Microsoft Microsoft Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
I clicked on the Microsoft security bulletin. I've never seen one of those before. Back when I first bought my gateway I actually registered with Microsoft online, and so I find it hilarious that an important bulletin such as this is in such an obscure place. I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though. I'm still laughing about that bulletin. Aren't you supposed to distribute bulletins, not hide them somewhere? Ugh...
~ now you know
I find it hard to believe that someone on slashdot would complain about webpages designed for IE not working.
If MS security bugs encourages web designers to design gracefully degradable web pages, that's fine with me.
Jesus saves....And takes 1/2 damage.
Just as a disclaimer, I'm not one to defend Microsoft in most cases. But what I think most people don't think about is that there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user-base is so huge that there is more of a possibility that these bugs will be found and in many cases used for unfortunately bad purposes. If Linux/Mac OS/etc were the most widely used, you'd see much the same focus on problems with the software.
That said however, I don't care for MS and the majority of their software that I do use is out of necessity.
forma3
I'm just waiting for him to declare Windows XP to be "unsafe at any speed."
Do not taunt Happy Fun Ball(TM)
"California deserves special credit for its stance. Bill Lockyer, the state attorney general, has emerged as the most important public official in America when it comes to holding back the Microsoft tide."
sulli
RTFJ.
Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?
How are software bugs, especially critical ones, different from design flaws in a tire?
Indie rock lives! b-side!
And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows.
If you read the security bulletin, it's not referring to Windows at all. It's a problem with Internet Explorer version 5.5 or later.
Seems that that little slip exposes a great deal of anti-M$ bias. Not good for a supposed "news source".
The Register, and How Microsoft invented open source, by Billg
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
because I disabled scripting.
Yes. You need scripting in order to get details of the security hole. On the other hand they recommend you to disable scripting.
Odd.
Yes. I have to use Windows at work.
Yes. I could use Mozilla.
Of course, Nader's stance at the far left at the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
OK. Let's let Microsoft keep their security flaws secret. Do any of us think that will really work?
Part2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.
Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this Summer would have been affected in the least by Microsoft's proposed policy.
Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?
But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.
The living have better things to do than to continue hating the dead.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"
Are they referring to the recent release of XP?
Thanks Ralph, this is why I voted for you.
Also I like seatbelts.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"
Funny, Open Source software can have a patch out within a few days, why can't Microsoft?
Things you think are in the Constitution, but are not.
SF Gate has an article about how the states are "sabotaging" the settlement:
Why are they asking the court to derail the settlement, effectively guaranteeing that the case won't be resolved for years? The state attorneys general claim the high ground as defenders of consumers, but it is hard to see what consumers of software would gain in prolonging this legal agony.
Uhh, ok...
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.
Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.
I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.
BEN
If you weren't AC I would tell you where you can get them, where to find patches, and who to contact about getting a fix.
The Kruger Dunning explains most post on
The BBC also has an article today detailing some of the groups and corporations that are lining up to take on Microsoft on several different fronts.
Pardon my french, but *bullshit*.
Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
Reality has a liberal bias
The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.
Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.
-CT
It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.
Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days".
A Microsoft spokesman was later heard saying - "We didn't fix it in the first place, what makes you think we're going to now?"
Error:
But what do I know.
You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.
Redmond dumb-asses.
From the article:
The person who discovered this vulnerability has chosen to handle it irresponsibly , and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, then it's easy to make the connection that the open-source community is vilifying the information management structure that Microsoft and friends are working so hard to manage for the best interest of the consumers.
They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsoft's high standards of quality.
Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsoft's best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a company's product to an unapproved bill.
Dacels Jewelers can't be trusted.
The point of the Microsoft suit was to bring back competition. Innovation was stifled because no one could get investment $$ if they were in a market Microsoft was even thinking about entering.
So what is the effect on investment capital of the settlement?
The proof is in the pudding. Is Red hat stock up? Is Palm or Be stock up - or is anyone coming in with a bid that beats Palm's paltry $11 million? Is there venture capital available for companies to compete with productivity apps or streaming audio?
Here's a reality check...
Microsoft made PC vendors deals they couldn't refuse (and when they accepted, couldn't afford to get out of) to put their stuff on machines. If it's already on the machine, most people won't bother to get a different program unless it's so atrocious as to be unusable. Doesn't matter if it's free- it'd have to be 100 times better for the average person to bother with getting it. Once you're in that position, it's very difficult to shift the player in place because of network effect- it's nothing at all to do with how "good" a program is.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Many of MS's problems aren't bugs, they're designed to work that way. MS has had a poor record of thinking about security. They tend to think more of features, and what can the enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
This is just lying right-wing ideological crap. He has said that the public (government) has a right to limit the actions of corporations when those actions might harm the interests of the public.
So many holes in this rant, which ones to choose? Let's go with this one.
I can sell my copy of XP if I wish; if I sell my NFL tickets it can be scalping. Microsoft doesn't price point XP, they give it a value. I can buy XP and sell it for 30 bucks or 300 bucks, whatever the consumer is willing to pay. I can't do that with baseball tickets, NFL tickets or phone service.
Try selling your copy of XP online, and watch how fast MS stops you because of licensing issues. If you actually sell it on the street, they could still nail you if they find out. You can resell your sports tickets at face price without violating scalping laws. Phone service is a service, not a product, and thus is non-transferable.
Or how about this one?
So why all the resistance on Microsoft? Why not make it a perfect world and attack the NFL, MLB, NBA, WNBA and your local telco monopoly who restrict your choices and charge you exorbitant prices and rip off the consumer.
Because there are other sports and other phone options, and for the most part those don't do such blatant anti-competitive practices. You don't see the NFL trying to create a baseball team. M$ wants to control the entire computing experience and then some...and they make no bones about it. And of course, the biggest point is that MS has been found to be in violation of law for their monopolistic practices, and yet they still flagrantly defy the law. That makes them a viable target for criticism, pure and simple.
Electronic Frontier Foundation for online civil rights information
From the MSNBC article:
In a classic display of Microsoft pugnacity, the company hammered opposing government lawyers on nearly every conceivable point, no matter how small. Eventually exhaustion became a factor, lawyers on the government side acknowledge.
So let's make sure the state attorneys general keep their lawyers adequately supplied with No-Doze!
www.lucernesys.com Horizon: Calendar-based personal finance
Cookie Data in IE Can Be Exposed or Altered Through Script Injection
Originally posted: November 08, 2001
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Exposure and altering of data in cookies.
Maximum Severity Rating: High
Recommendation: Customers should consider disabling active scripting in the
Internet Zone and the Intranet Zone. Customers using Outlook Express who have
not set OE to use the "Restricted Sites" Zone should do so as a best practice.
Affected Software:
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Technical details
Technical description:
Web sites use cookies as a way to store information on a user's local system. Most
often, this information is used for customizing and retaining a site's setting for a
user across multiple sessions. By design each site should maintain its own cookies
on a user's machine and be able to access only those cookies.
A vulnerability exists because it is possible to craft a URL that can allow sites to
gain unauthorized access to user's cookies and potentially modify the values
contained in them. Because some web sites store sensitive information in a user's
cookies, it is also possible that personal information could be exposed.
Microsoft is preparing a patch for this issue, but in the meantime customers can
protect their systems by disabling active scripting. (The FAQ provides step-by-step
instructions for doing this). This will protect against both the web-hosted and the
mail-borne variants discussed above. When the patch is complete, Microsoft will
re-release this bulletin and provide details on obtaining and using it.
Mitigating factors:
A user must first be enticed to a malicious web site or to open an HTML e-mail containing the malformed
URL.
Users who have applied the Outlook Email Security Update are not affected by the HTML mail exploit of
this vulnerability.
Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the HTML mail
exploit of this vulnerability because the "Restricted Sites" zone sets Active Scripting to disabled. Note that
this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active
Scripting is still disabled in the Restricted Sites Zone.
Severity Rating:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   High               High               High
Internet Explorer 6.0   High               High               High
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment
patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2001-0722
Tested Versions:
Microsoft tested Internet Explorer 5.5 SP2 and 6.0 to assess whether they are
affected by these vulnerabilities. Previous versions are no longer supported, and
may or may not be affected by these vulnerabilities.
Frequently asked questions
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly,
and has deliberately made this issue public only a few days after reporting it to
Microsoft. It is simply not possible to build, test and release a patch within this
timeframe and still meet reasonable quality standards.
What's the scope of this vulnerability?
A malicious web site with a malformed URL could read the contents of a user's
cookie which might contain personal information. In addition, it is possible to alter
the contents of the cookie. This URL could be hosted on a web page or contained in
an HTML email.
What causes the vulnerability?
The vulnerability results because of an unsafe handling of cookies across IE zones.
How would an attacker carry out an attack using this vulnerability?
An attacker could attempt to maliciously exploit this vulnerability by hosting a page
with a maliciously crafted URL. They could also send the victim an HTML email with
a similarly crafted URL.
In the case where the attacker hosted a web page, would he have any way to
compel me to visit the site?
The attacker could not force you to visit his site. Instead, he would need to entice
you into performing some action that would cause you to visit the site. There are,
however, a variety of actions that could be used to do this, from visiting a web site
that would redirect you to the attacker's, to opening an HTML e-mail that
referenced the attacker's site.
In the case where the attacker sent me an HTML e-mail, would simply opening
the mail allow me to be attacked?
Yes. It is possible for an attacker to craft an HTML email in such a way that it
would exploit this vulnerability on opening the mail.
Why does changing my IE settings help protect me against a mail-borne
attack?
As we mentioned above, HTML e-mails are just web pages sent via e-mail. Outlook
uses the IE security architecture to limit what HTML e-mails can do when opened.
By default, Outlook 2002 opens all HTML e-mails in the Restricted Sites Zone.
Is this a permanent change?
No. Microsoft is working to develop a patch that will eliminate the vulnerability.
When it's completed, you'll be able to install the patch and then return your IE
settings to their previous values.
How likely is it that I could be affected by this vulnerability?
It depends on your web browsing and e-mail habits. Customers who exercise care
in choosing the sites they visit, and who are careful not to open obvious spam and
other untrustworthy e-mails would be at less risk from this vulnerability. However,
customers can easily make a configuration change that will provide complete
protection.
What's the configuration change that will protect against this vulnerability?
Customers who are concerned about this vulnerability should disable active
scripting. All web pages (and HTML e-mails, which are just web pages delivered via
e-mail) are categorized into one of several zones, and the settings in each zone
dictate what actions can be taken within it. By disabling active scripting in the
Internet zone a user can prevent an attacker from exploiting either the web-borne
or mail-borne versions of this attack.
How do I disable active scripting in Internet Explorer 5.5 and 6.0?
On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
In the Settings box, scroll down to the Scripting section, and click Disable under "Active scripting" and
"Scripting of Java applets".
Click OK, and then click OK again.
I am a network administrator. How can I disable active scripting in my
enterprise?
With new deployments of Internet Explorer, an administrator would use the IEAK and disable active
scripting before building the package and rolling it out to client machines.
For currently deployed clients, use Profile Manager to create an auto-config INS file to make the registry changes
needed to disable active scripting on client machines with Internet Explorer already installed.
For administrators that prefer to use SMS or login scripts, the following are the registry changes that would
disable active scripting on the client machine:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
There are five different sub keys under each "Zones" key. Each key controls a
different security zone. The key names are 0-4.
0 = Your computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
There is then a DWORD value under each zone number key that must be modified to disable active-scripting
for each zone.
The REG_DWORD value to be modified is "1400".
Setting this value to "3" (from "0") will disable active scripting.
HKCU setting changes take effect immediately. However the HKLM settings
would most likely require a reboot.
Patch availability
Download locations for this patch A patch will be posted as soon as it is available.
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Internet Explorer 5.5 and 6.0 when available.
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center, and can be most easily
found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
All patches available via WindowsUpdate also are available in a redistributable form from the
WindowsUpdate Corporate site.
Other information:
Support:
Technical support is available from Microsoft Product Support Services. There is no charge for
support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (November 08, 2001): Bulletin Created.
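The bulletin's registry instructions (the per-zone REG_DWORD "1400" under the Zones keys, 3 = disabled) lend themselves to an offline audit. The following is an added example, not part of the bulletin or of Microsoft's tooling: it parses a `reg export` of the Zones keys, reports every zone where Active scripting is still enabled, and emits a .reg file that sets 1400=3 for the Intranet and Internet zones the bulletin recommends. The sample export is constructed, and the DisplayName strings in it are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

# Zones keys named in the bulletin, spelled as `reg export` writes them (full hive names).
ZONES_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones",
)
ZONE_NAMES = {0: "Your computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
ACTIVE_SCRIPTING = "1400"   # per-zone REG_DWORD controlling Active scripting (from the bulletin)
DISABLED = 3                # bulletin: 3 = disabled, 0 = enabled

# Constructed sample export of an unhardened client's HKCU zones (hypothetical contents).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1400"=dword:00000003
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text: str) -> Dict[str, Dict[str, int]]:
    """Map each [key] section (lower-cased; registry keys are case-insensitive) to its
    REG_DWORD values, decoded from the hex form used in .reg files. Other types are ignored."""
    out: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1).lower()
            out.setdefault(current, {})
            continue
        val = _DWORD.match(line)
        if val and current is not None:
            out[current][val.group(1)] = int(val.group(2), 16)
    return out


def zones_with_scripting_enabled(text: str) -> List[str]:
    """List every zone present in the export whose 1400 value is not 3.
    A zone with no 1400 value at all is also flagged, since it is not provably disabled."""
    findings: List[str] = []
    parsed = parse_reg_dwords(text)
    for zones_key in ZONES_KEYS:
        hive = zones_key.split("\\", 1)[0]
        for n, name in ZONE_NAMES.items():
            key = f"{zones_key}\\{n}".lower()
            if key not in parsed:
                continue  # this zone was not part of the export
            value = parsed[key].get(ACTIVE_SCRIPTING)
            if value != DISABLED:
                findings.append(f"{hive} zone {n} ({name}): 1400={value}")
    return findings


def hardening_reg(zones: Iterable[int] = (1, 3), hive: str = "HKEY_CURRENT_USER") -> str:
    """Emit .reg text setting 1400=3 in the given zones (default: the Intranet and Internet
    zones the bulletin recommends). HKCU takes effect at once; HKLM needs a reboot."""
    base = next(k for k in ZONES_KEYS if k.startswith(hive))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for n in zones:
        lines += [f"[{base}\\{n}]", f'"{ACTIVE_SCRIPTING}"=dword:{DISABLED:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in zones_with_scripting_enabled(SAMPLE_REG):
        print("active scripting still enabled:", finding)
    print(hardening_reg())
```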
Doesn't matter if the exploit is disclosed or not- people still find them, more often than not before they're announced. All the announcement does is put it in the open (open disclosure isn't a script kiddie's friend- it often times means that the exploit's hole is plugged and they can't use their toys on some or most machines anymore...).
There's loopholes in any system. They will be exploited. It's whether or not you know about the loophole and can fix it that makes all the difference between being 0wn3d or not.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Well Linux still hasn't solved the bug that prevents it from being an Operating System you would be comfortable having your parents use. I have no problem putting Mac OS X in front of my technophobe mom.
Strange women lying in ponds distributing swords is no basis for a system of government.
Gross exaggeration makes your point weaker, not stronger.
I got this in my inbox at yesterday at 9:14pm (EST). If you really care about security with Windows machines look at this page, specifically that mailing list service.
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
Hehe.
Wooden armaments to battle your imaginary foes!
I don't use microsoft products either. But when nimda infected how many damn IIS servers, my poor little T1 sure as hell noticed it when all those IIS machines started scanning my servers.
How about when sircam started e-mailing random documents to anyone in the address book. I got a load of random files for absolutely no reason at all. An inadvertent spam.
Just because you don't use Microsoft products doesn't mean Microsoft products can't be used to attack your machine(s). Indirectly, you're still affected sometimes.
Can all fish swim?
On another note, I'm not sure that Microsoft has any grounds for demanding to be notified about flaws in the final releases of their software. If they want to keep bugs from becoming huge public brouhahas, then they should either fix them in-house while the software is still beta, or open the source up and let other people actually fix it. They're out of line to say that people should find bugs in their ware, tell them, and then sit on their discovery while some cubicle slave works to make a patch, and Microsoft takes the credit for saving the day.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
In the cases where Linux or unix has a majority market share Microsoft still leads the exploit statistics by far.
Of course, it's not as simple as saying that MS sucks, but it's a combination of bad design (don't put everything in every program, don't have unlimited interoperation between everything), bad programming (don't use admin privileges if not absolutely necessary, also a design issue maybe), bad installation policies (don't install everything or even anything but the basics by default), bad admins and bad will.
The combination of these elements ends up in software you don't want to be running because it will stink from a security point of view.
So, no, you wouldn't have the same amount of problems on Linux at least. You'd have problems, yes, but not nearly as many. Unless, of course, the general policies among Linux distribution vendors change to install everything insecurely by default, but hopefully that won't happen, and in the Linux world you can always change to another vendor if one of them goes seriously astray.
Hey,
Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin
Wasn't @stake formed from hacker group l0pht? Yes, I think they were! They used to attend Def Con, and work on Back Orifice and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to their site in the place of good, solid descriptions?
My, how times change.
-M
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Okay, some vulnerabilities might be difficult to get fixed in a couple of days...but with a team of programmers as large as they have...months is quite a stretch...they still have God knows how many vulnerabilities in NT 4 that have been known for some time! The linux folks can patch stuff rather quickly with a fraction of microsoft's financial and wetware resources. Show me the problem.
Derek Greene
Does anyone think that withholding software bugs is illegal? It was illegal for Firestone to withhold information because it irresponsibly cost lives. Security holes generally do not, but they do cost companies money. Holding back info for a security flaw will definitely prevent many admins from changing system settings, limiting current development, waiting for a patch before releasing, etc. That in turn will cost money if the flaw is still exploited.
IANAL, but I personally think MS could be sued by a company attacked through a hole kept secret by this security gang. It should in fact be illegal to withhold information about known flaws in any product, since knowing of those flaws may change the value in the customer's eyes. I see that as indirectly constituting fraud.
Anyone know of any precedent or the true current legal standing of such a situation?
Developers: We can use your help.
Just try running without IE
already doing it.
My gaming machine at home runs windows 98SE, and after using 98Lite, it's running beautifully without the scourge that is IE. Mozilla takes care of my web-browsing functions in its place, and I'm a happier man for doing it.
I think if Linux or MacOS, as they are currently, were the most widely used, MS would still have more reported bugs, because there's just so much MS stuff. There's the kernel, the GUI, many applications, etc. With Linux, bugs in these would be reported against different entities.
Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grow faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.
So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.
I recently attended a SANS course on IIS. According to the instructor, MS enables features to lower support costs. If it's already on nobody will call to get it working. WFM is a similar tale. It was designed to eliminate support calls but an employee realized it could be expanded to function like tripwire.
Personally, I think if someone needed Internet printing enabled on a web server they would search for a TID instead of spending money calling MS if they couldn't noodle it out. But I'm guessing I'm just optimistic here.
I don't want knowledge. I want certainty. - Law, David Bowie
Speaking as someone who was at the conference, I would like to make a few corrections.
First, it wasn't Microsoft that proposed the idea at the conference.
Second, the idea of this is to try to get people to follow a standard way of reporting vulnerabilities and force companies to take a responsible role in addressing and responding to vulnerabilities.
Third, this is not designed to try to hide vulnerabilities from anyone.
Basically, it works thus:
Joe Random Person finds a vulnerability in a program or service. He then documents the vulnerability, along with sample code to reproduce the bug. He contacts secure@company.com with the information he has. Joe is now expected not to release information on the bug at this time, but will stay in contact with the company.
The company now has to respond with a couple things.
1) Acknowledgement of the bug
2) An estimated date when it will be fixed
3) Any further questions the company may have
The company will be responsible for keeping in touch with Joe and provide updates on timeframe.
Once there is a patch in place or a fix has been implemented, the company goes public with the bug, including high level information on the exploit. This will not contain code that will exploit the vulnerability, but rather a description and model by which it could be exploited. The company will give credit for the find to Joe. Joe is also free to release his own high-level description of the issue.
After the grace period (around 30 days, there are exceptions), full information on the exploit is released, including code that can be used to exploit the vulnerability. This grace period is intended to allow administrators to have a chance to patch their products. At this time, Joe can also release a full paper with sample code and more details. Again, full credit is given to Joe for the find.
The intent of this is not to prevent the details from becoming public. It is rather intended to lessen the damage that can happen after the release of exploit code. It is not guaranteed to prevent damage, just to try to help reduce it.
There could be errors in this, and don't take this as a summary of the eventual document. This is my summarized take on it.
"All the things I really like to do are either immoral, illegal, or fattening."
- Alexander Woollcott
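The reporting process the poster above summarizes (report, vendor acknowledgement with an ETA, patch plus high-level advisory, then full details after a grace period of around 30 days) is a timeline that can be modelled directly. The following is an added example and is not code from the post, the conference, or any vendor; the class name, the two detail levels ("high_level" and "exploit"), the dates, and the 30-day default are all assumptions chosen to illustrate the policy as described:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Stage(Enum):
    REPORTED = 1       # finder has sent details to secure@company.com
    ACKNOWLEDGED = 2   # vendor confirmed the bug and gave an ETA
    PATCHED = 3        # fix shipped; high-level advisory may go public


@dataclass
class Disclosure:
    """Hypothetical tracker for one report under the grace-period model."""
    reported_on: date
    grace_days: int = 30          # "around 30 days, there are exceptions"
    stage: Stage = Stage.REPORTED
    acknowledged_on: Optional[date] = None
    eta: Optional[date] = None
    patched_on: Optional[date] = None
    credit: str = "Joe Random Person"   # finder credited at every public step

    def acknowledge(self, on: date, eta: date) -> None:
        """Vendor step 1 and 2: acknowledge the bug and give a fix date."""
        if self.stage is not Stage.REPORTED:
            raise ValueError("already acknowledged")
        if on < self.reported_on or eta < on:
            raise ValueError("dates out of order")
        self.acknowledged_on, self.eta, self.stage = on, eta, Stage.ACKNOWLEDGED

    def update_eta(self, eta: date) -> None:
        """Vendor keeps the finder informed when the timeframe slips."""
        if self.stage is not Stage.ACKNOWLEDGED:
            raise ValueError("no open ETA to update")
        self.eta = eta

    def release_patch(self, on: date) -> None:
        """Fix is out; the grace period for full details starts now."""
        if self.stage is not Stage.ACKNOWLEDGED:
            raise ValueError("patch must follow acknowledgement")
        self.patched_on, self.stage = on, Stage.PATCHED

    def full_disclosure_on(self) -> Optional[date]:
        """Earliest date on which exploit-level detail may be published."""
        if self.patched_on is None:
            return None
        return self.patched_on + timedelta(days=self.grace_days)

    def may_publish(self, detail: str, on: date) -> bool:
        """detail is 'high_level' (description and model of the flaw)
        or 'exploit' (working code). Both finder and vendor follow this."""
        if detail == "high_level":
            return self.patched_on is not None and on >= self.patched_on
        if detail == "exploit":
            due = self.full_disclosure_on()
            return due is not None and on >= due
        raise ValueError(f"unknown detail level: {detail}")

    def days_overdue(self, on: date) -> int:
        """Days past the vendor's ETA with no patch; 0 when on track or done.
        A finder would use this to decide whether the vendor is keeping up."""
        if self.stage is not Stage.ACKNOWLEDGED or self.eta is None:
            return 0
        return max(0, (on - self.eta).days)


if __name__ == "__main__":
    # Constructed timeline, not a real report.
    d = Disclosure(reported_on=date(2001, 11, 1))
    d.acknowledge(on=date(2001, 11, 3), eta=date(2001, 11, 20))
    print("overdue on Nov 25:", d.days_overdue(date(2001, 11, 25)))
    d.release_patch(on=date(2001, 11, 28))
    print("full details allowed from:", d.full_disclosure_on())
```

The two detail levels are kept as separate checks because the post distinguishes what can be said on patch day (a description and a model) from what waits for the grace period (code that exercises the flaw); `days_overdue` gives the finder an objective measure of whether the vendor is honouring its own ETA.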
Why did you USAnians not vote this guy in as president? Nader has consistently shown himself to be perhaps the only American politician with any clue, ever.
Instead you lot went to a two party choice between Mr Personality and The Chimp. And the Chimp won!
The world weeps.
Anyone else remember when l0pht.com used to be the place to find information on Windows vulnerabilities? I see that @stake is one of the 5 security companies announcing this anti-information coalition.
Heh, security through obscurity! That's a good idea that has always worked for Microsoft;)
If corporations want to enjoy the rights of natural persons, then they must also accept the responsibilities of natural persons as well. The senior management and board of directors of corporations must be held PERSONALLY accountable for the illegal actions of the corporations. Microsoft wouldn't keep defying the courts if Gates, Allchin, and Ballmer actually faced the possibility of being sent to prison for their criminal activities.
I'm surprised that some ambitious Federal prosecutor hasn't gotten the bright idea of bringing up Gates & Co on federal conspiracy charges. (Conspiracy to violate the Sherman Anti-Trust Act, for example). It is a federal felony for 2 or more people to conspire to break a federal law. Hell, if they really wanted to go for broke, they could call MS a Continuing Criminal Enterprise, and invoke the RICO act. [Shudder. Even Bin Laden doesn't deserve to have that draconian piece of shit law used against him]
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
One thing I know from talking to a friend who was on a Microsoft programming team. They do not get bonuses on quality / security of code, but on the fact of how fast they can get it out for cash. Basically as I was told, their software is never really fully tested. With 2000/NT, until patch 2 came out for either of them, they were riddled with security holes and bugs. Microsoft is a moneymaking company, not a quality software company. Someone as big as Microsoft could easily test their products extensively, but that would cut down on their profits. Oh damn, we could not do that to poor old Billy boy Gates, could we.
Personally, I would not care if Microsoft is a monopoly if they would be somewhat inventive (they just revamp others' ideas) and put out quality code.
My 2 cents plus more
Of course, it also misses the point that network security admins may need to do massive exploit scans to locate vulnerable machines on their networks. There are a lot of people who admin networks with thousands of machines.
And it misses the point that one may not have a 100% trust that the vendor gets the patch right and would like to test vulnerability after patching.
Go call Microsoft and ask them if you can sell your copy of XP, eh?
Hint of what response you can expect: In. Your. Dreams.
Though that strategy looks downright effective compared to yelling at "grownups" who've seen the error of their ways.
While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
"I may not have morals, but I have standards."
and yet they still fragrantly defy the law
So THAT'S what that smell is! I thought it was just my cubemate's brain frying on this old code.
"Active Scripting" is the term Microsoft uses to refer to client-side JavaScript and VBScript. Thus, disabling active scripting will not only break pages designed for IE, it will break any page designed for any browser if that page contains JavaScript or VBScript (remember, there's an addon for the Windows version of Netscape 4.x that gives it the ability to run client-side VBScript and ActiveX controls).
Furthermore, Michael, switching off Active Scripting is not the only way to avoid falling prey to this exploit. In order for the exploit to work, someone must convince you to go to a specially-formed URL. Being smart enough to recognize malicious URLs would allow you to avoid this security hole without disabling Active Scripting.
I find it disturbing that you're so obviously biased against IE (and apparently also uninterested in learning details before representing your own uninformed misconceptions as "fact"). I've never made the mistake of thinking of Slashdot as an unbiased news source. A predilection towards open-source rather than commercial software is one thing, however, while openly vehement bias based on false conclusions is another.
For your own sake, and for the sake of Slashdot's journalistic integrity (ha ha), please at least do a little bit of fact-finding before posting knee-jerk stories like this.
Cookie vulnerability found here
Reading this gave me a warm fuzzy feeling inside.
-----------------
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
The manager responsible for this piece of Internet Explorer was overbudget and entrusted its development to a college co-op with Visual Basic experience.
It's all so clear now...
-- @rjamestaylor on Ello
Pissing in the ocean. That's what this "unnamed organization", otherwise known as the "Security KGB", will accomplish. I'm amazed at how many businesses aren't making enough money from the internet, and thus are trying to legislate out free speech. I'm having a blast, personal economic downturn and layoff aside, watching these companies that have never actually had a product to sell, crying because the big bad internet is out of control, and that they can't compete against free products that do EXACTLY THE SAME TASKS as their pay-products. Waaaa...
Welcome to the open market and the information age, crybabies exit at the rear...
It's interesting. I've already read every one of these articles linked to by slashdot in the last few days.
But the bizarre thing is how biased slashdot is with their presentation. If you actually click thru on the links and read the stories, you'll understand why.
For instance, why wasn't this article from news.com linked as well, considering it is Scott Culp responding to a lot of the questions and accusations?
http://news.cnet.com/news/0-1014-201-7819204-0.html?tag=bt_bh
As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
Well duh! If you're creating webpages just for IE you get what you deserve. There are standards out there and if you use them you will be fine. If you don't use them you only have yourself to blame.
I've stopped blaming Microsoft and starting blaming these webmaster who ought to know better.
A Government Is a Body of People, Usually Notably Ungoverned
Nope. It's not.
The Netcraft survey crawls through all those little Melvin machines which each have an httpd running that nobody ever accesses.
Nobody cares about them. They are irrelevant.
Actually, it tends to go the other way - IIS installs as standard on a heck of a lot of WinNT boxen that do no hosting, and as (much as we hate to admit it here) most small businesses (big enough to have an always-on connection but not big enough for their own IT dept) use Windows. Most Apache installs are meant to be there.
If Linux/Mac OS/etc was the most widely used, you'd see much the same focus on problems with the software.
Microsoft's products are buggier because they are more ambitious in terms of functionality and target user base. Designing software that is only used by people with software knowledge is much easier than designing software for the general public. Creating an application that accounts for all the possible mistakes and questions that the average user is going to have is a huge undertaking. Add to that the extra functionality that M$ adds to its products (for better or worse), and it is no mystery why it has more bugs. Sure it crashes more, but it also DOES more.
As such, the idea that more bugs will be found in software if it gets wider distribution puts the cart before the horse. In order to get wider distribution, software must expand ease of use and functionality, and thus expose itself to the introduction of bugs (if it is to be released in a timely manner). However, users, as history has demonstrated, care more about features than they care about bugs. Again, as history has demonstrated, the most stable OS you can create, even if it is free, can not compete with an OS that includes the functionality that people want and, more importantly, is easy to use.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
...because Microsoft is implicitly saying that it's okay to enable Active Scripting on Microsoft sites because you can trust them. Despite the fact that they're the ones who gave you this security vulnerability in the first place.
Gee, maybe that explains why http://packetstormsecurity.org has had the rate of submissions slow from many a day to one or two every couple of days. I KNOW vulnerabilities are being found but it's REALLY hard to explain to management why they MUST rollout a security patch if I cannot PROVE to them that, yes its a problem! Has everyone rolled over?
WTF is wrong with these folks?! I can see it now - we're all going to have to sign up to some sort of subscription service to learn about the various vulnerabilities. No doubt it won't be free, right? I have a VERY hard time believing that @Stake aka L0PHT signed up for this. My opinion of those fine folks just dropped into the basement. I never thought I'd see the day when they would kowtow to Microsoft, it's a sad day indeed for the security industry.
Who are we doing this for? The children? National Security? Oh wait - Bill's cash. Seems to have greased the DOJ wheels pretty good, guess things are bad all over when the security industry sucks it up too. This just makes me sick.
Any good full disclosure sites out there taking over where PacketStorm died? If so I'd appreciate some URLs. BTW, some of the folks on our team swear that SecurityFocus has pulled data OUT of their vulnerability database in recent months. Cannot confirm it for sure but when you know you looked it up previously and then it's not there later you have to begin to wonder....
P.S. If RFP signs on Hell will have frozen over. Thankfully he doesn't appear to take cash for his efforts!
Build it, Drive it, Improve it! Hybridz.org
Why? Microsoft isn't the government.
Not yet anyway.
You see? You see? Your stupid minds! Stupid! Stupid!
They tend to think more of features, and what they can enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
I will point out that this exactly how the vast majority of people think as well. In most ways, MS is giving the customer exactly what they want.
People are not trained to think about computer security (and would probably give up on computers if they had to). Thus, they only see security measures as a hindrance. I've certainly heard people complain that Java applets can't really do anything useful since they can't do what an ActiveX program can...
Blaming MS for badly thought out security is like blaming Hostess for making fatty foods. They're both addressing what their markets want, not what "is good for them".
I've been on broadband for one year now, with both Slackware and FreeBSD, and not once have I been hacked. I have logs that show people tried but did not get through. Of course I'm only running a client box so I shut off virtually everything, but if I know enough to secure my box at home, you would think that the guys getting paid to admin servers would be even more paranoid.
The bastards are going to know the exploits before you do, so make that part of your equation. Don't plan on the known avenues of attack, plan for the unknown. Expect that someone *will* break in and have a plan in place for that eventuality.
A Government Is a Body of People, Usually Notably Ungoverned
Why all the MS bashing? If it wasn't for MS there would be no OpenSource. ;-) Read today's TheRegister
Quote: The open source movement wouldn't exist without Microsoft, Bill Gates told his company's shareholder meeting earlier this week. Open source is also a follower, not an innovator, and destroys jobs, the economy and world peace (we made that last bit up).
Help fight continental drift.
Of course, Linux is free, so the reason more people don't use it isn't the same as the reason more people don't drive Ferraris or Mercedes Benz...the average person doesn't want to mess around with his or her computer any more than he or she wants to have to do his or her own car repairs, and thus if, thanks to MS's restrictive OEM licenses, you have to build your own computer to run Linux and have to install it yourself and, thanks to the applications barrier to entry, have to go looking for Linux applications, the average person won't bother, but will instead be an obedient consumer and use Windows.
Earth to AC: Read The Fine Court Decision. MS has a monopoly, and can and does use it to crush competition.
*sigh*
Under capitalism man exploits man. Under communism it's the other way around.
What do you mean still?
RedHat has released more bulletins about security vulnerabilities this year than Microsoft has.
At the rate RedHat is going the ratio will be 2 to 1 next year.
From this article...
Arming the enemy
First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®
I thought Linux was a registered trademark? Because it's free, does that mean they don't have to recognize their trademark with ® signs they like to toss up all over the place???
Why can't M$ get a patch out in the "few days" of warning they had? Because they are too busy breaking other people's applications to fix their own code. M$ is ruled by the $, don't think engineering has any power any more. If PR and management wanted a good reputation, you would think they would quit trying to screw everyone.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I have a lot of respect for Nader (I even voted for him), but I don't think he knows much about computers or software. MS is an easy target and Nader hasn't been particularly effective at protecting consumers in recent years. I wish he would do more to break the Ticketmaster monopoly which is far more comprehensive than Microsoft's and has measurably harmed consumers financially.
i've been using up2date on my computer at home. after you login you get one free "seat" (i don't remember the word they use).
so when you start up2date on a computer the first time you create a profile of that computer at redhat. you can move this seat between computers so you can still use it for free if you have multiple computers. this is nice because it cuts home users, like myself, some slack.
-- john
I don't know, last time I checked IIS was only installed by default if you upgraded from a box with PWS on it. This is *not* a very common happenstance, and I fail to see why the "IIS installs by default" mantra is so prevalent, given that it *hardly ever happens*.
What's a sig?
Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.
This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.
It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived at such a one-sided settlement.
Most evil is done by good people, and not by accident, but deliberately; motivated by high ideals toward virtuous ends.
Either they or their technology are pathetic.
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
So, there's apparently a huge market for poorly designed, poorly implemented, but "feature-rich" and "easy to use" software.
Okay.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
"Install IIS" is on by default in the Windows NT Server 4.0 installer.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...
The real danger is when someday someone will discover one of these huge gaping holes, not tell a soul, and then exploit them for profit, terror, extortion, or simple chaos.
We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....
Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.
From Microsoft's article:
We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:
By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
But the movie house is on fire. The bug exists - your private information is vulnerable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.
It's natural for a powerful organization to want to suppress speech that points out its flaws. It's natural - but it should never be tolerable.
Don't blame me; I voted for CowboyNeal.
Interestingly, Apple has generally taken the exact opposite approach. I haven't run OS X yet so I don't know what the precise situation there is, but out of the box an OS 1-9 machine has no network services enabled by default, except the basic support for AppleTalk/EtherTalk, while Windows boxen, particularly NT systems, have a bunch of open ports by default. I suspect that OS X probably has some open ports; *nix tends to necessitate it. I still get paranoid about syslogd. :)
I've never heard that Apple gets tons of support calls from this policy.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
And your interpretation of Pogo sucks. The correct line is:
BTW, what does it mean for a software design to 'get to first base', as you put it?
I've often thought about this, and the company itself should be punished as well, and with severity similar to what you or I go through. Criminal Negligence Causing Death would come up more than once in a while in a company lifetime. You or me? A few years in the clink. Corporation? 00.3% hit out of their profits. Right. How bout they are denied the right to sell products for a 4 year period? Maybe when shareholders start noticing their stocks disappearing they might invest in companies with more morals than a Thailand organ-harvesting racket.
There's a reason why MS takes so long to get security patches out.
A previous poster mentioned Apple with the iTunes installer nuking the hdd, and how they got a patch out quickly, implying that if Apple can do it, MS should be able to too... well, things aren't quite so black and white:
The problem in the iTunes installer was a small typo in a bash script. The behaviour of the installer script is so simple that it's fairly obvious what effects the change would make. Easy patch. If only all bugs were so easy to fix.
A relatively short while ago some info regarding a few vulnerabilities in Exchange (I think it was Exchange...) was released to the public@large by some third party. MS rushes out patches and lo and behold! A fairly significant proportion of users reported serious issues after installing the patch - it was messing up other parts of the system. MS rushed out a second version of the patch, which again wasn't satisfactory. It took 3 iterations of the patch to get something that seemed to work successfully on almost every machine it was installed on!
What went wrong? The Law of Unintended Consequences reared its ugly head.
If you look at the security holes that poke up in MS stuff, they often look like they result from some complex interaction that Microsoft's developers never expected. These interactions are partially the fault of the way they seem to design their systems and partially due to the vast number of configurations they end up operating in. Unfortunately, when you're fixing a bug that's resulting from some complex and probably subtle interaction between different components of your application (or even worse: another application) then your change could have drastic and far-reaching effects.
To help mitigate this problem they do extremely extensive regression testing. Typically, before a patch gets posted it's run through some of the weirdest and craziest system configurations they can think of to make sure it doesn't break anything, and if it does they figure out why and fix it. This takes time. Lots of time!
Failure to address Ill Gotten Gains
Ill Gotten Gains, or Bill Gotten Gains.
JET Program: see Japan, meet intere
While I'm glad he's chimed in on this, I'd say he's just as, if not more, "uncompromising" and "abrasive" as RMS.
Sure, lets enable scripting "just this once", because Microsoft servers have never been infested by worms or trojans right, so we can trust them.
Besides, its much easier to leave the nice dynamic content scripts all over the site than to just provide a basic HTML with the exploit warning and patch link.
They might as well make the whole security notification system an ActiveX control- because those have such good security, much better than a simple text file.
Sarcasm off, one would think that security advisories could avoid using the tools that generate the majority of the security advisories.
Sure it crashes more, but it also DOES more
This is not an excuse; it is also only half true. Windows XP does crash more, but it certainly does not do more than RedHat Linux 7.2
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussolini
Actually, this is a useful comparison. The Twins issue is all about coercion: St. Paul voters (bless them) decided a few years ago not to fund a new stadium for the Twins with tax dollars. There was a lot of bucking and hawing, but the public's message consistently was, "We want the Twins, but we don't want our taxes to fund them." Here's a great feature from Minnesota Public Radio about the whole history of the issue.
A few days ago, the major league baseball owners voted to eliminate two teams. It's front-page headlines here. Here's the catch: they've announced that they'll eliminate two, but not which ones. They're basically trying to whip up a lot of public sentiment, and daring the various cities with struggling teams to outdo each other in tax subsidies. It's a disgustingly coercive power play.
And I expect to see the same from Microsoft. If -- we could only wish! -- the court threatens a remedy that will actually have any effect, they'll start dangling their carrots and tying their heroines to the railroad tracks. They already do this in their rhetoric with these far-fetched missives about the economy, freedom, and Technological Progress.
But I expect to see some concretely coercive tactics from Microsoft aimed at the government and the public as a whole, similar to what the baseball owners just did. What will they be? I don't know. But I expect it -- Microsoft is the slyest bunch of bastards on the planet when it comes to business strategy. Any theories?
Wow. Your post
made me wobble
and sway
down to the
floor, with
visions of
"Spy vs Spy vs Spy"
swirling
around my head...
__
Do ya feel happy-go-lucky, punk?
Many Many people I've helped support for the ISP I work for have never heard of Windows Update, or never been to the site to get updates. I suspect the issue is that so many copies of Windows are pirated, and those users think they'll be discovered by MS if they run Windows Update.
I like that XP makes people pay, folks will not pay and seek alternatives...what, you can run the corporate version and make as many copies as you like?....I wonder if MS did that on purpose?
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
I tried many of the IP addresses that showed up in my apache log during the recent Code Red (and its brethren) attacks to see what machines were compromised.
You know what - most of them were on subnets owned by DSL and cable providers, and when you requested a page from them you got back either nothing or the "welcome to IIS" page.
"hardly ever happens" my ass - it happens all the fscking time.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
Quoting from "Don't Drink the Water":
"'Cause you're all dead now
I live with my justice
I live with my greedy need
I live with no mercy
I live with my frenzied feeding
I live with my hatred
I live with my jealousy
I live with the notion
That I don't need anyone but me
Don't drink the water
There's blood in the water
"
Interpret as you see fit. Sorry 'bout the copyright infringement, Dave.
Ah, but you see, you're not necessarily comparing apples to apples. The following could be an interesting exercise:
How many vulnerabilities from each company...
I haven't done this exercise, but I strongly suspect that it would show that MS and RH have very different views of what constitutes a "security problem" that needs to be reported & patched. I'm guessing most if not all of the MS bulletins are remotely-exploitable holes, and that most are probably not mere DoS holes. The RH bulletins, on the other hand, will have a lot of temp file vulnerabilities -- which, in the MS world, would not even be considered bugs, much less security holes.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
In my experience, I always thought that a large part of the MS bugs come from the fact that MS offers features (no sarcasm) that are inherently prone to security flaws. I've never once heard of a user's security being breached when they were off a network and writing a document in notepad.
Examples include
VB scripts + extension hiding => viruses (and what-have-you).
macros => viruses.
inter-application communication => security flaw.
autoextract/running of downloaded software => general fscking up of computer.
Now, not all the features require that bad things come from them and there is definite programmer and management error. Although my description of it is perhaps unnecessary: What they need to do is demarcate all functions, methods, variables and objects that are capable of being abused as security flaws, regardless of whether the abuse could only come from within the layer of code above that method or whether it could be used outside. When the final stages of development come there needs to be an inside-out evaluation of all the possible paths that can be taken to reach those methods/functions/variables and which of those pose risks. Those risks need to be evaluated and if they find them to be acceptable risks, they simply need to mark them in their released product documentation. Of course, if they are found to be unacceptable risks then they need to reduce them in whatever manner or else provide warnings during operation that the user may hurt themselves doing whatever it is that opens that hole.
[please note that I'm not in the mood to look up terms such as trojan horse, worm, etc. to figure out where they all go, think of "virus" used above as a generic term.]
The worst fact about this is that I had to read it on /.
When IE loads for the first time it checks with an MS server... why can't it make a quick check for awful security flaws like this and notify the user?
Do the best you can under the circumstances. I use Macs, and I make a point of throwing out IE and using iCab or Netscape or something - and I also go into the system folder and throw out the large amount of operating system code (to support IE) such as ActiveX support and a host of OS extensions Microsoft insists upon building into Macintoshes.
Interestingly, this seems to make the Mac more stable. But the bottom line is you cannot avoid either indirectly purchasing Microsoft products or even running MS OS code by using stock Macs. They come with extensive Microsoft code and you have to literally go in and take that garbage out if you want to run a non-Microsoft MacOS.
How's that strike you? Does that make you more or less persuaded that Microsoft is dangerous and all-controlling? Maybe your original vow is all the more worthwhile seeing as you CAN'T do it without either going incredibly DIY to the point of building your own computer and running nothing but Linux, or abandoning computers entirely.
Did you know it was that bad?
I find it easier to believe he's not a troll, and just someone with a misguided assumption who thinks they are entitled to voice their opinion without knowing anything. Which they are entitled to; I find it more satisfying to debunk such folk, and hopefully get them to stop and think the next time they open their mouth without really understanding all aspects of the discussion. Getting in an argument with a coder who does mostly network based stuff (including a lot of internet-app development) and saying they don't know code is a great example :)
Dacels Jewelers can't be trusted.
Jeez, you promote Mac OS X and you become a right wing crackpot? Steve Jobs is going to have one funny joke to tell Bill Clinton the next time they hook up.
Strange women lying in ponds distributing swords is no basis for a system of government.
Microsoft lawyers invoked a more-threatening world when they proposed inserting a security exemption in a different part of the settlement. The exemption applied to provisions that require the company to disclose the inner workings of Windows to competitors who want to make all sorts of software that works well with Windows. The company said it needed the exemption to guard against cyber-sabotage.
[...]
Microsoft's competitors and some of the states claim that these technologies are used so commonly that the provision could shield a number of Microsoft's products from competition.
[...]
James rejects these criticisms and says the decision to protect Microsoft's security provisions was "one of those 'duh' issues." He continues: "Microsoft has security protocols. Are we going to tell everyone how they work? Do you want people to get access to your credit-card information when you shop on line?"
James (the Justice Department antitrust chief) either uses very cheap rhetoric here (to cover up how bad that deal is) or he really doesn't understand the issues (and I don't know what's worse, the DoJ in cahoots with MS, or them being too dumb to do their job). Microsoft's argument is just plain ridiculous. Everyone knows that good security protocols don't rely on obscurity, but on good crypto and a good protocol. You can't rely on obscurity, especially not for software which is sold worldwide and open for everyone to take apart and scan for holes (even if that costs some to wade through all that assembler).
Also there are open source implementations of secure protocols (openssh to name just one). By Microsoft's argument they couldn't work at all. If the DoJ is incapable of understanding the issues, or at least asking someone who does, and just sits there nodding their heads when anything comes up they don't understand, I can really understand how that 'agreement' came to be. And the statement about such measures being necessary to protect credit-card information shows that he doesn't know enough to make the deal that is needed to keep Microsoft in line. That wouldn't be too bad, if at least he would rely on some advice in such situations.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
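The obscurity-versus-key point in the comment above, as an added worked example (editor's code, not the commenter's and not any real Microsoft or OpenSSH scheme). Two message-tagging schemes are compared. Scheme A hides a constant inside the shipped product and hashes it with the message; Scheme B publishes its whole algorithm (HMAC-SHA256) and keeps only a per-deployment key out of the binary. The same attacker, holding the product and one observed message/tag pair, runs a `strings`-style scan over the binary and tries every string as the secret. All names, the fake "binary" and the sample messages are constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

# --- Scheme A: security by obscurity -----------------------------------------
# The only "secret" is a constant compiled into the shipped product; the check is
# sha256(constant || message). Constructed value for this demo.
BAKED_IN_SECRET = b"MS-internal-magic-0x5EC"


def obscure_tag(msg: bytes) -> str:
    return hashlib.sha256(BAKED_IN_SECRET + msg).hexdigest()


def obscure_verify(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(msg), tag)


# Stand-in for the shipped binary: junk bytes with the constant embedded, as a
# reverse engineer would find it on disk (constructed, not a real file).
SHIPPED_BINARY = (
    b"\x7fELF\x02\x01\x01" + secrets.token_bytes(40)
    + b"VerifyLicenseTag\x00" + BAKED_IN_SECRET + b"\x00"
    + secrets.token_bytes(40) + b"msvcrt.dll\x00"
)


def strings(blob: bytes, min_len: int = 8) -> List[bytes]:
    """Poor man's `strings`: printable ASCII runs of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def attacker_forge_obscure(binary: bytes, known_msg: bytes, known_tag: str,
                           target_msg: bytes) -> Optional[str]:
    """Attacker has the product and one valid (msg, tag) pair, e.g. sniffed off
    the wire. Each string in the binary is tried as the secret; the one that
    reproduces the known tag is it, and any message can then be tagged."""
    for candidate in strings(binary):
        if hashlib.sha256(candidate + known_msg).hexdigest() == known_tag:
            return hashlib.sha256(candidate + target_msg).hexdigest()
    return None


# --- Scheme B: public algorithm, secret key (Kerckhoffs' principle) ----------
# Everything here can be published; only `key`, generated per deployment and
# never placed in the binary, stays private.
def keyed_tag(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, msg), tag)


def attacker_forge_keyed(binary: bytes, known_msg: bytes, known_tag: str,
                         target_msg: bytes) -> Optional[str]:
    """Same attacker, same binary, same known pair, full knowledge of the
    algorithm. The key is not in the binary, so nothing reproduces the tag."""
    for candidate in strings(binary):
        if keyed_tag(candidate, known_msg) == known_tag:
            return keyed_tag(candidate, target_msg)
    return None


def demo() -> Dict[str, bool]:
    known_msg = b"license=basic;user=alice"          # observed, legitimately tagged
    target_msg = b"license=enterprise;user=mallory"  # what the attacker wants tagged

    # Scheme A: the binary plus one observed tag is enough to forge.
    forged_a = attacker_forge_obscure(SHIPPED_BINARY, known_msg,
                                      obscure_tag(known_msg), target_msg)
    obscure_broken = forged_a is not None and obscure_verify(target_msg, forged_a)

    # Scheme B: the key lives only in the verifier's config, not in the product.
    key = secrets.token_bytes(32)
    forged_b = attacker_forge_keyed(SHIPPED_BINARY, known_msg,
                                    keyed_tag(key, known_msg), target_msg)
    keyed_broken = forged_b is not None and keyed_verify(key, target_msg, forged_b)

    return {"obscurity_scheme_forged": obscure_broken,
            "keyed_scheme_forged": keyed_broken}


if __name__ == "__main__":
    print(demo())  # {'obscurity_scheme_forged': True, 'keyed_scheme_forged': False}
```

The point the demo makes concrete: disclosing how Scheme B works costs nothing, because the attacker already has the code in Scheme A's case anyway (it shipped to every customer) and the only thing that protects Scheme B is a key that was never in the product. A secrecy exemption for the algorithm therefore protects the design, not the customer's credit card.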
As others have pointed out, the exchange of information is going to happen one way or another. Illicit data gets exchanged via an underground community every day. Restricting the highly visible and open channels will not stop this. Doing so is just a wild shot in the dark.
But you still want to do something. What to do?
My advice is to educate yourself, or get help from a friend or hired professional. And there's ample history that points to this concept.
The microcomputer hit the market. Killer apps showed up that drove them in to homes and businesses. Individuals either had to learn how to set up and use these devices themselves or hire others to do it. One could argue the beginnings of IT departments and consultants.
Networking small computers begins to catch on. Now there's a new wave of technology. Existing support staff either learned the new technology or increased their ranks with already knowledgeable staff. The IT department takes on a whole new level of responsibility.
The Internet hits the mainstream. Smaller, private networks interconnect to a world-wide network. In many cases, this involves a whole new series of networking concepts and technology. IT picks up the pace. There is more training to be done.
Enter information security. Individuals and businesses learn that world-wide network access is a two-way street. Many products and services are woefully inadequate. There is, once again, a whole slew of new concepts and technologies to learn.
Each step involves a minimum level of knowledge required to go it on your own. The huge advantage with the infosec portion is that, thanks to open disclosure, there is also a wealth of information available online. There are also some very good books on the subject. Sure - a lot of that stuff is mainly for the hobbyist or professional. But there is also a wealth of information for the beginner - the basics.
So what does the average end user do? Educate themselves. Learn the basics. Or hire / offer a beer to someone who can help you. Look at what products you're buying and using. Security reviews of products (especially security products like personal firewalls) are fairly common. Do a bit of product research. Use the best that you can find/afford.
If you've been around computers for any length of time these concepts (education, product knowledge, and expert help) shouldn't be new.
One final, parting shot. One of my favorite infosec concepts is the inverse relationship between functionality and security. The more secure something is, the harder it is to use (and vice versa). Functionality is what has been driving the IT industry for the last couple decades (at least). It's made it possible for a wide degree of products that "just work" with little knowledge from the end user. However, this has also led to huge insecure infrastructure.
See you in metamod!!
Heh. Well, it was a rather simple point. This other fool doesn't seem to understand the difference between hacking and programming. He's obviously never had to release code to a production environment and suffer the wrath of users complaining about the lack of testing.
What's surprising is he still thinks he is right. Sigh, well quality control is something you learn with experience I guess.
How we know is more important than what we know.
Every way-kewl-radical Linux user throws up apache to show off to his friends.
Yes, but said lamer is unlikely to put it on a permanent, upstreamable connection - generally by the time you're big enough to reserve an IP, you are a small company, and are therefore less likely to be a lamer putting up Apache to show off.
Strange, my email addr used to show in my messages. Must be one of the things that changed with one of the upgrades, and I never noticed. ryan@securityfocus.com . Anyway, I'm glad to hear that you find us useful, I love to hear that stuff. Thanks!