Slashdot Mirror
Microsoft Microsoft Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
I clicked on the Microsoft security bulletin. I've never seen one of those before. Back when I first bought my gateway I actually registered with Microsoft online, and so I find it hilarious that an important bulletin such as this is in such an obscure place. I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though. I'm still laughing about that bulletin. Aren't you supposed to distribute bulletins, not hide them somewhere? Ugh...
~ now you know
I find it hard to believe that someone on slashdot would complain about webpages designed for IE not working.
If MS security bugs encourages web designers to design gracefully degradable web pages, that's fine with me.
Jesus saves....And takes 1/2 damage.
Just as a disclaimer, I'm not one to defend Microsoft is most cases. But what I think most people don't think about is that there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user-base is so huge that there is more of a possibility that these bugs will be found and in many cases used for unfortunately bad purpouses. If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.
That said however, I don't care for MS and the majority of their software that I do use is out of necessity.
forma3
Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?
How are software bugs, especially critical ones, different from design flaws in a tire?
Indie rock lives! b-side!
and had you read the security report instead of trying to karma whore your anti microsoft propaganda (nonsense, by the way), you'd realize the problem is that a malicious website can read and modify cookies ... it has nothing to do with firewalls, scanners, or opening attachments. It has everything to do with being smart about how you manage cookies, and what sites you allow to run scripts (i turn them [active scripting/scripts] off for everything except common sites like, for instance, hotmail).
... i submit to you a concept of "use the best tool for the job" ... and until LINUX or other unix can read, write, understand all the file formats in the MS Office suite (star/open office isnt close yet. period. it's not worth using) and show me a fast loading browser that doesnt crash (mozilla's getting close, not quite there yet), I'm going to use windows on every desktop I own, and leave Unix for the servers, where it belongs.
If you have no sensitive data in your cookies (and you shouldnt anyway, come on, common sense), you've got nothing to worry about.
As for the "dont use windows if you dont have to"
ahhh... but Microsoft claimed in court that IE could not be removed from Windows so this is indeed a security hole in Windows.
Unless... *gasp* you're calling Microsoft a liar and telling us that IE and Windows are indeed two separable products?
Pardon my french, but *bullshit*.
Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
Reality has a liberal bias
It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.
Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.
Error:
From the article:
The person who discovered this vulnerability has chosen to handle it irresponsibly , and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, than it's easy to make the connection that the open-source community is villifying the information management structure that Microsoft and friends is working so hard to manage for the best interest of the consumers.
They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsofts high standards of quality.
Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsofts best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a companies product to an unapproved bill.
Dacels Jewelers can't be trusted.
Many of MS's problems aren't bugs, they're designed to work that way. MS has had a poor record of thinking about security. They tend to think more of features, and what can the enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
It strikes me how much we all seem to be recognizing that the courts now operate based on their political leanings instead of the foundation of law.
I don't use microsoft products either. But when nimda infected how many damn IIS servers, my poor little T1 sure as hell noticed it when all those IIS machines started scanning my servers.
How about when sircam started e-mailing random documents to anyone in the address book. I got a load of random files for absolutely no reason at all. An inadvertant spam.
Just because you don't use Microsoft products doesn't mean Microsoft products can't be used to attack your machine(s). Indirectly, your still effected somtimes.
Can all fish swim?
so how old are you, kid? @stake was formed in '99; they didn't begin releasing whitepapers for a good few months, as l0pht was still integrating with them, and they were operating (space-cramped) out of a tiny little office in cambridge. if you were a script kiddie in high school two years ago...*grin* no offense intended. just amused that you've come so far in terms of security-thought. always cool to see an @stake mention, as well.
one of the things that MS doesn't grasp is that a hole exists even when you don't publicize it, and if someone has pointed that hole out to them (presumably a grey-hat), they will share that information with some of their friends. geometric growth of exposure follows. with full disclosure, admins (even those lacking the skills/source to fix the problem) can mitigate it, pull systems down, turn off vulnerable features, or *gasp* consider alternative solutions.
On another note, I'm not sure that Microsoft has any grounds for demanding to be notified about flaws in the final releases of their software. If they want to keep bugs from becoming huge public brouhahas, then they should either fix them in-house while the software is still beta, or open the source up and let other people actually fix it. They're out of line to say that people should find bugs in their ware, tell them, and then sit on their discovery while some cubicle slave works to make a patch, and Microsoft takes the credit for saving the day.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
In the cases where Linux or unix has a majority market share Microsoft still leads the exploit statistics by far.
Of course, it's not as simple as saying that MS sucks, but it's a combination of bad design (dont put everything in every program, dont have unlimited interoperation between everything) bad programming(dont use admin privilidges if not absolutely necessary, also a design issue maybe), bad installation policies (dont install everything or even anything but the basics by default), bad admins and bad will.
The combination of these elements end up in software you dont want to be running because it will stink from a security point of view.
So, no, you wouldnt have the same amount of problems on Linux at least. You'd have problems, yes, but not nearly as many. Unless, of course, the general policies among linux distribution vendors change to install everything insecurely by default, but hopefully that wont happen, and in the Linux world you can always change to another vendor if one of them goes seriously astray.
Okay, some vulnerabilities might be difficult to get fixed in a couple of days...but with a team of programmers as large as they have...months is quite a stretch...they still have God knows how many vulnerabilities in NT 4 that have been known for some time! The linux folks can patch stuff rather quickly with a fraction of microsoft's financial and wetware resources. Show me the problem.
Derek Greene
I think if Linux or MacOS, as they are currently, were the most widely used, MS would still have more reported bugs, because there's just so much MS stuff. There's the kernel, the GUI, many applications, etc. With Linux, bugs in these would be reported against different entities.
Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grow faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.
So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.
Let me play devil's advocate (seriously):
Yes, you can get a patch to kernel 2.foo very quickly. But it can take weeks/months for RH to get a package out. Perhaps M$ can get the code fixed, but not quickly send out a package (and in some ways they do. They send out hotfixes, and only later service packs).
Why? In both instances, the companies have to make sure that by fixing one problem, they don't create several others.
So yes, you can get quick fixes to Samba, the kernel, etc. But it takes time for commercial vendors to roll out the patches.
(And, having said all that, I used to use Progeny, and am switching to Debian. They get out patched packages really damned fast.)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Reading this gave me a warm fuzzy feeling inside.
-----------------
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
Pissing in the ocean. That's what this "unnamed organization", otherwise known as the "Security KGB", will accomplish. I'm amazed at how many businesses aren't making enough money from the internet, and thus are trying to legislate out free speech. I'm having a blast, personal economic downturn and layoff aside, watching these companies that have never actually had a product to sell, crying because the big bad internet is out of control, and that they can't compete against free products that do EXACTLY THE SAME TASKS as their pay-products. Waaaa...
Welcome to the open market and the information age, crybabies exit at the rear...
don't buy their games or their X- box.
Nope. It's not.
The Netcraft survey crawls through all those little Melvin machines which each have an httpd running that nobody ever accesses.
Nobody cares about them. They are irrelevant.
Actually, it tends to go the other way - IIS installs as standard on a heck of a lot of WinNT boxen that do no hosting, and as (much as we hate to admit it here) most small businesses (big enough to have an always-on connection but not big enough for their own IT dept) use Windows. Most Apache installs are meant to be there.
If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.
Microsoft's products are buggier because they are more ambitious in terms of functionality and target user base. Designing software that is only used by people with software knowledge is much easier than designing software for the general public. Creating an application that accounts for all the possible mistakes and questions that the average user is going to have is a huge undertaking. Add to that the extra functinality that M$ adds to its products (for better or worse), and it is not mystery why it has more bugs. Sure it crashes more, but is also DOES more.
As such, the idea that more bugs will be found in software if it gets wider distribution puts the cart before the horse. In order to get wider distribution, software must expand ease of use and functinality, and thus expose itself to the introduction of bugs (if it is to be released in a timely manner). However, users, as history has demostrated, care more about features than they care about bugs. Again, as history has demostrated, the most stable OS you can create, even if it is free, can not compete with an OS that includes the functionality that people want and, more importantly, is easy to use.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
Credibility? High profile? Nader is about the most hated man in political life; no Democratic politician, consumer group, conservation group, et cetera will return his calls now.
i've been using up2date on my computer at home. after you login you get one free "seat" (i dont remember the word they use).
so when you start up2date on a computer the first time you create a profile of that computer at redhat. you can move this seat between computers so you can still use it for free if you have multiple computers. this is nice because it cuts home users, like myself, some slack.
-- john
Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.
This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.
It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived a such a one-sided settlement.
Most evil is done by good people, and not by accident, but deliberately; motivated by high ideals toward virtuous ends.
So, there's apparently a huge market for poorly designed, poorly implemented, but "feature-rich" and "easy to use" software.
Okay.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues." He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
Umm, damn straight I want to know how they work! How else do I know if they are really secure? Trust MS? I think their track record speaks for itself on that one. Do I trust OpenSSL to keep my credi card secure? Yes, because I know how it works.
When will people learn, security through obscurity is a dead end.
Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...
The real danger is when someday someone will discover one of these huge gapping holes, not tell a soul, and then exploit them for profit, terror, extortion, or simple chaos.
We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....
Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.
From Microsoft's article:
We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:
By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
But the movie house is on fire. The bug exists - your private information is vulverable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.
It's natural for a powerful organizion to want to surpress speech that points out its flaws. It's natural - but it should never be tolerable.
Don't blame me; I voted for CowboyNeal.
There's a reason why MS takes so long to get security patches out.
A previous posted mentioned Apple with the iTunes installer nuking the hdd, and how they got a patch out quickly, implying that if Apple can do it, MS should be able to too... well, things aren't quite so black and white:
The problem in the iTunes installer was a small typo in a bash script. The behaviour of the installer script is so simple that it's fairly obvious what effects the change would make. Easy patch. If only all bugs were so easy to fix.
A relatively short while ago some info regarding few vulnerabilities in Exchange (I think it was Exchange...) were released to the public@large by some third party. MS rushes out patches and lo and behold! A fairly significant proportion of users reported serious issues after installing the patch - it was messing up other parts of the system. MS rushed out a second version of the patch, which again wasn't satisfactory. It took 3 iterations of the patch to get something that seemed to work successfully on almost every machine it was installed on!
What went wrong? The Law of Unintended Consequences reared its ugly head.
If you look at the security holes that poke up in MS stuff, they often look like they result from some complex interaction that Microsoft's developers never expected. These interactions are partially the fault of the way they seem to design their systems and partially due to the vast number of configurations they end up operating in. Unfortunately, when you're fixing a bug that's resulting from some complex and probably subtle interaction between different components of your application (or even worse: another application) then your change could have drastic and far-reaching effects.
To help mitigate this problem they do extremely extensive regression testing. Typically, before a patch gets posted it's run through some of the weirdest and craziest system configurations they can think of to make sure it doesn't break anything, and if it does they figure out why and fix it. This takes time. Lots of time!
While I'm glad he's chimed in on this, I'd say he's just as, if not more, "uncompromising" and "abrasive" as RMS.
After making their reccomended changes I can't use
Windows Update either. Very interesting, how ironic that MS stuff is these days.
__ No registration required to read this message. They did it in the Matrix.
Ah, but you see, you're not necessarily comparing apples to apples. The following could be an interesting exercies:
How many vulnerabilities from each company...
I haven't done this exercise, but I strongly suspect that it would show that MS and RH have very different views of what constitutes a "security problem" that needs to be reported & patched. I'm guessing most if not all of the MS bulletins are remotely-exploitable holes, and that most are probably not mere DoS holes. The RH bulletins, on the other hand, will have a lot of temp file vulnerabilities -- which, in the MS world, would not even be considered bugs, much less security holes.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
In my experience, I always thought that a large part of the MS bugs come from the fact that MS offers features (no sarcasm) that are inherently prone to security flaws. I've never once heard of a user security being breached when they were off a network and writing a document in notepad.
Examples include
VB scripts + extension hiding => viruses (and what-have-you).
macros => viruses.
inter-application communication => security flaw.
autoextract/running of downloaded software => general fscking up of computer.
Now, not all the features require that bad things come from them and there is definite programmer and management error. Although my description of it is perhaps unnecessary: What they need to do is demarcate all functions,methods,variables and objects that are capable of being abused as security flaws, regardless of whether the abuse could only come from within the layer of code above that method or whether it could be used outside. When the final stages of development come there needs to be an inside-out evaluation of all the possible paths that can be taken to reach those methods/functions/variables and which of those pose risks. Those risks need to be evaluated and if they find them to be acceptable risks, they simply need to mark them in their released product documentation. Of course, if they are found to be unacceptable risks then they need to reduce them in whatever manner or else provide warnings during operation that the user may hurt themselves doing whatever it is that opens that hole.
[please note that I'm not in the mood to look up terms such as trojan horse, worm, etc. to figure out where they all go, think of "virus" used above as a generic term.]
What should be done about it is to inform everyone as soon as problems are discovered.
That is a period at the end of that sentence, it means there is nothing further to add. What we're doing now is what should be done.
Edith Keeler Must Die