Microsoft Microsoft Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
The Register, and How Microsoft invented open source, by Billg
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
Of course, Nader's stance at the far left at the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
OK. Let's let Microsoft keep their security flaws secret. Do any of us think that will really work?
Part2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.
Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this summer would have been affected in the least by Microsoft's proposed policy.
Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?
But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.
The living have better things to do than to continue hating the dead.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"
Funny, Open Source software can have a patch out within a few days, why can't Microsoft?
Things you think are in the Constitution, but are not.
SF Gate has an article about how the states are "sabotaging" the settlement:
Why are they asking the court to derail the settlement, effectively guaranteeing that the case won't be resolved for years? The state attorneys general claim the high ground as defenders of consumers, but it is hard to see what consumers of software would gain in prolonging this legal agony.
Uhh, ok...
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
The BBC also has an article today detailing some of the groups and corporations that are lining up to take on Microsoft on several different fronts.
But what do I know.
Here's another interview with SANS. Interesting.
MS posted this bulletin to their security mailing list about 8:00 EST today. They are doing a pretty good job of notifying everyone in the event of a failure. To get good, up-to-date information about security go to www.microsoft.com/security. They usually notify of new security issues and fixes within a day or so. The information is there and it's not that hard to find. Just in case you still have trouble finding the link for the bulletin mailing list, here is the link. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
Digital is, by definition, imperfect. Analog is the way to go.
I got this in my inbox yesterday at 9:14pm (EST). If you really care about security with Windows machines look at this page, specifically that mailing list service.
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
Hehe.
Wooden armaments to battle your imaginary foes!
Does anyone think that withholding software bugs is illegal? It was illegal for Firestone to withhold information because it irresponsibly cost lives. Security holes generally do not, but they do cost companies money. Holding back info for a security flaw will definitely prevent many admins from changing system settings, limiting current development, waiting for a patch before releasing, etc. That in turn will cost money if the flaw is still exploited.
IANAL, but I personally think MS could be sued by a company attacked through a hole kept secret by this security gang. It should in fact be illegal to withhold information about known flaws in any product, since knowing of those flaws may change the value in the customer's eyes. I see that as indirectly constituting fraud.
Anyone know of any precedent or the true current legal standing of such a situation?
Developers: We can use your help.
One thing I know talking to a friend who was on a Microsoft programming team. They do not get bonuses on quality / security of code, but on the fact of how fast they can get it out for cash. Basically as I was told, their software is never really fully tested. With 2000/NT, until patch 2 came out for either of them, they were riddled with security holes and bugs. Microsoft is a moneymaking company, not a quality software company. Someone as big as Microsoft could easily test their products extensively, but that would cut down on their profits. Oh damn, we could not do that to poor old Billy boy Gates, could we.
Personally, I would not care if Microsoft is a monopoly if they would be somewhat inventive (they just revamp others' ideas) and put out quality code.
My 2 cents plus more
While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
"I may not have morals, but I have standards."
"Active Scripting" is the term Microsoft uses to refer to client-side JavaScript and VBScript. Thus, disabling active scripting will not only break pages designed for IE, it will break any page designed for any browser if that page contains JavaScript or VBScript (remember, there's an addon for the Windows version of Netscape 4.x that gives it the ability to run client-side VBScript and ActiveX controls).
Furthermore, Michael, switching off Active Scripting is not the only way to avoid falling prey to this exploit. In order for the exploit to work, someone must convince you to go to a specially-formed URL. Being smart enough to recognize malicious URLs would allow you to avoid this security hole without disabling Active Scripting.
I find it disturbing that you're so obviously biased against IE (and apparently also uninterested in learning details before representing your own uninformed misconceptions as "fact"). I've never made the mistake of thinking of Slashdot as an unbiased news source. A predilection towards open-source rather than commercial software is one thing, however, while openly vehement bias based on false conclusions is another.
For your own sake, and for the sake of Slashdot's journalistic integrity (ha ha), please at least do a little bit of fact-finding before posting knee-jerk stories like this.
It's interesting. I've already read every one of these articles linked to by slashdot in the last few days.
But the bizarre thing is how biased Slashdot is with their presentation. If you actually click through on the links and read the stories, you'll understand why.
For instance, why wasn't this article from news.com linked as well, considering it is Scott Culp responding to a lot of the questions and accusations?
http://news.cnet.com/news/0-1014-201-7819204-0.html?tag=bt_bh
Damn, I would have seen it too except for the fact that I broke my leg trying to go down those stairs which were missing...
For those who missed this reference, take a look at mid-chapter 1 on this page.
- Graff
- @stake was not "formed from" the l0pht. the l0pht comprises part of their research and development team.
- back orifice was the child of cDc, not the l0pht. there is some overrun between the groups. l0phtcrack was theirs; it is an invaluable resource for system admins as well as black-hats.
- lots of people attend DefCon. doing so does not make you evil. lots of people are hackers. same point.
- they did not get "banned" from bugtraq, they split from them. there is a difference. they continue to release proof-of-concept code and whitepapers, but their formatting was not compatible with the bugtraq system.
not sure what your beef with @stake is, but they are a decent security company. that has been their focus since their inception, and they are easily among the best in that field. they have a number of brilliant minds working for their management (dan geer, president of USENIX, for example) alongside a powerhouse of an R&D team.
We who were living are now dying
With a little patience
Why all the MS bashing? If it wasn't for MS there would be no OpenSource. ;-) Read today's TheRegister
Quote: The open source movement wouldn't exist without Microsoft, Bill Gates told his company's shareholder meeting earlier this week. Open source is also a follower, not an innovator, and destroys jobs, the economy and world peace (we made that last bit up).
Help fight continental drift.
Go to www.microsoft.com
Click on the link to the side that says "For IT Professionals"
There are Security Bulletins highlighted in the upper right-hand side of the page. The ones discussed here are listed, along with a link that says "More".
Right on the top of that list is a link that says "Want to receive future security bulletins automatically?" You might want to click on that and subscribe.
Now for home users, they have the WindowsUpdate feature which easily allows you to download patches. Plus it also includes links to find out more information about the patch... these links go to the security bulletins again.
If Microsoft is hiding security bulletins, they are doing a piss poor job.
look look here
basically when you sign up with Red Hat you get to run up2date on one computer for free. nice for students.
-- john
The only info we have pulled out of the vuldb that I can remember was the telnetd exploit. This was because the copyright holder insisted. We do on occasion have a duplicate BID, or consolidate several into one when it becomes clear that they are the same. Therefore, you may sometimes see a particular BID number "go away", but the info exists under another BID. We also had a few temporary problems while we switched from Roxen to Apache a few weeks ago, and I recall that not all info was showing up for a while.
But basically, no we aren't pulling anything out.
Do the best you can under the circumstances. I use Macs, and I make a point of throwing out IE and using iCab or Netscape or something, and I also go into the system folder and throw out the large amount of operating system code (to support IE) such as ActiveX support and a host of OS extensions Microsoft insists upon building into Macintoshes.
Interestingly, this seems to make the Mac more stable. But the bottom line is you cannot avoid either indirectly purchasing Microsoft products or even running MS OS code by using stock Macs. They come with extensive Microsoft code and you have to literally go in and take that garbage out if you want to run a non-Microsoft MacOS.
How's that strike you? Does that make you more or less persuaded that Microsoft is dangerous and all-controlling? Maybe your original vow is all the more worthwhile seeing as you CAN'T do it without either going incredibly DIY to the point of building your own computer and running nothing but Linux, or abandoning computers entirely.
Did you know it was that bad?
Ralph Nader is the biggest tool I have ever seen. A lying tool at that.
Oh yeah and Yebyen is a tool too.