Microsoft Microsoft Microsoft
Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
I clicked on the Microsoft security bulletin. I've never seen one of those before. Back when I first bought my gateway I actually registered with Microsoft online, and so I find it hilarious that an important bulletin such as this is in such an obscure place. I think it's only right for them to send this out to everyone who's registered at least, it's just the right ethical move. We do have to remember who we're talking about though. I'm still laughing about that bulletin. Aren't you supposed to distribute bulletins, not hide them somewhere? Ugh...
~ now you know
Just as a disclaimer, I'm not one to defend Microsoft in most cases. But what I think most people don't think about is that there have been so many bugs reported in MS software not only because MS releases naturally buggy software, but because the user base is so huge that there is more of a possibility that these bugs will be found and in many cases used for, unfortunately, bad purposes. If Linux/Mac OS/etc. were the most widely used, you'd see much the same focus on problems with the software.
That said however, I don't care for MS and the majority of their software that I do use is out of necessity.
forma3
I'm just waiting for him to declare Windows XP to be "unsafe at any speed."
Do not taunt Happy Fun Ball(TM)
"California deserves special credit for its stance. Bill Lockyer, the state attorney general, has emerged as the most important public official in America when it comes to holding back the Microsoft tide."
sulli
RTFJ.
Firestone tried it, and, while software bugs might not kill people, they certainly do some damage. What did it cost them, $41.5M?
How are software bugs, especially critical ones, different from design flaws in a tire?
Indie rock lives! b-side!
And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows.
If you read the security bulletin, it's not referring to Windows at all. It's a problem with Internet Explorer version 5.5 or later.
Seems that that little slip exposes a great deal of anti-M$ bias. Not good for a supposed "news source".
The Register, and How Microsoft invented open source, by Billg
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
because I disabled scripting.
Yes. You need scripting in order to get details of the security hole. On the other hand, they recommend you disable scripting.
Odd.
Yes. I have to use Windows at work.
Yes. I could use Mozilla.
Of course, Nader's stance at the far left of the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
OK. Let's let Microsoft keep their security flaws secret. Do any of us think that will really work?
Part 2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.
Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this Summer would have been affected in the least by Microsoft's proposed policy.
Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?
But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.
The living have better things to do than to continue hating the dead.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"
Are they referring to the recent release of XP?
Thanks Ralph, this is why I voted for you.
Also I like seatbelts.
Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days"
Funny, Open Source software can have a patch out within a few days, why can't Microsoft?
Things you think are in the Constitution, but are not.
The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.
Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.
I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.
BEN
The BBC also has an article today detailing some of the groups and corporations that are lining up to take on Microsoft on several different fronts.
Pardon my french, but *bullshit*.
Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
Reality has a liberal bias
The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.
Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.
-CT
It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.
Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.
Error:
But what do I know.
You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.
Redmond dumb-asses.
From the article:
The person who discovered this vulnerability has chosen to handle it irresponsibly , and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers, I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, then it's easy to make the connection that the open-source community is vilifying the information management structure that Microsoft and friends are working so hard to manage for the best interest of the consumers.
They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines? Hell, you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsoft's high standards of quality.
Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsoft's best interest. It's much easier to add a clause saying it's illegal to release unauthorized security information about a company's product to an unapproved bill.
Dacels Jewelers can't be trusted.
The point of the Microsoft suit was to bring back competition. Innovation was stifled because no one could get investment $$ if they were in a market Microsoft was even thinking about entering.
So what is the effect on investment capital of the settlement?
The proof is in the pudding. Is Red Hat stock up? Is Palm or Be stock up, or is anyone coming in with a bid that beats Palm's paltry $11 million? Is there venture capital available for companies to compete with productivity apps or streaming audio?
Many of MS's problems aren't bugs; they're designed to work that way. MS has had a poor record of thinking about security. They tend to think more of features, and what they can enable, rather than what shouldn't be permitted. Allowing a macro to be automatically run on opening of a document, which can then have full access to the system, is a classic example.
So many holes in this rant, which ones to choose? Let's go with this one.
I can sell my copy of XP if I wish; if I sell my NFL tickets it can be scalping. Microsoft doesn't price point XP, they give it a value. I can buy XP and sell it for 30 bucks or 300 bucks, whatever the consumer is willing to pay. I can't do that with baseball tickets, NFL tickets or phone service.
Try selling your copy of XP online, and watch how fast MS stops you because of licensing issues. If you actually sell it on the street, they could still nail you if they find out. You can resell your sports tickets at face price without violating scalping laws. Phone service is a service, not a product, and thus is non-transferable.
Or how about this one?
So why all the resistance on Microsoft? Why not make it a perfect world and attack the NFL, MLB, NBA, WNBA and your local telco monopoly who restrict your choices and charge you exorbitant prices and rip off the consumer.
Because there are other sports and other phone options, and for the most part those don't do such blatant anti-competitive practices. You don't see the NFL trying to create a baseball team. M$ wants to control the entire computing experience and then some... and they make no bones about it. And of course, the biggest point is that MS has been found to be in violation of law for their monopolistic practices, and yet they still flagrantly defy the law. That makes them a viable target for criticism, pure and simple.
Electronic Frontier Foundation for online civil rights information
From the MSNBC article:
In a classic display of Microsoft pugnacity, the company hammered opposing government lawyers on nearly every conceivable point, no matter how small. Eventually exhaustion became a factor, lawyers on the government side acknowledge.
So let's make sure the state attorneys general keep their lawyers adequately supplied with No-Doze!
www.lucernesys.com Horizon: Calendar-based personal finance
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
Hehe.
Wooden armaments to battle your imaginary foes!
On another note, I'm not sure that Microsoft has any grounds for demanding to be notified about flaws in the final releases of their software. If they want to keep bugs from becoming huge public brouhahas, then they should either fix them in-house while the software is still beta, or open the source up and let other people actually fix it. They're out of line to say that people should find bugs in their ware, tell them, and then sit on their discovery while some cubicle slave works to make a patch, and Microsoft takes the credit for saving the day.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
In the cases where Linux or Unix has a majority market share, Microsoft still leads the exploit statistics by far.
Of course, it's not as simple as saying that MS sucks, but it's a combination of bad design (don't put everything in every program, don't have unlimited interoperation between everything), bad programming (don't use admin privileges if not absolutely necessary; also a design issue maybe), bad installation policies (don't install everything or even anything but the basics by default), bad admins and bad will.
The combination of these elements ends up in software you don't want to be running because it will stink from a security point of view.
So, no, you wouldn't have the same amount of problems on Linux at least. You'd have problems, yes, but not nearly as many. Unless, of course, the general policies among Linux distribution vendors change to install everything insecurely by default, but hopefully that won't happen, and in the Linux world you can always change to another vendor if one of them goes seriously astray.
Hey,
Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin
Wasn't @stake formed from hacker group l0pht? Yes, I think they were! They used to attend Def Con, and work on Back Orifice and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to their site in the place of good, solid descriptions?
My, how times change.
-M
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Okay, some vulnerabilities might be difficult to get fixed in a couple of days...but with a team of programmers as large as they have...months is quite a stretch...they still have God knows how many vulnerabilities in NT 4 that have been known for some time! The linux folks can patch stuff rather quickly with a fraction of microsoft's financial and wetware resources. Show me the problem.
Derek Greene
Does anyone think that withholding software bugs is illegal? It was illegal for Firestone to withhold information because it irresponsibly cost lives. Security holes generally do not, but they do cost companies money. Holding back info for a security flaw will definitely prevent many admins from changing system settings, limiting current development, waiting for a patch before releasing, etc. That in turn will cost money if the flaw is still exploited.
IANAL, but I personally think MS could be sued by a company attacked through a hole kept secret by this security gang. It should in fact be illegal to withhold information about known flaws in any product, since knowing of those flaws may change the value in the customer's eyes. I see that as indirectly constituting fraud.
Anyone know of any precedent or the true current legal standing of such a situation?
Developers: We can use your help.
I think if Linux or MacOS, as they are currently, were the most widely used, MS would still have more reported bugs, because there's just so much MS stuff. There's the kernel, the GUI, many applications, etc. With Linux, bugs in these would be reported against different entities.
Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grow faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.
So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.
I recently attended a SANS course on IIS. According to the instructor, MS enables features to lower support costs. If it's already on, nobody will call to get it working. WFM is a similar tale. It was designed to eliminate support calls, but an employee realized it could be expanded to function like tripwire.
Personally, I think if someone needed Internet printing enabled on a web server they would search for a TID instead of spending money calling MS if they couldn't noodle it out. But I'm guessing I'm just optimistic here.
I don't want knowledge. I want certainty. - Law, David Bowie
Go call Microsoft and ask them if you can sell your copy of XP, eh?
Hint of what response you can expect: In. Your. Dreams.
While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
"I may not have morals, but I have standards."
Reading this gave me a warm fuzzy feeling inside.
-----------------
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
It's interesting. I've already read every one of these articles linked to by slashdot in the last few days.
But the bizarre thing is how biased Slashdot is with their presentation. If you actually click through on the links and read the stories, you'll understand why.
For instance, why wasn't this article from news.com linked as well, considering it is Scott Culp responding to a lot of the questions and accusations?
http://news.cnet.com/news/0-1014-201-7819204-0.html?tag=bt_bh
Nope. It's not.
The Netcraft survey crawls through all those little Melvin machines which each have an httpd running that nobody ever accesses.
Nobody cares about them. They are irrelevant.
Actually, it tends to go the other way - IIS installs as standard on a heck of a lot of WinNT boxen that do no hosting, and as (much as we hate to admit it here) most small businesses (big enough to have an always-on connection but not big enough for their own IT dept) use Windows. Most Apache installs are meant to be there.
Gee, maybe that explains why http://packetstormsecurity.org has had the rate of submissions slow from many a day to one or two every couple of days. I KNOW vulnerabilities are being found but it's REALLY hard to explain to management why they MUST rollout a security patch if I cannot PROVE to them that, yes its a problem! Has everyone rolled over?
WTF is wrong with these folks?! I can see it now: we're all going to have to sign up to some sort of subscription service to learn about the various vulnerabilities. No doubt it won't be free, right? I have a VERY hard time believing that @Stake aka L0PHT signed up for this. My opinion of those fine folks just dropped into the basement. I never thought I'd see the day when they would kowtow to Microsoft; it's a sad day indeed for the security industry.
Who are we doing this for? The children? National Security? Oh wait - Bill's cash. Seems to have greased the DOJ wheels pretty good, guess things are bad all over when the security industry sucks it up too. This just makes me sick.
Any good full disclosure sites out there taking over where PacketStorm died? If so I'd appreciate some URLs. BTW, some of the folks on our team swear that SecurityFocus has pulled data OUT of their vulnerability database in recent months. Cannot confirm it for sure, but when you know you looked it up previously and then it's not there later, you have to begin to wonder....
P.S. If RFP signs on Hell will have frozen over. Thankfully he doesn't appear to take cash for his efforts!
Build it, Drive it, Improve it! Hybridz.org
> In order for the exploit to work, someone must convince you to go to a specially-formed URL.
No. They must convince you to go to a webpage or open an HTML email. Have you never gone to a webpage where it loads a popup (i.e. another webpage)? Or redirects you to another webpage? That's all they have to do.
Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.
This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.
It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived at such a one-sided settlement.
Most evil is done by good people, and not by accident, but deliberately; motivated by high ideals toward virtuous ends.
So, there's apparently a huge market for poorly designed, poorly implemented, but "feature-rich" and "easy to use" software.
Okay.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...
The real danger is when someday someone will discover one of these huge gaping holes, not tell a soul, and then exploit them for profit, terror, extortion, or simple chaos.
We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....
Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.
From Microsoft's article:
We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:
By analogy, this isn't a call for people to give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
But the movie house is on fire. The bug exists; your private information is vulnerable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.
It's natural for a powerful organization to want to suppress speech that points out its flaws. It's natural, but it should never be tolerable.
Don't blame me; I voted for CowboyNeal.
While I'm glad he's chimed in on this, I'd say he's just as, if not more, "uncompromising" and "abrasive" as RMS.
Do the best you can under the circumstances. I use Macs, and I make a point of throwing out IE and using iCab or Netscape or something, and I also go into the system folder and throw out the large amount of operating system code (to support IE) such as ActiveX support and a host of OS extensions Microsoft insists upon building into Macintoshes.
Interestingly, this seems to make the Mac more stable. But the bottom line is you cannot either avoid indirectly purchasing Microsoft products- or even running MS OS code! by using stock Macs. They come with extensive Microsoft code and you have to literally go in and take that garbage out if you want to run a non-Microsoft MacOS.
How's that strike you? Does that make you more or less persuaded that Microsoft is dangerous and all-controlling? Maybe your original vow is all the more worthwhile seeing as you CAN'T do it without either going incredibly DIY to the point of building your own computer and running nothing but Linux, or abandoning computers entirely.
Did you know it was that bad?
So the problems that Microsoft patches cause are not solely due to 'oh, Microsoft software is so much more sophisticated and advanced!' but due to bad planning and inappropriate bundling combined with lack of disclosure of what's being altered. And it is going to get MUCH worse, not better. To cap it off, if they are able to suppress disclosure of bugs and security holes, they don't need to regression test anywhere near as hard as you seem to think they are doing, because all that will happen is that Windows boxes will mysteriously die and there won't be any publicly disclosed link to connect that with Microsoft updates.
Hell, if they can truly cut off all disclosure, they can just STOP any work on security patches entirely. Who'd know?