FBI, Pentagon Talk to MS about XP Hole
(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.
now we see the Gov't take a special interest in the latest XP hole.
Don't know about you, but I really don't know what to think.
Sigs are dangerous coy things
While you're at it, though, you might consider also recommending that whilst people are disabling their Universal Plug and Play feature, they buy themselves a Mandrake install CD???
For everyone with Lynx! Printer friendly version.
Wot? No ads?
Tryfen
If a square is really a rhombus, why aren't all triangles purple?
the fact remains, MS code *can* be secure, obviously just not XP. Good to see them getting their act together.
If you ignore ACs because they are anonymous - you're an idiot.
MS XP patch disabled network card on my computer!
I guess the computer is really safe now.
"Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "
That's really messed up and scary.
(Hmmm.. Magic Lantern)
--
What is the sound of this sentence?
How much you want to bet that no one sees this as a problem with Microsoft? One can only hope this emboldens the anti-trust crusaders and their cause.
The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
Who the heck trusts microsoft products anymore....
Microsoft has known for five weeks that XP had a serious security hole. They didn't do anything to warn customers who bought XP during that time. They just kept telling how XP is so secure.
It's unbelievable what Microsoft can get away with. I don't think the hole and the patch are the important issues here. I'm shocked how Microsoft can lie to the whole world for five weeks and people still trust them.
Microsoft should have withdrawn XP and fixed it. Especially as they don't even have any serious competitors. What they showed was that they don't care about the safety of their customers. They just want to make money no matter what.
Although I refuse to put a Windows box directly on the internet (and btw neither a Linux box), even for home use, I know a lot of people who do.
Especially all the unaware home users, like my landlord for example. For system admins it is already difficult to keep up to date with all the patches even with the various *update programs; at least they are firewalled.
And yet they (the homeusers) are the most vulnerable!
And Microsoft proclaimed this was its most secure OS ever.
- In Memoriam: Jeroen de Bruin (1972-2004), bye bro
recommend the smart thing - disable Windows XP. Just disabling Universal PnP isn't going to help.
Hmmm, nobody will support installing or enabling their software to detect the government version of "Back Orifice", so they "recommend" you download one of THEIR patches. Just kidding, but I wouldn't put it past them.
Could Microsoft's dominance now present a great enough danger, when it's politically important, to cause the initiation of Federal oversight of their security procedures? (sp.. I know)
Wonder how far it could go...
Can they be held responsible in the future, now that they have been warned, if their bugs allow "terrorists" to wreak havoc?
After what the U.S. did to Somalia's telecom company, there certainly are no lines drawn for how far they will go to ensure security.
--
What is the sound of this sentence?
One that blocks out everyone except them.
Never trust the government!
If you use Linux, please help development of Autopac
It is NOT a goatse link, don't worry, the parent is just a troll
If only I could come up with a good sig
What the makers of Linux distributions must do is concentrate on usability (and by extension consistency) and further refining their installers so that anyone off of the street can choose and then run Linux as painlessly as they have done with all the different windoze generations.
Ximian are the closest to making easy to use tools that even my Aunt Grace (70) can use. A fully blown distribution from Ximian would be "most welcome" to use parliamentary language.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
~~~
Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.
I must be living under a rock because this is the first I've heard of this. XP just starts downloading files without any action from the user? Does anyone beside me feel uncomfortable about that?
In the past, it was the CIA who had free and easy access to your data. Now, it is al Qaeda, script kiddies and any idiot out there.
Basically the story was about a hacker Wizard(not lotr type) who could root your system whenever you went online, and you wouldn't be aware of it. This guy would then use info from your computer to kill you.
Now I hear XP can give up system control simply by having you go online!
I really hate Dan Patrick.
I honestly and truly hope that the US government brings them to their knees about this. That's wishful thinking, I know. However, two statements in particular in the Yahoo! article surprised me:
1. Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available.
2. Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.
The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.
Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the importance of installing the auto-updater?
Microsoft. Someone ought to tell the FBI.
Reliable, Great Value Hosting: $7.95/mo 2.4G/120G
I hope that the government and the courts will combine to force Microsoft to implement more interoperability in its systems (for instance, publish its file formats) and perhaps even make some key outward-facing components of its operating systems open source. These steps would give the consumer more choice and ensure that system vulnerabilities could be spotted more easily.
Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed.
Now IANASK (script kiddie), but isn't implanting "rogue software" a critical step in getting a DDOS up and running? It'd be nice if tech journalists knew a little about what they're reporting, especially the ones who get their paychecks from MS. On the other hand, it'd be nicer if coders knew a little more about what they're doing- especially the ones who get their paychecks from MS.
I spent a year in Iraq looking for WMD and all I found was this lousy sig.
After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again insecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.
A feeling of having made the same mistake before: Deja Foobar
XP doesn't just start downloading and installing stuff without your knowledge. There is a feature called "Critical Updater" that has to be enabled first; it checks the Windows Update sites daily for new critical patches. You can set it to install them without prompting you, or it can be set to just tell you about them.
This is the DoJ (FBI) we're talking about, they want to thank Bill personally for keeping them all busy and employed during these uncertain economic times. Also, I'm sure there's a card with a box of chocolates on the way to Redmond from McAfee.
A feeling of having made the same mistake before: Deja Foobar
"Yeah, but those eEye guys didn't want to be on our Security-Through-Obscurity team! And we had all these great goodies for them!"
-------
Warning: Slashdot may contain traces of nuts.
...that security will suffer when you make an OS too easy to use. It's an age-old tradeoff: security vs. ease of use. Moreover, with more features comes more complexity, and with more complexity come more security holes.
Don't want to check to see if there's a patch needed for your OS? Don't worry, we'll have the OS check for you. We can't guarantee that your computer will be talking to our servers when it downloads the patches but hey! it'll be automatic! Come to think of it, we can't even secure our own servers so we're not too sure what you'll be downloading even if you are talking to our servers but hey! - it's automatic!
I can't think of a better argument for limiting the services an OS provides than this fiasco.
The DOD was instrumental in forming the basis of the internet, DARPA-NET
Man, I remember when it was a secret network.
No. No you evidently don't.
A feeling of having made the same mistake before: Deja Foobar
MagikSlinger is almost certainly right about this. However, if there is a terrorist group out there which was organized and sophisticated enough to carry out another large-scale, imaginative attack (which I doubt), Microsoft might be on their list for these reasons:
- It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries.
- It's extremely visible.
- Its market dominance could be perceived as "imperialist" or culturally imperialist by people who think like that.
- It's a center of wealth and therefore, in puritanical minds, of evil decadence.
- It could be thought of as a "vital organ" of the American economy by someone who doesn't realize how decentralized the American economy is.
Arguing against an attack on Microsoft is the idea that it's causing enough trouble for the US by itself, but this concept is probably beyond the reach of most fanatics.
With all these backdoors already 'embedded' in the OS... it would make project Magic Lantern useless and idiotic.
Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN messenger except for messages behind my home linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.
So, here's the interesting bit. UPNP works by telling the other client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives and just send there and hope the owner of the IP knows what to do.
However, UPNP apparently knows how to handle multiple chains of NAT networks, kinda like, I guess, an old-fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDOS?
So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen according to posts I read out of google searches...
Here's my rant...
Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.
Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?
I want my updated copy delivered by their (MS/FBI's) black helicopters!!!
(sorry, first day of vacation, lack of caffeine, new puppy, lack of sleep.. I thought it was amusing)
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
What really makes M$ asinine is the following:
M$ can't do no wrong.
M$ isn't at fault; the guy/gal that found the exploit is.
"M$ makes good products!" they preach, but in reality they are piss-poor quality that have more problems than their competition. Not to say that the competition has flawless software, but M$ tends to have more bugs and severe issues. So hold back your flame...
M$ doesn't care about their customers, they care about their customer's money. They feel that they don't have to do anything good to secure their computers, just focus on putting a dog on the screen and make it go "Good morning!" This is one reason why I support Linux and their companies.
Finally, M$ doesn't believe in QC. That's right, Quality Control is important. Code audits, testers, security audits; whatever -- bottom line: Do a better damn job with QC.
That my friends, will be M$'s demise... lack of QC.
Karma whorin' since 1999
is so incredulous.
I think the underlying problem is everyone thinks Microsoft is a technology company.
It is not.
It is a marketing company, and that's all it is.
The above post is an editorial; the poster cannot and will not be held responsible, in whole or in part, for its contents.
In epidemiology, one of the mitigating factors of the spread of any disease is simply the diverse genetic makeup of the targeted population.
The opposite of this is what's called a monoculture, where one particular genetic structure is present in the large majority of the population. Such situations will usually not last long, because once something is found that affects that population, it spreads quickly and decisively.
With Windows having such a large share of the market as it is, could this be considered the electronic equivalent of a monoculture? Would one major virus or security flaw cause much more damage to the net than otherwise would have happened, because of the homogeneity of the net's computer systems in terms of OS?
Whether the king is Linux or Windows or MacOS, or..., is having a near-monopoly market share of any one OS a good thing in light of this philosophy? Hmm. Food for thought.
There's 10 types of people in this world, those who understand binary and those who don't.
They set up a bogus server to crit update code into your system or just wreck it
They hack DNS to point to it
Yeah, that's a nice feature to have....
A feeling of having made the same mistake before: Deja Foobar
Now say an XP user gets his computer trashed by some malicious cracker and loses all of his important personal/business data, should he or she not be able to sue Microsoft for the loss?
I'm guessing a recall by the auto manufacturer would absolve the auto maker, but to do this, the manufacturer must send notification of the recall to EVERYONE who has the defective car. Apparently, Microsoft doesn't feel a similar obligation to notify all of its XP users...
Perhaps I'll go buy XP, leave it unpatched on the 'net, hope someone comes by and fux with it, call Johnny Cochran, and see what happens!
"Ask not what your country can do for you." --John F. Kennedy
With Magic Lantern, etc. it wouldn't surprise me to see that this flaw in XP, if not intentional at the behest of the FBI, was known about by the FBI for much longer than anyone else in the world outside of MS.
And please don't just dismiss this with "conspiracy theory" or mod down without a coherent counterargument. Surely at least SOME folks in the law enforcement realm must be thinking how they can take advantage of this monopoly.
After all, other major companies like petro firms, airlines, etc. all are subject to working with/for the govt and subject to regulation at times because of their strategic importance for national security; who's to say the same couldn't be said for computer software?
There's 10 types of people in this world, those who understand binary and those who don't.
I'm thinking new computers that have been bought this Christmas as presents. I wonder how many of these computers are preinstalled with Windows XP. As we speak, these computers are all wrapped in gift papers; who will patch them? Do people even have time to do anything else except get prepared for the big day? And are people aware of the severe security flaw?
Probably quite a few of those computers go to people who are going to have it as their first computer. And what are they going to do first? Turn it on. And probably, go online with it..
And the crackers will be waiting for the easy prey.
__
Zarathustra.fi
Modern man has no goal, no aim, no ideals.
where Burns and Smithers go through high security steel doors, scanning stations, gates and end up in the control room that has an old screen door to the outdoors in it, allowing a stray dog in. Seems to me that sums up Microsoft's entire security structure.
bonus karma points to anyone who correctly identifies the show number.
"Oh for Christ's sake" - Montgomery Burns after discovering a stray dog in his XP-like high security control room.
....... Thus ends my attempt at wit or whatever
This would be a damn good way to get Magic Lantern on a whole lot of systems.
This was mentioned earlier, but now the FBI is pushing it as well. Coincidence??
On the other hand, you have fingers
CSS is essentially a black box. Closed source software hides design, implementation, and the intentions of the software designer. As a result of CSS, the consumer and software engineer are unable, and not responsible for, distinguishing between flaw and intended design. It simply is a black box.
The successful prosecution for the non-malicious exercising of XP "flaws or intended design" will require convincing the jury that the intentions were to violate the design.
CSS is dying a slow death. Don't expect it to go willingly, however.
They failed to protect the country from terrorists and now they're trying to rebuild their reputation among the population by getting involved in the Internet. Th
:)
Looks like MS isn't the only one with good marketers
I set up an XP Home Edition box on 12/14 and after installation, went to Windows Update. Found a dozen (4 critical, 4 non-critical) updates waiting for me.
oh yeah...NOT UNIX you dumbass..and I especially enjoy the part where MS always prefaces ANY news about XP with "our most secure" operating system ever
And how will the Microsoft Controlled Slave Elements and other Microsoftistas spin the fact they're the only software vendor that's had this happen to them. What other company's products ever posed "risks to the internet" as a whole?
Yeah, I don't like Microsoft. Just look at my Karma rating. Over the last 3 years, I've had ME eat a hard drive and start munching on a second one, had to rewrite the registry several times, and a boatload of other problems. This is why I switched permanently to Mandrake.
I wasn't at all shocked when I read that XP has a serious hole. Heck, the whole "Upgrade/Shutoff" issue made me walk away from the idea of ever owning it. And now, there's a hole big enough that the FBI is on their case. Granted, it's because of the current state of the world. But really, are you surprised at all?
I know nothing about coding an operating system, but in all reality, I just don't get Microsoft's logic. Linus, Alan and a slew of other keystroke kings/queens work diligently to produce a solid OS (all OSs will have holes, no one's perfect), and they don't even get paid for it! Microsoft makes billions and they can't even get over their e-mail virus hurdle (short answer: stop making e-mail clients open everything with scripts). Now there's a serious hole in XP? Could someone explain that logic to me?
I know it'll never happen. We all know it. But until MS gets its act together, I'll be running Mandrake nearly full time and trying other distros. Anyone care to place bets as to when the next big problem with XP will be discovered? My money is on sometime in the next 10 days...
Blog Prophyts - Right On, Man
The automatic update, is a gift to all those whose concerns are security and the exploitation of MSecurity.
How can the user tell the difference between the MS automatic update and an attack by some kiddie?
Remember folks, MS's head security official now works for the administration. We might as well turn over all secrets to our enemies.
So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.
At Microsoft the ultimate way people are valued is at review time when bonuses, stock options, and raises are awarded. Do developers get hosed for leaving buffer overflows in? Well, not as of when I left (April 2000). But maybe that will change, slowly.
Eventually you have to stop accepting excuses like "Gee code is really complicated and I thought I was being careful" or "we really tried to think through this design" and recognize that essentially every buffer overflow comes from being lazy as a developer, or not accounting for what kind of garbage packets can come in off the net. If Microsoft starts emphasizing that you can be fired for leaving a buffer overflow in, then things might change. Of course it's a little unfair, there is no doubt lots of clunky code in there that just doesn't happen to expose an externally exploitable buffer overflow (and merely crashes the system or something), but you start emphasizing the necessity to go over things with a fine-tooth comb to prevent buffer overflows, it will improve all the code.
Because although there may be a few cases where someone really tried to check boundary conditions and just did it wrong in the code, in most cases developers are just being lazy about writing the code robustly to begin with. Plus if you have some code to prevent this and you write it wrong, you haven't tested your code properly anyway.
More ruminations at this osopinion article.
- adam
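The post above blames most buffer overflows on not accounting for what kind of garbage packets can arrive off the net. The following is an added illustration, not code from the post or from Microsoft: a parser for a small, constructed TLV-style message format (hypothetical: one type byte, a two-byte big-endian length, then payload) that validates the declared length against both the bytes actually received and the size of the destination buffer before copying. The two checks it performs are exactly the ones a "lazy" parser that trusts the length field omits, and the sample packets are constructed inline so the example runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical wire format used only for this example:
 *   byte 0      : message type
 *   bytes 1..2  : payload length, big-endian
 *   bytes 3..   : payload
 */
#define HDR_LEN     3
#define MAX_PAYLOAD 64

struct msg {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

enum parse_status {
    PARSE_OK                  = 0,
    PARSE_TRUNCATED_HEADER    = -1,
    PARSE_LEN_EXCEEDS_PACKET  = -2,
    PARSE_LEN_EXCEEDS_BUFFER  = -3
};

/* Parse one message from a received datagram. Returns PARSE_OK or a
 * negative status; on failure *out is left untouched. */
int parse_msg(const uint8_t *pkt, size_t pkt_len, struct msg *out)
{
    if (pkt == NULL || out == NULL || pkt_len < HDR_LEN)
        return PARSE_TRUNCATED_HEADER;

    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);

    /* Check 1: the sender's length field must not exceed what was actually
     * received. A parser that trusts the field reads past the datagram. */
    if (declared > pkt_len - HDR_LEN)
        return PARSE_LEN_EXCEEDS_PACKET;

    /* Check 2: the length must fit the fixed destination buffer. The classic
     * overflow is memcpy(out->payload, ..., declared) with no such check. */
    if (declared > MAX_PAYLOAD)
        return PARSE_LEN_EXCEEDS_BUFFER;

    out->type = pkt[0];
    out->len  = declared;
    memcpy(out->payload, pkt + HDR_LEN, declared);
    return PARSE_OK;
}

/* Constructed sample packets, each returning the parser's verdict. */
int parse_sample_good(void)
{
    const uint8_t pkt[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
    struct msg m;
    return parse_msg(pkt, sizeof pkt, &m);
}

int parse_sample_lying_length(void)
{
    /* Declares 255 payload bytes but only 3 follow. */
    const uint8_t pkt[] = { 0x01, 0x00, 0xFF, 'a', 'b', 'c' };
    struct msg m;
    return parse_msg(pkt, sizeof pkt, &m);
}

int parse_sample_too_big_for_buffer(void)
{
    /* Consistent with the datagram, but 128 bytes will not fit MAX_PAYLOAD. */
    uint8_t pkt[HDR_LEN + 128];
    memset(pkt, 'x', sizeof pkt);
    pkt[0] = 0x02; pkt[1] = 0x00; pkt[2] = 128;
    struct msg m;
    return parse_msg(pkt, sizeof pkt, &m);
}

int parse_sample_short(void)
{
    const uint8_t pkt[] = { 0x01, 0x00 };   /* header cut off */
    struct msg m;
    return parse_msg(pkt, sizeof pkt, &m);
}

int main(void)
{
    printf("good packet        : %d\n", parse_sample_good());
    printf("lying length field : %d\n", parse_sample_lying_length());
    printf("too big for buffer : %d\n", parse_sample_too_big_for_buffer());
    printf("truncated header   : %d\n", parse_sample_short());
    return 0;
}
```

Both checks are needed: the first protects the read side (the source datagram), the second the write side (the fixed buffer), and a parser that remembers only one of them is still exploitable from the other direction.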
Hey Corgha,
Good job! Your automatic check will be downloaded
to your eXPensive machine automatically. You don't have to even be informed of it (don't forget the stealth mode in eXtreme Profits
that we haven't told our customers about.
Oops! I did it again! )
Slicky Willy
I find it amusingly ironic that the same government who clamps down on data encryption is suddenly worried about making the net a safe place for business.
Mirror Site #1
Mirror Site #2
Mirror Site #3
Mirror Site #4
Mirror Site #5
Homer Simpson laughing and saying, "It's funny 'cuz it's true!"
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
If one were to look at history and see which animals survived drastic changes, the most adaptive wins. Microsoft does provide some great products like Excel and maybe Word. But at some point, its size becomes a barrier to rapid adaptation. As George C. Scott said in the movie Patton, "all glory is fleeting."
It's American, and a symbol of American characteristics such as innovation
Since when is Microsoft a symbol of innovation?
It's hard to be religious when certain people are never incinerated by bolts of lightning.
A few thoughts:
1. Last I checked, nobody forced anybody to use an MS OS or browser to surf the net... nor does MS OWN the internet. BUT- I think this inquiry is a BACKDOOR to the anti-trust issue... that maybe while NOT a monopoly, the user base is SO LARGE that a "widespread catastrophe" *could* occur.
2. Accountability? If I purchased a new boat that was full of leaks, and all my friends purchased boats from the same company that also all leaked, that company would have a serious PR issue, and would likely be out of business in no time- whether they "fixed" them or not, the expectation of the consumer is that they won't leak during their first launch. MS does NOT have a serious PR problem to most consumers.
Instead, we have "experts" as much as tell us that "all boats leak a little here and there"- and there is no real effort involved with patching these leaks (just use your "auto-update"). Then we add the fact that to the general rank and file consumer, the issue is so COMPLICATED and "gee-whiz" (meaning most consumers wouldn't recognize the leak, nor could they make their own boat "visibly" leak, etc... in essence they never NOTICE the leak, but rather they merely read about it, so it does not directly affect them- unless their boat actually sinks).
(as an aside): I would like to see someone actually try to return XP to MS as a defective product... just as a test case of sorts to see how MS handles the issue. Clearly they are selling leaky boats, and there must be at the very least an "implied warranty."
The real question is whether XP "works as advertised." On the other hand, almost all software companies "expect" their users to be beta testers- MS is no different.
3. Internet as national infrastructure: We risk receiving anthrax through the mail, risk dying in a crash on the highways, risk a carjacking in a rough neighborhood... should we NOT assume some risk by connecting our computers to a world wide network that is accessible from all sorts of dark corners?
I know that I am speaking out the other side of my mouth here, and in essence NOT holding MS accountable, but car makers make all sorts of safety compromises based on cost and convenience. We could have a "helmet law" while riding in a car, and five-point seatbelt harnesses if we were more concerned about safety than convenience. There are countless product recalls. Where do we draw the line?
I do think FBI involvement is a bit presumptuous. On one hand, for years they have banned encryption they couldn't easily crack, now they turn around and express concern for security? Where's the logic?
On a humorous note:
"Outside experts cautioned that disabling the affected Windows XP features threatens to render unusable an entire category of high-tech devices about to go on the market, such as a new class of computer printers that are easier to set up. But they also acknowledged that disabling it could afford some protection against similar flaws discovered in the future."
---yeah, there's nothing MORE DIFFICULT than "setting up a home printer"
Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
Since the big-name OSS companies/projects obviously aren't interested. The latest Gnome control panel looks just like the XP control panel, down to using the paradigm of tasks. KDE is built to look and act much like Windows. In fact, where is the innovation? Most of the more successful and/or high-profile projects you read about every day seek to duplicate features found in ... Microsoft OSes?
It is certainly true that the Linux kernel plays catch-up to advances made in "the real world". How much longer has Windows (NT) had a journaling filesystem than Linux? How many distros even ship with a journaling file system configuration option? Let's not even get into the subject of USB.
On the other hand you have groups pumping out software with very nice functionality, such as openssh, apache, etc. But for the most part those projects, at least of now and in terms of "innovation", look more like they're resting on their laurels too! (Apache 2.0 betas being a notable exception)
For further information I direct you to Microsoft Research.
I remember when NT 4.0 came out (they were fairly low key with NT 3.x) and Microsoft claiming it was far more secure than UNIX and you wouldn't have buffer overflows because the source was closed and people couldn't find them even if they existed.
I also remember many years ago them claiming NT was more secure and showing the number of submissions of security holes posted to Bugtraq (before NTbugtraq) there were for UNIX vs NT (back when nothing serious ran on NT and no one really cared less about it to look for holes).
Now they want their code running in everything, including acting as firewall devices. I find this so fucking funny I could just split a gut. You're going to protect machines running code "x" by installing a device running much of the same code "x" to protect those machines from the world?
I just find it a bit frightening. The entire world running on code from one manufacturer that is not open to public review. I'm even more surprised that foreign governments are so trusting of it.
You know what's scary? We just bought an EMC disk array and had to give it an IP address for management. Did a port scan on it. WTF? It's listening on NetBIOS ports. Used smbclient to take a gander at it and, lo and behold....
Domain=[AZBYCXDWEVFU] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
Workgroup Master
AZBYCXDWEVFU CLARIION_SPB
I call EMC and they say "Oh, the new clariions run a stripped down NT kernel in their service processors." :-( Joy... my SAN is now trusted to that super sekure Microsoft code. At least I can block it from the world through my router which, for now, is running non-Microsoft code...
Can you imagine the harm one could do with a hole in THAT? The financial world survived WTC through redundancy and real-time mirrors of data kept in far flung locations. There are disaster recovery data centers where entire warehouses are filled with machines just waiting to kick in during a crisis. So now you have your storage area networks themselves controlled by Microsoft code. Just exploit the hole-of-the-week to get your code inside a corporate or government firewall, seek out these storage networks running NT kernel code, trash them, take out the primary and backup locations. Chaos.
Linux and RS/6K systems were formerly completely open if you knew their IP address and typed "rlogin 192.168.1.1" and typed "-f root" at the login. People knew about it for several days before it was announced (I know because I exploited it).
Telnet shared library hack cost me a linux box hanging off a DSL line.
Every system has holes...
Since the government these days seems to be all about protecting innocent corporations from us evil individuals, you'd think something this would have happened after, say, the second "ILOVEYOU"-style worm brought corporate mailservers around the country to a screeching halt-- during an administration that was actually prosecuting Microsoft for its monopolistic misdeeds.
But now the Republicans are in office, and faced with a real conundrum: what do they do when one mega-corporation is selling dangerous, insecure products to all the other mega-corporations? Because that's who they're thinking about here. If it warmed the cockles of your heart that the government was concerned for all those consumers who ran out and bought XP, you're delusional-- they're worried about seeing more shit like this once XP gets widely adopted in the corporate world.
~Philly
Yeah, they all look JUST like Windows... if your only experience with a GUI interface is Windows. If your only experience with flying objects is birds, then the first aircraft you see would appear to be JUST like a bird. However, they are quite different, and some of their operations are very different.
The similarity of KDE, fvwm95 and GNOME to Windows may be more of an attempt to reduce the user learning curve. But look: I just caused my Opera window to disappear into the title bar with a CTRL-S, then switched to my third desktop with an ALT-3 and back again, and then I pressed CTRL-ALT-F8 and I'm looking at an instance of X exported from my Dell PowerEdge server in the basement.
If you pull your head out of your ass you will see the innovation.
You're saying that the same people who "need" the auto-updater because they're clue-deficient will know to do this? These people are sitting ducks.
Too bad Microsoft's web server farm was running XP.
So much for madcow...
I wouldn't expect that level of imagination from people who name themselves after Star Wars characters. ;-D
Stating on Slashdot that I like cheese since 1997.
wow, mirror site #3 really helped me. Now when I wanna move something to the trash, it just goes there instead of questioning me.
And nobody tried to sell me anything!
If you don't say anything, you won't be called on to repeat it. -- Calvin Coolidge
Linux=OpenSource=Freedom
Want to get government backdoors in the OS that runs almost every computer in the world? Threaten the company with trumped up charges which will ruin them for life, then cut deals with them so they can return to business as usual in return for their cooperation.
Except that MSNBC is the most openly critical newssite, when it comes to MS. I suppose they think it gives them journalistic credibility to be so openly critical of their parent company. ;-)
Stating on Slashdot that I like cheese since 1997.
This sounds like a good incentive to upgrade to Mac OS X to me... A
Sure, remote X and multiple desktops are nice and interesting, but how long have THOSE particular features been hanging around? Has there been any sort of "innovative" usability enhancement of that nature recently? No? Ok.
Besides which, remind me, what's the point of windowshading? Is there a useful distinction between windowshading and minimizing that I'm missing out on?
Fine, then I won't discuss VisiOn, GEM, DESQView, or GEOS ...
...
and then of course there's Amiga
A big part of the 'ploit seems to revolve around M$ trying to do a "hardware detect" over the LAN to load the proper OS or third party "drivers". They are surprised that network boundaries are primarily psychological, so their ease-of-use feature leaks out into the internet and causes security problems.
Linux® on the other hand demands much more standards compliance and relies less on "drivers" to provide translation layers and introduction of security and or performance problems.
And I agree, I just did a WindowsME® install a few months ago, on a freshly formatted hard-drive. SuSE has blown Windows out of the water for a couple years on ease of install, auto-detected hardware, not to mention ease of use. I do disagree with modern Linux desktops being hard to learn; for the same functionality as Windows it's about the same or easier to learn, but you can do a lot more on the desktop in *nix than Windows. (I like the way jaws drop when I change screen resolutions, and jump back and forth between six different screens and have twenty different apps running at the same time, from Windows users.)
Apocalypse Cancelled, Sorry, No Ticket Refunds
Even the FBI is crying "buffer overflow," following in Microsoft's footsteps to divert attention from a designed-in security flaw.
It makes sense, from the perspective of a defensive Microsoft. "Buffer overflow? Who hasn't slipped up once or twice and had a buffer overflow bug? We have our code scanners rooting out the last one or two of these bugs, they'll all be gone soon and we'll all be safe."
The bigger gaffe is that they designed the OS to say "hack me" (or words to that effect) whenever some other device--any other device--asks to fondle, as it were, the OS's drivers. That this is a huge security exposure is obvious to anyone who is old enough to remember the early days of hacking. Some hotshot designers at Microsoft (probably with degrees in marketing, not computing) designed this "hack me" feature into the OS intentionally.
Now they have the attention of the NIPC/FBI. Even FBI agents (who, over the last 10 years, gave new meaning to the term "anti-intelligence") know that on Christmas day, millions of un-patched XP OS's are going on line, in the same 24-hour period. The hackers will be waiting to stick their electronic -er-fingers in those exposed UPnP ports and leave behind a little deposit.
Maybe, maybe not, the FBI realizes that some of those systems will have time-delay bugs planted in the pre-patched OS's. Then, downloading the patch will produce the false security that keeps the spirit of the XP season alive throughout the coming year.
The silver lining? Corporate PHB's, the holy grail of Microsoft marketing, will lose confidence in any of Mr. Bill's claims of reliability and security, once and for all. XP was supposed to be the one-size-fits-all OS, from palmtops to corporate web front-ends to data warehouses (not that it was the first attempt at this unification by Microsoft, or even their competitors). Even the golf-buddy execs are going to remember the day when the FBI started pushing patches to the monopolist's holey flagship.
Did anybody notice, last year, when Bill Gates started to cut the cord to Microsoft? He did see the big fall coming, you know. Not as stupid as we make him out to be, eh?
Microsoft marketing: "Windows XP is the most secure and crash-proof OS ever!"
Microsoft EULA: "...but if it turns out not to be, tough titties on you for trusting us when we said it was. You can't sue us, because you agreed you wouldn't at install-time. And we think we can afford better lawyers than you, anyway. So neener neener neener!"
The no-liability stuff in license agreements, I'm sure, began life with the noble purpose of protecting companies from getting hit with lawsuits by morons who should have known better, or greedy individuals just out to screw a company out of a quick million. Typical of everything it does, though, Microsoft has twisted the purpose of the EULA into its current form-- that of a "lawsuit-proof vest" used to prevent people or companies with, in many cases, very valid beefs about Microsoft products, from taking them to court over it, and allowing Microsoft to push crap on us with impunity and just shrug when we get bitten by bugs or security holes.
Imagine if other companies did this. What if you had to agree to a EULA on a train ticket before boarding the train, then the train derailed because the operator was high on crack and speeding around a curve, and you wound up in a wheelchair for the rest of your life? You'd probably never take the train again. But what about companies who have to spend large sums of money on antivirus software and on employees who have to stay late to undo the damage done by the Outlook/Windows Virus/Worm of the Week? They just accept it and keep on using the same shitty software.
If it were possible to sue the living fuck out of Microsoft over these bugs and security holes, I think Microsoft QC might get a little budgetary upgrade. But nobody wants to be the first person to test the validity of the shrinkwrap/disk envelope/click-to-be-bound-by-it EULA in a court of law.
~Philly
My web logs are full of messages from already compromised Microsoft systems trying to break into my server. This is on a non-published web server on a non-Microsoft system. I can imagine the traffic load hit the internet is taking from all the infected Microsoft systems already out there, much less the new wave that will come from the XP vulnerabilities. Maybe since Microsoft is enjoying government protection for its monopoly, it's time for the government to do something about them.
...I think that we've only seen the beginning, since the DOJ has bent over and greased up for their good buddies at Microsoft. In about 10 years, you'll be able to find Windows XP running life support machines, BSODs, security holes, and all.
Welcome to hell.
"- Its market dominance could be perceived as "imperialist" or culturally imperialist by people who think like that. " Damn, I'm thinking like a terrorist now.
Microsoft is just plain dumb, here is already the next Internet Explorer security hole...
http://security.e-matters.de/advisories/012001.html
just my 2 cents
In the previous thread on this issue, I raised the question of legal liability of non-disclosure with the hypothetical case of a company hacked through this hole prior to the recent announcement, but after Microsoft learned of the hole, that suffered financial injury. Putting aside the specifics and focusing on the legal question, is this liability, if it exists, a business argument against non-disclosure?
Responses to the previous post indicate that the EULA is not a sufficient shield to hide behind and this is about willful non-disclosure of a known vulnerability. Does an implicit (in the legal sense) trust exist that vendors alert their customers to vulnerabilities as soon as they become known so that the customers can take immediate, non-patching action (e.g. disconnect from network, shut down affected services) to protect their systems until a patch is released?
Why? Wouldn't you be better off rolling your own? I remember pricing these things out a year ago and I quickly came to the conclusion that it would be better and cheaper to buy all the components separately and assemble them myself.
Come lets troll...troll across the board!
How about the biggest reasons:
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries.
Microsoft a symbol of innovation? You've got to be kidding...this company has never innovated anything. Their practice of ripping ideas from smaller companies and then waxing them with sheer marketing power has become THE dominant company trade.
Federal Criminal Charges need to be brought (and not dropped) against Microsoft in this case.
This way the Government can come to a settlement with MS where those who were harmed by the hole can't sue MS.
Along the lines of the deal struck between the tobacco industry and government.
Seriously, with all the digital rights issues going, certainly the compromise caused by such a hole but without criminal legal action against Microsoft is only going to tell people that lady justice doesn't have her blindfold on.
That's a serious problem! Assisting criminal activity knowingly.....
Looking at this I do have to wonder will UPnP (Universal Plug and Play) be the next IIS in terms of exploits, viruses and worms?
This issue is the second major *known* problem with UPnP in as many months, both involving buffer overflows of some kinds (MS01-059 & MS01-054).
Since UPnP runs as a service with SYSTEM level authority, rooting it gives you god-like control over the system, so this falls under the heading of a bad thing. I seem to remember that it is installed by default (currently running w2k so I can't check if it is or not).
So what we have here is a service that seems to be exploitable, running a protocol similar to http (assuming that what was posted to ntbugtraq was actually content), that is installed by default and will be a total pain to turn off, assuming of course that johnny average user even realises it is turned on!
Getting the average user convinced to download patches for this sort of thing is going to be a hard sell (unless they make it say something along the lines of "would you like to open file porn.jpg.vbs from " which as the last year has shown us half the planet will happily click).
IIS had similar problems, not to mention a raft of exploits (I imagine these UPnP exploits are just the tip of the iceberg) and look what that became - one of the more popular webservers - both to host sites *and* to write worms for...
And that's actually a LIE.
Note that this hole does NOT affect Windows 2000 Professional, or Server for that matter, but we are talking client OSes here, so comparing 2K Pro to XP Home/Pro is the natural comparison
I knew when the truth finally came out about XP, it would be found to be less secure than 2K Professional. I'm waiting for the next 'sploit to happen...I suspect that Remote Assistance/Remote Desktop is way less secure than 2K Terminal Services, and there will probably be a big-ass vulnerability found in that "feature."
A Win2K Pro machine, fully patched and without IIS enabled, is actually pretty tight. Of course, since 2K Pro is not open sourced, there's no way of knowing for sure. So yeah, other OSes are far more secured than anything from M$. But 2K Pro is definitely more secure than XP.
Knowledge is power. Knowledge shared is power multiplied.
Companies often have recalls of dangerous goods (e.g. toys, baby cribs, etc). I think Microsoft should voluntarily recall all WinXPs that have been sold. Consumer protection organizations should be in an uproar regarding potentially dangerous consumer goods such as this.
I think the full implications of what MS has allowed to happen are going to be felt more and more as real users suddenly understand that MS basically does not care about its users.
Look at
Argh... mod that other one down.
People won't realise. Just look at the news. Not a single newspaper is asking why MS aggressively kept selling an OS they knew was insecure. People just concentrate on patching their computers and are happy with good old Microsoft for a FAST fix.
This case should be documented. Each and every press release from Microsoft should be investigated. "In this ad you claim XP to be most secure ever. And this was one week AFTER you knew of the hole. Please explain."
how long has that been around? good to see ms is on the bleeding edge of system security...
And of course technical sophistication is so rare that the chances of finding but one person in the world both able and willing to exploit it is...about 99.99%
-- SIGFPE
Innovation isn't always visible or flashy...making a (nearly) crash-free OS IS an innovation. Making an open-source OS, which can be improved by a community of users and programmers instead of a marketing department, IS an innovation. Making an OS that is more efficient in memory and processor management IS innovation (did I mention SETI@home runs TWICE as fast, on the same machine, under Linux instead of Win2K? Yes, I use both...). The reason the GUIs look more and more like Windows (which itself once strived to look more and more like MacOS) is that people don't really care for innovation, they want to find themselves in familiar territory, and GNOME/KDE gives them that... If the only innovation brought forth by Microsoft is using pop rock bands in ads and the Start menu, then I really don't think they deserve that epithet (or maybe it's about innovative anti-competitive practices...)
Reminder: find a new sig
In all the hustle and bustle of this holiday season, it looks like someone forgot to make his monthly bribe to the Feds...
My main complaint is you pay $$$ for their product, then help them fix it. Then when you've got a stable happy system, you're told to purchase their new product, which is broken, and you help them fix it.
Not only that, you get to pay them to allow you to help them fix it... ie, pay for support on a product you've purchased already, which helps them track down problems they can fix in a future service pack.
I'm not talking about getting help changing your wallpaper or setting up tcp/ip, but things that you find in the KB with the explanation "This is a known problem in XXXXX", or, that you don't find at all in the KB. It's insane.
Unfortunately, MS is rich enough to buy off the government, so nothing will be done to force them to make a better product. Then again, we're not held at gunpoint to purchase their product. However, MS is rich enough that they can afford the super-sexy salespeople to convince the suits to use MS throughout your organization. Plus, there really aren't good non-MS options to such standard office products as Word, Access, etc. Not to mention 3rd party software developed specifically to run on Windows. These 3rd party software companies are not likely to abandon X years' work to switch platforms.
I think it will take a very high-profile (rich) company filing suit against MS for damages before anything will happen. Plus they've got to get around the EULA. Typical end users will just put up with it, knowing they don't stand a chance in hell against MS, but a big company could. Maybe even the US Government. There's got to be some way to argue that their sales pitch is fraud.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
I was just watching BBC news 24 - one of the news items was is that "...the FBI are warning people that the patch released by Microsoft to fix the problem in their latest operating system, Windows XP, is not enough to make them safe - they should install the patch, and also disable the feature known as Plug And Play. The bug means anyone connecting to the internet can have their computer taken over..."
It's nice that they report tech related stories, but if they make a mistake like forgetting "Universal", I wish they hadn't bothered...
The arrogance of the US government is far bigger than M$'s. When they take over, things usually do not get better.
There are only three situations with Windows XP, all of which result in a safe computer:
1) The user is a novice/intermediate and goes on the Internet frequently, where XP will automatically install the update.
2) The user never goes online, so the vulnerability is moot.
3) The user is advanced and turns off automatic updating and is thus advanced enough to install the patch on their own.
No official reports of the vulnerability being exploited exist.
I'm sorry, but if you can't be bothered to find the configuration setting that tells Windows not to ask for confirmation, you have no business making any sort of judgement on its usability or worth.
Vintage computer games and RPG books available. Email me if you're interested.
If it doesn't already exist, someone should create a web page with all the big M$ security problems described chronologically. Just listed in the order they were discovered with 1-2 lines about what they do.
It would be a neat place to refer people to who don't believe that M$ is a security problem.
Does anyone know if XP's built-in firewall protects these ports?
Yes, with minimizing you have to keep moving your mouse down to the bottom of the screen, or transferring between using the mouse and using the keyboard. Plus, it looks cooler. Besides, when was the initial code on the new GNOME/KDE apps/controls that you say look like XP started? Was this before or after Windows XP was first released to testers? Kind of makes you wonder who is copying who, right? Just because Microsoft comes out with a "finished" product before GNOME and/or KDE does not necessarily mean they started working on said product before GNOME/KDE...
Considering the fact that the auto-installer has already updated my XP box to fix this hole, I think that I'm pretty safe. As are the vast majority of XP users, who don't turn off auto-update, which seems to be on by default.
Another great service my Linux boxen don't enjoy that would protect me from Code Red is McAfee XP (.net) which is running on my box and getting virus updates several times a week without my intervention.
Beat on their business practices all you want, because M$ deserve it, but don't knock XP until you've put in some time evaluating it.
I am sure that someone could human engineer the error messages. and since they would actually never go to MS, but maybe to some Bogus Site, like Microsoft-security.com some folks could be fooled by this. I am thinking of the Pay-Pal Scam that was running around a few days back, using simple email. It wouldn't be that hard for people who were expert to fudge something to send a user to La la land, with appropriate dialogs, disclaimers, etc. etc.
"It is a greater offense to steal men's labor, than their clothes"
Does this mean that my government (i.e. my tax dollars) will subsidize security development efforts at Microsoft, when Microsoft itself has consciously elected to empty their own deep pockets into marketing XP instead of making it secure? If the government truly has interest in security, should they not fine instead of fund Microsoft, or advocate acceptable alternatives?
I want to buy a new notebook, but I don't want to run Windows XP. Is there any way that I can purchase a system from, say, Dell or Compaq, without XP? I don't want to pay for an OS if I'm going to format and install Linux anyway.
They say that attacks other than DOS are unlikely because of the technical sophistication needed. What a flimsy excuse for complacency. What kind of technical sophistication was needed to get that 'weapons grade' anthrax? The unlikely happens many times each day.
The continuing security exposures of Microsoft products and the high initial price tag have as a consequence that MY earning power is under threat. I am certified to be professional by Microsoft. But when I am asked if Microsoft produces software that I can securely implement and give a guaranteed performance, I find that it is becoming more and more difficult to say in good conscience that it is OK.
:(
I am only ONE professional, Gartner says do not use IIS, the FBI has a heart to heart with Microsoft. I find that I need additional skills and qualifications to secure MY financial future.
I might not be completely clued in here, but wouldn't such a devastating, overall vulnerability be attributed to WinXP's implementation of RAW sockets? Or am I not correct in my understanding of the full control extent that RAW sockets allow?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Okay I d/l and installed the patch. The first box was a Mac running XP inside VirtualPC; I was installing v5 and it was running so off I went (auto update is disabled on all my XP boxes). Took about 4 minutes to d/l the 583KB file. Wow, VPC5 is slow, I think.
Second box, AMD 1GHz and the patch took... what's this? 3 minutes for a 600K file via hispeed?
Anyway, the patch caused some kind of "serious system error" on the AMD box, and XP asked me to send a report (I did, anonymously) to help them find whatever mysterious crash it caused.
But, I digress...
MS won't tell the FBI how many users d/l the patch yesterday because at 150K a minute only about 87 users were able to get it installed before they had to go to bed.
Intervention, control and structure around your OS?
Give the responsibility/power to do it for MS and watch Linux disappear. After all -- we can't have independent OS's.
Maryland Residents should be writing our dear Mr. Curran, explaining the problem in simple terms, explaining that making users go into the internet for the patch is not sufficient for dealing with this faulty product, and demanding to see the OS recalled and a fraud investigation initiated.
Might want to copy the DoJ, even if Ashcroft is a sell out to Redmond.
Here's your chance, Maryland! Do us all proud.
In space, no one can hear you moo.
``This is the first network-based, remote compromise that I'm aware of for Windows desktop systems,'' said Scott Culp, manager of Microsoft's security response center. ``Every Windows XP user needs to immediately take action.'' He called it a ``very serious vulnerability.''
``This is the most secure version of Windows we have ever released,'' said Culp, adding that complex software ``will always fall short of perfection.''
http://dailynews.yahoo.com/h/ap/20011220/tc/microsoft_hackers_7.html
You can't handle the truth.
Now, of course there will be dozens of MS apologists on this thread, and you can do a lot of apologizing about this bug, after all they got a patch out before there were any known uses of the exploit, and on the other hand this vulnerability leaves your computer more wide open than almost any that have come before, but I'm not interested in taking that debate any further, as that is what the rest of the thread is about.
The reason I think this story has become significant is because this bug is actually getting reported by large news organizations. Slashdot might run an article every time some script kiddie finds a new hole in IIS, but when is the last time you heard about that on your local news?
This bug, however, has actually been featured on all the big news organizations, thanks to the government statement. I saw a two-minute piece on it on CNN and a 30-second piece on Fox News, both featuring the government's warning that the patch would not be enough and everyone should disable UPnP on their machine. Flipping by CNN Headline News, I noticed the headline at the bottom, "Win XP hyper-vulnerable to hackers."
It is getting people to be concerned about security that will get something done about it; security isn't a selling point right now. When was the last time you saw an OS (besides OpenBSD) listing security as its top feature?
So think what you will about the impact of the bug itself, our government should be applauded for once for finally getting the media spotlight on security.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
Yes, buffer overflows make me absolutely sick. It is insane that Computer Science hasn't advanced beyond this shite yet.
When I worked at MS, my group did fall victim to a buffer overflow bug. What did we do? We outlawed strcat, strcpy, etc. And instead made all the developers use boundary checking functions which always returned HRESULTs. And yes, we did rewrite all our existing code to use them.
Any developer, no matter how perfect, can make a mistake. So don't punish a single mistake. Put conventions into place which make it more difficult to repeat the mistake.
Finally, the buffer over-run is only a security risk because computers these days grow the stack downward. That is, the function return pointer is stored AFTER the "end" of your local variable. If we grew the stack upwards, the return pointer couldn't get overwritten with an over-run. Yes, I know growing downwards makes stack-overflow checking easier/quicker, and this functionality is partially embedded in the CPU (e.g. x86 'push' command). But computers are fast these days, so maybe it is time for the CE's to solve some of the SE's security problems.
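As an added example (not code from the poster above or from Microsoft), here is what the convention this post describes can look like in practice: bounded replacements for strcpy/strcat that report failure through an HRESULT-style status instead of writing past the buffer, used to build an HTTP-like header line from untrusted input. The type `hresult_t`, the status constants, `safe_strcpy`, `safe_strcat`, `build_host_line` and the sample hosts are all constructed for illustration.

```c
/* Added example, not code from any poster on this thread: bounded
 * replacements for strcpy/strcat that report failure through an
 * HRESULT-style status code, in the spirit of the convention described.
 * All names, status values and inputs here are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef long hresult_t;              /* stand-in for Windows HRESULT */
#define HR_OK                0L
#define HR_INVALID_ARG      (-1L)
#define HR_BUFFER_TOO_SMALL (-2L)

/* Length of s, stopping at cap if no NUL is found within cap bytes,
 * so an unterminated destination can never send us off the end. */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Copy src into dst, which holds dst_cap bytes including the NUL.
 * Never writes past dst; when there is no room, dst becomes "" and
 * an error is returned so a caller cannot silently use a bad buffer. */
hresult_t safe_strcpy(char *dst, size_t dst_cap, const char *src) {
    if (dst == NULL || src == NULL || dst_cap == 0) return HR_INVALID_ARG;
    size_t n = strlen(src);
    if (n >= dst_cap) {               /* src plus its NUL would not fit */
        dst[0] = '\0';
        return HR_BUFFER_TOO_SMALL;
    }
    memcpy(dst, src, n + 1);
    return HR_OK;
}

/* Append src to the string already in dst. dst is left unchanged on
 * failure, so the caller can abort without a half-built string. */
hresult_t safe_strcat(char *dst, size_t dst_cap, const char *src) {
    if (dst == NULL || src == NULL || dst_cap == 0) return HR_INVALID_ARG;
    size_t used = bounded_len(dst, dst_cap);
    if (used == dst_cap) return HR_INVALID_ARG;   /* dst not NUL-terminated */
    size_t n = strlen(src);
    if (n >= dst_cap - used) return HR_BUFFER_TOO_SMALL;
    memcpy(dst + used, src, n + 1);
    return HR_OK;
}

/* Build an HTTP-style "HOST: <host>\r\n" line (the thread notes that
 * UPnP speaks an HTTP-like protocol) from untrusted input. Every step
 * checks its status; on any failure the output is cleared. */
hresult_t build_host_line(char *out, size_t out_cap, const char *host) {
    hresult_t hr = safe_strcpy(out, out_cap, "HOST: ");
    if (hr == HR_OK) hr = safe_strcat(out, out_cap, host);
    if (hr == HR_OK) hr = safe_strcat(out, out_cap, "\r\n");
    if (hr != HR_OK && out != NULL && out_cap > 0) out[0] = '\0';
    return hr;
}

int main(void) {
    char line[16];                                /* deliberately small */
    /* Constructed inputs: the first fits, the second does not. */
    const char *hosts[] = { "1.2.3.4", "192.0.2.10" };
    for (size_t i = 0; i < 2; i++) {
        hresult_t hr = build_host_line(line, sizeof line, hosts[i]);
        printf("host=%-12s status=%ld %s\n", hosts[i], hr,
               hr == HR_OK ? "[ok]" : "[rejected, buffer cleared]");
    }
    return 0;
}
```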
Microsoft failed to notify the FBI in the 5 weeks they knew about it, so the FBI didn't have the time to code a secret d/l of Magic Lantern on everybody's box, and now MS releases a fix and goes and tells everybody about it.
Agent 1 "Now, we'll never get it on the 10 million boxes that were just SITTING THERE, with their mouths open... "
Agent 2 "That's it! Call the DofJ. Tell them fix is off. And don't cash Bill's last check! "
Anyone else got to see the demo version of McAfee ActiveShield installed on new HP systems? One of my friends called me over one day because he said his antivirus had found a virus on his computer. I told him just to hit repair and if that didn't work, hit delete, then he told me there were no repair or delete buttons.
When I went to look at the problem, I saw ActiveShield had popped up a dialog, "McAfee ActiveShield has detected an infection in this file somefile.mp3.vbs VBS/Love Letter." With a button that took you to the McAfee website where you could remove this virus using McAfee online for "only 39.95." After getting him NAV, we found that it had infected every eligible file on the system (about 23,000), and LoveLetter of course overwrites the original files.
I found his restore disks and went back to my Power Mac.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
Microsoft is a symbol of innovation. It's a front. It's a sham. But it's still a symbol as long as there are enough gullible victims who believe.
Also had to (and still do) endure shitloads of nuisance packets as a result - AT&T cable, dontcha know. Still, the majority of DEU's (defective end users) responsible for patching IIS or stopping the service didn't.
My prediction is that this will gain more momentum as a hazard, but may subside sooner as a result of Evening News coverage and a higher profile in the AP - ie: the DEU's might get a clue this time ;-)
Your mileage may vary...
db
IIRC, NT at some point was rated secure when not networked.
Under capitalism man exploits man. Under communism it's the other way around.
"Except that MSNBC is the most openly critical newssite, when it comes to MS. "-
Except that there really isn't any competition for most users- it is like being critical of the WEATHER
Also, notice the story breaks AFTER the patch is released... we can all hail those "innovators at Redmond" for saving the day- reminds me of all those cheesy movies where the arsonist is a fireman.
Most users never ever experience or are aware that they have experienced a "security breach" of their home system- most home users' PC problem solving skills are about following tech support's advice to insert their recovery CD and wipe out everything in their box because their modem doesn't work.
The public has so little understanding of the core issues... a co-worker I was speaking with today who just purchased an XP box asked me a bunch of questions about the issue after reading about it in the paper... his fascination with the topic was akin to reading about local crime stories- with a weird thrill that "it could happen to him"- while here the discussion is about "the principle of the issue"- that the OS was even let out the door in the first place, and that this is one of many problems.
Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
Well, Ford might have thought "we can't possibly get ahold of everyone who has this problem, so we won't notify anyone".
MAKE THE EFFORT. If people aren't registered with a valid email (and check it occasionally) that's their problem.
creation science book
you sound like someone who used to work for Smith-Corona (the typewriter people) and whines that Smith-Corona isn't doing enough to ensure the future of each employee...cmon man..give it up and be a man...you CHOSE to specialize in MS products...nobody forced you (especially MS) and you have NO CLAIM to them for your future...moron
This is a really, really, really big one. It should be in the newspapers. Microsoft has claimed some time ago (free karma to the one who posts a link) that closed source, for-profit software and operating systems are more secure because the company can actually *hire* people to do security audits of the source code, whereas open source developers aren't motivated to do it because it's really boring, and there's no glory in it.
Now, we all know that OpenBSD has proved them wrong, by proving not only that open source developers *want* to do hardcore security audits of the source code, but that doing hardcore security audits on source code prevents security holes from being released into the wild. OpenBSD hasn't had a remotely exploitable security hole in the default install in FOUR YEARS! Windows XP has been in release for all of about two months, and already there's a major security exploit found.
This proves by Microsoft's OWN ADMISSION, either they do not hire people to do the hardcore security audits they say they can, or if they do, they can't do it as well as the volunteers who "obviously" don't do it at all because there's no monetary motivation to do so.
With lies like this, Microsoft couldn't get into a Better Business Bureau if they paid each of its members a billion dollars.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
There's 2 OSs on the shelf:
+ The first one costs $300. It will be fully supported for the next 5 years
+ The second one costs $100. Next year you'll have to buy an upgrade to get bugfixes.
Which one do you buy? 90% of the people chose the second, cheaper option (Windows) over the first option (OS/2).
When the world is ready to pay for quality, let us all know. I see cheap shit everywhere, and computer software is no exception.
> THE FBI'S National Infrastructure Protection Center said that, in addition to installing a free software fix offered by Microsoft on the company's Web site, consumers and corporations using Windows XP should disable the product's "universal plug and play" features affected by the glitches.
If the FBI wants universal plug and play off, it sounds to me like there's another security hole there. Why else would they request this? Isn't Microsoft policy to keep these things quiet until they are fixed? They depend on no one knowing about the problem to keep machines safe. But, maybe for the FBI, especially with the terrorism situation, who might have critical data on XP machines, this thin line of defense isn't quite good enough.
http://junglevision.com -- Shamus for Gameboy
http://www.google.com/search?q=xp+hole
Results 1 - 25 of about 63,500. Search took 0.44 seconds.
1) Microsoft issues patch for "serious" XP hole - Tech News
The flaws were discovered by Aliso Viejo, Calif.-based security company eEye Digital Security and reported to Microsoft about six weeks ago, said Marc Maiffret, eEye's chief hacking officer.
It's in the first fucking link on Google. Or was that too difficult?
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
Slashdot recently reported 'Al Qaeda hacks Xp':
http://slashdot.org/article.pl?sid=01/12/18/1450218&mode=thread
Is it possible that the FBI is so interested in this case because of the above reports? Is there a link? Just a theory
It's more like the car company selling you a car without air bags and then offering to install free replacements if you drive down to the dealership in your currently airbag-less car...
It is, in one word, insufficient.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
Between the 2 of them, Windows XP users have poor Goatse-man beat by a painful mile for the infinite elasticity of their holes.
I'd mod you up for this line alone. You sir, are a poet.
If he can install and run debian, and can't find the Windows config dialog, then M$ is missing something.
I find windows too hard to use because I can't tweak settings without going through a bunch of dialogs.
Example: all those taskbar apps that start up in windows (kills my roommates' comp)... how do you turn those things off!?... in linux all I have to do is emacs .Xsession and comment out the line that loads the dockapp or whatever. That is really simple!
Oh, and flame away for not knowing how to use windows. I must be too stupid
My other car is first.
I won't make any comment as to your intelligence, but if you can't figure out 'right click on the recycle bin, and unselect 'display delete confirmation dialog' and hit 'ok'' or, in other words, right click, left click, left click, left click, then you might just be having a problem of some sort, even if only a complete and utter bias against Microsoft that causes you to make unreasonable assertions.
Vintage computer games and RPG books available. Email me if you're interested.
Why can't I edit .trashrc and change
PromptOnMoveToTrash: true
to false?
That doesn't even involve a mouse :P
My other car is first.
Does this mean, 'talk', or, 'inserted counter-insurgents into the Redmond campus'?
:)
Glad to see the government is finally saying, "Erm, hey, Bill? You might be able to buy the Department of Justice, but there's governmental agencies here who dislike your ramshackle approach to security. Fix it, so all our base still belong to U.S."
Perhaps the script kiddies were waiting until people got new PCs for Christmas.
Different design philosophy, and different intended end result. You pick the tool for the job, not the job for the tool.
Vintage computer games and RPG books available. Email me if you're interested.
Amen to that.
*shudder*
C'mon, Linux is much more secure.
As long as you spend a good five days reading up on what you shouldn't be installing. (:
I know Microsoft software is flaky, but this bug is surely too big even for Microsoft.
Oh you're so right. After the events of September 11th, my company, like many other individuals and institutions, came to the realization that foreigners (especially the swarthy ones) are inherently evil, and instituted a policy of hiring only white male Christians, plus providing each white male Christian employee with a free Holy Bible and framed copies of the second and tenth amendments. In the following months, we've found that the amount of terrorist code in our software has decreased dramatically! The exciting side effect of all this is that our code is also now 100% Made in the USA!
Here's to hoping that companies all over the globe follow our practices so that we can make this a better world for good, peace-loving people everywhere. Let's roll!
- adam
This hole also exists in 98, 98SE, and ME. It just hasn't come to light until recently due to the default settings on XP versus the default settings on prior versions. (The default setting on XP is to have UPnP enabled, whereas on previous OSes you had to actually go to a little trouble to open up the hole.) So the little ol' Al-Qaeda dude must have been working there for quite a while. And considering how many Windows computers are out there, it's not surprising that the government would take an interest in this, whether it's Al-Qaeda related or not--this is a BIG screwup on Microsoft's part, it's got the potential to cause more problems than a few bucks in stolen credit card transactions (does YOUR doctor's office have your records on a Windows box? How about your accountant or your attorney?), and it goes way back, which means it's gonna be a beast (probably impossible) to get everyone patched (and what if the patch screws up your computer? It does occasionally happen, no matter how carefully designed the patch is).
It's easier for me to leave my car unlocked, but not as safe. So should we just not tell people that we're leaving their cars unlocked or let them know how to lock them unless they specifically ask how?
Denver Isuzu Suzuki
This is pretty exciting news! It just goes to show that evolution takes time. Take a look at the computer industry in the last 50 years. The industry was yanked in many directions over the years, and Microsoft's yank was pretty big. MS's current influence is so huge that one little fuckup in their code can cause government agencies to get suspicious. Giants this big tend to be their own undoing. When companies get this influential, they crumble under their own weight. This effect is comparable to the rise and fall of, say, Rome. The funny thing is that I think I see William Gates with a fiddle.
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
Yep, they declined to tell officials how many consumers downloaded the patch, but I CAN tell you that the patch is not listed in their top ten downloads (service packs are included in the top ten list, but I don't know if critical updates are. Anyone on the inside know?)
Maybe installing the auto-updater hasn't been stressed because there's a security hole there we don't know about--Joe Schmo's computer downloads what he thinks is a Microsoft-issued update but in reality it's something some hacker has pointed him to instead, runs it, and...oopsie!
Denver Isuzu Suzuki
FBI> Mr. Gates, Thanks for meeting with us.
DOD> Yes, we appreciate your taking time out of your schedule.
BillG> Fuck You.
FBI> We have some problems with the unusually large number of exploits and security holes.
DOD> There is also that al Qaeda rumour.
BillG> Fuck You.
FBI> We'd like your assurances that you'll produce a better product.
BillG> Fuck You. You'll get what I give you.
FBI> We are perfectly willing to switch to another supplier.
BillG> Fuck You. You'll get what I give you.
FBI> We'll switch to...uh...
DOD> Shit...
FBI> Sorry to bother you Mr. Gates.
BillG> I'm cancelling our contract with you. Good luck finding another OS and application set.
DOD> We're sorry. We're really sorry.
FBI> We shouldn't have come...What can we do to make you change your mind.
BillG> You'll pay double.
DOD> Sir. Yes Sir. We'll gladly pay double.
FBI> Yes. Thank you. You are truly kind.
BillG> One more thing... who's now my bitch?
DOD> I...don't understand...
BillG> WHO'S...MY...BITCH!!!
FBI> We're your bitch.
DOD> yes. we are your bitch.
BillG> Now get the fuck out of my face.
Here we come.
By disabling all links to an outside network, you have achieved the zen of true C2 security!!
One OS To Rule Them All,
One phone-home to find them,
One OS To Bring Them All,
And with a security hole bind them...
...PAY ME HEED MY GOOD USERS,
FOR THIS IS A STORY,
OF CRACKERS AND HACKERS, OF CODERS.
A WONDROUS TALE YOU SHOULD KNOW,
FROM AN AGE NOT TOO LONG AGO,
BEFORE LINUX WAS THE MEASURE OF THINGS.
WHEN THE NET GENTLY MURMURED
HER SONG TO THE USERS,
AND THE FLAWS GENTLY WHISPERED ITS PART;
WHEN THE MICRO STOOD TALL,
AND IS STILL KNOWN TO ALL,
BY HIS WEAKNESS AND UNCARING OF DATA.
More?
Three OS's for the BSD-kings under the sky,
Seven for the Linux Kernel Team in their halls of stone,
Nine for Apple Men doomed to die,
One for the Bill Gates on his dark throne
In the Land of Redmond where the Bugs lie.
One OS to rule them all, One OS to find them,
One OS to bring them all and in the darkness bind them!
In the Land of Redmond where the Shadows lie.
"This is the Master-Flaw, the One Bug to rule them all.
This is the One Bug lost many weeks ago,
to the great weakening of its maker's power.
Now, he greatly desires to have it again,
- but he must NOT get it"
Get your Unix fortune now!
The main reason the FBI and the DOJ are getting so excited about this is obviously simple to me...
Some idiot within the government must have decided that Windows XP would be the new standard of choice for the "secure computers" within the government. As such, they (the government) have probably just about finished rolling out the new infrastructure to all the remote branches. All that work has essentially been thrown out the door, XP has just proven what a crock of crap MS has been feeding the general public. The government is beginning to actually realize just how reliable those "sales glossies" are...
Ron Gage - Westland, MI
My understanding is that NTFS's journaling was rudimentary at best. It hasn't been until its recent incarnation (introduced with Win2k) that it's managed anything close to a true journaling file system.
If so, this will bring American commerce to a shuddering halt
far more effectively than the terrible events in Manhattan.
Is that a question or a statement?
must... continue... to mistrust.. gov't.. despite... indication... that.. FBI... cares... about.. us...
"I assumed blithely that there were no elves out there in the darkness"
I don't think that he ever claimed hiring non-Caucasians was a bad thing. I think he was speaking mostly to the statistical possibility of infiltration. Step back a moment before you start slinging anti-racist sentiment.
Put identity in the browser.
From the article...
"Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch"
So they won't send out email reminding people of the patch but they feel that it's acceptable to spam people with annoying "upgrade hotmail" emails?
For all of you running M$ Windoze, especially XP, here are the full instructions on how to secure the world from hackers.
1. Turn off your computer.
2. Do not turn it on again, unless you upgrade to a different operating system. (May I personally recommend Linux to you?)
This might cause some distress in your life, but isn't the security of America worth the small price of the learning curve of picking up a truly secure operating system? Remember, it's all for your nation.
I've always wondered why the programming community seems to have an interest in security on one hand, but still uses languages with major security problems? Why don't more people use something like Ada, where it would be much harder to make a serious mistake? Programming already includes keeping track of a lot of things in one's head without having to watch for common errors that cause security problems. Face reality, most programmers don't have the time to go audit their own code for security problems, and security isn't the number one priority for most projects. Now, if one were using a language that thwarted security issues by design this would be more ok. Why aren't we doing things to stop these holes at the real source--the language? I realize this XP hole is not something that could be caught, but this is one in 50 bugs that otherwise could be fixed.
Could it be that Windows 3.11/WFWG 3.11 will turn out to be the most secure OS we'll *EVER* see from the boys of Microsoft?
Hehe. Worth a try, I guess. Here is one link about that very thing:
:)
You are welcome.
Exactly what statistical possibility of infiltration are you referring to? And why would foreigners on a work visa be more statistically likely to commit acts of espionage or terror than American citizens? I'm ready and waiting to see the logic behind that claim.
I think that the poster was playing on the recent claim that the Al Qaeda had planted malicious code in Windows XP, and to the average American's fear of Muslims and Arabs, and yes, I think that his post was a manifestation of the latent American racism and xenophobia that bubbled back to the surface following the September 11 attacks. Or perhaps you think that he was alluding to the fifth column of white Canadian programmer-terrorists in the software industry? Seriously, who are you kidding?
Talk of racism, whether overt or not, makes me uncomfortable too (after all, it should), but it's better to discuss the topic openly and candidly rather than blowing smoke and making excuses.
Most of our oil deposits come from vast monocultures of algae called stromatolites, basically cells that photosynthesise and spend no effort on defending themselves. This worked swimmingly until snails arrived on the scene and ate the algae. You still get stromatolites today, but only in really salty places where snails cannot dwell.
Stromatolites were especially susceptible to predators because they made no effort to defend themselves. With network connectivity becoming more pervasive, more previously isolated Windows boxes spew services to any network they can reach.
After millions of years OTOH, Roaches are still everywhere. This is because the suckers are robust and paranoid and therefore hard to kill. Even if you do kill one roach, it is quickly replaced.
Monoculture is only a part of the ecology.
Xix.
"Everything is adjustable, provided you have the right tools"
Is it possible to run a piece or pieces of code through some sort of an automated test that would check for buffer overflows?
My guess is that it isn't, because if it was, then they'd do it and we'd be done with them. But I thought I'd ask.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
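An added example, written for this page and not taken from the thread or from any Microsoft code, to make the two questions above concrete: the Ada post asks why the language doesn't stop the common mistake, and the post just above asks whether an automated check for buffer overflows exists. The bug class the thread keeps circling is an unbounded copy of network-supplied data into a fixed-size buffer. Below, a toy header parser is written both ways. The header name `LOCATION`, the buffer size, the function names and the sample line are all assumptions chosen for illustration; nothing here describes the actual flaw in XP's UPnP code.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative only: a 64-byte stack buffer for the value of a "Name: value"
 * header line. A peer on the network controls how long that value is. */
#define VALUE_MAX 64

/* Returns a pointer to the value part of "NAME: value", or NULL if the line
 * does not start with NAME followed by a colon. Spaces after the colon are
 * skipped. (Helper name and header layout are assumptions for this example.) */
static const char *header_value(const char *line, const char *name) {
    size_t n = strlen(name);
    if (strncmp(line, name, n) != 0 || line[n] != ':')
        return NULL;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* UNSAFE: the classic pattern. strcpy stops at the NUL terminator, not at the
 * edge of 'out', so a value of VALUE_MAX or more bytes writes past the buffer.
 * Kept here only to show the shape of the bug; never call it on hostile input. */
int parse_location_unsafe(const char *line, char out[VALUE_MAX]) {
    const char *v = header_value(line, "LOCATION");
    if (v == NULL)
        return -1;
    strcpy(out, v);             /* no bound: overflow on a long value */
    return 0;
}

/* HARDENED: the length is checked before a single byte is copied. Oversized
 * values are rejected rather than truncated, because a silently truncated URL
 * is still wrong and may be misinterpreted later. */
int parse_location_safe(const char *line, char out[VALUE_MAX]) {
    const char *v = header_value(line, "LOCATION");
    if (v == NULL)
        return -1;
    size_t len = strlen(v);
    if (len >= VALUE_MAX)
        return -2;              /* too long: refuse, copy nothing */
    memcpy(out, v, len + 1);    /* len + 1 includes the terminating NUL */
    return 0;
}

/* Builds a LOCATION line whose value is 'value_len' copies of 'A' and reports
 * what the hardened parser returns for it. Shows the rejection boundary. */
int safe_result_for_length(size_t value_len) {
    char line[512];
    char out[VALUE_MAX];
    if (value_len > 500)
        return -99;             /* keep the constructed line inside 'line' */
    memcpy(line, "LOCATION: ", 10);
    memset(line + 10, 'A', value_len);
    line[10 + value_len] = '\0';
    return parse_location_safe(line, out);
}

/* Convenience check: does the hardened parser accept 'line' and produce
 * exactly 'expected'? Returns 1 for yes, 0 for no. */
int safe_value_is(const char *line, const char *expected) {
    char out[VALUE_MAX];
    if (parse_location_safe(line, out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void) {
    /* Constructed sample line; the address is from the documentation range. */
    const char *sample = "LOCATION: http://192.0.2.10:1900/desc.xml";
    char out[VALUE_MAX];
    printf("safe, short value:   rc=%d\n", parse_location_safe(sample, out));
    printf("safe, 63-byte value: rc=%d\n", safe_result_for_length(63));
    printf("safe, 64-byte value: rc=%d (rejected)\n", safe_result_for_length(64));
    printf("safe, 200-byte value: rc=%d (rejected)\n", safe_result_for_length(200));
    /* The unsafe variant is only ever fed the short sample here on purpose. */
    printf("unsafe, short value: rc=%d\n", parse_location_unsafe(sample, out));
    return 0;
}
```

On the "automated test" question: the unsafe function above is exactly what a compiler built with `-fsanitize=address` (gcc and clang) aborts on at runtime when handed a long value, and a `strcpy` into a fixed array is the kind of call most static checkers flag without running anything. Neither tool proves absence of overflows in general, which is why the language-level answer (bounds checked by construction, as in Ada) and the code-level answer (check the length before copying, as in `parse_location_safe`) are both still needed.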
You must be clinically retarded, a liberal, or a camel jockey.
I guess next you'll claim that foreigners on the FBI's list of suspected terrorists aren't more statistically likely to hijack planes and crash them into buildings.
Hopefully, next time they do, you'll be aboard! (probably telling the other passengers it's racist to call them terrorists just because they're holding the stewardess hostage).
oh goody
a linux -vs- the world article
and
a microsoft sux0rz article
on the same day
go slashdot!
morons
" You must be clinically retarded, a liberal, or a camel jockey. "
I guess it's true. All republicans are racists. Some of them drag niggers behind their trucks other post racist remarks on slashdot.
"It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries. "
Well I would not use the word innovation but yes it's an american symbol
"It's extremely visible. "
No doubt.
"Its market dominance could be perceived as "imperialist" or culturally imperialist by people who think like that. "
or maybe they are convinced there are back doors planted in it by the CIA or NSA or some such organization. Certainly I wouldn't put it past them.
"It's a center of wealth and therefore, in puritanical minds, of evil decadence."
i think when most people in the world look around and see the abject poverty they live in and the constant misery they are forced to put up with they might resent obscene wealth and flamboyant lifestyles elsewhere, don't you? Certainly somebody can use this as a recruitment tool.
"It could be thought of as a "vital organ" of the American economy by someone who doesn't realize how decentralized the American economy is."
This argument was put out by Microsoft during the antitrust trial. MS (and their lapdog politicians) frequently argued that breaking up MS would disrupt the economy and harm the country. I heard a guest on the O'Reilly Factor (I forget his name right now but he is a very vocal critic of the Democrats and Clinton) blame the recession on Clinton's pursuit of MS. The idea that harming MS would harm the economy of the US was broadcast far and wide by everybody from executives of MS to politicians. I suppose it would not surprise me if some terrorists believed it.
War is necrophilia.
SOME people are actually smart enough not to receive email viruses. Plus that, what about the (super-unpopular) people who aren't on anyone's email list yet? Can't manage to let anyone slip through the cracks, can we?
Such a lame troll, doesn't even know the lynx featureset!
Doesn't annoy me ya big wuss. Grow up.
- adam
Oh you're so right. (the rest of his post was massively sarcasm "agreement" with mine.)
I understand where you are coming from in attacking my post, but let me ask you: how many of the 19 hijackers were Canadian or British or ANY ethnicity other than Middle Eastern, most notably Egyptian and Saudi Arabian? While we shouldn't prejudge, that's not the same as saying we should put on blinders and not more carefully investigate members of specific groups. You may deride this as 'racial profiling' - I call it common sense.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
memo to ANY government agency, department, or representative about mike-serra-xray-papa. if little billy gates whipped the judicial branch of the government, then you HAD better say please first. *grin*
It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries.
I'm sorry, but AFAIK the crackpots who fly jets into skyscrapers (or organise such events) aren't offended by innovation but by the US foreign politics alone. They do not hate the USA for what the US people think the USA is (freedom, innovation, rags-to-riches, american dream etc). They hate USA because what the governments of the US have done and/or not done.
oh wait a second that was a white guy. Good thing no racist assumptions were made then, oh wait it was just logical to start blaming those from the middle east for the bombing even though it was wrong.