Office Assistant: Yet Another Security Hole
A lot of people have been submitting the news from ZD-Net concerning the security hole found in the Microsoft Office Assistant, Satan the Paper-Clip. Er...rather, "Clippy". Dildog, of @Stake, found the hole, which is quite similar to the recent Outlook security that allows for automatic scripting.
Thank you slashdot, these stories make my day. Everybody where I work uses office for everything. I get unformatted text attachments created in word e-mailed to me all the time. I run star-office to read them only to find out that it's just plain text that could have been put right in the body of the message. Hurt those people badly.
Sheldon
My Mom loves that little paper clip guy. She sent me email about how to turn him on and all the 'cute' things he says. (groan....)
Who has to bail her out with an hour of support over the phone when something f*cks up? You and me, baby. Multiply that by how many middle aged mom secretary-types there are in all the offices across this nation...
The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk
The House Between - Original Sci-Fi Series
Microsoft states in their FAQ:
Is this a vulnerability in the Active technology? No. This vulnerability results because of a manual error in marking the particular control at issue.
Manual error? But why then does the "Show Me" function need to be disabled to negate this threat? Or was this entire functionality the result of a "manual marking error"? Or might it be that ActiveX does not offer fine-grained control over who is allowed to do what to which data? In other words, a "design problem" with ActiveX?
--frank[at]unternet.org
I gots a pocketful o' Goobers. And three Mike 'n' Ikes. Plus one piece of Double Bubble.
ooh, maybe then you could sell your hoarded karma on e-bay!
Too many w's on your url - www.microsith.com is the right one.
tangent - art and creation are a higher purpose
postmoderncore - art and creation are a higher purpose
iMac owners need not apply.
Actually, the iMac has a similarly shaped button used for hard resets. When the damn thing locks up again to the point where the soft-power buttons don't work anymore, it's either that or pull the power cable...
Did I mention I hate soft-power buttons? There you go.
I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
It sends subliminal messages, visually, and if you have a sound card, aurally! Those little bounces and shapes it makes are just a cover for what it's really doing!
This was the line along which Microsoft Europe responded to the ILOVEYOU virus.
I think this is basically a wrong metaphor. A more apt one would be to compare Microsoft to the builder of your house. Not only did he build it on a foundation of quicksand, but he also connected your mailbox directly to your safe. Anybody can get your valuables out, and also anybody can slip anything in.
You open the door of your safe: Surprise!!!
Empty, save for a silly paperclip holding a note: ILOVEYOU
Lyon
...Dildog, of @Stake, found the hole, which is quite similar to the recent Outlook security that allows for automatic scripting.
At first read, I thought Dildog was one of the office assistants!
Gah
Because of this?
Keep in mind that until January this year, MSFT was always going in the same direction. Notice also the little arrows that indicate stock splits.
Up until a few months ago, MSFT stock options would look pretty sweet.
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Do I have to worry about the Vigor Assistant too?
oink!
Is this what you're looking for?
;)
I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
Then there was the copy protect diskwiping trojan horse someone at MS put into ? Excel ? eons ago. Me thinks they drink a bit too much caffeine in Redmond.
ZDNet uses the word "power" several times in their description of Office Assistant.
#define powerful unemcumbered_by_security_restrictions
p.s. -- Guys, the lameness filter is lame. The above string was too long before. I fixed it, then it told me I had to wait 70 seconds before posting.
Save the whales. Feed the hungry. Free the mallocs.
Closed Operating Systems have many of these, hope the public never finds them, security holes.
What I really wonder about is, is using a closed OS like Windows considered reasonable security under the law? If I were to leave the doors unopened to my car the law would care little for my stolen property, unless I went to a reasonable effort to secure my car. People who "lock" away data without all the information, or worse yet, without even asking for all the information, are they somewhat to blame? In the USA, it's a buyer beware market. The buyer has, in this case, purchased a product which they were less than informed about.
I don't see as Microsoft has to do anything about this. The only reason to issue any patch is to save the customer base. But are they in any way required to release a patch?
Well in any case, you get what you ask for more often than what you pay for it seems. If Microsoft was well aware of these latest security holes (it would seem they would have to be), who is to blame for the damaged product? Microsoft or the consumer who failed to understand just what they were paying for?
-- James Dornan AKA TigerSmile "Long live the PORK!"
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
I can't believe that such a simple little (HA HA, you should see the RAM hit for this guy) window can pose too much of a security risk, unless it is badly coded by M$ of course!
Q: When will M$ stop producing naff code and write something decent? A: The day it joins the OpenSource revolution!
Come on Microsoft, remove that stick from your anus and join the revolution, it can only do you good.
corarc
Although I'm keeping my Win98SE installation on my Dell for work-related reasons for the time being, I'm going to run 98Lite to strip out IE from my Windows setup and make a note never to run any Office app while I'm online. These bugs are driving me nuts!!
If BG wants to innovate for the customers' and stockholders' benefit, more power to him. I just wish to h-e-double-toothpicks he and his minions would make all this stuff WORK RIGHT.
"How many light bulbs does it take to change a person?" --BMcC-->
I don't expect you or anyone else to believe what I have to say. I wouldn't have believed it myself a few years ago. Still, it is a bit disheartening to have one's opinions dismissed without even the courtesy of a good rebuttal.
To each his/her own, I suppose. Still, for your sake, I hope you realize that the world is not a pretty place with rosy tints. Behind the flashy, eye-catching facades lurks a dangerous, manipulative world of faceless entities engaged in complex struggles to no easily-discernible end. All we know is that they want power. Maybe this doesn't bother you. I know it bothers me.
www.alarmist.org
I don't have to see a "boogie man" around every corner to know that there are forces in the world that will treat me as a mere resource to be exploited. Some of them want my money. Some of them want my votes. Some of them just want to be able to tell me what to do because they enjoy controlling people.
;-)
o/~ Some of them want to use you...
Some of them want to get used by you...
Some of them want to abuse you...
Some of them want to be abused... o/~
Sorry, this popped into my head as I was reading, and it seemed appropriate
v2sw7CUPhw5ln6pr5Pck4ma7u7LFw0m6g/l7Di5e6t5Ab6TH.
http://samovarawards.com/
"Free Speech" award goes to.. Microsoft. Yes, we all know that story when the monster published an essential piece of Kerberos interoperability specifications under trade secret notice in hope to compromise Samba developers with illegal knowledge and to establish a new legal precedent of "nobody can implement those specs".
But one of the obvious outcomes of the antitrust battle is the required openness of all Microsoft APIs. That's what will be too late to protect in the High Court - once the bird is out of the cage, you can't put it back. Please, help me to write a list of young fellows waiting to kick the behemoth's butt: Netscape/Mozilla, Samba, RealNetworks, StarOffice, CorelOffice, etc.
Andrew
Sometimes I wonder, people always have a go at the paper clip (and he is annoying) but I have a friend who refuses to go near the cat because it 'acts like it owns the place'- shureley M$ only decent attempt at AI?
Cat AI? what next, rabbits?
***Please wait whilst Windows procreates rapidly**
doom is coming, mark my words...
You fsck long and you fsck slow But you fsck like a walrus smoking blow
[sincerest apologies to Edgar Allan Poe,
who will be turning in his grave and
the unrecognised author of this gem (not me that's for sure)]
Once upon a weeknight dreary,
while I coded, weak and bleary,
Over many a quaint and curious system
of my SeQueL calls,
While I nodded, nearly napping,
suddenly there came a tapping,
As of typing, gentle rapping,
tapping through my cube's grey wall
"Tis some worker still," I muttered
"typing in this office floor --
Only this, and nothing more."
Ah, distinctly I remember
it was in the bright December,
And each product, documented
cast its shadow on the floor.
Eagerly I wished the morrow;
-- vainly I had sought to borrow
From my work surcease of sorrow
-- sorrow using 'net Explorer --
For the slow and ponderous creature
whom Bill Gates has named Explorer --
In PCs for evermore.
And the dull and muted creaking
of the gentle sounds of typing
Thrilled me -- filled me with fantastic
terrors never felt before;
So that now, to still the ranting
of my mind, I stood still chanting
"'Tis some worker typing emails
on their PC through the wall --
Some late worker coding softly
in their cube just through the wall; --
This it is, and nothing more."
Presently my soul grew stronger;
hesitating then no longer,
"Sir," called I, "or Madam,
truly your forgiveness I implore;
But the fact is I was napping,
and so gently you sat typing,
And so faintly came your tapping,
tapping through my cube's grey wall,
That I scarce was sure I heard you
-- here I stood and looked next door; --
Darkness there and nothing more.
Deep into that darkness peering,
long I stood there wond'ring, fearing,
Doubting, dreaming dreams
no mortal ever dared to dream before;
But the silence was unbroken,
and the darkness gave no token,
And the only word there spoken
was the whispered word, "Explore!"
This I whispered, and an echo
murmured back the word, "Explore!" --
Merely this, and nothing more.
Sinking back in my cube turning,
all my soul within me burning,
Soon I heard again a tapping
somewhat louder than before.
"Surely," said I, "surely that is something
at my neighbour's keyboard;
Let me see, then, what the threat is,
here behind my office wall --
Let my heart be still a moment
and this mystery explore;--
'Tis a person, and nothing more!"
Slowly here I pushed my chair back,
as my hard drive seeked a new track,
Up there popped an MS agent
appearing in an icon form,
Not a cancel button had he;
nor a way to kill or maim he;
But with bubble speech just like a cartoon,
perched above my web explorer;
Perched upon a window showing off a page
of witty speech galore --
Perched, and sat, and nothing more.
Then this paperclip sat beguiling
my sad fancy into smiling,
Fixed its gaze and stared intently,
through my soul it tried to bore,
"Though thou merely animation,
thou" I said "are a creation,
In PCs across the nation,
upgrade free from Redmond's door --
Tell me what thy process name is,
thou art here, pray tell, wherefore?"
Quoth the speakers "Nevermore."
Much I marvelled this "assistant"
was to closing quite resistant,
Though its purpose little useful
-- giving hints unask-ed for;
Nothing farther then he uttered
-- not a pixel then he fluttered --
Till I scarcely more than muttered
"Others have yet crashed before --
On the morrow _he_ will leave me,
as the rest have crashed before."
Then the thing said "Nevermore."
Then, methought, the screen grew denser,
blanked out by an unseen censor
Blacking out the non-work emails
sitting in my outbox drawer.
"Gates," I cried, "thy spawn hath lent thee
-- by these programs thou hath sent me
Millions -- upon millions of the dollars
over which we all do fork;
For this vile and odious creature
you have conjured with explorer;
From my speakers "Nevermore."
"Icon!" said I, "thing of evil!
-- process still if code or devil! --
Whether patched remotely
or by other means installed,
Pixelled beast art undaunted
by my clicking -- still you taunt me --
Which foul beast hath built thy sources
-- tell me truly I implore --
Is there -- _is_ there yet a way to kill you?
-- tell me -- TELL ME, I implore!"
Quoth the Icon "Nevermore".
"Icon!" said I, "thing of evil!"
-- process still if code or devil! --
By that network spans between us
-- by the protocols galore --
Tell this soul with caffeined terror
if, without a system error,
there is yet a way to exit
from this process I abhor --
can I kill the evil icon
of this process I abhor?
Quoth the Icon "Nevermore".
"Be that word our sign of parting,
paperclip!" I shrieked, upstarting --
"I shall pull the plug and then
you shall appear no more!
Leave my system yet unbroken
and take thy visage, evil token!
Go with no more words a-spoken
-- thou invoke no evil lore!
Take thy clip from off my screen,
and take thy code from off my core!"
Quoth the Icon "Nevermore".
And the icon, never quitting,
still is sitting, still is sitting
On the glowing screen of phosphor
just above my net Explorer;
And his eyes have all the seeming
of a demon's that is dreaming,
And the cursor o'er him streaming
throws a shadow on Explorer;
And my work into that shadow
that lies over my explorer
Shall be lifted -- nevermore!
I don't know, if they wanted to spy on you why put the spy code in something as obvious as Satan's favorite paper clip? Something of the James Bond effect here. That is, a spy who acted like James Bond, seducing women, throwing money around and driving fast cars would draw too much attention to himself and get his cover blown. It's the quiet accountant who lives in a modest house who always turns out to be the one. The analogy to that would be a nice quiet little program that nobody ever saw because it didn't even tell you it was running and the process accounting system had been rigged not to show it. That's the problem with closed source OSs they're like Gump's box of chocolates. You never know what yer gonna git.
Was that enough movie references or what...
--
Nothing to see here. Mooooove along...
Marissa
I'm not really an elf, I just play one in AD&D.
The recent redhat fiasco where the default password was left at "q" or something like that?
Only the State obtains its revenue by coercion. - Murray Rothbard
Is it just me, or is there something terribly funny about the irony of this.
Even a 'feature' that no one wanted has bugs, and worse, security holes.
What's next? Playing the flight-sim Easter Egg in Excel gives you Administrator rights?
-- What you do today will cost you a day of your life.
Yes, like just two weeks ago when ILOVEYOU was out, right? MS had the patch out "before serious exploits," right?
Let's be real here. Microsoft's concern for security could fit in one thimble along with Dilbert's enthusiasm. If they really cared about it they would have fixed the "every-user-is-root" problem years and years and years ago.
No company that says their latest software release will be bug-free (while having a list of 63,000 bugs they knew about at release time) can be taken seriously when it comes to security. No company that has to be goaded by bad press into fixing Outlook Express can be taken seriously. No company that denies that its customers care about bugs can be taken seriously.
DFL
Never send a human to do a machine's job.
Indeed, a miscreant could bend them and use them to pick a lock. It's not a bug, Micro$oft is just attempting to make their tools very similar to their real world equivalents.
Say no to software patents.
"'Because its abilities are marked 'safe for scripting,' anything is possible,' said the security researcher that found the hole, a hacker known as 'Dildog' who works for the security firm @Stake Inc."
Wow...@Stake buys L0pht, and suddenly they are not some seedy "hackers", but "security researchers" who work at a "security firm". Magic.
"'You don't mark something safe for scripting unless you are going to let someone activate it remotely,' he said."
Huh? Shouldn't that be: You don't mark something safe for scripting unless you are !NOT! going to let someone activate it remotely?
It's 10 PM. Do you know if you're un-American?
Damn! That article is a hell of a rant...and on target. I'd give you an extra point if I was a moderator, but I'm not...
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Seriously, who really uses them anyways (don't answer that!). Anyone who needs that damned annoyance is already in need of some help. They're the ones that will run trojan horses and other "unknown" files out of ignorance.
kwsNI
what exactly would Microsoft have to gain?
You're ruining the communal paranoia feelings here.
-- Gunther T Dull is not responsible for his opinions.
Seems like the "view demo" link on l0pht's site just goes back to the same page, or maybe I missed something obvious.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
...can be found right here.
:-)
repartition the hard drive, giving all your space to linux. The installation will take care of the rest, and all of your Windows woes will be gone for good.
Which is exactly how you will feel, when you're finally rid of the beast.
The Future of Human Evolution: Autonomy
now, i dont want to be the one who spouts paranoia, but... SEE! I TOLD YOU SO!
you install the paperclip and he can SEE WHAT YOU DO! he is thinking! those eyes? they can see right out of the screen and at you! this information goes straight to microsoft, but not through the internet. that would be too simple. it goes through the satellite uplink to the paperclip mothership in low earth orbit.
the mothership then sends orders back down to earth and scripts are executed on your computer. be afraid. be very afraid.
shaolin punk, activist post-industrial
It could happen but it's not as likely. You can't run an AppleScript from the web via a browser (unless you use the help viewer as your browser). AppleScript can and has been used (stardust?) by virus writers but not in the way you mentioned.
BTW, Help viewer didn't open. I'm using Netscape so I don't know about IE.
(I love the .sig. I follow it with my computers)
- Apple Computer......proudly going out of business for over twenty years.
It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary and that he will rebel against the glass ceiling that prevents him from getting promoted by closing each document the user creates, without saving, after he has it open for 15 minutes.
ByteMyCode.com: A Web 2.0 code sharing community.
Pablo Nevares, "the freshmaker".
--Hikari
"Long distance information/ Disconnect me if you can/ On Detonation Boulevard..."
I followed the Microsoft instructions for disabling Office Assistant. But from the looks of the ZDnet article, even after removing the damn thing, I still have the threat because the scripts underlying it are still marked as safe.
Damn it, even when I've completely eradicated the blasted thing from showing on my screen ever again; it's still a problem. Hopefully this patch will let me eliminate the last vestiges of clippy's influence on my Win box. It (clippy) was a bad idea that should be forgotten and buried.
Micro$oft should form a new unit to look into such matters. Call it the Security Hole Investigation Team. BG: "Better turn the Office Assistant into S.H.I.T."
Believe in things of which no person has ever learned
The obvious reply is that no one's life depends on whether your letter to grandma gets eaten by the Office Assistant.
Why isn't anyone returning Outlook for a refund, because it's a major security threat on a Network?
Because people in the United States (I do not mean to exclude the rest of the world, but the U.S. is where Microsoft does a lot of its business, legitimate or not) have been carefully trained by fifty years of easy living that whatever doesn't affect them directly is not a problem. System security is seen as a task for system administrators, not users. Nobody realizes that good security begins with the users, in much the same way that U.S. citizens don't or won't believe that good government begins with good citizens.
Nobody is returning Outlook in droves because nobody sees it as a direct threat to them--except those who were bitten by the bug.
www.alarmist.org
too bad...that cute paper clip was the only thing I actually LIKED about MS products
New for 2001: Microsoft Office Assistant, powered by Ask Jeeves!
;)
"Jeeves, how can I create columns in Word?"
"808 The She Creature" Word Find - Mystery Science Theater 3000".
If nothing else, it would make tech support MUCH more interesting
You can write pretty good amusing toons in VBA using the Microsoft Office assistants like ones that pretend to reformat clueless users' c: drives or ones that present rude messages during presentations using Powerpoint.
Anyway my Office Assistant is the Keiru the dolphin rather than that f***ing Paperclip. All the ladies at work think he's cute but unfortunately this doesn't extend to me.
The problem is over-optimistic smart people who are too certain that they've worked all the problems out of a system, without any real testing.
If they've only created one or two programs, they are "functionally stupid": they don't yet know enough to be smart.
And, no offense, if you've been programming any time at all and can't yet give a time estimate within 10% of actual about 80% of the time then you have no business calling yourself a programmer.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Come on. You know Pitr would *actually* like it.
--Hikari
"Long distance information/ Disconnect me if you can/ On Detonation Boulevard..."
Ya know... I've really gotta thank Micro$h*t. It seems like everytime there is a release about a new security hole, I get 100 companies calling me and begging for security audits. Thank you, Micro$h*t, for helping my employer stay in business and keeping food on my table.
--cyphergirl (one very busy security engineer these days)
--Insert catchy
Does anyone have the current rate for sneaking a peek at Windows source...? i know back in '97 a license could go for $300,000 (and that would only allow a look at a tiny bit of code)... it must be a tremendous revenue stream (thus their determination to keep the source closed in the antitrust case)... of course, since one coder on the Office team (for example) can't see the source either, well it's no wonder the line of products is in constant disarray.
I flee dead people.
To be fair to MS, I believe that Bubbleboy actually had the patch out before the virus hit.
--
I don't suffer from insanity- I enjoy it immensely!
Many thanks for this ref. An interesting article. Alas, all the feeble minds will ignore it. When it comes to courage, few IS managers have any...
What I don't get
incorrectly marked as "safe for scripting"
is how it could have been incorrectly marked when it had to be marked that way to allow operation of the "Show Me" function.
This is like a boss I used to have who would spew statements all day long that made no sense to anyone but himself. When asked what he meant by that, he always replied "That's not what I said."
Sheesh.
-- Gunther T Dull is not responsible for his opinions.
Mac IE5 gave the matter a few seconds of thought, then astonishingly decided NOT to open the help viewer. Mac IE5 has some interesting twists -- it allows you to run executables by clicking on links, but presents you with a confirm box first. However, it allowed a self-mounting disk image to open without confirmation when I made a link to it.
Mac NN 4 has no idea what the help URL style means, and sent me to /. 404 page. Mac NN 4 will not run executables or unrecognized file types at all -- it tries to open their data forks as text files instead.
About the general security issue: MacOS has many features similar to Clippy, most notably AppleScript (which gained remote connectivity in OS 9). I haven't seen any real exploits yet, but that's probably because H4X0Rs disproportionately use Windows. If Steve Jobs were the evil overlord instead of Bill Gates, we'd probably have AppleSkript Kiddies.
right here.
[ps - the above 'toon was pre '29]
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Dude. All I can say is.
"YOU THE MAN."
and. Why have a Picture of an ActiveX component. That isn't very descriptive of a Skript Kiddie. But then again.. How would you portray a Pre-Pubescent 15 year old who figured out how to download scripts from rootshell or other various websites and run them. At the same time having the inability to realize that they have absolutely no life, and need a stronger deodorant.
My next question is... When I speak german... I think german in my head... but like... Do skript kiddes see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their h34d'5 w43n t43y R +a1k1n6 ?
--------========+++Dont Feed The Lab Techs+++========--------
look, if M$ didnt watch our backs, who would? theyre just trying to help. plus hes sooo cute! somebody shoot me!
www.usamabinladen.net
thanks for stating the completely obvious. go away.
Clippy? I thought its name was Clippit.
I realize these security holes can be a serious problem, but c'mon guys... How many of us actually lose data to a virus or nasty script? I for one take the basic precautions, like a virus scanner and a reluctance to open suspicious attachments. the ILOVEYOU was especially virulent, but if I recall, all of the DDOS attacks come from *nix boxes and affect *nix network hardware. I don't remember a " *nix sucks sh*t " rant session over that, though it caused much more fear and probably more damage. and definitely deserved it more than this ms hole.
Have you all forgotten the lesson of the early 80's? what, we had 15 platforms to consider, and woe to those who bought dog systems like the TI/99 4a. Try getting a port of supercalc for that platform. That was one of the few truly useful apps back then, and many could not get ahold of it. All I know is that I want the best features and apps available. Maybe most of you ranters are too young to remember those crusty old days...
Microsoft has the worst job on the planet. They must please everyone, and can barely please anyone. You are not clever for raging about the occasional screw up. Windows happens to support more hardware than linux can claim knowledgeable users. and as for software availability and backwards compatibility, forget about it. They definitely have their act together there.
you guys are in the awkward position of being high tech savants that cause the most friction and FUD, thus slowing the pace of technological adoption and intimidating normal users like grandma into going without. You seem to suppose you are helping some cause, but all you are really doing is accelerating the entropy of an already flaky system. reminds me of teenagers who pick apart films and TV shows making noises like they are superior to the writers and directors. They are not, they just don't understand what it takes to organize and execute such a large project. To those of you actually doing something to make the world better, as in say contributing to the usability side of Linux, kudos. But the rest of you slackers are starting to piss me off.
Maybe one of you wise guys can explain why it took me 3 hours just to get my wheel mouse (sort of) working under redhat 6.2? or why my stealth II took even longer to setup with xf86config? No, the answer is not that I am an idiot, nor computer illiterate. I did figure it out, but not with any help from ranting zealots. an $80 Linux reference book and much digging through bugzilla eventually got me on my way. But slap this stuff in a windows machine and Blamo! no sweat. This is a respectable accomplishment on MS's part, why no mention of it from the zealots?
anyway, as a game developer that is OS ambivalent in theory, but actually trying to make a living in practice, why oh why should I spend any effort on the irrational foggy headed likes of you guys? can anyone answer me? I am not an M$ apologist, but I am interested in getting work done and advancing the state of the art. Can the ranterzealots claim the same?
-=b
I work at one of the air force research labs, and it's seriously infected with MS products. However there is a definite push by the techie folks like myself to use Linux (I have NO MS OS on my machines). Actually I do my job mainly with Linux, and do journal articles and such with a Macintosh. I also sysadmin AIX and a touch of SunOS.
The network Nazi's and computer apes will not support anything but NT or 95/98. And after they have worked their magic on a machine it invariably works worse.
Sheldon
It was an MS Word 97 macro virus that did just that - it made your paper clip say things like "You Should Have Left Me Alone, I Was Not Hurting Anything. Now IAm Mad!" This old Windows Magazine article mentions it near the bottom of the page as making the "Office Assistant less than friendly".
while (1) malloc (1);
Evil! I told you it was evil, but did you listen? Noooooooooo! Anything but go against our charismatic leader, the Paperclip! You people are pathetic, how else could you just sit there while that thing winks at you and makes faces every time you look away? I've seen it at night when it thought I was sleeping. It was stealing my keys and taking money out of my wallet. Then it laughs when people think I lost my keys and spent all that money on cheap beer and hookers. God, that laugh, the mocking laugh. I'll kill it though. I better start formatting before it finds its way into the boot sector...
--
Win98 sux without these 1337 toolz !!
Is there a way to disable html viewing of email in Outlook Express? I'd like to see Email the way God (with a capital G) intended, that is as plain ascii. The only html formatted mail I get is from spammers. Hmm, though come to think of it, maybe I should just kill all the html formatted mail in sendmail.
http://junglevision.com -- Shamus for Gameboy
Most Linux/*NIX holes aren't so glaringly stupid, and are a hell of a lot harder to exploit. Why should arbitrary script code be able to affect the registry (only one of the most important files on a Windows 9x system), overwrite files, and e-mail itself without telling the user? And why in hell is the Office "assistant" usable in resetting security permissions?
"But, but, but, someone could write a script for Linux too! Ha, got ya there!"
No, you don't. If a user sets up sh to run scripts automatically in Netscape, or downloads and sets the executable bit, it would still only affect that user's files unless they were dumb enough to run Netscape or the script as root. The user would lose the files they own, but binaries and pretty much anything outside /home/$USER would remain unaffected. This is assuming the user didn't bother to at least read through the script first, or find out what the heck it actually is.
"But, but, but, there are bugs in Linux! And some can lead to a root compromise!"
No denying that; they still require some level of actual skill, either in programming or ingenuity, to take advantage. Once again; arbitrary code should not be able to affect anything; it should be contained (like the Java sandbox), and never run as an administrator. NT at least takes steps in this direction, though a cursory look through the Attrition page crack archives should show how much NT is like Swiss cheese.
The point: Windows 9x, and to a lesser extent NT, is inherently insecure, allowing arbitrary code and even scripts to affect important system files and take actions without the user's knowledge. The Morris Worm forced *NIX to shape up; perhaps dragging Windows into the light will force Microsoft to do the right thing for once.
Someday, you're going to die. Get over it.
Just think of all the costs and damage that all these holes incur.
Creating an OS with no notion of security, then adding networking functionality so you can connect it to every other computer on the planet and then adding scripting and remote execution functionality so that anyone may run scripts and executables remotely is the height of stupidity.
In fact, it sounds negligent to me.
How can such an operating system be considered of merchantable quality in a fully networked world? It's analogous to a building contractor selling a house without doors or windows.
It's not as if networks are a new thing. They have existed for what... 30 years now?
Government of the people, by corporate executives, for corporate profits.
I know this is a bit of a rehash of stuff I have said before, but since we all know that MS is paying very close attention to everything written here on /., maybe repeating some basic concepts will beat the idea into their brains...
:-)
Fa fook's sake...If MS would pay as close attention to security issues as they do to what a bunch of nerds are saying about them on a website perhaps they'd be able to avoid more class action lawsuits. Yeah, right. If you live by paranoia, you'll die by paranoia. Pity.
My name is Carlos Montoya. You share files of my music. Prepare to die.
Could we get him to install Linux? Visit slashdot, and clippy automatically starts an FTP install? This could be fun!
I can't believe that got moderated up. (Score: 5, Baseless FUD)
If Microsoft really wanted to "create extensive profiles on users", do you really think they'd have to stick a cartoon character on the desktop to do it?
On a similar vein, why do you suppose Perl uses the $ to mark off variables.... OF COURSE!! There's special hidden code attached to the $ key that emails your bank account numbers, your credit card numbers, your favorite food, what kind of porn you like, and the brand of soap you use to a SeKReT email address on Hotmail.
Oh yeah, Janet Reno's in on it.
NO CARRIER
Until that clip learns to proof my work and give useful comments, it's worthless. If it only would have said, "Are you sure you want to call your boss a 'worthless whore-mongering carbuncle' in the company newsletter?" At least that would have been something.
Nobody ever got fired for buying IB^H^HMicrosoft.
Burris
1)
Someone has taken a cue from a certain User Friendly strip and created VIGOR the vi[m] editor with an added paperclip assistant!
It features helpful advice, requiring you to click on a dialog box, such as:
"You have not entered insert mode before. While you're in insert mode, remember that you need to return to command mode before entering Vigor commands!"
and:
"Are you sure you want to move left?"
Screenshots
2)
I was once shopping on a Waldensoft store and found a boxed piece of software from Microsoft which would let you create your own Office Assistants. But the EULA specifically forbade creating any kind of office assistant that appealed to the prurient interests.
Want to work at Transmeta? MicronPC? Hedgefund.net? AT&T?
Can your IM do this?
Found an article here, that ought to be good to print out and put on your CIO's desk. It's titled Microsoft: A Proven Danger to National Security. (Warning - it's a PDF file.) Microsoft ought to find it interesting reading, anyway.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
I've had Office 2000 installed since last August, and I chose not to install the Office Assistant. Never seen one since. Who says it's impossible to remove? Just go to Office Setup.
Oops, replied to the wrong post. That was intended for the guy who mentioned it was impossible to remove. Sorry, it's lunch time and I'm not paying attention. =)
'sfunny, what with the well-published delays in releasing NT5.0....er...Win2K, I'd always assumed they'd only ever heard 50% of that particular mantra...
Still, I know plenty of young kiddies that follow this philosophy, and I'm not sure I like their results, either... Not that I'd wish to draw comparisons of course.
--
I'd rather have a bottle in front of me than a frontal lobotomy
I've never met a single IS/IT manager that wants Windows let alone any other Microsoft products. Most of them however have to spend most of their time working on their ----, patching releases, fighting viruses, alerting users not to use Clippy, etc. The reason any good IS/IT managers are using Microsoft products is because the users are too dumb to believe that there are choices.
Before you go on your rant yelling at the IT managers who
>force Micro$oft products down our throats
You'd better take a look around, and remember it's you who's doing the forcing of MS products.
Devil Ducky
MY peers would get out of jury duty.
But hold on a minute.
Binky and the mechanism used to send all your data to Redmond are totally separate pieces of programming. Just because we have Binky doesn't mean your data goes to Redmond; just because we didn't have Binky in Office 95 doesn't mean it didn't send data to Redmond.
The interesting psychology of this is that Binky makes it seem more real that there is something from MS analyzing your data and sending it to Redmond. I thought that myself the first time I saw Binky (see some of my other messages on this topic).
The good news is that if data was actually being sent, some Slashdot reader would have long since seen it - note how quickly the Windows 95 Registration fiasco got out. So we're safe. At least for now.
D
----
A security hole a week!?!?
This is going to work wonders for Micros**t. Combined with Oracle positioning itself into the 'next microsoft' (over here if you don't believe me), I'm convinced Microsoft is finally pushing themselves to their own demise! Keep up the great work you idiots. The sooner Microsoft's dominance is reduced, the sooner superior software will be an asset and poor software will be worth the equivalent to cow dung!
They thought this was a good idea.
It shows the depths of the contempt in which they hold their customers' security.
DFL
Never send a human to do a machine's job.
When the paperclip is unbent, it is magically transformed. Its new name is The Macintosh Power User Floppy Diskette Extractor.
Every Mac power-user is VERY familiar with this tool, and its uses. Some even call it a tool that enhances the User Experience(tm) of the Mac user.
iMac owners need not apply.
In a recent CSPAN discussion over the LoveBug worm, the respected representative from Washington asserted that the DOJ's action against Microsoft would prevent it from addressing security bugs like this. Gosh. I could not quite figure out why he was making this assertion; but since the representative kept repeating the assertion it must be true, right?
Dogbert's original name was Dildog. You think a hacker naming himself after a "pleasuring device" is funny, imagine a national comic strip figure. Can you imagine going into your co-worker's cube and asking them, "Is that a Dildo, er... I mean Dildog doll?"
In other words, instead of simply fixing what the same FAQ earlier describes as an "error in marking the particular control at issue" by turning off the "safe for scripting" flag, they have elected to disable real functionality (the genuinely useful show me feature).
Why? I can only assume because they've realised that there's some other security issue buried in this quagmire, and they don't want to tell us about it.
Oh dear. Every time I try to be reasonable about Microsoft and admire the good things they've done, something like this comes up ...
--
--
What short sigs we have -
One hundred and twenty chars!
Too short for haiku.
This shows that you are only pretending to know C.
What you want is
#ifdef RANT
silly text right here
#endif
Post tenebras lux. Post fenestras tux.
This article is in the public domain - republish at will.
Version 2.4 "To Err is Human"
Microsoft Applications Security And The Internet
===============================================
IMHO (In My Humble Opinion) Microsoft Office applications are not secure
enough to use in any environment where email and documents are shared over
the internet.
This continued virus threat is not ONLY an email or Outlook problem
it extends to all Microsoft Office products, Microsoft's Internet
Explorer as well as a lot of third party software for the Microsoft
OS platforms.
This is not a new problem and Microsoft's answer has always been to
grudgingly release quick fix patches instead of dealing with the
failings in the design of the application framework.
Unrestricted Foreign Script And Executable Execution
===============================================
Microsoft continues to distribute applications that will execute embedded
destructive scripts, macros and therefore trojans. Microsoft applications
and operating systems do not even provide a restrictive environment in which
a user can open, view and run untrusted documents. Any operating system can
run executables, shell commands and other scripts but why is it that Windows
9X, 2000 and NT applications run scripts and executables embedded in email
and Office documents at the click of a user's assent?
To make matters even worse Microsoft have made Visual Basic (VBS) the
default embedded scripting language within all its Office 2000 documents
and templates. Microsoft have sold large organizations on the use of Visual
Basic scripting and Active-X within their templates, documents and
enterprise glue. Turning off Windows Scripting Host is not a viable option
for users of the new active directory and remote administration services.
The Threat
==========
It is a LOT easier to create a Visual Basic or Jscript virus than
to create a binary executable virus.
Any teenager with half a brain can now grab a copy of a trojan love,
melissa or any number of new visual basic scripts. He can modify it by
trial and error until it passes the virus scanners. Then embed the trojan
in any type of Microsoft Office 2000 document. He can then attach
the document to the email or have a URL to the document on a web/ftp server.
All he has to do to ensure the spread of the worm is email them to known
Microsoft Outlook email users or to any users with Windows Scripting
Host enabled.
Not all of the attached trojans will be executed by the email recipients but
enough will to ensure its spread.
Once the virus is executed it has unrestricted access to all files that the
user has access to and all interfaces that Microsoft allows Visual
Basic access to.
To infect other computers the loveletter type script requires the Microsoft
MAPI mail interface. This is installed with Office Outlook and Outlook
express. We must blame Microsoft for allowing Visual Basic scripts access
to this interface to send email without requiring a dialog/confirm from the
user. This is how the "worm" spread so fast.
This love letter virus demonstrates how such security holes can become the
biggest Denial of Service Attack threat to the whole internet.
The Failed Defence Strategies
=============================
Microsoft's attempts to keep its applications' vulnerabilities hidden behind
a proprietary veil of secrecy have failed.
Not all companies and users apply the security patches that Microsoft
release.
Human nature being as it is, relying on users to follow a strict protocol
when dealing with incoming email or other Office documents via the internet
is doomed to failure. Love letter from whom? The temptation to open the
attachments is too great even for the most security conscious person.
To quote Mark Twain "You can fool some of the people all of the time,
and all of the people some of the time...". When presented with a dialog
window with Yes/No buttons, a LOT of users click yes without even reading
the dialog.
All attempts at providing retroactive firewall and Anti-virus defences
against viruses, trojans and other backdoors have failed and IMHO will
always be vulnerable to new and modified forms of attack. There is always
a delay between the release of a new virus or trojan and the detection
and clean up solution packaged and distributed by the Anti-Virus companies.
Firewall proxy based defenses are useless if the email or http request
is encrypted.
Just changing the client or server operating system to NT, win2000, MacOS,
or even a Unix based OS will not overcome the lack of security in the
client Microsoft Office suites. Any file that the user running the
script or executable has write access to is at risk. Microsoft continue
to change its application interfaces so that using another vendor's
server products is increasingly difficult.
Relying on data backup to protect your documents is currently the best form
of defence. However if a stealthy virus or trojan is not detected or does
not "announce" its presence to the users and system administrators, then
how do you know how many days/weeks of backup are required?
What date do you restore from to get clean versions of the infected
and damaged files? How much information and work has been lost when
users change the documents in between backup and restore dates?
The Only Real Solution
======================
Where distributed agents or embedded scripting is desired then a suitable
restricted mode must be provided that limits what destructive actions
the execution of the embedded script/executable can perform in its
environment. If an attachment/document cannot be opened safely then
it should not be opened at all.
Peer Based Review
=================
The open source model may not be immune to attacks from determined
crackers and vandals, but at least making the source code available forces
programmers and other solution providers to take a proactive approach to
system security. Putting the source code under peer review results in
the fixing of the security holes in the design of the application
as well as its source code.
Looking Elsewhere
=================
If you are worried about security of your files and information stored on
your computers, then IMHO you should look to different applications and
systems than those currently provided by Microsoft.
You should look to vendors and solutions that provide a proactive approach
to security, instead of just relying on a third party retroactive antivirus
defence.
Also look for vendors that work towards implementing and following
standards. This ensures that it is easier to deal with other organisations
not using the same vendor's product and that in the worst case scenario it
is possible to switch to another vendor's product.
Afterword
=========
Modifying Asimov's first law of robotics -
"Computer software should never cause the user to lose any of their
documents or through inaction cause the loss of their documents"
But it is not JUST the simplicity, or the services functioning to make the system "easy" to use that causes poor security. There are other systems, just as geared to the computer neophyte, that do not have this many holes. For example, MacOS.
Yes, it has some holes (OS-9 had a hole that allowed it to become a slave in a DDoS, but it was patched) but not that many. Yet it is (arguably) easier to use than Microsoft's product. Having a much better online help system helps. Having a more coherent and consistent gui helps.
Linux also is getting very easy to use (NOT set up, but easy to USE), but there are not near as many holes. Its gui is getting better. Help systems need a little polishing.
Microsoft's security problems are not solely caused by making the system easy to use. They are caused by using functions/scripts that make a fundamentally Byzantine system SEEM easy.
Tom Dutton
Reality does not happen until you analyze the dots. -Don DeLillo (Underworld)
It's on par with leaving your car unlocked in the city. Sure we Might be able to catch the guy who stole your briefcase from your unlocked car. We Might even be able to put him in jail. But why didn't you lock your car? If keys are that hard to use, hire someone to lock your car for you. :)
IF Microsoft had an otherwise good (I'm not saying perfect) record about security, and IF they didn't ALREADY have a reputation for lying to their customers ("no bugs" in Windows 2000??? "no significant bugs" in any Microsoft products???), I might be willing to give them the benefit of the doubt.
They're lying so as to minimize the PR damage they are going to suffer for this, coming as it does on the heels of ANOTHER Microsoft design choice that was grossly stupid (I'm speaking, of course, of ILOVEYOU).
Do you believe everything Bill tells you? How much do they pay for that Astroturf campaign?
DFL
Never send a human to do a machine's job.
> Nobody ever got fired for buying IB^H^HMicrosoft.
Come to think of it, if you buy M$, the IT department seems to GROW!!
>I can see a version of the ILOVEYOU virus that
>spreads itself by yelling to all of the other
>computers in the room!
:)
This is funny please mod it up
I don't know if I would call Windows 95 ''cute''. But everything else you stated is 100% accurate.
--keith
Laugh if you want, but everybody was laughing at me in late '98 when I was insisting that AAPL was a good long-term bet.
My theory is this... any tech stock (with money in the bank) that gets spanked will either bounce back (AOL), or be bought by a more valuable company at a high price (Netscape). Either way, you usually win if you buy on bad news, buy a lot on disastrous news, and sell when everybody loves them again.
Now that my secret is out, I will need to start working on a new strategy that reacts to everybody taking my advice. :)
Information wants to be anthropomorphized.
I do believe it's #ifdef... But then, I don't hack C too much.
-=Canar=-
Hey, I think this is a good time to mention Microsith... These are people who understood the true nature of the talking paperclip!
I often wonder, when I hear theories of this sort (and even though you are probably joking, many people seem to take similar theories very seriously), where do you think Microsoft gets the time to analyse every keystroke on every computer in the world? They would have to have an immense labor force, not even Microsoft is that rich. Maybe they don't analyse every keystroke... maybe they just store them for later analysis (if something comes up), but we are talking about exabytes of information here. Where would they put it all? Where would they find a search algorithm that could make any use of it? I just don't see it.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Anyone up for implementing this new feature/bug/security hole in Vigor for those of us who don't use office? andy j.
Stupid Cheap Guitars
Life is funny. MS has been deliberately screwing up, trying to fail, doing the dumbest things they can think of as badly as they can, so that they wouldn't get in trouble with the feds for being too successful. And every stupidity makes them richer.
I know I feel safer seeing as how the military computer systems are (approx.) 95% NT systems. The other 5% are 95/98 systems. Mind you I'm not counting the DNS servers or anything of the like, nor special terminals. I'm only counting the standard office computer anyone/everyone uses.
Yet another strike against that great oxymoron
Suspicious, I consulted my friendly install of StarOffice on my Linux machine. He didn't answer back, which is what I would have expected from M$ Office, and StarOffice continued to happily do my word processing without bother or error.
Moving back over to my Windows machine with M$ Office... that little MechWarrior like droid was not at all happy! He threatened to allow the 'I love you' worm to work its way through my machine via its evil powers of VB scripting.
Flustered... I then remembered who should be in control of the computer in the first place... ME! I promptly played my own ace-in-the-hole against that evil little M$ droid, named "F1", and hit the power button on the computer.
With F1 no longer being a concern, and no virus or VB script security problems on my Linux machine... I moved back over to the screen with the Gnome footprint eagerly waiting to do what I request without problem or crash.
I donned my red hat and rode off into the lovely sunset with my StarOffice at my side.
It's not an error in labelling; it's an error in design. The design called for "Show Me" to be implemented by scripting in so-called HTML-help pages. This required the Office Assistant to be marked as safe for scripting.
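The "safe for scripting" marking this thread keeps returning to can be recorded in the registry as a component category under a control's CLSID key. As an added example (not part of the thread and not Microsoft's code), the Python script below audits a `.reg` export of `HKEY_CLASSES_ROOT\CLSID` for controls carrying that marking; the CLSIDs, control names and export text are constructed placeholders.

```python
import re

# Component categories that mark a COM class as usable by untrusted callers.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4ACE}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C4ACE}"

# Constructed sample in .reg export format; every CLSID and name is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}]
@="Constructed Help Assistant Control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4ACE}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C4ACE}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}]
@="Constructed Spreadsheet Viewer"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\InprocServer32]
@="C:\\Example\\viewer.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000C3}]
@="Constructed Calendar Control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000c3}\Implemented Categories\{7dd95802-9882-11cf-9fa9-00aa006c4ace}]
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
SECTION_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
CLSID_KEY_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(?P<clsid>" + GUID + r")(?P<rest>\\.*)?$",
    re.IGNORECASE,
)
CATEGORY_RE = re.compile(
    r"^\\Implemented Categories\\(?P<catid>" + GUID + r")$", re.IGNORECASE
)
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<value>.*)"\s*$')


def audit_safe_controls(reg_text):
    """Map each CLSID in the export to its name and its two safety markings.

    Only the registry form of the marking is visible here; a control can also
    declare itself safe at run time through IObjectSafety, which no registry
    export will show.
    """
    controls = {}
    current = None  # (clsid, is_root_key) for the section being read
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        section = SECTION_RE.match(line)
        if section:
            current = None
            key = CLSID_KEY_RE.match(section.group("key"))
            if not key:
                continue
            clsid = key.group("clsid").upper()  # registry GUIDs are case-insensitive
            entry = controls.setdefault(
                clsid,
                {"name": None, "safe_for_scripting": False,
                 "safe_for_initializing": False},
            )
            rest = key.group("rest") or ""
            current = (clsid, rest == "")
            category = CATEGORY_RE.match(rest)
            if category:
                catid = category.group("catid").upper()
                if catid == CATID_SAFE_FOR_SCRIPTING:
                    entry["safe_for_scripting"] = True
                elif catid == CATID_SAFE_FOR_INITIALIZING:
                    entry["safe_for_initializing"] = True
            continue
        # The default value names the class only when it sits on the CLSID key itself.
        if current and current[1]:
            value = DEFAULT_VALUE_RE.match(line)
            if value:
                controls[current[0]]["name"] = value.group("value")
    return controls


def scriptable_controls(reg_text):
    """Return the CLSIDs a web page or HTML mail could script, sorted for review."""
    return sorted(
        clsid for clsid, entry in audit_safe_controls(reg_text).items()
        if entry["safe_for_scripting"]
    )


if __name__ == "__main__":
    report = audit_safe_controls(SAMPLE_REG_EXPORT)
    for clsid in scriptable_controls(SAMPLE_REG_EXPORT):
        print(f"REVIEW {clsid} {report[clsid]['name']!r} is marked safe for scripting")
```

Each flagged control is one whose methods untrusted script may call, so the review question for every hit is whether any of those methods can reach files, settings or other programs.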
It seems like every day I read about another Microsoft security hole. When will it become obvious to the managers who force Micro$oft products down our throats that they are compromising their companies' security? If I forced everyone at my office to use software that is full of security holes and we got hit bad by it, I would be fired. When are IT managers going to be forced to face the consequences of their decisions?
I'm currently working for a Fortune 100 (maybe 500) financial company that is about as pro-Microsoft as you can get. They're planning on dumping their Novell servers for Win2k. It's not as if anyone actually believes that Win2k servers will be better, it's just that they already agreed to purchase "NT 5.0" quite a while back. I think there might be a financial interest in continuing to prop Microsoft up. At any rate, the decision to use Microsoft is not being made by IT. As far as I can tell it's some kind of partnership agreement made by non-IT management that dictates the use of Windows. Using Linux on-site (whether connected to the network or not) is a firing offense. Two other Fortune 100/500 financial companies that I've worked for are doing the same thing.
These companies have all bought Microsoft licenses, continually say that they're switching all their non-MS servers to W2k, but still don't because they actually know that it would be a bad idea. My guess is these companies are propping up Microsoft for some other reason. They're buying licenses, not using them, and talking about Linux like it's the greatest evil around.
Anyway, all the articles about holes in M$ products get printed out by me and hung up on the board. People stop, look, laugh and shake their heads, and then it's back to business as usual. Oh well.
numb
Nobody is upset with MS because everyone blames "the hackers." The media doesn't know enough about this stuff to point out that thanks to MS, what once took lots of careful work by computer wizards now only takes a 9 year old and a few help files.
What I can't get over is how MS actually got away with convincing people that Win95 on a 486 will give you better performance than DOS.
What else is this Assistant doing? Perhaps it's logging keystrokes and sending them to Redmond. Perhaps it's analyzing user traffic and building a profile.
I suspect that MS is using the Assistant and other Office "features" to create extensive profiles on users around the world, for who knows what use in its own nefarious schemes. Perhaps that is why they seem openly contemptuous of the DoJ--they have the goods on Reno and her crowd and will use them when the time seems right.
You could use a packet sniffer to find out if your theory is correct or not. Then again, without a boogie man behind every corner, you may be forced to realize that you're just a common run of the mill paranoid and have to go become a useful member of society.
DrLunch.com The site that tells you what's for lunch!
I think it's important that we fully understand the development and problems that Clippit has faced... the following link is an insightful history. http://www.hoe.nu/text/hoe-0906.txt Thanks. -Mogel
But it appears that MS is relying on the general public to act as its beta testers
As opposed to Linux?????
DrLunch.com The site that tells you what's for lunch!
If you're on a Mac, and you clicked that link, did your Help Viewer open (or move to the front if it already was)? It shouldn't have, but I'm curious.
Anyway, by replacing some of those scripts or web pages, you could conceivably do much damage to a Mac, too. That said, I do use one of the assistants in the Mac version of Office, the Hoverbot, just because I like the sound effects it makes (and it never gets in the way, unlike the stupid Windows paperclip).
I use Macs for work, Linux for education, and Windows for cardplaying.
Oddly enough, I'm taking an Astronomy class as we speak from the former Apple employee who designed the 'hole' that you use the paper clip on (Thom Ahl - a pretty nice guy).
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)
- Jeff
No one is returning Outlook because most people have no idea of the risks involved. When a virus hits like Melissa or the ILoveYou, people aren't informed that it only is spread because of outlook. M$ doesn't inform anyone, so the only people who know that M$ is as much at fault as the idiots who wrote the virus are the people who are smart enough to avoid being infected. The sad thing is that even if they knew the risks involved, they would probably still use outlook because they don't care about internet security.
What Microsoft has done is truly interesting, and maybe a bit frightening: they have made a cute, vaguely helpful (but mostly interfering) figure a commonplace on the desktop. With Office 2000, you don't even have to be using an Office product to have the assistant sit on your desktop.
The Assistant uses up a lot of valuable system resources, and you can bet your bottom dollar that it doesn't just use them to render itself in stunning 3-d realtime graphics. We already know that Microsoft has a policy of blatantly, casually violating its users' privacy. What else is this Assistant doing? Perhaps it's logging keystrokes and sending them to Redmond. Perhaps it's analyzing user traffic and building a profile.
I suspect that MS is using the Assistant and other Office "features" to create extensive profiles on users around the world, for who knows what use in its own nefarious schemes. Perhaps that is why they seem openly contemptuous of the DoJ--they have the goods on Reno and her crowd and will use them when the time seems right.
www.alarmist.org
Given the extremely well considered approach to fixing the MS Outlook attachment problem (i.e. don't fix the problem, just make sure there is a patch which makes it impossible to get to the problem) will MS now do the right thing? Will they kill, scrag, frag, smash, disembowel and eviscerate Clippy the ultra-annoying? Totally, utterly expunge the cruel, procrastinating, patronising, difficult-to-put-up-with and even-harder-to-disable office assistant from our hard drives :-)
While they are at it, they could solve a few other of the problems in the same way? MS IE 5.5 not standards compliant - fix it so it doesn't run. BSOD - delete that c:\winnt directory. I think we'd all be happier for it. :-)
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Exactly, even more so with options. Everyone is laughing at how these sucker employees are screwed over now because the stock is down.
Employees who got options in December before the stock started its slide will just have to hold them a bit longer than they wanted since it will be a while before they can make money on $120 options. Employees who are getting options now at 67 are probably going to be really happy in a few months once the dust clears and the stock rebounds.
I think the way it works is you have to hold them for a couple years anyway and you have up to ten years before they expire (at least that's the way it works in my company). Yeah, the stock is down sharply since the beginning of the year. Yeah, bet a bunch of employees are looking at pretty disappointing negative or reduced value in their options right now. Seems to me that is an incentive to stick it out and work harder. Once you quit you usually have only 30 days or so to use any unexercised options. Better to hang around for another year to see if the stock goes up.
This is one of the reasons companies use stock options and bonuses as compensation. Gives the employee an incentive to stick around. Now, anyone who was really smart took all their options in December and split. But then, we've always wondered about how many Microsoft employees qualify as 'really smart' (not in the talented technician sense, in the 'why the hell would you work at Microsoft' sense)
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
[Yes, please help me] or [No thanks] (greyed out)
What next, a picture of an ActiveX scripting component painted on a cat to pop up and go "Script kiddie detected." followed by another message saying "Your security settings have changed, please reboot for these settings to take effect" ?
Should we really be surprised that we have found yet another problem with the "largest software company in the world"'s product. What does it say about our culture when such horrible products become pretty much a standard? It makes me ill that nothing more than good marketing will sell a product. Here's my piece of crap (literally) in a nice fancy little case, and I even made it easy to use. No guarantee however. Thanks for nothing Microsoft.
Of course, that's just my opinion, I could be wrong.
ROFL!
It makes perfect sense now!
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Big deal, let's see an article for every Linux related bug and fix on here for some parity...
DrLunch.com The site that tells you what's for lunch!
When you are going to release a product that allows so much interoperability, one would assume that those very functions that allow that interoperability would be slammed, nuked, beaten and in every way imaginable explored, repaired, and THEN the software released.
But it appears that MS is relying on the general public to act as its beta testers, to search out and discover these holes. They are complacent, non-proactive, and basically riding on the assumption that people will continue to use their products no matter how low the quality level goes.
This is one area.. where the communities like Open Source can really shine. Because opening your code to peer review keeps you on your toes. It allows different minds to work together cooperatively to create a better software package. And in the end, everyone benefits.
I know this is a bit of a rehash of stuff I have said before, but since we all know that MS is paying very close attention to everything written here on /., maybe repeating some basic concepts will beat the idea into their brains...
One can always hope...
Check out Magic Firesheep!
Mr Hankey would be a great assistant for MS Office, because the MS Office assistant really is a piece of shit.
Go get your free Palm V (25 referrals needed only!)
Comment removed based on user account deletion
After decades of development and use, a major security flaw has been discovered in the Unix operating system. "All variants of Unix are affected", according to a mailing list of software security bugs for system administrators. Because this security hole was not discovered until today, it is possible that hackers have been exploiting it for years.
Details of the bug are still limited but early reports hint that a Unix feature called an "Unnamed pipe" has a flaw that, when used, opens access to the computer system to any other computers on the network. According to a Microsoft spokesperson, the "[Unnamed] pipe is a tool used exclusively by malicious computer hackers." As a leader in network security, Microsoft ensures its customers that it is not affected by the bug. The spokesperson continues, "At Microsoft we recognize the fact that the command prompt is the true reason why such hideous exploits flourish. For that reason, we have taken the innovative step of integrating the graphical user interface directly into the operating system, bypassing any need for a useful command prompt interface."
All users of Unix and Unix-variant operating systems are urged to refrain from using unnamed pipes until a security patch is made available. Utilities such as "man" should not be used under any circumstances for any purpose. System administrators should take necessary precautions and install security patches as soon as possible. Users should also take precautions and never open unnamed pipes, especially unnamed pipes you weren't expecting.
At my old job, the company was all microsoft-all-the-way... why?
Because that's what they had used before, and that's what they were used to... they didn't want to take the time to invest in switching over to a new design.
Now, I'm sitting here thinking to myself, unaffected by the latest lovebug crisis with my nice unix mail system at work and linux system at home... what is gonna happen to their system there? The IIS server went down everyday, the NT fileserver blue screened every other day, they had 2 techs running around fixing everything and all software was written in Visual Basic and Access. (Notice that I said this was my old job).
Not to mention this, but their security in general was laughable. Keypad combinations... for which the number was never changed and was possible to circumvent through other doors in the office.
Bearing this in mind, I seriously wonder just how much they care about security...
Before I left, I told a fellow code-monkey that for an initial down payment on a few lowend systems, a linux guru, and a month of tweaking, they could have a stable, fast, inexpensive, and secure system...the only caveat? It was linux... and this company was locked into microsoft.
I think the understatement of the year will be that Microsoft is manufacturing a couple industries to deal with the crap they force on companies.
I wonder how many other companies are similar in nature? =)
Humorless sig goes here.
Smart people know that Micro$ has created more millionaires than any other company. They will stick around and get vested.
Also, Micros~1 tends to hire their techies straight out of college, so most of their people are blissfully unaware of what it is like to work for a company that is not run by the marketing department.
Information wants to be anthropomorphized.
I understand that as long as the user has clicked through the EULA on install, they can't sue M$ for losses incurred by the negligence of their programming....but what if I run an ISP with no M$ software and their bug costs me, can I sue? Surely I can!
Simplest scenario, bfreeSP provides email services to 1000 companies via POP/IMAP, a security oversight in a M$ product results in bfreeSP receiving a DDOS from all its own customers and the people who want to mail to the customer. bfreeSP's customers lose their email system for 1 day (thanks to the speed of sendmail fixing the problem) and hence all claim a refund for the lost day (let's forget the compensation side for now). bfreeSP should be able to sue M$ because it has never agreed to the EULA, and the problem has been caused by the software written by M$.
In the above simple case, am I right in assuming the only factor a case would consider is whether the fault lies with M$, the author of the worm/virus/whatever which exploited the hole or each and every individual user who installed and used the M$ software? Anyone who is a lawyer care to suggest how this case might fare?
Never underestimate the dark side of the Source
You know, just yesterday, Clippy got up real close to my monitor, looked around serendipitously, and tapped on the glass. He mumbled something about "Snow Crash" and asked me to click on this vial of crack. I clicked, the monitor turned to static, but I looked away just as the phone rang...
I feel sorry for Microsoft. Just to qualify my credentials I don't actually use any of their products apart from keyboard and mouse. The problem Microsoft has is that most of its users are a bit stupid and therefore tend to run scripts and things that wreck their systems. Providing support for eejits is probably the cause of a lot of their security holes. I use Linux not because I hate Microsoft but because I get a C++ compiler and source code for any apps that I run. This helps me with work for custom reports on data etc. This just wouldn't be possible with NT. I guess I am just trying to defend MS a bit and explain that their target audience makes the OS increasingly difficult to secure properly. Having said that - there are too many people who use Windows in my work environment. They keep on having to do their work on my Solaris Box! Oh and by the way don't get me started on bloody Windows networking - WINS is a bunch of arse.
Isn't anyone else concerned about the number of recent security holes in M$ software? I have nothing to say, because I just don't use M$ crap, but why aren't there any public outrages against M$? I find it funny that the public just accepts these bugs as normal.
You know why this happens? Because programming is hard. Bitching and moaning about bugs won't change this fact.
DrLunch.com The site that tells you what's for lunch!
If they were so smart, how come they agreed to take stock options? Doesn't look so smart now, does it :) I guess it depends on whether you consider gambling to be a smart thing to do, or a dumb thing.
Your right to not believe: Americans United for Separation of Church and
> Isn't anyone else concerned about the number of recent security holes in M$ software? ...why aren't there any public outrages against M$? I find it funny that the public just accepts these bugs as normal.
One answer:
Because the responsibility for the problems is being put at the feet of anonymous hacker folx. By the general public, M$ isn't seen as "at fault"...they were, ahem, taken advantage of by malicious types.
We must all be very nice to microsoft. They have had to patch many of their backdoors, and they are getting very edgy.. DillDog the Hacker should be careful lest they erupt on him as they did in the Slashdot DDoS attack.
---
$ su
who are you?
$ whoami
whoami: no login associated with uid 1010.
#define RANT
It seems like every day I read about another Microsoft security hole. When will it become obvious to the managers who force Micro$oft products down our throats that they are compromising their companies' security? If I forced everyone at my office to use software that is full of security holes and we got hit bad by it, I would be fired. When are IT managers going to be forced to face the consequences of their decisions?
#undef RANT
Seriously though, I guess we can't expect the masses of ignorant users to give up their beloved paperclips and fancy email attachments. They want everything and Micro$oft tries to give it to them without regard to the security risks.
This feature needs to be added to Vigor right away
134340: I am not a number. I am a free planet!
Let he who has never written a bug cast the first flame.
-----------------------------------------------
The patch is available at http://download.microsoft.com/download/office2000pro/Uactlsec/2000/WIN98/EN-US/Uactlsec.exe, with instructions available at http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm
Microsoft states in their FAQ:
Sure. This time it's a simple error in labelling. What will it be next time? How many more simple marking errors lurk in Office or IE?
Microsoft employs many very smart people.
Microsoft has a history of bone-headed security.
Conclusion: The smart people are being over-ruled by the dumb ones.
Corollary 1: The smart people will eventually tire of this and leave. Also, new smart people will not join.
Corollary 1a: With fewer (if any) smart people, Microsoft will be in even worse shape.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
It might be good for the Office team to continue following corporate guidelines for what to do about the Office Assistant: 1) Embrace --Check... 2) Extend --Well it's now 3D and has the ability to consume more resources and compromise a user's machine. Check... I think we know what the next logical step is, right? ;) --Kylus
Idiot-proof something, and Life will build a better Idiot.
the most annoying thing ever written into software...
----- Leghorn "Not responsible for program content"
Hmmm, second security hole this week (first one was Outlook). Well, this must be a record of some sort, don't they deserve to get into the Guinness records book?
Can a law suit be filed against the Paper Clip? Will he (or she) be accountable for helping the security violators to access our computer data? Can the Turing test be used in this kind of a law suit to rule against MS?
Remember: On the other hand, if you write your virus in Visual Basic with some ASP processing on the server side + MTS + IIS + MS authentication process ripped of Kerberos + rules engine + XML + VRML + Marketing Department == a highly scalable and maintainable by only 120 people macro virus capable of overwriting all your jpg files with pictures of naked and petrified Ms. Portman, a virus with its own market share, very scalable robust and that only takes 10 minutes to execute on a single given client. Well, for this kind of virus of the future, the new Outlook security patch will work just fine!
You can't handle the truth.
you left the Office and all the Windows are wide open
.oO0Oo.
could you come back and close them please
all of our work is blowing outside
help us.......
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Perhaps that backdoor in Red Hat was this one? Oops, did I just link to it? Was that link a /. story? /., could you please link to it, because I am not aware of it... dork.
Ohhh, I see you must have missed that one.
Why be such a flamebaiter? If there was a different Red Hat backdoor that was not on
I personally have never used it, but I know some people who have used the MS agent activeX control on certain web pages to add "Clippy" functionality to some IE-centric web applications. If this bug affects that as well, there could be some major implications.
Add that in with MS's voice generation and voice recognition controls and I can see a version of the ILOVEYOU virus that spreads itself by yelling to all of the other computers in the room!
A|Q|U|A
Isn't anyone else concerned about the number of recent security holes in M$ software? I have nothing to say, because I just don't use M$ crap, but why aren't there any public outrages against M$? I find it funny that the public just accepts these bugs as normal.
When Boeing was accused of installing low-quality wiring in their jets in 1974, there was a massive public outrage forcing them to stop using that type of wiring. To the software industry, I consider this a simple bug. But a dangerous bug that cost many lives. Obviously, there is a major difference: using Outlook has not cost any lives. But still, why is the public gracefully accepting the fact that M$ software is full of bugs?
Yet a couple of stories ago, everyone and their dog was complaining that Corel's WP Office 2000 was full of bugs and that they returned it to get a refund. Why isn't anyone returning Outlook for a refund, because it's a major security threat on a Network?
Why doesn't one of the OSS word processors include a Mr Hankey office assistant?
Every so often you'd get that slide guitar followed by, "Hidy ho! Hidy Ho guys!"
and a big brown jobbie wearing a hat would appear to guide you through the process.
"Seems to me that you're tryin' to type a letter!"
I'm out of my tree just now but please feel free to leave a banana.