Slashdot Mirror


Microsoft Microsoft Microsoft

Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.

8 of 723 comments

  1. I can't read the details of the security flaw by Genaro · Score: 4, Interesting

    because I disabled scripting.

    Yes. You need scripting in order to get details of the security hole. On the other hand, they recommend you disable scripting.

    Odd.

    Yes. I have to use Windows at work.

    Yes. I could use Mozilla.

  2. security software by whiteben · Score: 5, Interesting

    Perhaps the scariest line in the securityfocus.com article is this one:

    The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.

    Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.
    I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.
    BEN

  3. As a former "black hat" by CmdrTroll · Score: 5, Interesting

    Back when I was in high school, I was a script kiddie. I would DDoS my classmates to show how k-RaD I was. I had an extensive network of trin00 and BO2k zombies at my disposal. It was fun. For a while.

    The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.

    Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.

    -CT

  4. Something Amusing by DarkZero · Score: 5, Interesting

    As an experienced IE user, I immediately took the usual steps to get around IE vulnerabilities. I immediately turned off Active Scripting (it was a blunder on my part that it wasn't disabled, because I didn't know IE6 had added THAT MUCH new stuff), and then went to Windows Update...

    You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.

    Redmond dumb-asses.

  5. Re:Linux Linux Linux by M_Talon · Score: 5, Interesting

    So many holes in this rant, which ones to choose? Let's go with this one.

    I can sell my copy of XP if I wish; if I sell my NFL tickets it can be scalping. Microsoft doesn't price point XP, they give it a value. I can buy XP and sell it for 30 bucks or 300 bucks, whatever the consumer is willing to pay. I can't do that with baseball tickets, NFL tickets or phone service.

    Try selling your copy of XP online, and watch how fast MS stops you because of licensing issues. If you actually sell it on the street, they could still nail you if they find out. You can resell your sports tickets at face price without violating scalping laws. Phone service is a service, not a product, and thus is non-transferable.

    Or how about this one?

    So why all the resistance on Microsoft? Why not make it a perfect world and attack the NFL, MLB, NBA, WNBA and your local telco megopoly who restrict your choices and charge you exorbitant prices and rip off the consumer.

    Because there are other sports and other phone options, and for the most part those don't do such blatant anti-competitive practices. You don't see the NFL trying to create a baseball team. M$ wants to control the entire computing experience and then some...and they make no bones about it. And of course, the biggest point is that MS has been found to be in violation of law for their monopolistic practices, and yet they still flagrantly defy the law. That makes them a viable target for criticism, pure and simple.

    --
    Electronic Frontier Foundation for online civil rights information

  6. Re:They could learn from Apple... by Jagasian · Score: 4, Interesting

    Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
    Note that I am a Debian Linux user, so I have no bias in favor of Microsoft, but come on, the real question should be "Can anyone imagine MS shipping a product with such a horribly-stupid-of-stupid-critical-lose-every-flaw as the recent iTunes 2.0 ultra-blunder?" Apple is no hero for bringing out a fix as fast as they did, simply because such a fix never should have been necessary in the first place.

    I have seen Microsoft release products that do really stupid things, but I have trouble recalling the last time they released a music application that unnecessarily formats your hard drive. I mean, come on... MS is bad, but are they as bad as Apple? If Apple was as popular as MS, you would probably be singing a different tune about iTunes 2.0.

    Debian Linux has a community run software testing process that would never let something like iTunes ship as "stable".

  7. Re:Of course there will be more buges reported in by Flower · Score: 5, Interesting

    Couldn't put it better myself.

    I recently attended a SANS course on IIS. According to the instructor, MS enables features to lower support costs. If it's already on, nobody will call to get it working. WFM is a similar tale. It was designed to eliminate support calls, but an employee realized it could be expanded to function like tripwire.

    Personally, I think if someone needed Internet printing enabled on a web server they would search for a TID instead of spending money calling MS if they couldn't noodle it out. But I'm guessing I'm just optimistic here.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie

  8. Re:Corvair all over again? by ivan256 · Score: 4, Interesting

    I have yet to see a root level exploit in windows that has lasted even near as long before being patched.

    I'm sorry, but a bug that is found today in NT 4.0 or 2000 has most likely been around since the product came out. You're trying to say that Windows bugs don't exist until someone finds them, but Linux bugs are retroactive since the version that they are in came out. Compare apples to apples.

    When the root exploit was found in Linux, the patch was available the very same day. Microsoft can't get a security fix out and tested with "a few days of work". They have hundreds of well-paid programmers; Linux is written by loosely tied, mostly unpaid volunteers. You need to get the wool out of your eyes.