Slashdot Mirror


Win2k Security holes found

According to a story posted by ZDNN, two security holes have been found on Windows 2000, and that's even before the official release of Windows 2000! Administrators who rush to incorporate the patch from MS beware - according to one of the talkback posts on ZDNN, the patch creates a new problem with Windows 2000 news server service.

8 of 553 comments

  1. Warning: I am a rational IT professional by rjh · · Score: 5

    And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

    Warning: I am a rational IT professional. Not only that, but I worked in QA for a few years (first with Sir-Tech Software, then with MCI-WorldCom).

    I could talk at great length about rational versus irrational QA policies. (There should be an "Ask Slashdot" about how to properly QA a product...) But that's really not the issue here; good QA, bad QA, it all boils down to the same thing in the end.

    At the end of QA, the QA Lead signs off on the project. What the QA Lead signs off on becomes the first version released to the consumer.

    Period, end of discussion.

    The fact that Win2K went gold means that the QA Lead signed off on it. The pre-release development cycle ended the instant the QA Lead signed off on it. Everything after the moment his/her pen left the paper is part of the maintenance cycle, not the development cycle.

    In short, the exploit was found in a consumer release of Win2K. It doesn't matter if it was on the store shelves or not; when the QA Lead signed off on it, it became a final product.

    Everything clear?

  2. I'm glad by konstant · · Score: 5

    Draw what conclusions you like from this episode, but I'm looking at the facts of this particular case:

    1) security hole found prior to ship
    2) security hole reported to MS on Jan 17th
    3) tested patch issued and publicized Jan 28th

    That sounds pretty decent to me.

    --
    -konstant
    Yes! We are all individuals! I'm not!

    1. Re:I'm glad by AugstWest · · Score: 5

      Draw what conclusions you like from this episode, but I'm looking at the facts of this particular case:

      1) security hole found prior to ship
      2) security hole reported to MS on Jan 17th
      3) tested patch issued and publicized Jan 28th

      That sounds pretty decent to me.

      Except that the hotfix breaks functionality... Define "tested."

      This is nothing new. Look at SP6, which broke Winsock (how did THAT get out the door?), so SP6a was released... then pulled... then re-released, although it was hard to tell which SP you were getting, since SP6 web pages and downloads were still posted and linked to...

      MS has released 6 security fixes so far this year for NT4... That's 1.5 security fixes per week for an operating system that was released how many years ago?

      So, they can scream all they want about 128 bit encryption providing their security, but encryption doesn't mean squat if there are holes in the underlying foundation.

  3. Re:Prejudice. by lubricated · · Score: 5

    Yeah, but you probably didn't know that Win2k is "ready for prime time": Microsoft put out gold CDs already. The final version of Win2k is out to those who have managed to get their hands on it. A friend of mine actually managed to get a copy. This is not a development copy, this is the real thing. It's just not for sale yet, so the only way to get it is to work for Microsoft, have Microsoft send it to you, or some illegal means.

    --
    It has been statistically shown that helmets increase the risk of head injury.

  4. Glass houses. by Score+Whore · · Score: 5

    All new software has problems. The bigger the evolutionary step, the bigger the problems. Expect more. But don't be rectal about it. No OS is immune. How long has RH 6.1 been out? Couple months? And yet there's a list of 9 or 10 security fixes (that include several remote root exploits) up on RedHat's web site.

    And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

  5. Defending Microsoft by -=Cynic=- · · Score: 5

    ...now this is something I won't do too often.

    But in the comments here you're probably going to find a zillion people saying the equivalent of "MICROSOFT IS EVIL! You won't find this in Linux/Unix/*BSD!".

    And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.

    Of course, Linux, *BSD, etc, all have bugs, it's just that they're fixed sooner and I think we all have more tolerance for bugs found on free systems. And we all have unreasonably high expectations of MS, because they're a bunch of corporate bastards (look at their history!) and because most of us probably support alternate OSes.

    Of course, the thing that *really* worries me about this article is the fact that one of the bugs was apparently known for weeks before MS even admitted it existed; now that kind of thing is sloppy, and they deserve whatever criticism they get for it.

  6. Re:How about all of the Linux security holes? by Frater+219 · · Score: 5

    How about: I picked these up by doing a search for "Linux security" using the search widget on the bottom of the Slashdot main page. These are just off the first page of results. Doubtless there are several stories about security problems in daemons which weren't turned up by this search (because they didn't contain the string "Linux").

    In other words, security holes in Linux (and other free software) are reported on Slashdot. Your statement appears to be a misleading one intended to incite others to fear, be uncertain about, or doubt the honesty of the Slashdot editors. Isn't that what FUD is all about?

    Further, keep in mind that while Microsoft thinks itself to be hurt by the reporting of security holes in its products, Linux is not hurt by the reporting of security holes in Linux-related software. Bug-reporting is a threat to the proprietary-software model, but it is an element of the success of the free-software model.

  7. 2.2.0 kernel by coyote-san · · Score: 5

    This isn't a development kernel or a "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.

    Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!

    However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken