Microsoft Microsoft Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
It's a feature.
Could I get a list of all the new security flaws in Linux? Thanks.
Oh wait, this is Slashdot.
I clicked on the Microsoft security bulletin. I've never seen one of those before. Back when I first bought my gateway I actually registered with Microsoft online, and so I find it hilarious that an important bulletin such as this is in such an obscure place. I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though. I'm still laughing about that bulletin. Aren't you supposed to distribute bulletins, not hide them somewhere? Ugh...
~ now you know
First of all, don't use Windows if you don't have to (I use Windows 2000 for the things I do have to use Windows for and haven't really had many issues with it). Second, third, and fourth, get a good firewall, get a good virus scanner, and don't open strange files. I mean, a lot of this stuff is basic common sense, but most people ignore it, and those are the ones who have all the problems with Windows.
I find it hard to believe that someone on slashdot would complain about webpages designed for IE not working.
If MS security bugs encourage web designers to design gracefully degradable web pages, that's fine with me.
Jesus saves....And takes 1/2 damage.
Just as a disclaimer, I'm not one to defend Microsoft in most cases. But what I think most people don't think about is that there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user-base is so huge that there is more of a possibility that these bugs will be found and in many cases used for unfortunately bad purposes. If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.
That said however, I don't care for MS and the majority of their software that I do use is out of necessity.
forma3
Your day wouldn't be complete without Microsoft news.
No, my day wouldn't be complete without logging into /. and reading my daily dose of Microsoft bashing.
Yes, my girlfriend is a BitchX
Why am I not surprised? Like this is news. This is like a periodic function, with a frequency real high. So annoying!
I'm just waiting for him to declare Windows XP to be "unsafe at any speed."
Do not taunt Happy Fun Ball(TM)
Please. I think running IE is irresponsible, personally, but hey... :) MS needs to STFU and fix their code. Enough talk, enough spouting rhetoric, enough blaming. Just start fixing it. They can shout at everyone _after_ there's a patch out.
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
"California deserves special credit for its stance. Bill Lockyer, the state attorney general, has emerged as the most important public official in America when it comes to holding back the Microsoft tide."
sulli
RTFJ.
Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?
How are software bugs, especially critical ones, different from design flaws in a tire?
Indie rock lives! b-side!
And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows.
If you read the security bulletin, it's not referring to windows at all. It's a problem with Internet Explorer version 5.5 or later.
Seems that that little slip exposes a great deal of anti-M$ bias. Not good for a supposed "news source".
Ralph Nader has long campaigned for the government to have monopoly control on all economic activity, and somehow he gets mad at Microsoft for being a monopoly. If he were consistent, he would be angry that Microsoft did not have MORE monopoly power.
The Register, and How Microsoft invented open source, by Billg
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
NO
because I disabled scripting.
Yes. You need scripting in order to get details of the security hole. On the other hand they recommend you to disable scripting.
Odd.
Yes. I have to use Windows at work.
Yes. I could use Mozilla.
Of course, Nader's stance at the far left of the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
OK. Let's let Microsoft keep their security flaws secret. Do any of us think that will really work?
Part2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.
Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this Summer would have been affected in the least by Microsoft's proposed policy.
Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?
But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.
The living have better things to do than to continue hating the dead.
If Microsoft did such bad software, and the free alternative was so incredibly great, nobody would buy anything from Microsoft. And what about the monopoly? Who else is there? The other "players" haven't ever wanted to win, which Microsoft always has. I see the lack of competition as a problem, but not because of Microsoft, but because nobody else wants to win, nobody else wants to be the best.
Gates starts every day as if someone else was taking over, that is how other companies have to work as well. You always have to be hungry and never live on old accomplishments. What use is there to do everything "we" can to cripple Microsoft when the media soon is controlled by a few monopolies? If you want to do something, be better than Microsoft, don't whine...
to expect Micro Soft to release a patch in a few days. However MS is even more irresponsible releasing code with so many security flaws. Maybe they should spend less time innovating and more time testing the basic functions of their operating system.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"
Are they referring to the recent release of XP?
Remember that US Presidential election back in 2000? Although Nader did not manage to get enough votes to secure federal funding, he did get enough to keep Gore out of the White House.
The current makeup of the DoJ is a direct result of Nader's actions. He was warned about this outcome repeatedly during the race, by many of his former friends. I'm amazed he has the gall to come out in public and complain about this, when it's as much his fault as anyone else's.
Thanks Ralph, this is why I voted for you.
Also I like seatbelts.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"
Funny, Open Source software can have a patch out within a few days, why can't Microsoft?
Things you think are in the Constitution, but are not.
SF Gate has an article about how the states are "sabotaging" the settlement:
Why are they asking the court to derail the settlement, effectively guaranteeing that the case won't be resolved for years? The state attorneys general claim the high ground as defenders of consumers, but it is hard to see what consumers of software would gain in prolonging this legal agony.
Uhh, ok...
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.
Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.
I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.
BEN
I think this just goes to show that the grey hats are the real white hats.. and supposedly white hats like these are really pretty grey. Clearly, the black hats want to keep their secrets and it seems that white hats want their secrets too, but grey hats seem to have been previously defined to include anyone who keeps no secrets.
I can just see these "white hats" using their secrets to prove that their potential customers are insecure.. only to ignore the problem until MS fixes it one or two years later.
Ta Da!
nothing is quite as irresponsible as supporting your software.
but think about this... is it not irresponsible to release code that isn't tested enough?
--donabal
Safety First Day?
The BBC also has an article today detailing some of the groups and corporations that are lining up to take on Microsoft on several different fronts.
'If it becomes hard to release vulnerabilities, that's a good way for Microsoft to get rid of some embarrassment.' -- Marc Maiffret, eEye Digital Security from the Security Focus article
;)
That's just plain funny. You know only those people in the 'group' know how to code exploits. Imagine what would happen if just *anybody* could code an exploit? It would be what Scott Culp, manager of MS's security response center, calls "information anarchy".
I don't mind if they do this, it will show how incorrectly the 'security by obscurity' paradigm works.
Chaos, Mayhem, and Destruction: Not
Pardon my french, but *bullshit*.
Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
Reality has a liberal bias
On their page describing the security hole with active scripting, you need to have active scripting enabled to read the text that is hidden unless the "+" icon is clicked.
---Technology will liberate us if it doesn't enslave us first.
Microsoft does whatever it likes mainly due to the fact that no one is a serious contender in their main areas of business. They have managed to convince people, through software and OS's that are good enough for most folks, that their only real choice when it comes to buying computers is which hardware manufacturer to buy from. The business ethics of Microsoft are questionable, but their ability to dominate markets is not.
for being one of those names I'd heard quite a lot, I never realized that he was such a rational human being. How can I support this cat? He's obviously a force that is on the side of the people, and I think we (the Free Software users) should rally to his support. How can we help?
b
"The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards."
Let's see: hundreds of developers, exclusive access to source code and billions of dollars, and they can't fix as fast as open source. But then again it is always easier to blame the messenger.
By definition, a government has no conscience. Sometimes it has a policy, but nothing more. - Albert Camus
Seems to be common sense to me. No sense in broadcasting vulnerability information to people who may use the information to exploit unpatched systems. (and are not smart enough to find the vulnerabilities themselves) The plan does allow limited public notice with a detailed release of the information after 30 days... I guess they assume that after 30 days all systems will be patched.
Who exactly comes to slashdot looking for news and updates about microsoft?
Why don't the editors admit this is just a good way to start silly flamewars and draw eyeballs to their site.
By drumming up a little misinformation and hysteria, the editors get to still draw a paycheck.
Seems that that little slip exposes a great deal of anti-M$ bias. Not good for a supposed "news source".
Just try running without IE. I'll pass on the M$ bulletin as none of that junk is corrupting any of my machines.
Everyone is biased but God, but he might not like you and Bill Gates either.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Jesus saves....And takes 1/2 damage.
OMG, if I wasn't at work I'd be bawling my eyes out in laughter-induced hysteria. That has got to be the funniest damned .sig I've seen. :P
*cough*
Now... Yesterday I went to a site - eqcomics? - using Mozilla 0.93 (or somesuch, I don't track version numbers as religiously as some. Whatever the default for Debian testing is), and it gave me a minimal page with "This page can only be viewed using Internet Explorer 5+"
Bah. Perhaps the multitude of bugs and backdoors and such in nearly ALL of M$'s products (or so it seems - every other day we hear of something new) will convince page designers to forgo all of the Javascript 'browser tests' and simply code a GOOD site.
GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
Yah, god knows without active scripting, IE just won't work at all. Way to keep it real michael
The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.
Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.
-CT
OPEN SOURCE SOFTWARE IS PATCHED WITHIN HOURS OF REPORTED SECURITY HOLES!!!!!!!!!!!
There; it IS possible, and it IS reasonable to expect it.
Who is the "irresponsible" party here? the people who find the flaws, or the people who put flawed software out there WITHOUT THE ABILITY TO SUPPORT IT!!!
---
In other news.. Security through obscurity is WEAK SECURITY, ask any security expert. As soon as you take the vulnerabilities out of the public hands, you invite the black-hats and the darker-gray hats, and the d|_|mba55 scr1pt kiddies to HACK YOUR BOX..
deny Administrators and Programmers access to your security information, and say goodbye to security on the Internet(tm)..
case closed..
--
US$0.02++
I'm always UP for it. You must be a girly-man.
It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.
Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.
Go home, Bill. You're still the guy with the most money. That means something on a superficial level, doesn't it?
Asshole.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days".
A Microsoft spokesman was later heard saying - "We didn't fix it in the first place, what makes you think we're going to now?"
Error:
Mr Bush and his cronies are now in charge. Please go back to your daily, common lives.
...even though that will make essentially every webpage that's designed for IE not work.
...arguably a feature.
Can't OSS freaks come up w/ an original idea?
Thoughts along this line get into infinite regression, as you thug from Mr. Softy what are really previously thugged ideas.
Recall Solomon's preemptive strike, oh Choad Correspondent: "There is nothing new thing under the sun". (Ecclesiastes 1:somethin')
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
...for the IE problem in the usual places. The linked article says it's not ready, but if you go to the update site, it's there.
Watch how these new bug release standards are going to slowly turn into law.
SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits
How is the top 20 exploits page MS-specific? At least by the wording of the article, you make it seem this way. Newsflash genius, the SANS/FBI Top 20 is a list of vulnerabilities - UNIX, Windows, and General...not Microsoft-only.
You really need to get over your Windows envy. It's getting to the point of being pathetic.
But what do I know.
You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.
Redmond dumb-asses.
Here's another interview with SANS. Interesting.
How about the netcraft survey? Apache the most used webserver software? It's probably running on Unix machines. That's not a large installed base that would find defects in the (OS) software?
*dances around like an ape in search of some deo rollon*
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
From the article:
The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, then it's easy to make the connection that the open-source community is vilifying the information management structure that Microsoft and friends is working so hard to manage for the best interest of the consumers.
They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsoft's high standards of quality.
Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsoft's best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a company's product to an unapproved bill.
Dacels Jewelers can't be trusted.
"Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"."
What's irresponsible is that Microsoft releases such buggy crap in the first place. THAT'S irresponsible. Oh, but the NT admins out there will biatch, whine, and moan about the bugs in ALPHA open source software, and use that to "prove" that doze is better. What ninnies.
Hey Microsoft, here's an idea: TEST YOUR CRAP BEFORE YOU SHIP IT, THAT WAY IT WON'T BE SO EASY TO MAKE YOU AND YOUR ADVOCATES LOOK LIKE LYING ARSED BUFFOONS.
The point of the Microsoft suit was to bring back competition. Innovation was stifled because no one could get investment $$ if they were in a market Microsoft was even thinking about entering.
So what is the effect on investment capital of the settlement?
The proof is in the pudding. Is Red Hat stock up? Is Palm or Be stock up - or is anyone coming in with a bid that beats Palm's paltry $11 million? Is there venture capital available for companies to compete with productivity apps or streaming audio?
A great quote from this article: "The relationship between information anarchy and the recent spate of worms is undeniable. Every one of these worms exploited vulnerabilities for which step-by-step exploit instructions had been widely published. But the evidence is far more conclusive than that. Not only do the worms exploit the same vulnerabilities, they do so using the same techniques as were published - in some cases even going so far as to use the same file names and identical exploit code. This is not a coincidence. Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons."
In other words, "Please don't publish anything about security flaws you find in our products. All this does is spread viruses."
Translate out of M$ speech: "Please don't make us and our products look bad by publishing this info."
"The market alone cannot provide sufficient constraints on corporation's penchant to cause harm." -- Joel Bakan
Consider all of the other voters who forfeited voicing their opinion merely to pick someone who they thought might actually win. The lesser of two evils is still evil and I'm glad I voted for who I thought was the best candidate. I'll do it next time too.
Don't forget, the race was virtually a tie. If the democrats lost votes to Nader, where did all of the corresponding Republican votes go?
who exploit weaknesses of the Internet for personal gain. I'll bet right now you're pissed at Microsoft for asking for tougher disclosure guidelines, yet if it weren't for you and your script kiddie brethren they wouldn't need to tighten the rules.
Here's a reality check...
Microsoft made PC vendors deals they couldn't refuse (and when they accepted, couldn't afford to get out of) to put their stuff on machines. If it's already on the machine, most people won't bother to get a different program unless it's so atrocious as to be unusable. Doesn't matter if it's free- it'd have to be 100 times better for the average person to bother with getting it. Once you're in that position, it's very difficult to shift the player in place because of network effect- it's nothing at all to do with how "good" a program is.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Here is a link to my site that has more info on the "security thru obscurity" discussion.
It also has the email addresses of some of the companies that have jumped on the "anti-disclosure" bandwagon.. just click and mail them how you feel!
=-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
Many of MS's problems aren't bugs, they're designed to work that way. MS has had a poor record of thinking about security. They tend to think more of features, and what they can enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
So many holes in this rant, which ones to choose? Let's go with this one.
I can sell my Copy of XP if I wish, if I sell my NFL tickets it can be scalping.. Microsoft doesn't price point XP, they give it a value. I can buy XP and sell it for 30 bucks or 300 bucks, whatever the consumer is willing to pay. I can't do that with Baseball tickets, NFL tickets or phone service.
Try selling your copy of XP online, and watch how fast MS stops you because of licensing issues. If you actually sell it on the street, they could still nail you if they find out. You can resell your sports tickets at face price without violating scalping laws. Phone service is a service, not a product, and thus is non-transferable.
Or how about this one?
So why all the resistance on Microsoft? Why not make it a perfect world and attack the NFL, MLB, NBA, WNBA and your local telco megopoly who restrict your choices and charge you exuberant prices and rip off the consumer.
Because there are other sports and other phone options, and for the most part those don't do such blatant anti-competitive practices. You don't see the NFL trying to create a baseball team. M$ wants to control the entire computing experience and then some...and they make no bones about it. And of course, the biggest point is that MS has been found to be in violation of law for their monopolistic practices, and yet they still flagrantly defy the law. That makes them a viable target for criticism, pure and simple.
Electronic Frontier Foundation for online civil rights information
I wonder... What was the longest time a known security bug took to fix in the linux kernel or one of its major apps?
http://www.askthevoid.com
From the MSNBC article:
In a classic display of Microsoft pugnacity, the company hammered opposing government lawyers on nearly every conceivable point, no matter how small. Eventually exhaustion became a factor, lawyers on the government side acknowledge.
So let's make sure the state attorneys general keep their lawyers adequately supplied with No-Doze!
www.lucernesys.com Horizon: Calendar-based personal finance
Cookie Data in IE Can Be Exposed or Altered Through Script Injection
t ernet Settings\Zones
Originally posted: November 08, 2001
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Exposure and altering of data in cookies.
Maximum Severity Rating: High
Recommendation: Customers should consider disabling active scripting in the
Internet Zone and the Intranet Zone. Customers using Outlook Express who have
not set OE to use the "Restricted Sites" Zone should do so as a best practice.
Affected Software:
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Technical details
Technical description:
Web sites use cookies as a way to store information on a user's local system. Most
often, this information is used for customizing and retaining a site's setting for a
user across multiple sessions. By design each site should maintain its own cookies
on a user's machine and be able to access only those cookies.
A vulnerability exists because it is possible to craft a URL that can allow sites to
gain unauthorized access to user's cookies and potentially modify the values
contained in them. Because some web sites store sensitive information in a user's
cookies, it is also possible that personal information could be exposed.
Microsoft is preparing a patch for this issue, but in the meantime customers can
protect their systems by disabling active scripting. (The FAQ provides step-by-step
instructions for doing this). This will protect against both the web-hosted and the
mail-borne variants discussed above. When the patch is complete, Microsoft will
re-release this bulletin and provide details on obtaining and using it.
Mitigating factors:
A user must first be enticed to a malicious web site or to open an HTML e-mail containing the malformed URL.
Users who have applied the Outlook Email Security Update are not affected by the HTML mail exploit of this vulnerability.
Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the HTML mail exploit of this vulnerability because the "Restricted Sites" zone sets Active Scripting to disabled. Note that this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active Scripting is still disabled in the Restricted Sites Zone.
Severity Rating:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   High               High               High
Internet Explorer 6.0   High               High               High
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment
patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2001-0722
Tested Versions:
Microsoft tested Internet Explorer 5.5 SP2 and 6.0 to assess whether they are
affected by these vulnerabilities. Previous versions are no longer supported, and
may or may not be affected by these vulnerabilities.
Frequently asked questions
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly,
and has deliberately made this issue public only a few days after reporting it to
Microsoft. It is simply not possible to build, test and release a patch within this
timeframe and still meet reasonable quality standards.
What's the scope of this vulnerability?
A malicious web site with a malformed URL could read the contents of a user's
cookie which might contain personal information. In addition, it is possible to alter
the contents of the cookie. This URL could be hosted on a web page or contained in
an HTML email.
What causes the vulnerability?
The vulnerability results because of an unsafe handling of cookies across IE zones.
How would an attacker carry out an attack using this vulnerability?
An attacker could attempt to maliciously exploit this vulnerability by hosting a page
with a maliciously crafted URL. They could also send the victim an HTML email with
a similarly crafted URL.
In the case where the attacker hosted a web page, would he have any way to
compel me to visit the site?
The attacker could not force you to visit his site. Instead, he would need to entice
you into performing some action that would cause you to visit the site. There are,
however, a variety of actions that could be used to do this, from visiting a web site
that would redirect you to the attacker's, to opening an HTML e-mail that
referenced the attacker's site.
In the case where the attacker sent me an HTML e-mail, would simply opening
the mail allow me to be attacked?
Yes. It is possible for an attacker to craft an HTML email in such a way that it
would exploit this vulnerability on opening the mail.
Why does changing my IE settings help protect me against a mail-borne
attack?
As we mentioned above, HTML e-mails are just web pages sent via e-mail. Outlook
uses the IE security architecture to limit what HTML e-mails can do when opened.
By default, Outlook 2002 opens all HTML e-mails in the Restricted Sites Zone.
Is this a permanent change?
No. Microsoft is working to develop a patch that will eliminate the vulnerability.
When it's completed, you'll be able to install the patch and then return your IE
settings to their previous values.
How likely is it that I could be affected by this vulnerability?
It depends on your web browsing and e-mail habits. Customers who exercise care
in choosing the sites they visit, and who are careful not to open obvious spam and
other untrustworthy e-mails would be at less risk from this vulnerability. However,
customers can easily make a configuration change that will provide complete
protection.
What's the configuration change that will protect against this vulnerability?
Customers who are concerned about this vulnerability should disable active
scripting. All web pages (and HTML e-mails, which are just web pages delivered via
e-mail) are categorized into one of several zones, and the settings in each zone
dictate what actions can be taken within it. By disabling active scripting in the
Internet zone a user can prevent an attacker from exploiting either the web-borne
or mail-borne versions of this attack.
How do I disable active scripting in Internet Explorer 5.5 and 6.0?
On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
In the Settings box, scroll down to the Scripting section, and click Disable under "Active scripting" and
"Scripting of Java applets".
Click OK, and then click OK again.
I am a network administrator. How can I disable active scripting in my
enterprise?
With new deployments of Internet Explorer, an administrator would use the IEAK and disable active
scripting before building the package and rolling it out to client machines.
For currently deployed clients, use Profile Manager to create an auto-config INS file to make the registry changes
needed to disable active scripting on the client machines with Internet Explorer already installed.
For administrators that prefer to use SMS or login scripts, the following are the registry changes that would
disable active scripting on the client machine:
HKLM\Software\Microsoft\Windows\CurrentVersion\In
HKCU\Software\Microsoft\Windows\CurrentVersion\In
There are five different sub keys under each "Zones" key. Each key controls a
different security zone. The key names are 0-4.
0 = Your computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
There is then a DWORD value under each zone number key that must be modified to disable active-scripting
for each zone.
REG_DWORD value is "1400" to be modified.
Setting this value to "3" (from "0") will disable active scripting.
HKCU setting changes take effect immediately. However the HKLM settings
would most likely require a reboot.
Patch availability
Download locations for this patch
A patch will be posted as soon as it is available.
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Internet Explorer 5.5 and 6.0 when available.
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center, and can be most easily
found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
All patches available via WindowsUpdate also are available in a redistributable form from the
WindowsUpdate Corporate site.
Other information:
Support:
Technical support is available from Microsoft Product Support Services. There is no charge for
support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (November 08, 2001): Bulletin Created.
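A check for the registry change the bulletin describes, as an added example that is not part of the bulletin or of the original post: it parses a regedit-style export and reports the Internet and Restricted Sites zones where value 1400 is not 3. The export text is constructed, `<ELIDED>` stands in for the part of the key path that is cut off on the page, and the function names are this example's own.

```python
import re

# Zone numbers and names as listed in the bulletin.
ZONE_NAMES = {
    0: "Your computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
ACTIVE_SCRIPTING = "1400"  # DWORD value named in the bulletin
DISABLED = 3               # per the bulletin, 3 disables active scripting

# Constructed sample in regedit export (.reg) syntax. <ELIDED> is a placeholder
# for the portion of the key path that is truncated on the page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\<ELIDED>\Zones]

[HKEY_CURRENT_USER\<ELIDED>\Zones\3]
"1400"=dword:00000000

[HKEY_CURRENT_USER\<ELIDED>\Zones\4]
"1400"=dword:00000003

[HKEY_LOCAL_MACHINE\<ELIDED>\Zones\3]
"1400"=dword:00000003

[HKEY_LOCAL_MACHINE\<ELIDED>\Zones\4]
"""

# A section header that ends in \Zones\<0-4>; the hive is captured separately
# because the bulletin lists the same setting under both HKLM and HKCU.
SECTION_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\Zones\\([0-4])\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone_settings(reg_text):
    """Return {(hive, zone): {value_name: int}} for every Zones\\N section."""
    settings = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = SECTION_RE.match(line)
            current = (match.group(1).upper(), int(match.group(2))) if match else None
            if current is not None:
                settings.setdefault(current, {})
            continue
        if current is None:
            continue  # value belongs to a key that is not a zone key
        match = VALUE_RE.match(line)
        if match:
            settings[current][match.group(1)] = int(match.group(2), 16)
    return settings


def audit_active_scripting(reg_text, zones=(3, 4)):
    """List (hive, zone, zone_name, state) where active scripting is not disabled.

    The default zones are the two the bulletin singles out: Internet (3) for
    the web-borne case and Restricted Sites (4) for HTML mail.
    """
    parsed = parse_zone_settings(reg_text)
    findings = []
    for hive in sorted({hive for hive, _ in parsed}):
        for zone in zones:
            values = parsed.get((hive, zone))
            if values is None:
                state = "zone key missing from export"
            elif ACTIVE_SCRIPTING not in values:
                state = "value 1400 not set"
            elif values[ACTIVE_SCRIPTING] != DISABLED:
                state = f"1400={values[ACTIVE_SCRIPTING]} (active scripting not disabled)"
            else:
                continue
            findings.append((hive, zone, ZONE_NAMES[zone], state))
    return findings


if __name__ == "__main__":
    for hive, zone, name, state in audit_active_scripting(SAMPLE_EXPORT):
        print(f"{hive} zone {zone} ({name}): {state}")
```

A missing value is reported rather than treated as safe, since the bulletin's mitigation only holds when 1400 is explicitly 3.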
PROBLEM:
Damnit, our products are so damn insecure we have to patch the patch before we even release the patch to the service pack to the bugfix.
This is directly impacting our ability to innovate by finding new anticompetitive practices to drive customers out of business. On top of that, we have lost complete track of which politicians to buy off.
SOLUTION
Slow down the security sieve that is Windows. "Thirty days after the first advisory, a more detailed notice can be released under the rules."
Wow, this also must explain why my windows boxes always crashed so much, because all the other people in the world are using windows too and this uncovers crash bugs on the machine that I'm using.
I'm sure that as more people start using Linux that this will cause my machine to start crashing more often too!
--
(for the humor impaired, this was funny)
Doesn't matter if the exploit is disclosed or not- people still find them, more often than not before they're announced. All the announcement does is put it in the open (open disclosure isn't a script kiddie's friend- it often times means that the exploit's hole is plugged and they can't use their toys on some or most machines anymore...).
There's loopholes in any system. They will be exploited. It's whether or not you know about the loophole and can fix it that makes all the difference between being 0wn3d or not.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Nope. It's not.
The Netcraft survey crawls through all those little Melvin machines which each have an httpd running that nobody ever accesses.
Nobody cares about them. They are irrelevant.
There are a number of big WWW sites that use Apache.
There are a number of big WWW sites that use IIS.
And, there is a growing and significant number of internal Intranet sites that use IIS because of the way it's seamlessly integrated with Microsoft Office for collaborative work. It's appealing for people in a corporate environment to be able to open, edit and save web pages seamlessly to an Intranet server. In fact, that's where the money is these days.
Not in little Melvin linux boxes serving up the default Apache page that the owner doesn't even know is enabled.
Well Linux still hasn't solved the bug that prevents it from being an Operating System you would be comfortable having your parents use. I have no problem putting Mac OS X in front of my technophobe mom.
Strange women lying in ponds distributing swords is no basis for a system of government.
Fer cryin' out loud...
It's pretty obvious that Microsoft has control of the industry primarily because people *buy* their products. Whether or not buying Microsoft is the smartest thing is an argument we all know the answer to. We also know it's the pointy-haired bosses that are buying quite a bit of it.
But there's also the home user... I don't think I would ever allow my parents to use Linux... not even Mandrake. They'd force me to move back in with them just to provide tech support. At least with Macintosh & Windows they can figure out how to do the things they want to do without needing a CS degree or years of hacking experience. And if all else fails, they can call trained, paid tech support. (Not that they're often very helpful)
About all the bug stuff... Of course Microsoft wants to keep their bugs under wraps... bugs hurt business... but we should have 100% freedom to flout every bug with enthusiasm! Only one thing will steal away the attention of the pointy-haired managers and that is our ability to prove again and again that Microsoft products are the *wrong* choice!
I know I'm risking some big-time flaming, but I don't believe Microsoft has a monopoly. Give me a quantifiable set of criteria for a company to hold a monopoly and let me see if they fit the requirement.
If you can prove to me that there is an existing product that large numbers of computer users really want to use but it is *unavailable* because Microsoft has squashed it, then I'll believe there is a monopoly.
I'm done with sigs. Sigs are lame.
I got this in my inbox yesterday at 9:14pm (EST). If you really care about security with Windows machines look at this page, specifically that mailing list service.
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
Hehe.
Wooden armaments to battle your imaginary foes!
Just a quick note....selling your NFL tickets for the face price is not scalping. Selling for *Higher* than face value is. It's called scalping for a reason.
And pulled the faulty iTunes2 installer and started damage relief efforts asap.
On another note, I'm not sure that Microsoft has any grounds for demanding to be notified about flaws in the final releases of their software. If they want to keep bugs from becoming huge public brouhahas, then they should either fix them in-house while the software is still beta, or open the source up and let other people actually fix it. They're out of line to say that people should find bugs in their ware, tell them, and then sit on their discovery while some cubicle slave works to make a patch, and Microsoft takes the credit for saving the day.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
In the cases where Linux or unix has a majority market share Microsoft still leads the exploit statistics by far.
Of course, it's not as simple as saying that MS sucks, but it's a combination of bad design (don't put everything in every program, don't have unlimited interoperation between everything), bad programming (don't use admin privileges if not absolutely necessary, also a design issue maybe), bad installation policies (don't install everything or even anything but the basics by default), bad admins and bad will.
The combination of these elements ends up in software you don't want to be running because it will stink from a security point of view.
So, no, you wouldn't have the same amount of problems on Linux at least. You'd have problems, yes, but not nearly as many. Unless, of course, the general policies among Linux distribution vendors change to install everything insecurely by default, but hopefully that won't happen, and in the Linux world you can always change to another vendor if one of them goes seriously astray.
Ahh Mozilla. All the features of a 6.0 browser, with none of the blatant, dangerous security exploits that have come to be synonymous with closed source.
You are wrong. It is that they 1) write buggy code, and 2) their design philosophy is routed towards features, not stability. That said, their policy about creating patches with *known* bugs is horrendous; there has been at least one known vulnerability that existed for months without a patch. A patch was only released days after an exploit was implemented. What was this exploit? Code red.
Hey,
Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin
Wasn't @stake formed from hacker group l0pht? Yes, I think they were! They used to attend Def Con, and work on Back Orifice and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to their site in the place of good, solid descriptions?
My, how times change.
-M
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Okay, some vulnerabilities might be difficult to get fixed in a couple of days...but with a team of programmers as large as they have...months is quite a stretch...they still have God knows how many vulnerabilities in NT 4 that have been known for some time! The linux folks can patch stuff rather quickly with a fraction of microsoft's financial and wetware resources. Show me the problem.
Derek Greene
"The agreement provides Microsoft with a rich set of
strategies to undermine the development of free software,
which depends upon the free sharing of technical information
with the general public, taking advantage of the collective
intelligence of users of software, who share ideas on
improvements in the code."
With words like these Ralph Nader almost seems too good to be true: a well known presidential candidate who really knows his open source.
He's like a kick-ass (some would say cheat) dual class wizard/warrior combination.
Does anyone think that withholding software bugs is illegal? It was illegal for Firestone to withhold information because it irresponsibly cost lives. Security holes generally do not, but they do cost companies money. Holding back info for a security flaw will definitely prevent many admins from changing system settings, limiting current development, waiting for a patch before releasing, etc. That in turn will cost money if the flaw is still exploited.
IANAL, but I personally think MS could be sued by a company attacked through a hole kept secret by this security gang. It should in fact be illegal to withhold information about known flaws in any product, since knowing of those flaws may change the value in the customer's eyes. I see that as indirectly constituting fraud.
Anyone know of any precedent or the true current legal standing of such a situation?
Developers: We can use your help.
I was speaking a bit more generally than server software, though aren't there a lot of flavors of Unix? In other words, one exploit that works with one might not work with another. (correct me if I'm wrong, I'm just a designer) Also, I was referring to more than just bugs but also exploits. If no one (or a very small number) uses Netscape Communicator for their email then there is less incentive to try to find exploits for it.
forma3
Apparently "reasonable quality standards" do not pertain to the initial release.
Finkployd
I have XP for gaming. I find it interesting/hysterical that if you disable scripting you cannot view the update page for when the patch is posted..... I can't wait till there is an OS other than MS Win that can run all of my software natively.
Can we change the name of the "Developers" section to "Developers Developers Developers!"... and change the icon to an animated PNG of Ballmer?
I think if Linux or MacOS, as they are currently, were the most widely used, MS would still have more reported bugs, because there's just so much MS stuff. There's the kernel, the GUI, many applications, etc. With Linux, bugs in these would be reported against different entities.
Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grows faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.
So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.
I recently attended a SANS course on IIS. According to the instructor, MS enables features to lower support costs. If it's already on nobody will call to get it working. WFM is a similar tale. It was designed to eliminate support calls but an employee realized it could be expanded to function like tripwire.
Personally, I think if someone needed Internet printing enabled on a web server they would search for a TID instead of spending money calling MS if they couldn't noodle it out. But I'm guessing I'm just optimistic here.
I don't want knowledge. I want certainty. - Law, David Bowie
Speaking as someone who was at the conference, I would like to make a few corrections.
First, it wasn't Microsoft that proposed the idea at the conference.
Second, the idea of this is to try to get people to follow a standard way of reporting vulnerabilities and force companies to take a responsible role in addressing and responding to vulnerabilities.
Third, this is not designed to try to hide vulnerabilities from anyone.
Basically, it works as thus:
Joe Random Person finds a vulnerability in a program or service. He then documents the vulnerability, along with sample code to reproduce the bug. He contacts secure@company.com with the information he has. Joe is now expected not to release information on the bug at this time, but will stay in contact with the company.
The company now has to respond with a couple things.
1) Acknowledgement of the bug
2) An estimated date when it will be fixed
3) Any further questions the company may have
The company will be responsible for keeping in touch with Joe and provide updates on timeframe.
Once there is a patch in place or a fix has been implemented, the company goes public with the bug, including high level information on the exploit. This will not contain code that will exploit the vulnerability, but rather a description and model by which it could be exploited. The company will give credit for the find to Joe. Joe is also free to release his own high-level description of the issue.
After the grace period (around 30 days, there are exceptions), full information on the exploit is released, including code that can be used to exploit the vulnerability. This grace period is intended to allow administrators to have a chance to patch their products. At this time, Joe can also release a full paper with sample code and more details. Again, full credit is given to Joe for the find.
The intent of this is not to prevent the details from becoming public. It is rather intended to lessen the damage that can happen after the release of exploit code. It is not guaranteed to prevent damage, just to try to help reduce it.
There could be errors in this, and don't take this as a summary of the eventual document. This is my summarized take on it.
"All the things I really like to do are either immoral, illegal, or fattening."
- Alexander Woollcott
Why did you USAnians not vote this guy in as president? Nader has consistently shown himself to be perhaps the only American politician with any clue, ever.
Instead you lot went to a two party choice between Mr Personality and The Chimp. And the Chimp won!
The world weeps.
Why are you so obsessed with MS? You're supposed to be using Linux, so what exactly are you complaining about?
Is it really so hard for you to accept the fact that MS, a company who in your opinion doesn't know much about software development, is more successful than any other OS company?
From his "open letter":
We note at the outset that the decision to push for a rapid negotiation appears to have placed the Department of Justice at a disadvantage, given Microsoft's apparently willingness to let this matter drag on for years, through different USDOJ antitrust chiefs, Presidents and judges.
Wow. What an awful, complex, and incorrect sentence! Here's how I would have said it:
The preference for rapid negotiation has disadvantaged the Department of Justice. Microsoft is willing to let this matter drag on for years through different antitrust chiefs, Presidents, and judges.
Another gem from the "open letter":
Moreover, where Microsoft appears be given broad discretion to deploy intellectual property claims to avoid opening up its monopoly operating system where it will be needed the most, in terms of new interfaces and technologies.
Subject? Verb? Sentence? I'm lost. Here's my attempt:
Microsoft has been granted broad discretion to keep its operating systems' interfaces and technologies secret under the pretense of intellectual property protection.
If you want to make an argument, make it clearly and succinctly. This "open letter" is so poorly written that I can only conclude Mr. Nader is too technically unskilled to run a simple grammar checker or is too uncaring to give his own writing one last visual inspection before publishing it. Judge Kollar-Kotelly will likely come to the same conclusions, invalidating any good and valid arguments Mr. Nader might have made.
- "It's just a matter of opinion!" - PRIMUS
No, it just illustrates the simple fact that most people are unaware of the alternatives, and that they are (knowingly or not) the prey of a monopoly.
Anyone else remember when l0pht.com used to be the place to find information on Windows vulnerabilities? I see that @stake is one of the 5 security companies announcing this anti-information coalition.
Heh, security through obscurity! That's a good idea that has always worked for Microsoft;)
James says that today various Internet features are woven more deeply into Windows, offering consumers such benefits as one-click access to the Internet from e-mail.
Yes, Chuck, and in exactly the same way one (double) click on an image file brings up LView (unless Office has assaulted Windows and you get MS PhotoEditor)
So it's pretty clear Mr. James doesn't know a damn thing about how OSes work. But try explaining to your friends, even ones who are not terrified by their keyboard, or mildly interested in how such things work, why these two actions are essentially the same thing, and they'll just stare at you, maybe say baaaaah.
The only way out of this is for people who are tech-savvy and interested to get involved with legislation of technology. To law school, my pretties!
Well if you keep getting your Red Hat box hacked perhaps you should consider setting up a firewall and disabling unnecessary services if you haven't already done so. An open box with running services is quickly hacked if not secured properly.
I've had @Home service for nearly two years and haven't had to reload the box at all since I haven't been hacked. I follow @Home's EULA and don't run any publicly available services on my Linux system. My firewall logs show a lot of script kiddie activity sometimes with port probes but with disabled services and a good set of firewall rules it is possible to keep the system reasonably secure.
Tony
It's smaller, faster, and doesn't use ActiveX
If people just designed sites properly, everything would look great with the browser, sites I've done have.
Last week, I came across CmdrTaco's poem generator (http://cmdrtaco.net/poemgen.cgi), and after trying it out on the obvious candidates such as /. and kuro5hin, I entered www.microsoft.com and got this:
Welcome to the Microsoft government
reach settlement. Consent decree is to
the perfect after school program.
Now students
and more.
Windows XP. U.
Taken figuratively, I'm wondering if this isn't too far off the mark. From what I've read, Bill Sr. and Mary Gates have been very politically active in Washington state for a long time. Back in the initial IBM-PC days, Mary knew the chairman of IBM through her involvement (IIRC) in the United Way - I've always thought that this was an influence in the contract negotiations that led to MS-DOS being used on the PC. Bill Jr. has been to Camp David on at least one occasion, so the political side of Microsoft has been there from the beginning. This is a company that has covered all of its bases very well.
In fact, I'm coming to the conclusion that the software itself has been the least important factor in what makes Microsoft what it is.
Reading thru the "irresponsibly" link, I have to agree with the "Responsible Handling is Key", but in a slightly different way than the author meant: the responsibility should be carried only by the software manufacturer. Just imagine if Ford tried to stop people reporting problems with the braking system... okay, this might not be the same thing; so imagine them trying to stop you from telling that all this year's cars can be opened with a toy remote; do they stand a chance in hell to get anything else than a laughter?
Maybe it's time for the software industry to stop being the spoiled child and enter maturity, like any other industry: by assuming responsibility.
You know, with more holes being discovered and even less being documented in the future, the more I feel like blowing my Windows partition off of my hard drive for good...jeez!
(shaking head, but not surprised)
Eventually, MS's shots to the head should actually hit the small grey matter in it...
One thing I know from talking to a friend who was on a Microsoft programming team. They do not get bonuses on quality / security of code, but on the fact of how fast they can get it out for cash. Basically as I was told, their software is never really fully tested. With 2000/NT, until patch 2 came out for either of them, they were riddled with security holes and bugs. Microsoft is a moneymaking company, not a quality software company. For someone as big as Microsoft, they easily could test their products extensively, but that would cut down on their profits. Oh damn, we could not do that to poor old billy boy Gates could we.
Personally, I would not care if Microsoft is a monopoly if they would be somewhat inventive (they just revamp others' ideas) and put out quality code.
My 2 cents plus more
It wasn't redundant when it was posted; read the timestamp.
All these comments were posted at approximately the same time, in response to a pathetic MS cheerleader.
Recent public statements by Microsoft executives have cast Linux and the open-source philosophy that underlies it as, at the minimum, bad for competition, and, at worst, a "cancer" to everything it touches. Behind the war of words, analysts say, is evidence that Microsoft is increasingly concerned about Linux and its growing popularity.
It's nice to know they see Linux as a threat. They should.
The agreement provides Microsoft with a rich set of strategies to undermine the development of free software, which depends upon the free sharing of technical information with the general public, taking advantage of the collective intelligence of users of software, who share ideas on improvements in the code.
Glad someone pointed that out in a direct manner. Let's hope because it's prominent people that somebody takes notice as well.
:) Redundant. I know.
Most people would die sooner than think; in fact, they do.
Go call Microsoft and ask them if you can sell your copy of XP, eh?
Hint of what response you can expect: In. Your. Dreams.
Maybe they will figure it out when it has a measurable impact on them. You know, when they lose the ability to run roughshod over markets, dictate standards, and relegate competitors to obscurity.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
where did all of the corresponding Republican votes go?
To Bush. That's why he won. Nader sucked Gore's chance of winning right out from under him.
I'd like to open this with an insult.. but I won't
;)
in no particular order:
I can sell my copy of XP if I wish, if I sell my NFL tickets it can be scalping..
No you can't, otherwise, Microsoft wouldn't be cracking down on people on eBay selling their LEGITIMATE unused copies of WindowsAnything
The major league baseball is an approved monopoly.. WHY? It isn't like we need a standard in baseball players. The NFL is an approved monopoly.. WHY? Verizon sells worse service and products than Microsoft and restricts customers' choices, but nobody wants to break a telco..
This is great.. Monopolies are ok, if they're not detrimental.. and Verizon?? if i don't like the I switch to sprint, or cingular, or some no-name service.. i don't see a monopoly here..
I'm finding more reasons to use Windows every day. It has great Java support,
You need to be more clear on this for me, at last count WindowXP wasn't even SHIPPING WITH JAVA SUPPORT! Is that crack smoke I smell?
still no good office suite, fun fun fun
still no good (bugfree) developer suite, fun fun fun
Yes, I'm guessing it is crack smoke, didn't KDevelop just win some award or another?? Have you ever TRIED to develop in Emacs?? Obviously you can't be much of a programmer if you truly think this.. Especially if you think ANY software is "bugfree".. even if you're just being figurative, I KNOW you're not tryna convince me VisualStudio is "bugfree" HAHAHAHA!!!!!
oh, and as far as Office Suites go, I direct your attention to: Staroffice 6 beta's latest scorecard...
hmm,
I wouldn't ever recommend windows for a server, nor would i recommend linux. HPUX or Solaris all the way, possibly IBM but i'm not a fan of AIX yet.
Obviously you've never used either HP-UX or Slowlaris, especially if you think there's such a thing as an AIX fan.. heh.. I highly recommend using Linux as a server, especially if you'd like to LEARN Solaris or HP-UX..
And, Ask IBM about AIX.. In particular, ASK THEM WHY THEY ARE RETIRING IT AND REPLACING IT WITH LINUX!! on RS6000s, retiring OS/400 on the AS400s, S390s already run Linux, Netfinitys, NUMA boxes, thinkpads, EVERYTHING..
I'd never recommend linux on the desktop. It merely makes a good tool to learn from, tinker around with.
Honestly, neither would I, but the people I work with, who see Gnome, the people I work with who see and use KDE, and those who see it for the first time [i run E, fyi], really really really want me to.. I tell them, maybe.. maybe when StarOffice 6 is out of beta.. I think they're crazy to want Linux on the desktop.. even if it would drive IT support costs down because it's SO MUCH EASIER to administer. The biggest thing holding it back, i think [besides decent MSOffice filters], is Unix administrators who are too used to administering servers, not wanting to support Lusers(tm), and Help Desk/Desktop Support guys who are just now thinking about learning it.. once that gap gets a little narrower, I think I'll start recommending it more.. otherwise, I'll just go around showing people how much more pretty my notebook is than anything they've EVER SEEN..
Redone vm, fun fun fun
actually, it is.. my machine swaps A WHOLE LOT LESS now.. i highly recommend 2.4.14..
Commercial apps don't work, fun fun fun
Sure they do! VMware runs like a dream! =) So does Oracle, Mentor Graphics.. What in the world are you running??
Bloated new apps, fun fun fun
Hmm, the only thing I can think of here might be Nautilus.. At the same time. It's still being developed [two minor versions now?], long after Eazel went the way of the dodo bird..
And in conclusion.. I can't wait for posts like yours to go the same way..
have a nice day, Captain Uninformed..
m.
--
US$0.02++
While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
"I may not have morals, but I have standards."
Why the heck don't they call "campaign contributions" by their right name? Bribes. (I'm no lawyer)
and yet they still fragrantly defy the law
So THAT'S what that smell is! I thought it was just my cubemate's brain frying on this old code.
"Active Scripting" is the term Microsoft uses to refer to client-side JavaScript and VBScript. Thus, disabling active scripting will not only break pages designed for IE, it will break any page designed for any browser if that page contains JavaScript or VBScript (remember, there's an addon for the Windows version of Netscape 4.x that gives it the ability to run client-side VBScript and ActiveX controls).
Furthermore, Michael, switching off Active Scripting is not the only way to avoid falling prey to this exploit. In order for the exploit to work, someone must convince you to go to a specially-formed URL. Being smart enough to recognize malicious URLs would allow you to avoid this security hole without disabling Active Scripting.
I find it disturbing that you're so obviously biased against IE (and apparently also uninterested in learning details before representing your own uninformed misconceptions as "fact"). I've never made the mistake of thinking of Slashdot as an unbiased news source. A predilection towards open-source rather than commercial software is one thing, however, while openly vehement bias based on false conclusions is another.
For your own sake, and for the sake of Slashdot's journalistic integrity (ha ha), please at least do a little bit of fact-finding before posting knee-jerk stories like this.
Cookie vulnerability found here
Reading this gave me a warm fuzzy feeling inside.
-----------------
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
As a result of this move by Microsoft to silence the independent security teams who bring vulnerabilities to light, the NMRC have released a call to arms for "Information Anarchy."
Article on it here.
Open Source cares more, plain and simple.
Sean D.
"Hmm. I am to metaphor cheese as metaphor cheese is to transitive verb crackers!"
> Well Linux still hasn't solved the bug that prevents it from being an Operating System you would be comfortable having your parents use. I have no problem putting Mac OS X in front of my technophobe mom.
Those aren't bugs, it's the choices of implementation. How did a troll such as yourself get a +1?
But that vast user base is completely ignored.
This is what really makes Microsoft look doubly stupid! Everybody seems to know about the bug(s) (what does vast user base imply?), except of course, Microsoft, who fakes ignorance.
Who does Microsoft think they are fooling? It can't be their customers. It could only be their investors, who seem to be clueless beyond hope.
for 2 games i can upgrade to a 1900 mhz XP Athlon Processor
We can already see how ignorant this poster is.... They don't have 1900mhz Athlon XPs yet, only 1900+ Athlon XPs
It has great Java support
Pardon me while I laugh.
Bloated new apps [for linux]
dude, are you trying to compare Win apps to Linux apps? Bloated is Windows.
I'd never recommend linux on the desktop. It merely makes a good tool to learn from
And learning is not needed? Well, let's get rid of the education system then!
I'm finding more reasons to use Windows every day. It has great Java support, a polished gui, a great application base, a great office productivity suite and lots of games
Odd, that's why I use a Mac.
Dumb-ass...
sin(6cos(r)+5A)
The manager responsible for this piece of Internet Explorer was overbudget and entrusted its development to a college co-op with Visual Basic experience.
It's all so clear now...
-- @rjamestaylor on Ello
i think he effectively shit on my opinion that political leaders have little understanding of technology. rock on badass...
Please help! I'm stuck inside my virtual reality headset!
Pissing in the ocean. That's what this "unnamed organization", otherwise known as the "Security KGB", will accomplish. I'm amazed at how many businesses aren't making enough money from the internet, and thus are trying to legislate out free speech. I'm having a blast, personal economic downturn and layoff aside, watching these companies that have never actually had a product to sell, crying because the big bad internet is out of control, and that they can't compete against free products that do EXACTLY THE SAME TASKS as their pay-products. Waaaa...
Welcome to the open market and the information age, crybabies exit at the rear...
98Lite looks interesting, but Win9X won't run without IE as too much of the OS has been mulched into it. Try actually removing IE and see what happens. =;) Holy no boot, bat-man.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
http://www.microsucks.com
It's interesting. I've already read every one of these articles linked to by slashdot in the last few days.
But the bizarre thing is how biased slashdot is with their presentation. If you actually click thru on the links and read the stories, you'll understand why.
For instance, why wasn't this article from news.com linked as well, considering it is Scott Culp responding to a lot of the questions and accusations?
http://news.cnet.com/news/0-1014-201-7819204-0.
Unfortunately, with this "rice pudding" model of software it is virtually impossible to verify correct operation. Once upon a time there was a discipline called IVV (Independent Verification and Validation) that was used to verify mission critical software for the DOD. This drek would have never, never, ever, made it off of the bench, much less to first base. I shudder whenever I hear that the military is using "off the shelf" hardware/software (read Wintel) units. It wouldn't take much to bring the whole thing down. Pogo was right "We have met the enemy and he is us."
Sex is hereditary, if your parents didn't have it chances are good you won't either.
Hint of what response you can expect: In. Your. Dreams.
Actually, this (Warning! Don't click on this link unless you actually like that sort of thing!) is what you can expect if you ask Microsoft if you can sell your copy of XP. And then they'll turn you over to the BSA so they can have their turn...
That is all.
As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
Well duh! If you're creating webpages just for IE you get what you deserve. There are standards out there and if you use them you will be fine. If you don't use them you only have yourself to blame.
I've stopped blaming Microsoft and started blaming these webmasters who ought to know better.
A Government Is a Body of People, Usually Notably Ungoverned
come up with an original idea? we have thousands of times, MS just keeps stealing them and calling it their own...
.NET.... blatantly stolen from redhat.
GUI blatantly stolen from Unix.
NT filesystem and services model.... Stolen from Unix.
there isn't ONE thing other than stupid ideas coming from Microsoft.
and only a moronic drool monger would support anything microsoft did or stood for.
so yes, you sir are a turd.
don't buy their games or their X-box.
Nope. It's not.
The Netcraft survey crawls through all those little Melvin machines which each have an httpd running that nobody ever accesses.
Nobody cares about them. They are irrelevant.
Actually, it tends to go the other way - IIS installs as standard on a heck of a lot of WinNT boxen that do no hosting, and as (much as we hate to admit it here) most small businesses (big enough to have an always-on connection but not big enough for their own IT dept) use Windows. Most Apache installs are meant to be there.
whoever posted the parent to this is a turd, plain and simple.
Microsoft is _JUST_NOW_ owning up to this hole???
... Just how the hell do people think Melissa, Anna Kournikova, Love Letter, sircam and the e-mail attack in nimda work???
Two years ago when I was working for an ISP, I had every new user who called in for setup help (damn near all of them) configure Outlook/Outlook Express this way.
I mean, jeez
utter rubbish
How can anyone (with an internet connection, computer magazine subscription, etc.) be unaware of Linux? The zealots have been trying to push it in our faces for a few years now, with marginal success. If it was better, more people would use it.
If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.
Microsoft's products are buggier because they are more ambitious in terms of functionality and target user base. Designing software that is only used by people with software knowledge is much easier than designing software for the general public. Creating an application that accounts for all the possible mistakes and questions that the average user is going to have is a huge undertaking. Add to that the extra functionality that M$ adds to its products (for better or worse), and it is no mystery why it has more bugs. Sure it crashes more, but it also DOES more.
As such, the idea that more bugs will be found in software if it gets wider distribution puts the cart before the horse. In order to get wider distribution, software must expand ease of use and functionality, and thus expose itself to the introduction of bugs (if it is to be released in a timely manner). However, users, as history has demonstrated, care more about features than they care about bugs. Again, as history has demonstrated, the most stable OS you can create, even if it is free, can not compete with an OS that includes the functionality that people want and, more importantly, is easy to use.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
Getting to vote for a politician that I believed in - I'll be telling my grandchildren about that....
This anti-disclosure policy is about the largest example of "a problem doesn't exist if nobody knows about it" that I have ever heard. Guess what, if a tree falls in the woods and nobody is there to hear it, it does make a sound.
MS tries to claim that publishing security flaws informs would-be attackers. Excuse me, but are they f&*^(^@$ serious!? I'm sorry, but no malicious hacker above age 6 is learning about these holes in the system from USA Today's tech section (those who find the holes let us all in on the secret, and they cannot be silenced). The people who are kept in the dark here are the people who invest their money in MS stock, which is exactly as MS wants it. I pity the poor admin who thinks MS will let him know when his system is ripe for f&*^*&^%*&.
I guess that's what you get, "Thank you for choosing Micro$oft for all your server needs, now bend over".
Fortunately for M$ (and unfortunately for Linux), the average user does not have the same requirements as the DOD. They will continue to pick functionality and ease of use over stability every time.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
...because Microsoft is implicitly saying that it's okay to enable Active Scripting on Microsoft sites because you can trust them. Despite the fact that they're the ones who gave you this security vulnerability in the first place.
Gee, maybe that explains why http://packetstormsecurity.org has had the rate of submissions slow from many a day to one or two every couple of days. I KNOW vulnerabilities are being found but it's REALLY hard to explain to management why they MUST rollout a security patch if I cannot PROVE to them that, yes it's a problem! Has everyone rolled over?
WTF is wrong with these folks?! I can see it now - we're all going to have to sign up to some sort of subscription service to learn about the various vulnerabilities. No doubt it won't be free, right? I have a VERY hard time believing that @Stake aka L0PHT signed up for this. My opinion of those fine folks just dropped into the basement. I never thought I'd see the day when they would kowtow to Microsoft, it's a sad day indeed for the security industry.
Who are we doing this for? The children? National Security? Oh wait - Bill's cash. Seems to have greased the DOJ wheels pretty good, guess things are bad all over when the security industry sucks it up too. This just makes me sick.
Any good full disclosure sites out there taking over where PacketStorm died? If so I'd appreciate some URLs. BTW, some of the folks on our team swear the SecurityFocus has pulled data OUT of their vulnerability database in recent months. Cannot confirm it for sure but when you know you looked it up previously and then it's not there later you have to begin to wonder....
P.S. If RFP signs on Hell will have frozen over. Thankfully he doesn't appear to take cash for his efforts!
Build it, Drive it, Improve it! Hybridz.org
I do find it funny that Microsoft has managed to win against the government by, essentially, saying "Naw, we don't want to do that". I never thought I'd see the day when the bureaucracy would put up with that. When it's people, they get squished. With Microsoft, I honestly thought that Billg and everyone else involved would be stuck in a jail cell on "contempt of court" and perjury charges.
That would've been an interesting way to finish off the case, though. "Not willing to say you lied? That's fine, we'll come back to your cell in 5 years and see if you still want to sign our agreement".
Whoever thought you COULD fight city hall, especially by saying "I don't wanna"?
One operating system shall bind them all
They tend to think more of features, and what they can enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
I will point out that this is exactly how the vast majority of people think as well. In most ways, MS is giving the customer exactly what they want.
People are not trained to think about computer security (and would probably give up on computers if they had to). Thus, they only see security measures as a hindrance. I've certainly heard people complain that Java applets can't really do anything useful since they can't do what an ActiveX program can...
Blaming MS for badly thought out security is like blaming Hostess for making fatty foods. They're both addressing what their markets want, not what "is good for them".
Why all the MS bashing? If it wasn't for MS there would be no OpenSource. ;-) Read today's TheRegister
Quote: The open source movement wouldn't exist without Microsoft, Bill Gates told his company's shareholder meeting earlier this week. Open source is also a follower, not an innovator, and destroys jobs, the economy and world peace (we made that last bit up).
Help fight continental drift.
Don't go blaming me and others that voted Green simply because the Democratic party couldn't rally the troops when it came time to put up or shut up. Nader stuck to a position, Bush maintained his platform, Gore OTOH spent too much time trying to find the best way to sell himself to the public. I haven't seen that much waffling since Bush Sr. was in office.
Nader didn't cost Gore the election and Bush didn't beat Gore. Gore defeated himself. End of story.
I don't want knowledge. I want certainty. - Law, David Bowie
It's scary that the lead anti-trust lawyer for the government said this:
James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues." He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
And we all know security through obscurity works so well.
Of course, Linux is free, so the reason more people don't use it isn't the same as the reason more people don't drive Ferraris or Mercedes Benz...the average person doesn't want to mess around with his or her computer any more than he or she wants to have to do his or her own car repairs, and thus if, thanks to MS's restrictive OEM licenses, you have to build your own computer to run Linux and have to install it yourself and, thanks to the applications barrier to entry, have to go looking for Linux applications, the average person won't bother, but will instead be an obedient consumer and use Windows.
Earth to AC: Read The Fine Court Decision. MS has a monopoly, and can and does use it to crush competition.
I have an idea, let's make sure that none of our clients or investors know what they're getting themselves into.
Since MS keeps its code secret, why not keep its vulnerabilities secret too, that way, evildoers will never know about it. Yeah right. If you can't see that an anti-disclosure policy affects only investors and customers, then you should open your eyes.
This is an example of Microsoft attempting to control information and public opinion; it does nothing to stop malicious attacks. If anything, it gives a false sense of security when there is none.
Look, don't get me wrong, a company should be wary of things that affect its image and value on the market. Microsoft has a responsibility to investors, customers, and employees to deliver a profit. However, the anti-disclosure policy is not good business. This policy does nothing to address the problem; it only addresses the public view of the problem. Security holes must be made public knowledge for the sake of the customer, so that measures can be taken to protect themselves from attack.
Perhaps you are right that the idea of bashing MS is not new, but in this case, the fact is clear that MS is sticking its head in the sand when it comes to the questionable security of IIS.
By your logic, a Casio is a better watch than a Vacheron Constantin. A Toyota Corolla is a better performing car than a Porsche, and an Olive Garden All-U-Can-Eat-Italian-Buffet has better food than a cozy, 200 year old, family owned and operated restaurant on the Sicilian coast. Quality and quantity are not synonymous.
You are correct Mr. Total Shit WinZig! Linux distros use standard communications protocols to get updates to you, MD5 sums to check the package and well defined, open source, free methods to upgrade.
Why would anyone in a free world try to invent some stupid buggy proprietary closed up methods to replace accepted practice? To fuck you, that's why. Give me all your money, says Mr. Gates. TCP/M$ at work for you.
Surprise, other people will find the hole and abuse it. I seem to recall a few "spam mails" opening up on my machine behind the company firewall a few weeks ago. It would be OK, because MSIE is so slow I could kill it before it finished reading the proxy script. But then I reported it and some dumb ass at the exchange group remoted into my machine and activated the stupid thing while I was not there. Great. I wonder what it did to me and what it will do to the "enterprise". Oh yes, I tried to turn off scripting by changing the association types to NotePad, but I see there is a new Leet trick with the left hand for protection these days. Thank you SOOOO much for the belated and useless tip about "prompt" mode. The black hats have struck again, weeks before notification, and more weeks before correction.
Why, oh why, does my company use this shit?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
*sigh*
Under capitalism man exploits man. Under communism it's the other way around.
What do you mean still?
RedHat has released more bulletins about security vulnerabilities this year than Microsoft has.
At the rate RedHat is going the ratio will be 2 to 1 next year.
Oh yeah? What about a redirect?
From this article...
Arming the enemy
First, let's state the obvious. All of these
worms made use of security flaws in the systems
they attacked, and if there hadn't been security
vulnerabilities in Windows®, Linux, and Solaris®
I thought Linux was a registered trademark? Because it's free, does that mean they don't have to recognize their trademark with ® signs they like to toss up all over the place???
Why can't M$ get a patch out in the "few days" of warning they had? Because they are too busy breaking other people's applications to fix their own code. M$ is ruled by the $, don't think engineering has any power any more. If PR and management wanted a good reputation, you would think they would quit trying to screw everyone.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I have a lot of respect for Nader (I even voted for him), but I don't think he knows much about computers or software. MS is an easy target and Nader hasn't been particularly effective at protecting consumers in recent years. I wish he would do more to break the Ticketmaster monopoly which is far more comprehensive than Microsoft's and has measurably harmed consumers financially.
i've been using up2date on my computer at home. after you login you get one free "seat" (i don't remember the word they use).
so when you start up2date on a computer the first time you create a profile of that computer at redhat. you can move this seat between computers so you can still use it for free if you have multiple computers. this is nice because it cuts home users, like myself, some slack.
-- john
You can turn on or off scripting for the sites of your choice you know. You can have it on for windows update and off for everything else if you need to. I have it off for everything and only turn it on for a few needed sites (Like windows update)
So basically you look a lot more like a fucking dumb-ass.
MS is the largest, most resourceful, and "most innovative" software company in the world. Unless MS claims they don't have enough budget to hire, and they haven't found an innovative debugging method to QA their product, the size of the user-base is nothing but an excuse, simply implying they don't really care.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days".
no, what's irresponsible is having critical flaws in the first place!
I don't know, last time I checked IIS was only installed by default if you upgraded from a box with PWS on it. This is *not* a very common happenstance, and I fail to see why the "IIS installs by default" mantra is so prevalent, given that it *hardly ever happens*.
What's a sig?
Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.
This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.
It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived at such a one-sided settlement.
Most evil is done by good people, and not by accident, but deliberately; motivated by high ideals toward virtuous ends.
Wrong.
Every way-kewl-radical Linux user throws up apache to show off to his friends.
Either they or their technology are pathetic.
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
Would you mind posting a few links for your extraordinary claim? No, I don't believe 98Lite does it.
Ahhh! I've stepped into another God Damn troll hole. Why on earth are you sitting around here making excuses for M$ crap? The bottom line is that people trusting M$ BS are subject to yet another email attack. Kudos to you if you manage to torture that platform enough to keep your game box from being destroyed, but that amount of effort put elsewhere could earn you a living instead of Bill Gates. I prefer to be free.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
So, there's apparently a huge market for poorly designed, poorly implemented, but "feature-rich" and "easy to use" software.
Okay.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Your day wouldn't be complete without Microsoft news.
If we don't make light of everything, we are just stumbling in the dark - Blank
"Install IIS" is on by default in the Windows NT Server 4.0 installer.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues." He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
Umm, damn straight I want to know how they work! How else do I know if they are really secure? Trust MS? I think their track record speaks for itself on that one. Do I trust OpenSSL to keep my credit card secure? Yes, because I know how it works.
When will people learn, security through obscurity is a dead end.
Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...
The real danger is when someday someone will discover one of these huge gaping holes, not tell a soul, and then exploit them for profit, terror, extortion, or simple chaos.
We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....
I hope Bin Laden blows up Redmond, that's the one good thing he could do.
You can't view the technical details or frequently asked questions with active scripting disabled.
How else do you explain Microsoft's success then? That's exactly what they're doing.
bug.gd: error search engine. Humanity working together to solve all errors.
Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.
From Microsoft's article:
We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:
By analogy, this isn't a call for people to give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
But the movie house is on fire. The bug exists - your private information is vulnerable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.
It's natural for a powerful organization to want to suppress speech that points out its flaws. It's natural - but it should never be tolerable.
Don't blame me; I voted for CowboyNeal.
Interestingly, Apple has generally taken the exact opposite approach. I haven't run OS X yet so I don't know what the precise situation there is, but out of the box an OS 1-9 machine has no network services enabled by default, except the basic support for AppleTalk/EtherTalk, while Windows boxen, particularly NT systems, have a bunch of open ports by default. I suspect that OS X probably has some open ports; *nix tends to necessitate it. I still get paranoid about syslogd. :)
I've never heard that Apple gets tons of support calls from this policy.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
And your interpretation of Pogo sucks. The correct line is:
BTW, what does it mean for a software design to 'get to first base', as you put it?
Ok, so once upon a time there was the l0pht who did some great work and believed in full disclosure. Then they get bought out by @stake and suddenly they find themselves not able to release information on Microsoft's vulnerabilities. WTF?!? are those guys just sleeping on their big pile of money now?
There's a reason why MS takes so long to get security patches out.
A previous poster mentioned Apple with the iTunes installer nuking the hdd, and how they got a patch out quickly, implying that if Apple can do it, MS should be able to too... well, things aren't quite so black and white:
The problem in the iTunes installer was a small typo in a bash script. The behaviour of the installer script is so simple that it's fairly obvious what effects the change would make. Easy patch. If only all bugs were so easy to fix.
A relatively short while ago some info regarding few vulnerabilities in Exchange (I think it was Exchange...) were released to the public@large by some third party. MS rushes out patches and lo and behold! A fairly significant proportion of users reported serious issues after installing the patch - it was messing up other parts of the system. MS rushed out a second version of the patch, which again wasn't satisfactory. It took 3 iterations of the patch to get something that seemed to work successfully on almost every machine it was installed on!
What went wrong? The Law of Unintended Consequences reared its ugly head.
If you look at the security holes that poke up in MS stuff, they often look like they result from some complex interaction that Microsoft's developers never expected. These interactions are partially the fault of the way they seem to design their systems and partially due to the vast number of configurations they end up operating in. Unfortunately, when you're fixing a bug that's resulting from some complex and probably subtle interaction between different components of your application (or even worse: another application) then your change could have drastic and far-reaching effects.
To help mitigate this problem they do extremely extensive regression testing. Typically, before a patch gets posted it's run through some of the weirdest and craziest system configurations they can think of to make sure it doesn't break anything, and if it does they figure out why and fix it. This takes time. Lots of time!
Failure to address Ill Gotten Gains
Ill Gotten Gains, or Bill Gotten Gains.
JET Program: see Japan, meet intere
While I'm glad he's chimed in on this, I'd say he's just as, if not more, "uncompromising" and "abrasive" as RMS.
It appears that this agreement is an important step in the right direction for Microsoft:
It's the only thing they've done where it didn't take them 3 tries to get it right.
Sure, let's enable scripting "just this once", because Microsoft servers have never been infested by worms or trojans right, so we can trust them.
Besides, it's much easier to leave the nice dynamic content scripts all over the site than to just provide a basic HTML with the exploit warning and patch link.
They might as well make the whole security notification system an ActiveX control- because those have such good security, much better than a simple text file.
Sarcasm off, one would think that security advisories could avoid using the tools that generate the majority of the security advisories.
Sure it crashes more, but it also DOES more
This is not an excuse, it is also only half true, Windows XP does crash more, but it certainly does not do more than RedHat Linux 7.2
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
First off it isn't even possible to debug MS software. Who is going to test it on all the configurations out. My Suse version of Linux won't support my GeForce 3 but that is because instead of adding function they choose stability. Second of all business does nothing till it is cost effective. That is a period at the end of that sentence.
and be done with it. He's babbling and making absurd accusations.
Yeah in Linux-world you do have to make SOME compromises for the sake of security, BUT you mindless dolt, you don't have to hamstring your system to the point that you can't access needed resources (*like updates*).
Computer Science is Applied Philosophy
Actually, this is a useful comparison. The Twins issue is all about coercion: St. Paul voters (bless them) decided a few years ago not to fund a new stadium for the Twins with tax dollars. There was a lot of bucking and hawing, but the public's message consistently was, "We want the Twins, but we don't want our taxes to fund them." Here's a great feature from Minnesota Public Radio about the whole history of the issue.
A few days ago, the major league baseball owners voted to eliminate two teams. It's front-page headlines here. Here's the catch: they've announced that they'll eliminate two, but not which ones. They're basically trying to whip up a lot of public sentiment, and daring the various cities with struggling teams to outdo each other in tax subsidies. It's a disgustingly coercive power play.
And I expect to see the same from Microsoft. If -- we could only wish! -- the court threatens a remedy that will actually have any effect, they'll start dangling their carrots and tying their heroines to the railroad tracks. They already do this in their rhetoric with these far-fetched missives about the economy, freedom, and Technological Progress.
But I expect to see some concretely coercive tactics from Microsoft aimed at the government and the public as a whole, similar to what the baseball owners just did. What will they be? I don't know. But I expect it -- Microsoft is the slyest bunch of bastards on the planet when it comes to business strategy. Any theories?
Yes, I went to those servers once, while CodeRed was ravaging servers left and right... But all I saw on the page was some text saying something like "Hacked by Chinese" and a link to www.worm.com or something...
Then shouldn't we be seeking to split Clinton up into two separate entities?
I vow not to purchase any Microsoft products, directly or indirectly, from now on. That includes PCs that come with Windows. My next system will most likely be an Apple PowerMac/Book. Mac OS X is a great OS (UNIX-based) with a great UI!
Many many people I've helped support for the ISP I work for have never heard of windows update, or never been to the site to get updates. I suspect the issue is that so many copies of windows are pirated, and those users think they'll be discovered by MS if they run windows update.
I like that XP makes people pay, folks will not pay and seek alternatives...what, you can run the corporate version and make as many copies as you like?....I wonder if MS did that on purpose?
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
I seem to be trapped in some sort of reality distortion field, because I could have sworn Microsoft lost the original trial and the subsequent appeal. And yet in the settlement, the DOJ is acting like Microsoft won the case. I imagine this conversation between a judge and a convicted felon:
"You have been found guilty of the crime of murder, and will be sentenced to life in a maximum security prison."
"Um, yeah, maximum security...I don't think I'll like that very much. How 'bout Tahiti?"
"Oh, all right, but only if you promise to behave!"
There ain't no rules here; we're trying to accomplish something.
I tried many of the IP addresses that showed up in my apache log during the recent Code Red (and its brethren) attacks to see what machines were compromised.
You know what - most of them were on subnets owned by DSL and cable providers, and when you requested a page from them you got back either nothing or the "welcome to IIS" page.
"hardly ever happens" my ass - it happens all the fscking time.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
That's a red herring. One of the natures of open source is that people get to see what's going on under the hood. This allows more bugs to be found than if the hood is welded shut and you find them by stumbling over them.
Who knows how many MS security bugs were found that we DON'T know about, or how many INCREDIBLY stupid things are going on that could be HUGE problems inside that closed source...
MS refuses to address the massive security problems with word macros (who needs them REALLY...) email (Yet Another .vbs virus...), etc. MS claims that these massive security holes that are impossible for you to disable are there by customer demand! These are "Features", not "Flaws!"
And No, the options in IE, Outlook, word, etc that are supposed to secure things don't really. Check bugtraq archives for more info.
They seem to be drawing a large distinction between the "security community" and the "customers". From my point of view, no distinction can be made. Your customers, who actually use your software for their critical business operations, need security. This makes them part and parcel of the security community because not only are they exposed themselves, but many times they are able to recognize vulnerabilities when they have been exploited and warn others. Your customers are your security community, and vice versa.
Go Lakers!
Quoting from "Don't Drink the Water":
"'Cause you're all dead now
I live with my justice
I live with my greedy need
I live with no mercy
I live with my frenzied feeding
I live with my hatred
I live with my jealousy
I live with the notion
That I don't need anyone but me
Don't drink the water
There's blood in the water
"
Interpret as you see fit. Sorry 'bout the copyright infringement, Dave.
Anyone who puts that crackpot ultra right wing crap "junk science" link in his/her info field cannot be taken seriously.
Ah, but you see, you're not necessarily comparing apples to apples. The following could be an interesting exercise:
How many vulnerabilities from each company...
I haven't done this exercise, but I strongly suspect that it would show that MS and RH have very different views of what constitutes a "security problem" that needs to be reported & patched. I'm guessing most if not all of the MS bulletins are remotely-exploitable holes, and that most are probably not mere DoS holes. The RH bulletins, on the other hand, will have a lot of temp file vulnerabilities -- which, in the MS world, would not even be considered bugs, much less security holes.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
In my experience, I always thought that a large part of the MS bugs come from the fact that MS offers features (no sarcasm) that are inherently prone to security flaws. I've never once heard of a user security being breached when they were off a network and writing a document in notepad.
Examples include
VB scripts + extension hiding => viruses (and what-have-you).
macros => viruses.
inter-application communication => security flaw.
autoextract/running of downloaded software => general fscking up of computer.
Now, not all the features require that bad things come from them and there is definite programmer and management error. Although my description of it is perhaps unnecessary: What they need to do is demarcate all functions, methods, variables and objects that are capable of being abused as security flaws, regardless of whether the abuse could only come from within the layer of code above that method or whether it could be used outside. When the final stages of development come there needs to be an inside-out evaluation of all the possible paths that can be taken to reach those methods/functions/variables and which of those pose risks. Those risks need to be evaluated and if they find them to be acceptable risks, they simply need to mark them in their released product documentation. Of course, if they are found to be unacceptable risks then they need to reduce them in whatever manner or else provide warnings during operation that the user may hurt themselves doing whatever it is that opens that hole.
[please note that I'm not in the mood to look up terms such as trojan horse, worm, etc. to figure out where they all go, think of "virus" used above as a generic term.]
what about that hole that affected 2.2 onward that was discovered only a short while ago.. http://asimov.lib.uaa.alaska.edu/linux-kernel/archive/2001-Week-41/0920.html
the worst fact about this is that i had to read it on /.
when ie loads for the first time it checks with a MS server... why can't it make a quick check for awful security flaws like this and notify the user?
Intuit, the MS sukbutts that publish QuickBooks, MANDATE the use of IE, and no other. Guess what, all the scripting and JavaCrap have to be turned on to download the state and Fed tax tables, and their own bugfixes, of which there are mucho.
QuickBooks is usable only when IE security is completely relaxed in the five areas - your pooter, intranet, trusted, untrusted, whatever. And you won't hear a bleat from the CPAs.
I don't even want to know how this affects PMS Money.
and somebody moderated me down for flamebait. I really do have a hard time giving any credibility to Microsoft's arguments about bug reporting and security. The first day on the job as a newbie sys admin I was told about tcp wrappers. It is amazing how much of a first line defense they provide. Why haven't they made that a standard feature? Yes, I know that some third party solutions, like zone alarm, exist. But to my knowledge they do not do forward and reverse lookups. Also, as I work in IT now, I periodically ask users of any office type program if they use macros and the majority do not. So why do they still ship those products with that functionality wide open when there have been so many macro viruses and breaches? Why is there no way to disable that port that listens for netbios? Nay, I can not see how they can even attempt to defend their stance and place the blame on others when they can not even take these basic steps themselves.
Either give it away or get top dollar, but never sell yourself cheap.
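The "forward and reverse lookups" mentioned in the post above, sketched as an added example that is not part of the original thread: the client address is resolved to a name, the name is resolved back, and the connection is accepted only when the two agree (TCP Wrappers flags the mismatch case with its PARANOID wildcard). The function names, resolver hooks and lookup tables are assumptions made for illustration, and the sample records are constructed.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A/AAAA lookup through the system resolver; empty list on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []


def paranoid_check(client_ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS check.

    Returns (allowed, hostname, reason). The resolver hooks are injectable
    so the logic can be exercised offline (hypothetical design choice).
    """
    addr = ipaddress.ip_address(client_ip)
    name = reverse(client_ip)
    if not name:
        # No PTR at all: nothing to confirm, so hostname rules cannot apply.
        return (False, None, "no PTR record")
    confirmed = set()
    for candidate in forward(name):
        try:
            # Normalise so differently written IPv6 forms compare equal.
            confirmed.add(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    if addr not in confirmed:
        # Whoever controls the reverse zone can claim any name; only the
        # forward zone's owner can confirm it.
        return (False, name, "PTR name does not resolve back to client address")
    return (True, name, "forward and reverse lookups agree")


# Constructed sample data (documentation address ranges, not real hosts).
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.66": "trusted.example.net",   # spoofed PTR claim
    "2001:db8::25": "v6.example.net",
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "trusted.example.net": ["198.51.100.7"],
    "v6.example.net": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
}


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99", "2001:db8::25"):
        print(ip, paranoid_check(ip, fake_reverse, fake_forward))
```
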
I keep reading it wondering if you meant something by it.
Perhaps it's just your .sig? What a trollishly wonderful invention! Personally I'd have given up on you after the second post.
Check out the flaw, type this in the address location:
about://www.slashdot.org<script language=JavaScript>alert(document.cookie);</script>
[alk]
There is something bothering me that is far worse than Microsoft's "naturally buggy software" (love that phrase, BTW), or the fact that their large user-base makes the bugs come to the surface. It is their arrogant attitude. The recent "responsibility" vs. "information anarchy" campaign is just the latest of a looong history of irresponsibility and denial on the part of Microsoft. Back when I was spending 11 months trying to get a stable installation of Windows 95 (oh, let me count the hard drive reformats and reinstalls), PC Magazine was proudly proclaiming that Windows 95 had "no significant bugs". The really funny thing was when a Microsoft support person tried to tell some poor customer that their PC had a "preexistent virus" that had *overwritten* their install *CDROM* and wrecked a cab file. Yeah, right. ;)
:b
Contrast that with Apple's recent resolution of their iTunes 2 bug. They released the new version (a *free* download) on a Friday night. By Saturday, they had received word that it had a nasty tendency to delete the contents of hard drives, but only on OS X systems with multiple volumes. By sometime Saturday, the download was yanked from their site. Later Saturday night, within 24 hours of the original version post, they had posted a fixed version. Sunday they were posting tips on how to recover the lost files. Within a day or two of that, they were offering free copies of Norton Utilities, and a free hard drive repair to those harmed by the bug. Now that is what I call service! And all on a weekend, for a program they give away for free!
Microsoft, in the mean time, is throwing a snit because some "irresponsible" individual warned their customers about a bug that affects the security of their customers' computers (and effectively makes the browser unusable for ecommerce). "Boo-hoo, no patch for you!"
Microsoft grow up and get over yourselves!
35 days until Mothra returns!
Windows XP does crash more, but it certainly does not do more than RedHat Linux 7.2
I don't use either, but I have not heard this from people who do (even on Slashdot). Perhaps you are falling back on the outdated truism, "Windows crashes all the time." Hasn't been true since Win98, from what I hear.
More to the point, it IS an excuse in the consumer desktop market. The vast majority of consumers don't install an OS so that they can brag to other geeks about how long it has been since they had to reboot. They also do not care about thumbing their nose at Bill Gates. Time and time again they have chosen expensive, buggy M$ products over free (allegedly) superior alternatives. Why? Because M$ products are consumer-oriented-feature rich, easy to use and meet the reliability requirements of the consumer market.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
if the xbox is like anything else microsoft releases, it'll be interesting to see how a crashing system will go over with gamers.
What if this "Trusted" Computing Forum decides to patent the exploits to vulnerabilities they find? Would that be possible? Does that mean that other security experts that find the same vulnerabilities would not be allowed to publish their own implementations of the exploits, because it would accomplish, in essence, the same thing?
Ralph Nader is the biggest tool I have ever seen. A lying tool at that.
Oh yeah and Yebyen is a tool too.
Yep, RedHat is fixing more vulnerabilities than Microsoft.
Jeez, you promote Mac OS X and you become a right wing crackpot? Steve Jobs is going to have one funny joke to tell Bill Clinton the next time they hook up.
Strange women lying in ponds distributing swords is no basis for a system of government.
I think if Linux or MacOS,
And BSD is what? chopped liver?
Slashdot uses Active Scripting too, you know. I set IE to prompt me whenever I loaded a page with Active Scripting, and believe it or not, Slashdot does that. On every page. Sleeping with the enemy?
With information like this easily accessible to the public, how long will it be until someone becomes legally liable for damage done due to the fact that they used poorly written software, failed to follow a futile patching schedule and ignored common sense in general?
Perhaps then business would begin to follow the technology instead of the other way around.
I was crazy back when being crazy really meant something. (Charles Manson)
>RedHat has released more bulletins about security vulnerabilities this
>year than Microsoft has.
>At the rate RedHat is going the ratio will be 2 to 1 next year.
>
This is because RedHat *WANTS* people to be aware of the security
vulnerabilities, while people like you and those at Microsoft don't.
A real world example of this would be the Anthrax Contamination within the
Post Office.
The people at RedHat would've warned the postal employees about the
danger from when they realized there might be a danger to them.
You and those at Microsoft would've waited until people actually started
dropping dead before doing anything whatsoever.
Microsoft lawyers invoked a more-threatening world when they proposed inserting a security exemption in a different part of the settlement. The exemption applied to provisions that require the company to disclose the inner workings of Windows to competitors who want to make all sorts of software that works well with Windows. The company said it needed the exemption to guard against cyber-sabotage.
[...]
Microsoft's competitors and some of the states claim that these technologies are used so commonly that the provision could shield a number of Microsoft's products from competition.
[...]
James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues." He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
James (the Justice Department antitrust chief) either uses very cheap rhetoric here (to cover up how bad that deal is) or he really doesn't understand the issues (and I don't know what's worse, the DoJ in cahoots with MS, or them being too dumb to do their job). Microsoft's argument is just plain ridiculous. Everyone knows that good security protocols don't rely on obscurity, but on good crypto and a good protocol. You can't rely on obscurity, especially not for software which is sold worldwide, and open for everyone to take apart and scan for holes (even if that costs some to wade through all that assembler).
Also there are open source implementations of secure protocols (openssh to name just one). By Microsoft's argument they couldn't work at all. If the DoJ is incapable of understanding the issues, or at least asking someone who does, and is just sitting there nodding their heads when anything comes up they don't understand, I can really understand how that 'agreement' came to be. And the statement about such measures being necessary to protect credit-card information shows that he doesn't know enough to make the deal that is needed to keep Microsoft in line. That wouldn't be too bad, if at least he would rely on some advice in such situations.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
"Fortunately for M$ (and unfortunately for Linux), the average user does not have the same requirements as the DOD. They will continue to pick functionality and ease of use over stability every time."
Turning on devil's advocate mode I will point out that konqueror crashes about 3 times a day for me and IE6 never. And as for Koffice...
I like linux- I really do- I like freebsd too, but if you want applications to be reliable, they have to have money spent on them.
Note that this is only true of "user-type" applications- I don't deny that the free unices are better for server daemons and kernels.
graspee
IE can certainly be removed from windows. I've done it several times.
same here, up to 98se click here
See, the point is during the trial in front of Judge Jackson, they committed perjury...why MS's legal team or its officers did not wind up in Jail for a few nites is beyond me.
Lying, Doctoring evidence, delaying (granted not illegal) and such a condescending attitude during the trial...sheesh, even 5 seconds upon leaving the courthouse and hitting the cameras.
Shock the sh*t out of me that no one used their finagling *in the court of public opinion* against them...If they did, then I missed it somehow.
Oh, back on the train of thought:
a 98lite'd system is actually quite stable to the point of being shocking.
Once you "unbolt" I.E from 98se, feed the program a 95b cd (need 5 files, IIRC) it *screams* on even a lowly PII.
I got a p200/64M and it is *very* usable.
Can't remove IE...bullshit! MS can, but then how would they keep their monopoly in browser software?
Crap, just asked and answered my own question...I seem to be getting quite good at that.
If it is not on fire, it is a software problem.
but I share his views on how microsoft should be punished:
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
New things are always on the horizon
Presentation of facts does not make one a "turd". Nader consistently does campaign and argue for "accountability" to the rulers through regulation, instead of accountability to the people through the direct democracy of the marketplace.
Whoever mentioned the Soviet Union is correct. Nader's philosophies are pure left-wing fascism: more power for the powerful.
The guy is also a multi-millionaire, with investments in Cisco. Cisco is a monopoly in its market area as well. But since Nader is getting rich off it, he doesn't whine about it.
...there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user-base is so huge...
That's not gonna play.
The reason so many bugs are reported in M$ "software" is because there are lots of bugs, period.
Bugs in software are discovered in about three ways: systematic testing, random chance, and inspection (of the source code).
Just as many people (indeed, many of the same security professionals) systematically test Open Source software (and for basically the same vulnerabilities) as M$, and they find many more bugs in M$. This implies that there are many more bugs in M$.
Admittedly, the random chance bug discovery technique is pursued with far greater magnitude on M$, and we would expect it to find more bugs there than in OSS. But random chance is a piss poor way to find anything.
Inspection of the source code is a far superior mechanism for finding bugs than random chance, and this shifts the balance into OSS's favor since this does not occur with M$ (I neglect M$' own inspection of its code, as bugs discovered thus are seldom reported). A FAR higher fraction of the bugs in OSS are discovered and reported - quickly - by inspection, than may be reasonably expected to be found in M$ "software" by random chance.
And, of course, the total number of reported bugs in M$ "software" dwarfs the number found in OSS. This suggests that the total number of bugs in M$ "software" _more_ than dwarfs the number in OSS software, since M$ "software" is excluded from a more effective bug discovery method (inspection) than the random chance which OSS is (supposedly) less exposed to than M$.
It would be interesting to see a breakdown of these reported bugs by discovery method. We'll never have a meaningful comparison of the numbers of bugs in M$ and OSS code until we _see_ the M$ code. Until then, the only metric that is anywhere near comparable between the two types is the number of bugs found by systematic, controlled testing. And my understanding is that many more M$ bugs are found in this manner than OSS bugs.
Exceeding the recommended torque is not recommended.
The government is the biggest corporation of all, when you get right down to it. It is less accountable than private corporations, and enforces its "monopoly" with military firepower.
He's an "anti-globalist", just like Buchanan, because globalism is nothing more than removing the boundaries that get in the way of freedom. Removing these boundaries is dangerous to the ruling class.
Nader only wants to see this corporation more powerful and less accountable. He even argues for "campaign reform" to make it so that there is never any public input in the election process.... back to the Soviet Union again.
To "nationalize" means to bring under government control: to put into the hands of ruling elites. It would replace Gates control of Microsoft with control by those who shoot those who disagree with them.
It is typical that Nader, a leading fascist ideologue of our age, wants to add the power of Microsoft to the out of control monopolistic federal government.
This is the problem with the component model... Although, in the future, I'm sure we will see more stability than traditional engineering as lab coat weenies figure out better way to do things.
The problem is Microsoft employees 'seem' to prefer performance over robustness.. That combined with late integration is a bad mix, because specification boundaries can get confused and work with one integration and not the other.
Speaking of Microsoft, I ran into a problem with them today. My company orders the MSDN stuff from them, so we have pretty much every cd made from Microsoft, so I had to load Office XP on one of our developers computers today, and it told me I had to activate it to use it, I'm like bleh, whatever, I'll just activate it, and so I did. I then installed it on the developer's computer next to the other one, and it told me I can't do that without the Customer Service Rep #, which they don't give you if you register online. What a bunch of crock crap! Microsoft's licenses are going to turn people away, and lean people towards linux. But, do we want everyone to use Linux? The question of the day.... Hummm!
Windows still crashes. Anyone claiming otherwise is full of crap. It has to do with the basic design which hasn't changed since windows 3.1. While I haven't used XP (and don't intend to frankly,) NT4, 2000 and 98 crash frequently.
When applications install, they all come with their own versions of shared dll's (such as the infamous mfc42.dll of which there seem to be hundreds of versions...) which can cause instability (crashes) in other apps. A shared dll that almost every app uses (and is generated with MS tools) is effectively part of the OS, since the OS itself uses these shared dll's which applications can replace! This is BAD BAD BAD folks! You will NEVER EVER see stability in apps and windows until MS changes the way apps are installed.
When one application crashes and won't run again without a reboot (or causes other apps to flake), I call that a windows crash. I have to reboot in order to work again.
The other big problem area is the extensibility in windows - third party crap (of which there is tons - almost every app wants to put crap in the system tray, extend the desktop, etc.) creates instability in the desktop probably due to piss poor QA / coding.
Bigger than outright crashes for me has been degradation. Running windows for more than a day and it starts to get - "strange", where more programs start to crash or behave in unpredictable ways.
Enough. I don't need the headaches. If you want to use that crap and deal with all the problems, be my guest. I'll just use Linux for my primary work, and windows only when absolutely required (which is VERY rare.)
Let's make all lawyers take an oath before appearing in the court, and disbar any lawyer who lies in the courtroom. It would scare Johnnie Cochran purple, but it would clean up the mess in the courts.
(this all assumes that the Microsoft Hellstorm/Pissport thing does not take over the economy... then we won't be able to ignore Microsoft just by running linux anymore).
It is an interesting mathematical fact that our election system has those bugs.
You should install the patches at www.fairvote.org
Hey, if seatbelts are so unsafe, why are you wearing them then? Do us all a favor and get catapulted through the windshield, have your flesh peeled off your skull by the windshield's glass and your spine crushed. Voila! One less believer!
it will take for "clippy" the office assistant to become the windowsupdate/security advisor?
I can see the paper clip now, popping up and asking:
"I see you've been exploited by the latest worm. Would you like to:
a) Write a letter to the "freedom to Innovate" foundation celebrating this cool new worm that 'we' made possible (passport required)?
b) thank the virus writer via email using the viruses built in SMTP engine or outlook (passport required)?
c) Launch IE and go to windowsupdate (passport required)
d) thank the DOJ and help pay our legal fees (passport required)
OK(passport required) Cancel (passport required).
OS X.1 on X86, where art thou?
C'mon Apple 'grow some brass ones' and as was stated before "let loose the dogs of war and port OS X to X86...consequences be damned if you want that 'other 90%' running your wares".
I have a dream, that one day Bill Gates and the Devil himself will ask the same question at the same time:
"Why is it so damn cold, and just where did all these fricking penguins come from?"
Hey, I can dream, can't I? (passport not required, yet).
If it is not on fire, it is a software problem.
As others have pointed out, the exchange of information is going to happen one way or another. Illicit data gets exchanged via an underground community every day. Restricting the highly visible and open channels will not stop this. Doing so is just a wild shot in the dark.
But you still want to do something. What to do?
My advice is to educate yourself, or get help from a friend or hired professional. And there's ample history that points to this concept.
The microcomputer hit the market. Killer apps showed up that drove them in to homes and businesses. Individuals either had to learn how to set up and use these devices themselves or hire others to do it. One could argue the beginnings of IT departments and consultants.
Networking small computers begins to catch on. Now there's a new wave of technology. Existing support staff either learned the new technology or increased their ranks with already knowledgeable staff. The IT department takes on a whole new level of responsibility.
The Internet hits the mainstream. Smaller, private networks interconnect to a world-wide network. In many cases, this involves a whole new series of networking concepts and technology. IT picks up the pace. There is more training to be done.
Enter information security. Individuals and businesses learn that world-wide network access is a two-way street. Many products and services are woefully inadequate. There is, once again, a whole slew of new concepts and technologies to learn.
Each step involves a minimum level of knowledge required to go it on your own. The huge advantage with the infosec portion is that, thanks to open disclosure, there is also a wealth of information available online. There are also some very good books on the subject. Sure - a lot of that stuff is mainly for the hobbyist or professional. But there is also a wealth of information for the beginner - the basics.
So what does the average end user do? Educate themselves. Learn the basics. Or hire / offer a beer to someone who can help you. Look at what products you're buying and using. Security reviews of products (especially security products like personal firewalls) are fairly common. Do a bit of product research. Use the best that you can find/afford.
If you've been around computers for any length of time these concepts (education, product knowledge, and expert help) shouldn't be new.
One final, parting shot. One of my favorite infosec concepts is the inverse relationship between functionality and security. The more secure something is, the harder it is to use (and vice versa). Functionality is what has been driving the IT industry for the last couple decades (at least). It's made it possible for a wide degree of products that "just work" with little knowledge from the end user. However, this has also led to huge insecure infrastructure.
Boo hoo hoo, Microsoft Microsoft Microsoft. Cry me a river liberal.
Because as all know MICROSOFT is perfect...and being perfect then its products have no flaws! Only (undocumented) features!
The world according to microsoft:
It's bad for open source software to supposedly run software and IP companies out of business,
but,
It's ok for MS to bully other competing companies out of business by use of monopoly power.
Hmmm....
/nt
To hear the gods laugh tell them your plans.
not to mention preemptive multitasking, protected memory, etc.
My other car is first.
as trolls so often are.
Nader's presidential run was foolish, and wasted a potful of political capital. On the other hand, his analysis of the Microsoft "settlement" is compelling.
To hear the gods laugh tell them your plans.
If it's "irresponsible" to expect them to produce a patch within a few days, how would they describe the act of releasing unsafe, buggy software for sale to the public?
What's in a Sig?
...
Cool! Amazing Toys.
and of course the header:
-- just a geek - trying to change the world
What kind of a signal does this send to the public and to other large corporate law breakers? That economic crimes pay!
Please consider these and other criticisms of the settlement proposal, and avoid if possible yet another weak ending to a Microsoft antitrust case. Better to send this unchastened monopoly juggernaut a sterner message.
God Bless Ralph Nader!
An open letter from the man who advocates a 100% tax bracket.
GPUSA: This party also wants to ban "Right-to-Work" yet says that it's pro-labor. IMO unions are just big business by another name.
Nader can keep his party. But I want him to stay away from my business and my right to succeed or fail on my own merits. What he proposes certainly is neither democracy nor capitalism, more like fascism.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
thinking that Microsoft's New Deal was to be Services, pure and simple.
"Yes, sir, how would you like to be served? We've got an extra-special discount today on sauteeing customers, and would you like to be served with fries or rice?"
"I his bow, and spun and wove, likes you." Vere de Vere out of my mould's mouth dragged me of the voluntary apes.
Here's @stake's Research Lab's mission statement:
As I write, this is current on their site.
The thing about mission statements, for all they often seem to be corporate puff, is that in theory they're the organisation's attempt to define its purpose and reason for existence. If you refute your own mission statement, it's time to pack up and go home, because even the Top Bosses have nothing to guide them in their decision-making.
So, @Stake, where do you stand? Are you now afraid to take things apart and share the knowledge with the world? And if so, what's the point of your Research Labs?
Can you imagine if Firestone attempted to include an "End User License Agreement" with each tire purchase?
"I Agree to not hold Firestone, its board of directors, employees, associates, etc, liable for any damage or death incurred when my defect-ridden tires blow out on the highway at 100+ KPH, regardless of any foreknowledge on the part of Firestone."
Choose one:
| I Agree! | | I Disagree! |
In all fairness to Firestone: would you be comfortable signing an agreement like this from any provider of a product upon which your life depends?
So why do we put up with this in mission-critical software?
"Can't you see that everyone is buying station wagons?"
He *DOESN'T CARE* about software making money.
Would you call Jane Goodall "rabid" for wanting the Great Apes protected, despite contributing nothing to the GDP?
RMS has a particular view, and he is at least pretty consistent.
I don't happen to think that he's right, but then RMS says it is *HIS* belief that software should be free, *NOT* that software *HAS* to be free.
Quite an important difference.
PS It's pretty hard to be humble when you're smart, and I think RMS does come across a bit of a "prima donna" in some cases.
1) When it comes to the best interests of the consumer, never trust any product or service that Microsoft offers for free. It means they're up to something.
2) When it comes to security, never trust any product or service that Microsoft offers.
3) Never trust a company that has more than enough wealth to find anyone's price, not to mention be able to fund lawsuits indefinitely.
It strikes me as odd that, in these days of encryption systems being broken mere weeks after their debut, no one has yet managed to crack the Microsoft Word file format.
You can't put M$ in your 'trusted sites' category, thereby having access to scripting on microsoft's website, and having it disabled on the rest of the net.
autopr0n is like, down and stuff.
"What if one day Nader decided that your little company is "harmful" and will be shut down because you unwillingly pissed off one of his cronies or weren't supportive enough of his policies ?"
If your company is Cisco, which is as much of a monopoly as Microsoft is, then it won't be shut down at all, since Nader has been getting rich off of his investments. Typical socialist: he is filthy rich but wants to change laws to cut down anyone else who tries to get rich.
More hypocrisy is shown with Nader's criticism of corruption in government. What better way to make government more corrupt than to give it more power and make it less accountable as Nader wants to do?
Flame bait? This is pretty much the beliefs of 98% of the voters that evaluated Nader's positions and rejected him. A pro-Nader post is more likely to flame-bait, since it represents the same tiny uninformed lunatic fringe; a similar proportion found with the KKK, flat earthers, and other lunatics.
Windows still crashes. Anyone claiming otherwise is full of crap. It has to do with the basic design which hasn't changed since windows 3.1. While I haven't used XP (and don't intend to frankly,) NT4, 2000 and 98 crash frequently.
The basic design hasn't changed since windows 3.1? What the hell kind of crack are you smoking? 3.1 was a 16 bit OS with non-preemptive multitasking. While there is some code sharing between 3.x and 9x, the general system is quite different.
And NT/2k/XP are based on a totally separate branch, that has been moving (gradually) toward compatibility.
autopr0n is like, down and stuff.
Contrast that with Apple's recent resolution of their iTunes 2 bug. They released the new version (a *free* download) on a Friday night. .... Later Saturday night, within 24 hours of the original version post, they had posted a fixed version.
Now, you're really comparing apples to oranges here. Apple's bug was huge, and didn't just affect the software you were installing. I mean, it isn't like iTunes wouldn't play MP3s on certain hardware, or even created coasters or something.
The iTunes installer DELETED ENTIRE PARTITIONS! Apple deserves all the shit they get for it. I can't believe apple fanboys are falling all over themselves to laud apple for fixing the bug! I mean it literally rm -rf *'d them! It's totally inexcusable (and actually quite easy to fix as well, just add two quote marks, apple websites had already figured it out before apple released their patch)
It's possible that this M$ bug is caused by a lot more than a few misplaced quote marks, and could be buried deep in the code, rather than in a simple shell script.
autopr0n is like, down and stuff.
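The comment above attributes the installer bug to missing quote marks in a shell script. As an added example (not code from the post or from Apple's installer), this dry-run sketch shows how an unquoted path variable turns a volume name containing a space into separate deletion targets; the function names, `Player.app` and the sample volume path are hypothetical.

```shell
#!/bin/sh
# Constructed example: dry-run stand-in for `rm -rf`. It only records each
# path argument it receives (one per line); nothing is ever deleted.
would_remove() {
    for target in "$@"; do
        printf '%s\n' "$target"
    done
}

# Hypothetical installer step WITHOUT quotes. The shell word-splits the
# expanded path on spaces, so one intended target becomes several.
cleanup_unquoted() {
    vol=$1
    # shellcheck disable=SC2086  # the missing quotes are the point here
    would_remove ${vol}Applications/Player.app
}

# The same step with the two quote marks added: always exactly one argument.
cleanup_quoted() {
    vol=$1
    would_remove "${vol}Applications/Player.app"
}

# Hardened form: quoting plus a sanity check, so an empty or relative
# volume path is rejected instead of silently changing what gets removed.
cleanup_checked() {
    vol=$1
    case $vol in
        /|/*/) ;;
        *) echo "refusing: volume path must be absolute and end in /" >&2
           return 1 ;;
    esac
    would_remove "${vol}Applications/Player.app"
}

# Helper: how many separate targets does a given cleanup function produce?
count_targets() {
    "$1" "$2" | wc -l | tr -d ' '
}

demo() {
    vol='/Volumes/Disk 1/'   # constructed sample: volume name with a space
    echo "unquoted -> $(count_targets cleanup_unquoted "$vol") target(s):"
    cleanup_unquoted "$vol" | sed 's/^/    /'
    echo "quoted   -> $(count_targets cleanup_quoted "$vol") target(s):"
    cleanup_quoted "$vol" | sed 's/^/    /'
}
demo
```

In the unquoted case the first target is `/Volumes/Disk`, a path the script never meant to touch, which is why a recursive delete built this way can reach another volume.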
So, ACs aren't worthy of having secure systems or something?
autopr0n is like, down and stuff.
Heh...that should be "flagrantly", huh? :) That's what happens when my coworker (female) breaks out that powerful Bath and Body lotion. Kills the brain cells faster than alcohol. :)
Electronic Frontier Foundation for online civil rights information
How we know is more important than what we know.
Linux must be pretty shitty, considering it is FREE, and still not as popular as the high priced Microsoft OS.
You'd be fucking surprised.
And the title for this new MS-spearheaded security initiative: "Ignorance Is Strength"
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
Every way-kewl-radical Linux user throws up apache to show off to his friends.
Yes, but said lamer is unlikely to put it on a permanent, upstreamable connection - generally by the time you're big enough to reserve an IP, you are a small company, and are therefore less likely to be a lamer putting up Apache to show off.
This is quite factual, I know what I am talking about. Show that I do not instead of bringing up a "right wing" strawman. I might as well accuse you of parroting only what you hear on left-wing radio, but any such accusation is silly and misleading.
Actually you have pretty closely described the law as it is. Lawyers are fined if they bring frivolous lawsuits. The McDonald's suit had merit.
The headlines are filled with frivolous lawsuits. Also, the McDonald's case had no merit: the sign at McDonalds says that the coffee is hot, and the so called "victim" held it in her lap going down the road. Her own stupidity. Did she ever hear of cupholders?
If the law did stop frivolous suits and lawyers lying in court, Cochran and his ilk would be in prison.
This is why the radical left realizes that it has to get judges appointed based on political beliefs, and has to block those who want to protect Constitutional rights.
The far right, like the far left, is for maximizing the power of the rulers. Seems like you were getting angry and letting the fingers of fury type faster than your brain.
"He has said that the public (government) has a right to limit the actions of corporations when those actions might harm the interests of the public."
Nader's big logical error is shown very clearly here. He says that the antagonistic entities of the public and the government are the same thing, when in fact one (government) rules the other and, through most of history, has treated the public very badly. Government tends to act to favor its own interests. Control of corporations by "the public" through the free market is a much more effective way to regulate corporate activity. If the corporation harms the public, the public will choose not to work, invest, buy.
Nader's idea that the oppressive government equals the public was so eloquently put by Lenin 90 years ago, when he overthrew a democracy and proceeded to massacre people "for their own good". As the Vanguard of the Proletariat, he was the embodiment of the will of the people, and could do no wrong.
Ever hear of the idea that absolute power corrupts absolutely? People should remember this when listening to the fascist ravings of Nader, Buchanan, and others who want the rulers even more powerful.
The code may be different, but the architecture is the same. The API while being extended, moving from 16 to 32 bit, is the same. The way things work is the same.
The concepts and ideas on how things should work have not changed. Applications are still written from a single-user point of view. The concept of the end user controlling everything (from a security standpoint) is still there. While NT has added some levels of security, as long as you are permitted to install applications (which is the default behavior for workstations) there is basically no difference between NT/2000/XP and DOS / win31.
So what you have is:
Let's add windowing on top of DOS (Win 1 - 3.11)
Let's do a 32 bit version of 3.1 that really multi-tasks (NT) (BTW, best thing MS ever did...)
Let's take the 32bit API of NT and toss that into 3.1, and upgrade the graphical UI (Win95)
Let's take the new GUI and throw that on NT (NT4)
Time to integrate IE into the GUI to kill netscape (Win98)
And let's do the same for NT (Win2000)
Let's kill RealPlayer! (WinME)
Let's stop piracy and finally give the consumer NT, as DOS is still giving us fits and making us look bad! (XP)
Sure, lots of things were redesigned and changed over the past 12 years, but the basics of 3.1 and DOS are still there. They have to be for compatibility. Remember the win32 libraries that let you run some 95 code on 3.1??? Yup. Things haven't changed too much since then from a basic design / concept point of view. All that changed on the 9x(Me) side is moving code from DOS up into the protected environment. We still have a god-awful FAT file system, and NTFS still suffers from the lack of (usable) links and the concept of drive letters.
So I'll forgive your ignorance, but having worked with windows since 2.0 from a programming perspective, I do have a fscking clue.
It is quite sad to see that the former l0pht (hopefully you remember them), who went corporate and melted into @stake, have joined the "coalition against full disclosure of computer vulnerability information". I'm amazed that Mudge and Weld Pond would turn full circle and endorse this sort of thing. The l0pht were the sort of people who stood for full disclosure. Too bad they have made this decision. I have lost my respect for them.
At least eEye are keeping their heads about them.
What you're saying about windows is like saying that Linux 2.4 and the original UNIX are the same because they use the same 'architecture'. While various versions of windows are 'the same' because they do the same things. But they all use different codebases, and the fact that windows is single-user focused does not make it crash prone, which is what you were claiming.
So I'll forgive your ignorance, but having worked with windows since 2.0 from a programming perspective, I do have a fscking clue
Gee, a whole version number ahead of me! You're so smart, I'm so glad you've in your graciousness decided to forgive me. I never would have been able to live with myself if you hadn't.
autopr0n is like, down and stuff.
autopr0n wrote:
;)
> Now, you're really comparing apples to oranges here. Apple's bug was
> huge, and didn't just affect the software you were installing. I mean, it
> isn't like iTunes wouldn't play MP3s on certain hardware, or even
> created coasters or something.
Yes, you are quite right. I was comparing sweet Apples to rotten oranges. Of course Apple fixing a FREE program within 24 hours and offering to PAY to fix trashed hard drives is NOTHING like Microsoft REPEATEDLY trashing my hard drive because of an operating system I PAID FOR (twice actually, because I also bought the full version thinking it might work better than the upgrade), and NEVER acknowledging the problem existed, or repairing it in SIX YEARS.
Yep, the courage and compassion of Apple is quite different from the greedy callousness of Microsoft. How ever could I think I could compare them?
On December 14, 1996, Mothra resurrected a charred Apple sapling ("Mosura" 1996).
In 34 days, she will return to see its fruit.
OS X: the Apple of Mothra's Aqua eye.
The real Ralph Nader, the one rejected by 98% of the voters, is the one who wants to remove the power of corporations (due and undue) and turn it over to the government... NOT the people. His solutions all call for more centralized top-down control. Look at how he wants to "nationalize" the Fortune 500. This makes them even less accountable. It is a very fascist goal.
"The US government is NOT a corporation. There is very little similarity between how they are structured. Corporations are essentially feudalist, whereas the government is provisionally a democratic republic. The difference in the way power flows in each type of organizational structure is significant."
Corporations are not feudalist, as everyone involved in them chooses to be. The government is much more feudalist, as we "serfs" pay a bounty to enrich the rulers (taxes). Businesses are much more accountable; there is little force involved in them, especially compared to government.
But there are some things a contract cannot protect you from. For example, if a contract is made for the purpose of an illegal act, that contract isn't binding. If the EULA goes against a state or federal law, that part of the EULA can't be used to prevent you from suing them. That's why I'm wondering where the current law stands.
either you want companies to announce holes and fix them, or you don't
when that is the issue, saying it never should have happened achieves sweet FA
I spoke to the staff member here who's bitching loudest about this. I asked for a specific example. The example I was given was ToolTalk of all things (one of our faves!). This person claims that there used to be code out there in your database for this that had been pulled. A search I've just done turned this up -> http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=122 You'll note that exploit source exists. I will ask this teammate for a more specific explanation for the statement. It's possible that a specific piece of code isn't there and that the original source was SecurityFocus. If that's the case then an apology is in order, although my getting this teammate to admit this might be the case is unlikely (ahem).
:-)
I will say this about SecurityFocus - when my team is asked to evaluate a piece of software we've never heard of, your site is the FIRST place I look. More than once I've found juicy tidbits that have allowed me to improve a customer's security. PacketStorm is a daily read (cough) and I try to keep up with BugTraq as well - your archive of that is a BIG help. With all of the crap going on in the security field, do please pardon my suspicious nature.
For those of you who may not quite understand - the crap that Microsoft is pulling, along with all of these jerks who are against full disclosure, is making MY JOB harder! No one person can find everything in all of the packages out there. Most customers will not simply apply patches because a vendor says so and MANY cannot keep up with the fast pace of exploits. For that matter we've got a flippin' team that has to struggle with this and it's not easy. Forcing all of the exploits to go underground by killing full disclosure will make this harder.
Remember what Microsoft said to L0PHT years ago about their VPN software when they were contacted? I have no doubt they would do that again today if they could sweep it under the rug. When you're working with a paranoid customer (think bank or oil company level of worry) they want a SECURE and STABLE system. That means when you tell them to make a change you'd better have a list of passwords in your hot little hands to prove your point! That means exercising the vulnerability and playing the part of a black hat. We need the code, folks, and no one group working alone can develop it all, it must be shared. If the punk crackers get it too then fine, they'd have developed it themselves and circulated it amongst themselves anyway....
Build it, Drive it, Improve it! Hybridz.org
But most people don't actually USE most of the "functionality" of windows/office/etc - they add "features" by the dozen, when only a few make it through to the general public as being genuinely useful.
Anyway, it seems that more "features", whether they are useful or not, tends to be M$ "come buy me" hook, and is their excuse for bloatware - XP wanting 1.5 GIG!!!!!!
Erm, did you actually read the further up posts? There was quite a good reason given as to why average Joe wouldn't use it, namely THEY CAN'T BE ARSED. They want to be hand held all the way through the "computer world", hence M$ success