Slashdot Mirror
Microsoft Microsoft Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?
How are software bugs, especially critical ones, different from design flaws in a tire?
Indie rock lives! b-side!
ahhh... but Microsoft claimed in court that IE could not be removed from Windows so this is indeed a security hole in Windows.
Unless... *gasp* you're calling Microsoft a liar and telling us that IE and Windows are indeed two separable products?
Pardon my french, but *bullshit*.
Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
Reality has a liberal bias
MS's windows update is a step in the right direction, but it sucks compared to Red Hat's up2date program. It's a service that is well worth paying for. Even if you just download the Red Hat ISOs, consider subscribing to RHN - you are supporting future Linux development and are getting a good service at a fair price. [Disclosure: I own RHAT stock]
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Many of MS's problems aren't bugs, they're designed to work that way. MS has had a poor record of thinking about security. They tend to think more of features, and what can the enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
I think if Linux or MacOS, as they are currently, were the most widely used, MS would still have more reported bugs, because there's just so much MS stuff. There's the kernel, the GUI, many applications, etc. With Linux, bugs in these would be reported against different entities.
Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grow faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.
So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.
You get what you pay for. RedHat has a financial stake in making sure you get your money's worth. Microsoft does not. You've already paid for thier product. So they put out fixes, updates, etc. at their leisure. Where RedHat will lose update subscribers if there is the 'perception' that people aren't getting value for the money spent. The customer can be getting value, they just have to feel like they are not getting value for RedHat to suffer in this way.
Just my $0.02
EFGearman
---
Atomic batteries to power! Turbines to speed!
What is it exactly that you're so baffled by? Just because you've never seen them only shows your ignorance, since they've been sending these out for years now. As far as being in an obscure place, where would you expect to find it? I always use the direct link to the bulletin list (www.microsoft.com/technet/security/current.asp), but if I didn't know how to find it, I think I might try www.microsoft.com/security. And whaddaya know, there's a web page there and the second link on the left is for the Security Bulletin service. How obscure. *ahem*
Reading this gave me a warm fuzzy feeling inside.
-----------------
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.
Not at all. The way I see it, there are two things at work here.
- Cover his own ass from possible litigation from the people of the United States, represented by John Ashcroft.
- Drive a message to the people of the United States that the DMCA is a bad law, and they should seek its immediate repeal.
On the other hand, Microsoft, while their intention is also to cover their ass, it's not from litigation and legal hot water, it's from their own bad PR. Microsoft isn't even trying to seek repeal of the DMCA, for obvious reasons. Whereas Cox was making a political statement, Microsoft is just trying to censor bad PR.Therefore, it is right and consistent that we can hate Microsoft for censorship, and applaud Cox for censorship, because there are deeper levels and motives than simply censorship.
Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.
This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.
It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived a such a one-sided settlement.
Most evil is done by good people, and not by accident, but deliberately; motivated by high ideals toward virtuous ends.
Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.
From Microsoft's article:
We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:
By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
But the movie house is on fire. The bug exists - your private information is vulverable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.
It's natural for a powerful organizion to want to surpress speech that points out its flaws. It's natural - but it should never be tolerable.
Don't blame me; I voted for CowboyNeal.