Uber-patch for Internet Explorer

malevolence writes: "According to The Register, Microsoft has released an Uber-Patch for Internet Explorer that fixes all known security problems, as well as 3 new ones, including the content-type issue that was reported on slashdot a few days ago."

Uber Patch

[IgnorantKnucklehead]

What does the "uber patch" do, install Mozilla?

Re:Uber Patch

[Negadecimal]

Or better, Magic Lantern.

It'd be the perfect trojan horse... MS gets leniency from the DOJ in exchange for some...favors.

Re:Uber Patch

Sorry to break it to you, but a significant protion of the readership *does* use IE. Rob used to publish statistics on this and stopped for obvious, embarassing reasons.

Re:Uber Patch

[ncc74656]

That would require that a significant portion of Slashdot users use IE.

...and you're implying that they don't? It's not like there are many options...Konqueror and Mozilla aren't all there yet, there seems to have been some sort of stink lately WRT Opera, and there's no way in hell that I'd use Nutscrape. Not everyone who reads /. is a flaming anti-MS zealot...MS has its warts (you're nuts if you put a Windows box directly on the Internet), but then so does nearly everything/everyone else.

Re:Uber Patch

[Xerithane]

Mozilla isn't where yet, exactly? I find Mozilla to be more capable than IE often times. My current project at work has an extensive CGI front end so I'm having to deal with all the cross-browser issues. Writing standard-compliant HTML/CSS works beautiful in Mozilla, have not had one problem yet.
What was the last version of Mozilla you used?

Re:Uber Patch

[slashdot_commentator]

Hmmm, I don't recall any version of IE working for linux. Perhaps the underlying truth is more embarrassing than we realize...

Nah, probably working stiffs who are stuck on NT/2K/Win9X boxes at work...

Hmm.

[Shaman]

I thought this was the bug that couldn't be fixed because it was worked so deep into the OS.

What a ripoff.

[Mike+Schiraldi]

Boy, Microsoft sucks. This patch doesn't even address future, yet-to-be-discovered vulnerabilities.

Re:What a ripoff.

[SubtleNuance]

...no but it probably introduces a few...

MS Craziness

[Fatal0E]

Just when I thought that I knew the difference between a Service Pack, Security Rollup Patch and a cumulative Hot Fix they go and release a Security Bulletin like this one.

Re:MS Craziness

[Chundra]

Ok it's easy:

Service Packs are the small, 6-8oz cups with the foil tops. They usually contain yogurt or pudding.

Rollup Patches are dried fruit puree attached to thin plastic wrap. You tear the fruit substance off the plastic before eating.

Hot Fixes are the things you remove from the plastic bag and put in the microwave. They usually consist of some sort of bread substance with a meaty and/or cheesy filling.

Hope that clears things up.

All in one patch is 1/2 the solution

[Rev.LoveJoy]

This is a step in the right direction, but I still have to install the thing on every single g-damn peecee in my enterprise.

For those of us with less than a few hundred MS clients (read: fewer clients that would make usefull something as heinous as SMS push upgrades) the issues are still very clear:

1). It takes too much time to keep up on MS software patches.

AND

2). Once you know what you need you still have to go box to box to box to patch (in *most* cases).

Granted the 'uber-patch' will help, but it still means I need a couple more inters to walk from machine to machine and interrupt users. IMO, patch managment tools should be MS's #2 priority (right behind 'getting it right the first time').

Cheers,
-- RLJ

Re:All in one patch is 1/2 the solution

[michaela]

I have found two solutions around this (although I agree about SMS pricing).

1. Require domain logins, don't even provide local logins to the machine. Then, as part of the logon procedure, use a logon script. Look in the patch archive to find the list of files it updates. In the logon script, check the timestamp on three of them and if they're out of date, run the updater.
2. Install VNC server on the user stations and set it to run at bootup. Then you can do nearly any administration task short of recovering from a complete blowout without leaving your desk. Do it after hours and you can reboot the machines right away. Or, use parts of #1 with a logout script instead to reboot the machine the next time they log out.

For IE 5.5 users

[The+Bungi]

This does not appear to be a service pack, and the target builds listed for the hotfix are only IE 5.5 SP2 and 6, so you'll need to head here to get yer SP and then install the hotfix (get directly to it from here).

It seems unlikely that the SP2 for 5.5 includes this as of right now, although it will eventually (I know sometimes I'll download an SP and take a few days to actually install it). Check your versions before you plunge your box into browser hell =)

Download URLs

[nstrom]

Here's the direct download URLs, so you don't have to wade through MS's crufty site:

for IE6:
http://download.microsoft.com/download/IE60/secpac 23/6/W98NT42KMeXP/EN-US/q313675.exe
for IE5.5:
http://download.microsoft.com/download/ie55sp2/sec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

These updates have not yet appeared on Windows Update.

Re:Download URLs

[ZzeusS]

And why the hell have they not rolled it into windowsupdate? I could tell my users:

Check windowsupdate.

or.

Go to this huge MS address. Then go here, or here. Then download and run this.

Windowsupdate quite annoying!

[imuffin]

I find it very annoying to try to install Microsoft patches. I work in a place where I am responsible for several windows installations. When I install a M$ OS, in order to patch it, i have to:

1. Start IE (click through internet connection wizard)
2. Open the windows update website
3. Download an activeX application to determine what updates I need
4. Download and install the updates (often, more than 5!) one at a time, rebooting in between each one!

It's so much easier to swivel my chair around to my redhat box and do a simple 'up2date -i'.

I wonder if there's any particular reason why Microsoft makes it so difficult? Do they actually like their security holes?

Re:Windowsupdate quite annoying!

[brunes69]

Its because of the way windows works. It wo't let you overwrite a .exe or .dll that is in use, and since IE is so tied into the OS itself, most of the IE components are in use all the time. Therefore you have to reboot in otder for the update to take effect. When rebooted, it copies the file sover while in protected mode, before IE loads.

This has to be chipping away at confidence....

[lblack]

Consumers (not just slashdot ubergeeks) will have to sit up and take notice at this one, I think. It's getting a bit more coverage / product placement, and isn't being couched in esoteric terms (MS has a tendency of releasing patches that have descriptions which underplay the effects of not patching, or else are so laden with jargon that the layman cannot quite process them). It really is an "uber patch", and it really is MS saying, "We've been releasing insecure software for awhile. In fact, we're still doing so, as evidenced by the three bugs that you don't even know about that we're patching. Please install this patch or else you're screwed."

I think consumers can weather something like, "Apply this patch in order to ensure that your copy of internet explorer appropriately identifies content header types and reconciles them with dialogue saving and automated execution routines." because it just looks so *foreign*. Approached from a non-computing background, it looks like something very small and unlikely to affect anyone. This patch, though, looks a bit more like "Oops. Our browser sucks for security. Install immediately."

Hopefully this will draw peoples attention to:

1) The importance of frequent patching
2) The lack of security in MSIE
3) The problems associated with bundling a browser into core OS functionality (bit more unlikely).

Of course, the spin is still there, but:

Who should read this bulletin: Customers using Microsoft® Internet Explorer.

Impact of vulnerability: Run code of attacker's choice.

Maximum Severity Rating: Critical

Recommendation: Customers using IE should install the patch immediately.

Affected Software:

Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0


...is still pretty cut & dry. Anyone with even half a brain should realize that if a gaping hole in a consumer product existed through *2* releases (like having a 2000 and a 2001 Honda both explode in flames under appropriate conditions), that product may not be the best built out there.

Right?

Of course, I'd be much more pleased if people were being notified via a big ol' link on msn.com, and through a mail from the beloved "Hotmail Staff". What, are they scared of leveraging a monopoly to insure the security of their users?

-l

Only 5.5 and 6.0?

I had two users today get the Nimda.E variant via email. It had an interesting header that was included from an html formated email's iframe . . .

Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64

I'll leave out the actual format of the email's html. But what happened was Windows tried to run sample.exe right after previewing. No popup box, no nothing. And this was using Outlook Express 5.0 It was a good thing that the virus software saw the executable as a Nimda. If they had sent a format.exe that would have been it for the two user's data.

Microsoft said that only 6.0 was affected?

Or is this something different than what they have supposedly patched?

Even weirder...

[oGMo]

What if it was the reverse. The DOJ gives MS leniency, but calls in a favor with the FBI to announce some "Magic Lantern" spyware, and suddenly open projects become very popular....

...naw. ;-)

Re:Question for michael...

[FortKnox]

I have to agree about the anti-microsoft atmosphere here. Not only with this statement but all the "It deletes IE!" "It installs Mozilla!" jokes just make you people look like you are desperate to fit in. Its pathetic!

IE is the best browser out there. Check ANY review. And MS has jumped to fix a bug that everyone found (notice the GAPING HOLE in Solaris/AIX systems that still isn't patched? Why aren't you going off on that?)

Remember when you had to purchase Netscape, but IE was free?

Mozilla MAY -become- better, but it isn't, yet. If you give me that "IE doesn't run in Linux" then why are you even posting to this article?

You guys need to be less Open Source/Anti-Microsoft Zealotous.

I'd post anonymously to preserve karma, but the authors already know my IP (see sig).

Re:Untill the next one is found next week

[Webmoth]

Reminds me of a pair of pants my neighbor had. So many patches there wasn't any original fabric left.

It's not just IE - other apps need this!

[PacketMaster]

It's also important to note that it's not just users of IE as their browser that are affected by this bug. Lots of Windows programs took a shortcut (Eudora being a prime example) and used MSHTML.DLL as the rendering engine for their application. Any application that displays HTML and uses MSHTML.DLL and has IE5.5 or IE6 should install this patch IMMEDIATELY.

Re:It's not just IE - other apps need this!

[neonstz]

It is possible to turn off the use of IE (or whatever) for displaying mail in Eudora. In Tools->Options->Viewing Mail just uncheck the "Use Microsoft's Viewer" checkbox. (I'm using Eudora 5.1 btw.)

tee hee

[Frac]

Michael exaggerated this exploit beyond belief:

If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten.

Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.

Eerrr.. a proper "fix" of Michael's previous article probably involves a higher level of computer literacy, and less impulsive urge to write expository essays that sound dramatic, but are wrong.

Re:tee hee

[DeadMeat+(TM)]

Good grief! Can somebody link to the tens of thousands of "designed for IE" webpages that are currently incompatible as a result of this patch?

Well, there would be a problem, but it's not something awful IE-specific HTML brought about. Since IE half-ignores MIME types, servers that don't have proper MIME types set up could suddenly have file associations break on their Web page. I was recently asked by someone about a problem they were having with .M3U files getting downloaded as text or being asked to be save them to disk in anything but IE. Turns out the Web server didn't have a MIME type set up for M3U files, and the guy who ran the server just argued "it works fine in IE."

So yeah, it would be a kinda big problem, and it's Microsoft's fault (if they wouldn't have set up a brain-dead policy of not handling MIME types properly then the servers would have been set up right to begin with). But it's not a "Designed for IE" page thing, and I doubt it's in the thousands of pages. Most pages that don't get the kind of traffic where somebody would notice bad HTML (e.g. homepages) are hosted on GeoCities/Angelfire/whatever which already have MIME types set up right.

Re:Question for michael...

[sroddy]

You better check your info again bud.... It is patched. at least Sun and IBM.

Besides, anyone not using ssh rather than telnet and rlogin is not very worried about security anyway.

Re:not too bright

[jvj24601]

I downloaded the 2.15 mb patch. I try to run it, and I get a prompt that I need IE5 Service pack 2 installed. That's it, it doesn't supply a link, it doesn't try to download it, nothing. Microsoft rushed this one out.

The update only works with IE 5.5 or 6.0. You might be running 5.0.

Interesting note: If you read the bulletin and click on the Technical Details submenu, you'll find the worst part:

"Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer eligible for hotfix support."

As someone who does some sysadmin stuff at work, I didn't know this before. This means that a large majority of users (as far as my limited experience goes) that still use IE 5.0 will still have exploit available that won't be tested nor fixed. Wow...

Re:Protecting customers

[Webmoth]

Microsoft is like a condom. It'll protect you, but if you use it, you're screwed.

Fast Patching.

[saintlupus]

Well, it's certainly a good thing that there are so many people looking at the source to produce a patch...

er....

Never mind.

--saint

Re:Untill the next one is found next week

[Junks+Jerzey]

Reminds me of a pair of pants my neighbor had. So many patches there wasn't any original fabric left.

Just like any large software project, including the Linux kernel, KDE, Mozilla, you name it.

Slashdot Inconstancies

[Captain_Frisk]

Seriously guys calm down.

Yesterday you bashed MS for not going public about anything, and now you bash them for patching the program. Short of open sourcing everything, is there anything they could do that would appease this croud?

They might not get it right on the first try, but they do fix their bugs, and i think this was fairly timely, especially given the size / scope of IE.

Re:Slashdot Inconstancies

[fumble]

... is there anything they could do that would appease this croud?

I think you hit the nail on the head. The answer is "no." The fact remains that this community has seen M$ do some nasty things, and now they've formed their opinion (and that's just fine). Regardless if M$ does something right, it really doesn't matter. Imagine if one day at school, the bully that usually pounds your ass into the ground held the door open for you ... you probably wouldn't buy it for a second. Or maybe if Barry Manilow actually put out a mildly good song ... would you admit to liking it? I wouldn't :P

Re:Download URLs - Must Have 5.5 SP2

[Cy+Guy]

for IE5.5 for IE5.5:
http://download.microsoft.com/download/ie55sp2/s ec pac23/5.5_SP2/WIN98Me/EN-US/q313675.exe

Note, that is for IE 5.5 SP2 if you have SP1, or plain vanilla 5.5, you will first have to upgrade, so you may want to wait till a full release with the patches is available. SP2 is 17MB download.

Anyone know what the equivalent version is if you have the AOL version of IE? (not that I do) but you can imagine AOL will be slowed to a crawl if every single user must get an upgrade first to SP2 or IE6, then get this patch. When - oh - when will AOL finally become browser neutral or go entirely to Netscape/Mozilla?

Sensationalism courtesy of /.

[fumble]

Warning: mild flamebait.

Remember Michael's over-the-top misinformed rant about this 3 days ago?

... they refuse to provide any information about when a patch might be made available, if ever.

I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago. Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

Great

[El_Smack]

Now Microsoft will get Slahdotted. One more reason for them to hate us. *sigh*

No brainer...

[sterno]

How many gaping security holes has Mozilla had?

The BEST is all in how you measure it, non?

Although realisitcally this isn't so much a flaw in IE, rather it is a flaw in the tight integration of IE and windows. How many of the major Microsoft security problems it the last couple of years can be directly tied to the integrations between the operating system and the applications? Frankly I can't think of many that aren't directly attributable to that.

It all boils down to the usual sacrifice of security for convenience. A computer in a 6 foot thick block of concrete at the bottom of the ocean is very secure and nearly unusable. Microsoft has chosen to focus more on convenience and their security must pay the corresponding price.

Re:Question for michael...

[SCHecklerX]

IE is the best browser out there.

Care to back this up? Have you used the alternatives? In case you missed it, here is what Moz has that is lacking in IE:

• Best CSS2 Compliance out there. IE totally screws up my CSS2 compliant web page. Mozilla, Konqueror, Opera render it properly.
• Tabbed browsing. Open separate windows, or open tabs within an existing window. Great feature for browsing slashdot, keeping similar stuff together in one window with tabs while browsing other stuff in a separate window
• Full control over what javascript functions/objects/features are allowed to execute on a per-site basis. You can even globally kill the popup on page load bullshit (the only real reason I've found to disable javascript so far)
• Cookie management on a per-site basis
• Image management on a per site basis. Allow/disallow images, stop animated gifs, etc.
• Site navigation bar for sites that use that old forgotten tag (like slashdot). This is very cool and useful.
• Proper implementation of a 'favicon' that, get this, uses ANY SUPPORTED IMAGE FORMAT, not that M$ specific .ico crap. Use a PNG and you can use alpha channels. Imagine that.
• FAST rendering engine. Much better than IE (especially in recent builds!) This is VERY significant for modem users who have to sit and wait for IE to figure out what is in a table before rendering it, while moz's engine pops it up as it comes down. Slashdot renders here in under a second.

Those are just some of the highlights of why mozilla is the better browser and quite frankly, blows away IE, even as prerelease software

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Been there, done that

*sigh* It's Friday afternoon. Time to go home. No more f*cking patches to do.


Not so fast, buster. First we need you to change the toner cartridge on the LJ4 up on third floor.

hup-hup to it, now, IT boy. The girls in the secretary pool don't call you 'sysadmin' (while smirking) for nothing.

I turned off Active Scripting to be secure

[Pinball+Wizard]

Using Microsoft's own recommendations for making Internet Explorer and Outlook secure I disabled Active Scripting.

By doing so, I can't get to Hotmail, can't sign in to Passport, and most importantly, can't access Windows Update.

Hey, anyone astroturfing for Microsoft! Your own security recommendation means people can't access your sites. I am NOT turning on active scripting(i.e. disabling a security measure) so I can get the fix.

You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?

Re:I turned off Active Scripting to be secure

[dR.fuZZo]

You guys need to make your site work without Javascript. Sheesh. How can anyone take you seriously?

Seems pretty professional to me. Some of the finest porn sites do that.

Does anyone else feel immoral?

[Sludge]

I've been thinking about this for a long time, and it's time I asked my peers at slashdot- Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT? I'm going to state what seems obvious to me:

• Company designs nice website with features that are only supported with IE.
• Company realises that Netscape market share is too high to do these cool things, so they downgrade their website. Animosity is felt towards the browser not developed for (in my experience this goes both ways)
• Company waits a year and a half, and ends up re-evaluating their Netscape support position based on their current USER_AGENT stats showing 95% IE clients.
• Company switches webpage to use proprietary and non standard technologies, locking us alternative software people out of another website.

By this logic, which I feel is a common path for businesses to take, using Internet Explorer and letting webmasters know that you do will harm our freedom to choose our client software in the future.

I don't understand why no one else has come forward and stated that they feel this way. For this reason, I refuse to use the software except in situations where it's seriously inconvenient to do otherwise.

I don't mean to be alarmist. If the web is only accessible from IE, a project will be started to supply a proxy for other browsers which interprets the data from the web server and converts it to nice, standardized HTML. This could get kludgy, and is the worst case scenario I see.

Re:Does anyone else feel immoral?

[istartedi]

Does anyone else feel immoral browsing the web with an Internet Explorer USER_AGENT?

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu rr entVersion\Internet Settings] "User Agent"="Mozilla/Church Lady 3.01"

Would that make you morally superior?

Re:who cares?

[gmhowell]

Actually, I think the server logs show that either a bunch of people on /. use IE, or a bunch of people on /. changed their http-client string.

CT has mentioned it in the past. Granted, a smaller percentage use IE here than, say, www.yahoo.com, but it is still a significant (and if I remember, majority) browser.

Remember, lots of us are on here from work where we have no choice (I actually have the choice of Mozilla/Netscape, but am too lazy to install it, as IE 5.5 seems okay)

Re:not too bright

[TheAwfulTruth]

Not informative at all. Here's the real information: The patches can be applied to IE 6.0 OR IE 5.5 SP2 ONLY. If you do not have either of those you need to upgrade to one of them then apply the appropriate patch.

If you have not already upgraded to these versions then you are (and have been ) vunerable to numerous PAST holes. So if you haven't bothered to upgrade by now, why do you care about patching all of a sudden?

Please mod me up to 5 now thank you.

Pursuant to Appropriate Legal Process != YES

[Jon+Howard]

Note that the segment you highlighted did not say "YES" - why do you suppose they didn't say yes?

Re:Happy Friday

[SuiteSisterMary]

Step 1: Download patch.
Step 2: load onto test box. Start tests.
Step 3: Works great. Create SMS package.
Step 4: Schedule SMS to install the package Saturday at, oh, say three PM.
Step 5: Send out yet another email reminding users that if they don't leave their computers on over the weekend, the full virus scan, software updates and disk defrag that would have run, will infact run on Monday when they come in, and it will NOT be stopped, and their managers know this, even if they don't.
Step 6: Profit!

This qualifies more as "troll" than "flamebait"

[oGMo]

Flamebait is typically written to elicit strong emotional response and name-calling from the target audience... this falls under the "troll" category which gives a more subtle feeling of disturbance, saying something usually inaccurate or incorrect in a seemingly reasonable manner to generate lots of "discussion". Let's go point-by-point:

Remember Michael's over-the-top misinformed rant about this 3 days ago?

Seeing as michael's story was neither misinformation nor an over-the-top rant (read the story), this plays on the popular opinion that slashdot gets a lot of stuff wrong all the time, as well as our obvious anti-Microsoft bias, to pretend that it was in fact an over-the-top misinformed rant.

... they refuse to provide any information about when a patch might be made available, if ever.

I'm surprised he posted this fix, kinda points out how far off base /. was a short 3 days ago.

Did they provide information about when a patch was available? At the time, they did not, so this is hardly misinformation. Whether they release a patch today or three months from now, "no information" is still "no information".

Hey, I'm no M$ fan and I kinda expect some opinion on /. posts ... but there comes a point when it turns into yellow journalism and becomes childish M$ name calling.

Correct me if I'm wrong, but I believe "M$" is childish name calling. "If it agrees with me, it's opinion, otherwise it's bias": This just about sums it up. There is nothing wrong with bias; there is no way to avoid it, claiming something is unbiased is a great indication that something is trying to be intentionally misleading. I read slashdot because the bias mostly agrees with my own. Perhaps your time would be better spent looking for a more agreeable forum, instead of trolling on this one.

all "known" vulnerabilities

[Jettra]

In the spirit of legal debate over the meaning of the specific usage of words, what is meant by 'known'?

Since Microsoft anounced it's policy of attempting to keep the lid on the security holes that exist within it's software, I would assume that 'known' means ones that they are willing to reveal to us.

So the word 'all' preceeding 'known' has no meaning since Microsoft itself admits to witholding the true extent of the damage its software can do to your system through security holes.

I consider this another decietful marketing attempt to make consumers feel safe about their products despite their worse than poor track record. They may not be outright lying, but there planting the seeds for others to do it for them. How many sysadmins will now send out an email saying that "IE will be free from all security bugs by installing this patch"? Of course that is a lie.

Can't turn off search-from-toolbar??

[I-man]

Interesting. After installing this patch, I typed in some garbage to the address bar to make sure it was still seeing my proxy (which should display a custom no-such-address page).

What happened? That bloody search-from-the-address-bar thingy had turned itself on. Oh well, I say, just go to Options -> Advanced -> Do Not Search From The Address Bar. I do this, type in "asdfa sdfsdfsa dfwer" (note the spaces) and POW: search-from-the-address-bar turns itself back on.

Much the same thing happens if you change the option and then restart IE.

WTF?

Won't even install!

[GeckoX]

Cute!

Tried installing the 6.0 UberPatch on 2 separate boxes now, both running W2kPro sp2 with IE 6.0 installed with VS.NET beta2.

(IE v. 6.00.2462.0000 to be exact)

The installation quits with an error telling me I must have IE 6.0 to install.

Also seen as mentioned above similar effect on 5.x versions other than 5.5 with that version install.
Leaves me not exactly feeling warm and fuzzy about whether the actual patch will really patch the holes it's supposed to or not!

Re:Won't even install!

[Kevinb]

(IE v. 6.00.2462.0000 to be exact)

2462 is not the final release build of IE 6. I think that's IE 6 beta 2, or maybe the "public preview" that went out before XP shipped.

The shipping version of IE 6 is 6.0.2600.0. If you go to Windows Update you should be able to install it, and then after you do that install the patch.

In MS we trust.

[doodleboy]

I would just like to say at the outset that I am not a raving nut. But I have puzzled at the unusually close relationship between Microsoft and the Bush administration. And consider the following disclaimer from the End User License Agreement (EULA) at passport.com:

.NET Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to:

. . . d. Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.

With the recent terrorist activities and the sweeping new anti-terrorist legislation, any "exigent circumstances" could be said to be met as a matter of course. So what guarantees do we have that MS and the gov't doesn't have a secret agreement in place to continuously sift and profile all the data (OUR data) that the .Net databases will surely contain? And is there a person on the planet who believes that MS wouldn't use its users privacy as a bargaining chip to extract a favourable deal from the gov't? (Not that they ever had any respect for it before, of course.)

really wild and crazy folks ...

[Erris]

you're nuts if you put a Windows box directly on the Internet

And you are nuts if you put one behind the firewall where any old Outlook or MSIE flaw will put a keylogger, sniffer or what ever. What's the point of a nice little firewall when some goon can soap his way through the browser?

I suppose you just have to be wild and crazy to use M$ at all. Look at what your money buys: a poor security model with intentional bypasses, monthly crashes, Magic Lantern, WMP sound, Digital Rights Management (now patented!), remote kill switches, and the opertunity to pay again and again. What a bargain, but spending is good for someone else's economy so party on, fanboy!

Posted using Mozilla, running through a secure shell from a 650MHz Athlon to my punny little 150 MHz Pentium laptop on my lap in my bed. Try that with M$ garbage. What MSIE won't run in 24MB RAM? What Billy G won't let you run coppies of it on more than one machine at once? Where did you want to go yesterday?