Slashdot Mirror


Microsoft Microsoft Microsoft

Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.

7 of 723 comments

  1. And don't forget... by Anonymous DWord · · Score: 5, Informative
    --
    "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
  2. Nader has credibility by Tassach · · Score: 5, Informative
    For better or worse, it's good to have a high-profile individual like Nader get involved in this. While anyone can file a letter during the public commentary period, or an amicus curiae brief (if they have a valid interest in the outcome of the case), judges are more likely to pay attention to comments that come from respected public figures than they are to listen to J. Random Public. At least his letter will be read by the judge herself, instead of just being skimmed by a junior clerk and tallied up in the appropriate columns.
    Of course, Nader's stance at the far left of the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  3. Alternate Plan - Security Escrow by dpilot · · Score: 5, Informative

    OK. Let's let Microsoft keep their security flaws secret. Do any of us think that will really work?

    Part2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.

    Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this Summer would have been affected in the least by Microsoft's proposed policy.

    Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?

    But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.

    --
    The living have better things to do than to continue hating the dead.
  4. Re:You know what I find funny? by rtkluttz · · Score: 5, Informative

    MS posted this bulletin to their security mailing list about 8:00 EST today. They are doing a pretty good job of notifying everyone in the event of a failure. To get good, up to date information about security go to www.microsoft.com/security. They usually notify of new security issues and fixes within a day or so. The information is there and it's not that hard to find. Just in case you still have trouble finding the link for the bulletin mailing list, here is the link. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp

    --
    Digital is, by definition, imperfect. Analog is the way to go.
  5. Legality by truthsearch · · Score: 5, Informative

    Does anyone think that withholding software bugs is illegal? It was illegal for Firestone to withhold information because it irresponsibly cost lives. Security holes generally do not, but they do cost companies money. Holding back info for a security flaw will definitely prevent many admins from changing system settings, limiting current development, waiting for a patch before releasing, etc. That in turn will cost money if the flaw is still exploited.

    IANAL, but I personally think MS could be sued by a company attacked through a hole kept secret by this security gang. It should in fact be illegal to withhold information about known flaws in any product, since knowing of those flaws may change the value in the customer's eyes. I see that as indirectly constituting fraud.

    Anyone know of any precedent or the true current legal standing of such a situation?

  6. Sept. 11 As Justification by krmt · · Score: 5, Informative

    On Sept. 28, she told the parties in the Microsoft case that 'the recent tragic events affecting our nation' demanded a prompt end to litigation that had already roiled the stock market and generated economic uncertainty.

    That exhortation hit home. After Sept. 11, 'the world had changed, with war abroad, threats at home and a deteriorating economy, creating a powerful dynamic to settle,' says Richard Blumenthal, Connecticut's attorney general and one of the more-aggressive state officials involved in the case.

    While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
    --
    "I may not have morals, but I have standards."

  7. Re:You know what I find funny? by sheldon · · Score: 5, Informative

    Go to www.microsoft.com

    Click on the link to the side that says "For IT Professionals"

    There are Security Bulletins highlighted in the upper right hand side of the page. The ones discussed here are listed, along with a link that says "More".

    Right on the top of that list is a link that says "Want to receive future security bulletins automatically?" You might want to click on that and subscribe.

    Now for home users, they have the WindowsUpdate feature which easily allows you to download patches. Plus it also includes links to find out more information about the patch... these links go to the security bulletins again.

    If Microsoft is hiding security bulletins, they are doing a piss poor job.