Master != Beta, Unless You Live In Redmond by Malcontent · · Score: 1

    Actually securityportal.com did a study on this and found out that security fixes for redhat and debian were released much faster than MS. Go root around their site for a file you should be able to find the article.

    I think this is due to the fact that MS spends the first week of any discovery denying the thing exists or stating that it's irrelevant and Redhat just puts up the patch.

    --

    War is necrophilia.

  211. This isn't that big of a deal yet by rlk · · Score: 2

    Officially released or not, W2K is widely available. They've found two holes in a layered service, and they're sending out patches in a fairly reasonable amount of time.

    One can argue about the wisdom of turning on unnecessary services, but that problem is not unique to Microsoft. When I installed SuSE, I had to go and basically clean out inetd. Still nothing terribly new there. That's unfortunate, but it's an industry-wide problem.

    There will be security holes in W2K. If Microsoft responds more quickly and openly, and the holes are in add-on services rather than appearing systematically in the core, then maybe they're finally learning their lesson. My guess is that they'll do better than NT4 (they've really been taking a beating over this) but not as good as the better Linux/Unix distributions. But that's just a guess, too. Time will tell.

  212. Quality Assurance. by Stu+Charlton · · Score: 1

    See "Testing Computer Software" by Cem Kaner et al.

    --
    -Stu
  213. linux prices by peter · · Score: 1
    Linux has been and always will be free. (If someone tries to make it non-free, I will personally shove RMS (that's right, beard and all) down that person's throat.)

    As for the price of distributions, they seem to want to make some money off it by selling free support and/or a book with the distro. There is nothing wrong with that, but I don't like the impression it gives to new users. (i.e. the impression that linux is expensive just like windoze. (it isn't because you can legally copy it, see below, and because you don't have to buy any more stuff to do useful work.))

    Of course, the best way to get into linux is to find a local LUG, since you can ask questions, and get extremely useful info about how to set up linux to work with the local ISP's unfriendly setup. Even better, you can take your computer to a meeting and have some expert hackers work on getting your (random hardware X) supported, etc. Also, you can get someone with a fast 'net connection and a burner to make a CD of the distro of your choice for $2 a CD. (even ones like Stampede, which is available only by download. I don't know if Debian is being sold or not, I heard something about a retail Debian. (and I _don't_ mean Corel's linux.))

    --
    #define X(x,y) x##y
    Peter Cordes ; e-mail: X(peter@cordes , .ca)
  214. A quick math lesson. by Gibbo · · Score: 1

    A prime number is a number divisible only by itself and one. For example the following sequence; 2,3,5,7,11,13,17. The correct phrase should be 'an easy way to obtain the prime factors of large numbers'. Quite different in meaning to the phrase from Bill.

  215. Re:You're talking bullshit. SP6 knocked out all po by AugstWest · · Score: 2

    heh... sorry, that's one of the dangers of raising your threshold to 1... it looks like you were replying to my post, not the response to my post, which didn't show up because it was at 0. If I could, I'd hand you some informative points. :]

  216. The fix is... by NumberSyx · · Score: 1

    Here


    ---------------------------------------------
    Jesus died for somebody's sins, but not mine

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine,VP in charge of MS Windows Development

  217. Since You keep saying it, I will too by NumberSyx · · Score: 1

    The fix is Here


    ---------------------------------------------
    Jesus died for somebody's sins, but not mine

    --

    "Our products just aren't engineered for security,"
    -Brian Valentine,VP in charge of MS Windows Development

  218. not really by CAIMLAS · · Score: 2
    The linux development kernel is entirely different. Nobody with both balls intact (figuratively speaking) would ever recommend that a development kernel be used as a server. It's widely discouraged that anyone use a devel kernel for anything but bug testing, reporting, and severe geeking (or, rather, getting a sneak peek at what is to come).

    I find it ironic how you said "development linux kernel." Key word, "development." This thing wouldn't (more than likely) happen to linux due to extensive testing by many. MS doesn't do this with windows. Win2k had only 15 security programmers checking the entire code base! 15, for crying out loud! that's a lot of code for 150 coders to security check in such a short period of time!

    Quite simply put, Microsoft screwed up. The product hasn't even been commercially available yet, and there are already two security holes, one that is fairly serious. The thing is, if this WERE the beta version of win2k, it would be tolerated or even acceptable. Maybe praised even, since the bugs would be found before final release. But no, these bugs are in the commercial release. For the price that MS is charging, it shouldn't be defective out of the box and require repair immediately. That's not good for the customer, and it certainly isn't good for product reliability.

    If this type of thing were to happen in Linux on an even numbered kernel, (they're all essentially developmental since they're always 'active' or open, right?) MS would have a heyday of FUD and there would be a great moral decline in the lands. Microsoft will probably get away with it, since they will try and hush it up.

    *sigh* Little guys always get stepped on. But that's life. People should be a lot more angry about bugs like this than they are. I mean, two weeks is a LONG time to wait for a bug patch! Linux patches are out of the bag in less than a day, sometimes within an hour of the bug's discovery. I'm not aware of a single serious/semi-serious MS bug that has been patched in less than a week.

    This was not intended as a MS-bash, although it may come across as one. Microsoft has one a lot of

    -------
    CAIMLAS

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  219. anyone have a link? by CAIMLAS · · Score: 1
    does anyone have a link to this article?

    -------
    CAIMLAS

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers