Security Flaws May Be Microsoft's Undoing
tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products have begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft-sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough.
Update: 01/15 15:00 GMT by J :
Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."
Just a thought... If they dominate the market... Most software is Microsoft... Microsoft software is buggy and insecure.... Most software is buggy and insecure! They're right on par for the course!
Add in a Gartner analyst casting doubts on MS and raising the trust issue in terms of
A failure to execute (on security) could get Microsoft executed.
Maybe perfection is impossible, too.
But it's better to TRY hard to aim for it.
Insofar as it's true that software is flakier and more vulnerable than other products, the questions we might ask are the extent to which liability has motivated other product manufacturers to be a lot more careful in their manufacturing processes, and the extent to which software is "inherently" impossible to get right. Is that perception that software should be exempt from the sort of standards that other goods have accurate, or has that perception been constructed by years of poor software and a lack of accountability?
Begun to raise concerns?! That's like saying, "In other news, repeated appearances of the star Sol on an approximate 24 hour basis have begun to raise concerns that it may do so tomorrow."
Microsoft never built operating systems with security in mind. The last time I checked, the security testing group at MS consisted of two Norwegian Black rats, a four-year-old, and a blind, deaf chimpanzee with a drinking habit. It still hasn't occurred to them that improving their security might, in fact, be a good thing.
There, I feel better.
A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.
Interesting, but in the case of free software, what would this mean for the developers? We all want Microsoft to be held responsible in some way for their security holes and such, but would we want to be treated the same way ourselves? What would happen when an author of a piece of free software was dragged to court because the software was buggy? And what would happen if it was Microsoft who did the dragging?
Has shoddy security caused Microsoft any grief so far? A month after a hole is found, they fix it, and no one seems to care after that. Sure, people that don't like Microsoft remember it and add it to their encyclopedia of Microsoft holes to whine about, but people that like Microsoft fix it and go on with life. Who do they place the blame on? The "evil hacker", not the poor software.
People are so accepting of insecurity that they are even willing to spend cash money on antivirus suite after antivirus suite every year. It's just become a part of the cost of owning a PC.
A surprising sign of how quickly opinion is changing came last week. A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.
Now THIS is what could really get them; forget about breaking them up, this could obliterate them totally. They could probably beat most lawsuits with enough lawyers, but they'd run up such a huge tab doing so that it could easily threaten the survival of the company. Look at what happened to Dow Corning.
My biggest concern is if/when Windows no longer has the largest share of the o/s market. How will the new o/s deal with the sudden onslaught of people looking for security loopholes and writing viruses? The main flaw, which I also see as a strength with Linux is that you can fix the security flaw yourself, but how many computer illiterate people would create an expensive paperweight attempting to remove the security flaw?
If we really wanted to solve these problems
we probably need to make a new OS...
Enter: Eros OS.
A capability system based OS... then once we get some software, we'll be set. Yay!
Remember.. refactoring is important!
Slashdotters may want to hurt Microsoft by breaking it up, but we've seen that the legal process is slow and generally ineffective.
Nailing them with the FBI, IT professionals, and security experts may actually do real damage to sales.
The greatest part is, I bet most of the people challenging Microsoft are Slashdotters. Their arguments sound like +5 moderated posts, IMHO.
I was talking to some folks, and we mentioned that the world is becoming more dependent on information that is ONLY stored electronically, and not on paper. Perhaps the time is coming where something (like a major filesystem eating bug in XP or the next SuperVirus (TM)) will destroy a large portion of the internet's data. (An example is , who recently lost everything in a major raid update crash.
So what we should do is plan and prepare for this eventuality. If we have the equivalent of backup generators and emergency equipment in the digital arena, we can take over when the main system stumbles. It's not going to be long until someone devises a way to seriously crash a significant portion of the machines in the world - all the recent virii have been relatively harmless - it would not take much at all to program a relatively smart virus that would do serious damage (IE hit network drives first, destroy files that are heavily used, only strike at night, morph code, etc.)
Ah, well. This is just a bunch of blathering, but we should think about how to use the "enemy's" weakness against it. We need to make sure that linux is seen as more stable and more secure because it is BY DEFAULT - if people start using it and get burned, they'll go back to Microsoft.
I guess they are doing the best they can. The source code for XP is probably millions of lines long. Then add in the irritated boss pushing you for a deadline. I would imagine stress takes its toll. There are huge security holes in all software. The gist is they are just waiting to be found. on a lighter note: hey Adult Swim is moving to Saturdays SOLID!!! Tenchi, Cowboy Bebop, Gundamn, holy shit can you believe it????? ROCK ON
...except instead of 'security' it was 'stability.' Now Win2K/WinXP can stay up and running for weeks and months on end, and you don't hear too much about Windows stability problems for users of the new OS versions.
Windows has been unstable for years. Did it threaten Microsoft even one iota? Nope.
Dream on, sorry...
the govt. will require indemnity from software so the OS Vendor will push for signed software ONLY and slip DRM into the bargain.
Just look at plenty of legislation, looked good when it went onto the books
looked bad when it actually got enforced
Hey guys, we could have this tooo...how about automatic, remote controlled, random kernel rebuilds whenever "I" decide to do it! I don't know much, so you know that I won't publish any of my changes either! Think I could get a group together? That should help level out the desktop field!....yeah....OK everyone rebuild now!
Hard to establish liability for free software. But shareware authors who charge a small fee (and hence make a direct profit) might be easier to target should this liability idea take hold. Shareware would become enough of a liability for small-time authors that they would be forced to either give up and find a publisher with deep pockets, or else give up revenue all together and just give their software away for free. Perhaps a threshold could be established to determine when liability kicks in?
Making software developers liable for damage due to blatant, criminal negligence would seem to be a good idea on its surface, but given how money corrupts our political system, any such incipient bill being developed in Congress could easily be turned on its head. If every software developer is held liable for *any* damage caused by their product, imagine the destruction such a law would wreak on the free source movement. Who would dare donate code, faced with such huge potential liability? Bye-bye gnu cc, bye bye Linux.
Reasonable diligence should be exercised to protect security, but no large, complex piece of software can be bug-free. Building software ain't the same as building bridges, boy!
The more MS screws things up and has major problems the better. The more often they have them, the better.
Why? Because the more these things happen, the more the people who REALLY need to know about them will find out.
Mr dot-com who pays others to run his damn site, will think twice about paying people to host his site on such garbage.
And the end result will be one (or more) less vulnerable sites out there.
Bring it on, damnit.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Removing the limits on liability would not only affect Microsoft, but the GNU GPL. Would you want to be personally responsible for any GPL'ed code you wrote? Perhaps the solution would be to form a corporation and assign GPL copyright to it.
Anyway, at the very least, this sort of law would light a fire under the ass of the software engineering community. Maybe it would cause some actual progress!
Ok, since when are Microsoft's troubles with security flaws being bad for business news? Anyway ....
XP users said the updates cause systems to become unstable and some device drivers to stop working. [companion article]
I'll note that I haven't seen any problems recently on my XP box - in fact thanks to a BIOS update and a new video driver it's running smoother than ever (for what that's worth). Have any /. users [those brave enough to admit they run XP on at least one box] seen these problems?
Either way, I certainly always like to know what's going on in my system - so I never have it automatically install updates. For those interested in turning off the automatic downloads (highly recommended) - go to Control Panel, System, and the Automatic Updates tab. I have it set on the middle option (to notify, but not download/install automatically). Of course, I have a *legal* version of the OS, you warez kiddies will probably be a little more paranoid about any notifications. *grin*.
I'm under NDA, but I can shed some light about the security testing group at MS. Actually, we use a team of infinite monkeys on infinite typewriters for the security testing suite; however, with a bit of a twist: we throw the code from the typewriter printouts away. The monkey feces is laid upon an infinite number of scanners for optical character recognition and fed into an infinite serial stream of code. Another team of alert monkeys then dissects the code and processes it through their mandible compilers for another round of fecal scanning. When the sequence is right for a successful compile through VB, it passes QA.
There you have it! Now you know.
If we really wanted to solve these problems we probably need to make a new OS...
Yep.
There are hundreds of quicker ways to have your windows box become unstable...
:)
Installing programs --> unsupported
Installed additional hardware --> unsupported
System booting --> unsupported
Using a monitor --> unsupported
Bypassing a circumvention device --> unsupported
DVD Playback --> unsupported
ever try to get help from MS, or escalate a real bug with them for any of the above?
How much worse could the software be without updates?
I recently had to rebuild a web server after a machine crashed, and getting NT4, IIS Option pack, etc. up and running with all patches was a _very_ long task.
It's not enough that Microsoft patches their products -- they are still shipping CDs of NT4 and win2k with the original 'release' of the product, so installing it means the original install plus a dozen or more service packs, hotfixes, etc. This makes it very tempting for internal corporate PC usage to just skip most of the patches to save time, and makes the process of securing Microsoft software that much more difficult.
They should just release new 'point' versions of the OS with every service pack, and stop selling the out of date CDs! Maybe this would cut down on the useless churn of moving from NT4 to 2K to XP to whatever -- and that would have to be good.
Common sense will overcome multi-billion dollar marketing? Not in this dimension...
Why in the world would the /. editors use a SSL (https://) link for the LA Times story? Irony [since it's an article on security]? Or do they just want to tax the server a little bit more to make it more likely to be /.'ed? Bah, silly silly editors.
they control too much of the market share, too much of everything
we will be seeing microsoft for a long time, even if they put out shit for software (compared to what they put out now)
why? they have the money. plain and simple. they can pay to make sure their software is on the majority of new pc's being made from now for 47039478390 years.
Of course, in the case of medical devices and automobiles, a failure can be fatal. In the case of Windows this seems unlikely. (At least until we get our WinCE pacemaker.) Instead of lives on the line we have corporate dollars.
This is the kind-of situation in which economics should be left to do its thing. If corporations view the holes as an economic hardship, they'll be more careful with the software they choose. What makes more sense is that we hold companies more liable for the software they use---if someone hacks into Company X and steals my credit card number, they should be liable since, after all, they could choose better software to keep the data secure.
Holding the software companies liable would only ensure that only large companies could compete in the software market. This is the case with automobiles, and one could argue that many pieces of software on the market today are much more complex than a car. How then could any small company or individual compete?
In the end, this kind of legislation would likely have the effect of letting companies dodge the blame for security breaches, letting them point the finger at their software provider. Most providers, on the other hand, would be pushed out of the market due to the need for massive testing and legal departments.
How is this a win for the consumer? How is this a win for anyone but the Microsofts/IBMs/Suns of the world who can scale to provide such software?
From the eWeek article:
Jim Cullinan, lead product manager for XP, in Redmond, Wash., agreed that the information released with the patches does not offer that much detail so as not to confuse and overwhelm users with technical information. "Most users did not want specific detail of source code changes," Cullinan said.
Oh? And how much of the source code were you actually going to give us, Jim?
in this way, only free software can thrive in such scrutiny, and i for one can't wait...
HJAHAHAHAHAHAAHh hAHAH AhahAH AHAHA
HAHAHA HAA
HOW DO YOU LIKE THEM APPLES??
You sat on top for how long, basically ruling the software market. You had every opportunity to perfect your products.. and I'll admit that you've come a long way.. but you concentrated so hard on your future, and everything ahead of you, that you didn't watch your back. Now your ass is going to be sore, and it's all your fault.
It's your fault, and I hate you and die and fuck you and yeah.
(obviously this post = my humble opinion, and isn't intended to represent any facts of any kind)
I am no fan of M$, but it isn't accurate to say they haven't tried. Their biggest problem is that, despite their efforts, hundreds of millions of lines of code isn't fast to repair -- especially not with 10,000 or so programmers who, on a curve, are merely average.
If Linux (etc) were as widely used *by inexperienced* people as Windows, it would face just as many problems.. but at least the code would be there for patches to come out. Then again, how would Mr. Schmoe get it without some kind of auto-update?
I fear that it will be easier for Microsoft to address most security issues (as they finally have wrt stability) than for Linux, etc. to become fairly user friendly.
"People look to me for help. I'm not supposed to get stumped by trivial problems like this," Perlow said. "As an IT professional, I feel helpless and in an out-of-control situation and, as an end user as well, that sure doesn't feel good."
gee i think he just described my freshman year in college...
I'm buying a powerbook tomorrow, I swear to Bob..
Yes, Microsoft products have security faults, whose doesn't? Microsoft's get more notice because of the insane amount of marketshare they have, also Microsoft's software is less mature than the UNIX offerings people often compare it to in terms of tight security.
I remember back in the late 80s and early 90s how much of a joke UNIX security in general was. Back then you could pretty much root any non-.gov UNIX system on the Internet, remotely, at will.. (thanks in large part to SENDMAIL though many other pieces of software had problems as well). People who bitch and moan about how long it takes Microsoft to fix bugs compared to UNIX vendors must not have been around when you could change the IFS under SunOS and easily root the box using any SUID program that did a system() or exec() call (quite a few, at the time)...Even after Sun, etc, fixed that bug it remained unpatched in a huge number of systems for years....
Unix security is better now, but that's in large part due to maturity...Microsoft software will improve as well..Look at how much they've improved stability already when compared to Win95...It will happen...slowly, perhaps.
Alternatively, Windows could end up losing market share if security paranoid foreigners (who are not a valuable market because they would pirate Windows anyway) choose to run a more secure operating system.
Actually, I do think that there should be some form of product liability, but it could come in the form of insurance companies saying "We will stand by the security of this product." The question is do you force all consumers to pay for product liability by making the company pay for it. I could see Norton, RedHat, and MS making money as financial institutions this way if the insurance was optional.
Frankly, I really like WU. I run XP, and I've set it up so that I decide what to download, and it goes and downloads it in the background. I especially like the fact that it resumes downloads. I still have a 56k connection, that runs that fast only when i'm lucky, so it just sits there and downloads when I'm online, sure it slows down my connection, but I'm willing to put up with that for some added "security".
That a majority of people do not trust MS is not surprising. I don't trust my government, my bankers, my customers, hell... I doubt the guy at the supermarket.
I maybe trust my mum and dad, and aunt jemima for her tasty pancakes - but a software company???
People are cynical enough that they just bumble through life looking over their shoulder bitching about stuff.
I just bought a new laptop - it came with XP pro - already I'm having problems with it. But I bitch about it over coffee and just get on with things. I had to register the software - something I bitched about. IIS won't work properly - bitch bitch bitch. Norton seems to be checking every file every 2 minutes making the thing unusable for the first hour in a day - bitch bitch bitch.
Would I buy another the same - probably.
The trust issue won't hurt MS as much as we'd like to think. And it won't help the alternatives much either.
The movie industry sucks - but a good percentage of you reading this will run out and give them 30 dollars for Tron someday soon.
It looks like a large stake of the world's heroin supply is getting destroyed.
At least according to:
http://www.usatoday.com/news/attack/2002/01/14/2002-01-14-heroin.htm
I hope their security doesn't go down when he has to enter rehab.
Why shouldn't they be held liable in certain situations?
This is supposed to be a huge world economic product - they can get this way without any consequences? No worries?
The software costs money. They push a license agreement on you when you pick the product up at the store, when you buy a computer with windows pre-loaded, you are making a contract.
Okay, so in the agreement they sneak in some language that keeps them out of trouble. The problem is before you agreed to that 'contract' you were promised certain things. The product is defective.
Data problems, in most cases, won't affect someone's well-being. But there is data at stake. Their data costs $99 and up. Is your data worth any less? They promise to provide a secure and somewhat stable operating system.
This isn't always the case. It's only becoming an issue because they make so much money in the business. Shouldn't we ask more of Microsoft?
Well, if we can't sue, the gov't does nothing, and products continue to be shipped while 'broken' then something needs to be done.
Simply say it with your pocket book. Pass up on upgrading to XP. Do what ever you think is necessary. Buy an Apple.
I know it's not easy; but don't you feel that many other M$ customers - if not yourself - feel as if Windows is needed? It is in certain situations, but does everyone need it? No.
There are options. Not every option will work for all the people, but let's start to choose something else.
OR! Hold them liable
is going to mean a more secure and better one in the future. Microsoft will learn from the drubbing XP is getting. Thankfully most people don't upgrade automatically once a new OS is out. They wait till it becomes standard, then upgrade. Wait till the successor of XP (granted, however many years that takes); it will be superior. By that time hopefully Linux will have a foothold strong enough to contend with them.
Well, one thing that's definitely true is that flawed software and software that's subject to viruses are costing the economy quite a lot of money. In that way you could of course say that Microsoft is hurting the world economy by possibly a couple billion Dollars... of course that may be true for some other software companies as well...
The nightmare scenario.. Three hours from when a widespread bug (like the recent XP one) and having millions of windows machines trashing everything they touch.
That is the future, and it will happen someday.
Use the warhol worm spreading technique. Read it and be frightened. He claims 8 MINUTES from first infection to millions of infections.
I'm not quite as confident as he is in that number. But I'll definitely agree that 2 hours is more than enough time. (1 million vulnerable hosts, 5 scans/sec. Start with 1000 hosts, each second, 5000 probes, finding one vulnerable host. Thus, after 15 minutes, 2000 hosts, and doubling every 15 minutes.)
And, the more vulnerable hosts, the faster it spreads.
Now imagine a truly destructive payload. One which does not delete files, but corrupts them, starting with the fileservers. It restores datestamps to make it impossible to identify what files are corrupted.
Three hours from exploit to millions of computers corrupting thousands of files. Antivirus won't keep up, hell, warnings won't even reach most people until after it's demolished their fileserver. With obfuscation techniques, the worm could survive 3 hours without being reverse-engineered.
It spreads so fast, there's no defense. It spreads so fast, you won't be aware it's trashing all files until it's already started. The only reason we've survived this long is that nobody really competent has worked on a worm.
Be afraid. Be very afraid. The only question is when it will occur, and whether you will be running Windows when the time comes. I hope you keep good backups.
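The arithmetic in the post above, worked through as an added example (this is not code from the original post or from any real worm): a logistic model of a worm that scans uniformly random IPv4 addresses, using the parameters the post assumes (1,000,000 vulnerable hosts, 5 scans per second per infected host, 1,000 hosts already infected from a pre-scanned hit list). It gives the early-phase doubling time, the closed-form time to reach a given infected population, and a one-second-step simulation as a cross-check. The constants and the 1 s step are assumptions.

```python
"""Added example, not code from the original post or any real worm: a logistic
model of a worm that scans uniformly random IPv4 addresses, using the
parameters the post assumes (1,000,000 vulnerable hosts, 5 scans/second per
infected host, 1,000 hosts already infected via a pre-scanned hit list).
It gives the early-phase doubling time, the closed-form time to reach a given
infected population, and a 1-second-step simulation as a cross-check."""
import math

IPV4_SPACE = 2 ** 32       # addresses a random scanner can pick from
N_VULNERABLE = 1_000_000   # assumption taken from the post
SCANS_PER_SEC = 5.0        # assumption taken from the post
HITLIST = 1_000            # assumption taken from the post (initial infected hosts)


def growth_rate(vulnerable=N_VULNERABLE, scans_per_sec=SCANS_PER_SEC):
    """Per-second rate r of the logistic model dI/dt = r * I * (1 - I/N).

    A probe hits some vulnerable host with probability vulnerable / 2^32, so
    while almost nothing is infected yet each infected host recruits
    scans_per_sec * vulnerable / 2^32 new hosts per second.
    """
    return scans_per_sec * vulnerable / IPV4_SPACE


def doubling_time(vulnerable=N_VULNERABLE, scans_per_sec=SCANS_PER_SEC):
    """Seconds for the infected population to double early in the outbreak."""
    return math.log(2) / growth_rate(vulnerable, scans_per_sec)


def _check(target, infected0, vulnerable):
    if not 0 < infected0 < target < vulnerable:
        raise ValueError("need 0 < infected0 < target < vulnerable")


def time_to_reach(target, infected0=HITLIST, vulnerable=N_VULNERABLE,
                  scans_per_sec=SCANS_PER_SEC):
    """Closed-form seconds until `target` hosts are infected.

    Solving I(t) = N / (1 + ((N - I0)/I0) * exp(-r t)) for t gives
    t = ln( [target/(N - target)] / [I0/(N - I0)] ) / r.
    """
    _check(target, infected0, vulnerable)
    r = growth_rate(vulnerable, scans_per_sec)
    odds_start = infected0 / (vulnerable - infected0)
    odds_target = target / (vulnerable - target)
    return math.log(odds_target / odds_start) / r


def simulate_time_to_reach(target, infected0=HITLIST, vulnerable=N_VULNERABLE,
                           scans_per_sec=SCANS_PER_SEC, step=1.0):
    """Expected-value simulation in `step`-second ticks (no random numbers).

    Each tick every infected host sends scans_per_sec * step probes, and the
    expected share of probes landing on a still-uninfected vulnerable host is
    (N - I) / 2^32.  Fractional hosts are carried between ticks.
    """
    _check(target, infected0, vulnerable)
    infected = float(infected0)
    t = 0.0
    while infected < target:
        new = infected * scans_per_sec * step * (vulnerable - infected) / IPV4_SPACE
        infected = min(float(vulnerable), infected + new)
        t += step
    return t


if __name__ == "__main__":
    print(f"early doubling time: {doubling_time() / 60:.1f} min")
    for label, target in (("50%", N_VULNERABLE // 2), ("99%", N_VULNERABLE * 99 // 100)):
        print(f"{label} infected after {time_to_reach(target) / 3600:.2f} h "
              f"(simulation: {simulate_time_to_reach(target) / 3600:.2f} h)")
    # What the hit list buys the worm: the same worm seeded with a single host.
    print(f"99% from a single host: {time_to_reach(990_000, infected0=1) / 3600:.2f} h")
```

With these inputs the model doubles the infected population roughly every 10 minutes (the post's 15-minute figure comes from a linear step that ignores compounding within the interval), passes 50% of the vulnerable hosts at about 1.6 hours and 99% at about 2.7 hours, which is the "three hours" figure above. Seeded from one host instead of a 1,000-host hit list the same worm needs about 4.4 hours, which is the point of the hit-list technique in the Warhol worm paper the post refers to.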
http://www.sans.org/topten.htm *nix takes #1! shares 2! Takes 3, 5, 6, shares 7 &8, takes 9 on its own, and shares 10. Windows shares 2, takes 4 (IIS only), and shares 7, 8, and 10. Boy, that windows sure is full of holes. But *nix is worse.
Holding the software companies liable would only ensure that only large companies could compete in the software market.
True, but is this necessarily a bad thing? Should we really be concerned about this?
Most providers, on the other hand, would be pushed out of the market
True, but the market does not exist to give "providers" a living.
How is this a win for the consumer?
I don't know, you haven't really talked about the consumer :) You seem to be looking at this from
the point of view of small ISV's. Economics should do its thing, but not for the benefit of software developers. Economics should provide for the needs of the consumer.
You are right that this would be bad for the consumer, though. The bottom line is that, in order to build bug-free software, Microsoft would have to substantially re-tool their development process, adding things such as cleanroom development, formal verification, etc. This would cost money. Does the consumer want to end up paying, say, $1000 for a single home user copy of Windows? Probably not. Most consumers would rather just pay what they're paying now and put up with the occasional (or not so occasional) bug or security hole.
Liability means holding someone responsible for a cost: if the failure of software that shouldn't have failed costs company X $1 million, then liability is a matter of having the responsibility for that failure taken by someone who provided a good or service that didn't meet the reasonable expectations of the consumer. One doesn't wait until the invisible hand fixes things "in the long run;" like Keynes noted, "in the long run we're all dead." (Another Keynes quote: "the market can be irrational longer than you can be solvent.")
Articles like these all go into a file I keep for our clients when they say things like:
"What's wrong with Microsoft?".
I'm pleased to report that it is taking less and less explaining these days.
There is a groundswell out there of clients starting to look past the whole MS-brainwashing thing and ask what else is available to meet their IS requirements. It's really quite heartening.
Just thought the average /.er might like to know the light at the end of the tunnel might be MS' shares burning! :)
When I bring this up in IE, it asks whether I want "to view the non-secure items?". Ironic, for sure, but the http:// version works fine as well.
Netscape (v6.x) seems to have no problems showing both without prompting (guessing this is default)
Am I missing something?
Reports from places like cert and bugtraq show that there are just as many exploits out there for *nix based systems.
Network security of this nature is clearly not working when being applied at the OS or software levels, and a more flexible solution than the standard firewall is needed.
What would your opinion be of a 'mini-firewall' included as standard on all new network cards. The firewall would have packet filtering rules filtering out 'generic suspicious traffic' (such as bar an IP address for a day if something containing default.ida and a hell of a lot of 'N's comes through). The rules would be held on a flash ROM, which could be updated when necessary with software from a trusted source such as CERT and digitally signed by a non-trusted one such as Verisign.
Software could also be written to instruct the card to open certain ports and update the rules so that safe traffic for that software can pass through.
Unfortunately, the extra $20-30(?) would probably sink it dead in the water, not to mention the hassle of having to reprogram all network software to work with it. How does the idea stand in theory, though?
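A software model of the card sketched above, as an added example (not code from the original post): inbound request payloads are checked against a small rule set, here the signature the post describes (a request for default.ida followed by a long run of 'N's, which is the Code Red probe), offending sources are banned for a day, only ports that local software has asked to open are reachable, and a rule update is installed only if its signature verifies. The HMAC key, the 'N{64,}' threshold, the second rule and the sample packets are all constructed for the demo; a real card would verify an asymmetric signature from the rule publisher rather than a shared-key tag.

```python
"""Added example, not code from the original post: a model of the
'mini-firewall on the NIC' idea with per-source bans, an allow-list of open
ports and signed rule updates.  Keys, thresholds and traffic are constructed."""
import hashlib
import hmac
import re

BAN_SECONDS = 24 * 60 * 60

# name -> regex over the start of the payload.  The N{64,} threshold is an
# assumption; the real Code Red probe carried a few hundred N's.
DEFAULT_RULES = {
    "code-red-probe": re.compile(rb"^GET\s+/default\.ida\?N{64,}"),
}


class NicFilter:
    """Packet filter as the post imagines it living on the card.  `now` is a
    plain attribute so the demo can move the clock forward."""

    def __init__(self, rules, update_key: bytes, now=0.0):
        self.rules = dict(rules)
        self.update_key = update_key      # stand-in for the publisher's key in flash
        self.now = now
        self.open_ports = set()
        self.banned = {}                  # src_ip -> epoch second the ban ends

    def allow_port(self, port: int) -> None:
        """Called by local software that wants to receive traffic on `port`."""
        self.open_ports.add(port)

    def inspect(self, src_ip: str, dst_port: int, payload: bytes) -> str:
        """Return the decision for one inbound packet."""
        ban_end = self.banned.get(src_ip)
        if ban_end is not None:
            if self.now < ban_end:
                return "drop:banned"
            del self.banned[src_ip]                       # ban has expired
        if dst_port not in self.open_ports:
            return "drop:port-closed"
        for name, pattern in self.rules.items():
            if pattern.search(payload):
                self.banned[src_ip] = self.now + BAN_SECONDS
                return "drop:" + name
        return "accept"

    def apply_update(self, blob: bytes, signature: bytes) -> bool:
        """Install a new rule set only if `signature` is a valid HMAC-SHA256
        tag over `blob` (stand-in for a digital signature).  Returns False and
        changes nothing on a bad tag.  Format: one 'name<TAB>regex' per line."""
        expected = hmac.new(self.update_key, blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        new_rules = {}
        for line in blob.decode("ascii").splitlines():
            if line.strip():
                name, regex = line.split("\t", 1)
                new_rules[name] = re.compile(regex.encode("ascii"))
        self.rules = new_rules
        return True


def sign_update(key: bytes, blob: bytes) -> bytes:
    """What the rule publisher does (same HMAC stand-in)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def demo() -> list:
    """Run constructed traffic and one update through the filter; return the decisions."""
    key = b"demo-key-burned-into-flash"                      # constructed
    fw = NicFilter(DEFAULT_RULES, key, now=1_000_000)
    fw.allow_port(80)
    probe = b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"
    out = [
        fw.inspect("10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),   # accept
        fw.inspect("10.0.0.9", 80, probe),                             # drop:code-red-probe
        fw.inspect("10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n"),   # drop:banned
        fw.inspect("10.0.0.5", 25, b"HELO mail.example\r\n"),          # drop:port-closed
    ]
    fw.now += BAN_SECONDS + 1                                           # a day later
    out.append(fw.inspect("10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n"))  # accept
    # A tampered blob with the old tag is refused; the genuine one installs
    # and its new rule applies to the next packet.
    blob = (b"code-red-probe\t^GET\\s+/default\\.ida\\?N{64,}\n"
            b"oversized-uri\t^GET\\s+\\S{1024,}\n")
    tag = sign_update(key, blob)
    out.append(fw.apply_update(blob.replace(b"N{64,}", b"N{999999,}"), tag))  # False
    out.append(fw.apply_update(blob, tag))                                      # True
    out.append(fw.inspect("10.0.0.7", 80, b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n"))  # drop:oversized-uri
    return out
```

The ban table is the part worth noticing: it is the card's only memory of an attacker, so it needs an expiry (here a day, as the post suggests) or a scanning worm fills it, and the update path must refuse anything whose tag does not verify, otherwise the "trusted source" is whoever can write to the network.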
In the "Great OSS Boom of '99" the press was all awash with Linux this, Linux that. MS stayed true to its course, kept on with the updates, and got XP out the door.
Now it seems things have changed: more and more, I am seeing articles that are negative of MS. "XP isn't stable", "too many updates", "XP isn't secure", "W2k was fine, why did they change it?" is what I see more and more of. Red Hat gets decent nods, and now even Apple of all people is selling a Unix operating system, albeit one that is packaged in a lamp.
Is MS at risk of losing the press?
Articles like this must drive them absolutely BONKERS. Forget the /. bias, we're nothing. An article a week like this, even as a back-page editorial, is enough to cost them how many customers?
How many of the system integrators like the guy in the article will just give up and stop dealing with XP, or worse yet, call Big Blue?
If MS loses the appeal of the popular press - promoting every new release as stable and secure - then they're screwed, even without the class action suits and liability claims. Any more FBI warnings will serve as months of fodder for the rags to hammer on them.
Hello! I'm sure everyone will be glad to know that IE (even a fully patched IE6) can currently...
* Run any command or program off the hard disk
* Monitor the user's clipboard, and steal the contents
* Read or steal any file off the local disk
* Check existence of any local file
* Access the DOM, cookies, or read the content of any other website regardless of domain, protocol or security zones
* Fake the file name in a download dialog
..although most of those only work if active scripting is enabled.
These security holes are all *proven* to work, and could easily be used to create a devastating worm. Some of them are about a month old, and still not patched by MS. Delightful.
The two latest exploits are http://tom.vpwsys.co.uk/clipboard/ (mine!) and http://www.osioniusx.com - see http://www.securityfocus.com for more.
Dare Microsoft to even think about this. Their worst fear is a world where people choose software based on quality.
Seriously, we don't need to whine about what some legislators are doing about the big bad wolf's coding practices. What we need to do is start setting the example. Say "I write good code!" and stand behind those words. Somebody who knows how should create a version of the GPL that includes appropriate warranties for Free Software. The "Quality GPL" (GQL?). You don't have to use it, if you think your code is buggy or is a development version. Right now we just click on "Stable Branch" and that sends a message to those in the know, but how much better if you go visit a software repository and find piles of code that are stamped with a license that guarantees that the product is free from defects in workmanship (modifying the source code voids the original warranty, of course, and people who re-release modified code are under obligation to change the license to reflect that).
We want people to get the idea that software that claims to be stable yet comes with the phrase "NO WARRANTY" is probably a steaming turd. Especially if they paid good money for it.
Naturally, you can't predict how some people will use your product. "No, sir, the VCR does not function under water." Your code might not work on an SGI, either, if you developed it under HPUX. Using the product in a manner not intended will void the warranty. Sometimes it's not a bug, it really is a feature (or the lack of one). But if somebody finds a bug, you WILL fix it, won't you? Why not put that in writing? Even offer a monetary reward to the first finder (how about $2.56?) of every bug.
Note that agreeing to fix bugs, or claiming that your product is bug free, is completely different from assuming liability if the user uses your program to kill himself. That's a completely different story.
This statement is inaccurate. It is well known that Microsoft hires only about 2 per cent of job applicants. This does not sound like "merely average".
Yeah, so we all know it's insecure.. That's a given, however I have come up with a super secure patch. Whenever I step away from the machine I unplug the ethernet cable. When I go away for vacation I usually pull the plug AND apply a little epoxy to the ethernet jack for extra security.
So if anyone wants to see my website, please send me some email first.. be prepared for a little delay, that epoxy is tough to dig out of that little hole.
air and light and time and space
So, it is actually in their best interest to do shitty software, in order to prompt lawmakers for such a change in law. Once the law is passed, they clean up their act, and watch with glee as OSS developers get sued into oblivion by liability lawyers...
Such law should have a provision that it only applies to commercial software (i.e. software that is sold for a price, or on the basis of signed license contracts). Free (as in speech) software should be excluded from such liability. Free (as in beer) software would still be covered, by considering it as promotional material to sell commercial software (i.e. give away Internet Explorer to sell Windows).
Say no to software patents.
No we make Windows
"We're going to make our systems more resistant and more resilient," said Microsoft's director of security assurance, Steve Lipner. "We want to be unquestionably, unequivocally the best."
Nobody should say Microsoft isn't taking security seriously; they've even got an official 'no worries mate' person.
"Yes sir, I positively assure you that security is no problem whatsoever, I just checked with our very talented programmers, and they, on their part, assured me that they knew of no faults in our great software, and thus, I feel secure to absolutely assure you that you are safe as a lamb."
"But our server just got hacked this morning"
"So? How is this our problem sir? I suggest you contact the hackers and work it out with them. Good day sir."
---
"The chances of a demonic possession spreading are remote -- relax."
your sig! Now I understand the reason for the auto update feature.
When in doubt, have a man come through a door with a gun in his hand.
The second you decide that the author of the software is liable, you ensure that only large companies will be able to compete for that market, and this pushes out the little players. The market should allow new companies to enter the market, but new companies are usually small, and wouldn't have the ability to ante enough to compete. This seems to stifle competition itself, and most people agree that competition in the end yields benefits to consumers. (Heck, even Microsoft says that.)
Some consumers will want very secure software, and some will not. Perhaps if a company claims "100% bug free" then they ought to be liable to meet that claim. Consumers that want that will expect to pay for it, but those who don't won't. Unlike the other markets that the article discusses, we don't really have an interest in preventing folks who want cheap, untested software from getting it.
They're doing permutation scanning.
I completely agree that the market isn't there to give the providers a living, but having a large number of players generally benefits the consumer.
The second you decide that the author of the software is liable, you ensure that only large companies will be able to compete for that market. This does not include most open source, or small independent developers. If I post a small program I write to the internet, am I now liable if someone exploits a security hole in it? I find this quite troubling. I can imagine that most free software, for example, would disappear as the authors would fear litigation.
The market should allow new competitors to enter the market, but new competitors are usually small, and wouldn't have the ability to ante enough to meet the bar. This seems to stifle competition itself, and most people agree that competition in the end yields benefits to consumers. (Heck, even Microsoft says that.)
Some consumers will want very secure software, and some will not. Perhaps if a company claims "100% Bug Free!" then they ought to be liable to meet that claim. Consumers that want that will expect to pay for it, but those who don't won't. Unlike the other markets that the article discusses, we don't really have an interest in preventing folks who want cheap, untested software from getting it as long as they are informed about what they're getting.
Don't get me wrong---I think that Microsoft, or any other company for that matter, should be liable for the holes in its software, but I'm worried about having legal remedies for them. As Microsoft is finding out, economic remedies may be sufficient to solve the problem.
Back in the days of vampire taps and thick-net cable, I took over a LAN at my high school. Because people disconnecting the thinnet to the AUI (or even directly into the NIC for the lucky ones!) caused resistance on the cable to go crazy, my predecessor had epoxied the BNC connectors to all AUIs and NICs on the segment. It was all well and good until we needed to move a PC.
The BNC connector with its epoxy bead (and when I say bead, I mean "ping-pong ball-sized lump") was waaaaaay too large to fit through the expansion slot opening on the back of the PC, and the card of course had a metal retainer/dust cover on it.
No problem, thought I. I'll just use a little acetone, dissolve the glue, and be on my way. I set up a little plastic splashguard and a catch cup, poured some nail polish remover, and waited. Nothing. I got some acetone from our chemistry department, poured a healthy amount over it, and waited again. Once more, nothing. I actually bathed the bead in acetone overnight (by now I'd written off both the cable and the NIC as total losses), and checked again in the morning. A third time, no effect. This was obviously no ordinary epoxy.
I ended up swiping a hacksaw from the metals shop and working for about an hour to cut the bead off (all the acetone had made the bead and the connector slippery, and me a little woozy). That epoxy bead still sits next to my computer.
Thanks for bringing back a little laugh at 3:30 in the morning...
They that would sacrifice their
Both statements could be accurate, i.e., that their programmers are merely average, and that they hire only 2 per cent of applicants. It may indicate that they recruit badly, or that they attract people who are generally below par.
Having a degree does not make a good programmer necessarily. I say the proof of the pudding is in the eating. In this case, MS programmers eat a lot but produce very little - a sure sign they have worms.
If the pattern goes 9am, 10am, 11am, why isn't noon 12am?
Yet Another Microsoft Apologist
What about Apple? Are we forgetting the fact that the original Mac was relatively secure for over a decade, despite granting full root access to whoever? Yes, there were virii and trojans and whatnot (can't really be prevented) but the design of the system prevented a lot of problems for the average user. These are the same average users who are going to be affected by the XP problems, not UNIX admins.
MS-DOS and its descendants were around for even longer than the Mac, and the NT system is very mature. Why can't they match Apple's security?
I'm sick of MS apologists. Microsoft makes shit. It's shit that's getting better, but it's still shit. Don't whine and say it's unfair. They have the money, the power, and the resources to make what is far and away the best software in the world. And yet we get articles like this, and we get people like you whining about how MS is being treated unfairly. Forget it.
As the market leaders who the majority of the world depend on for their computing needs they deserve heavy criticism.
As predatory monopolists they deserve heavy criticism.
As people who promise security they deserve heavy criticism.
As people who would like nothing better than to see Windows everywhere, and the GPL and Linux and Apache and SAMBA wiped off the planet they deserve heavy criticism.
So fuck whining about how MS is treated unfairly. If we complain enough then maybe they'll listen for a change.
"I may not have morals, but I have standards."
that's the most stupJ00 4r3 0wn3d!id thing I've ever heard! My Windows XP box h45 b33n h4x0rd h4h4h4h4h4! sorry, I don't know what's wrong with my keyboard10wn3dj00 it keeps messing up.. but anyway, Microsoft security is perfectly fine here
If you were me, you'd be good lookin'. - six string samurai
Jim Cullinan, lead product manager for XP, in Redmond, Wash., agreed that the information released with the patches does not offer that much detail so as not to confuse and overwhelm users with technical information. "Most users did not want specific detail of source code changes," Cullinan said.
But what about those who do? I really do not understand why they could not simply have a "more info" button that has details of what, exactly, it is patching. Don't get me wrong; I am an avid user of XP, and it has been very stable, etc., but I have been annoyed with the fact that I do not know what the latest "compatibility update" is doing. I am not asking for the exact code, just what it does. I simply do not understand how having more details can actually hurt.
Or build a house correctly?
...
Like the houses in inland Florida when Andrew hit?
Impossible, maybe not. But highly improbable.
The key question is how good is good enough? A car at 155 is not the same as a car at 55.
You're very right about Sircam. Follow the progression since Melissa (Remember Melissa? Melissa was nice!). Now extrapolate
I will admit readily that I haven't read many of the comments here, but I have to say this:
/. crowd, this may come down on you a hell of a lot more - do you carry terribly expensive Omissions and Errors insurance? I didn't think so.
Many of you should think twice before hailing Microsoft's downfall should it happen to stem from software fault liability.
Read the article - part of the major point is that a legal precedent could be set that would allow for far greater liability on the part of software developers that deliver flawed code.
Think about that for a second - all of the software that *you* have developed for clients that have pushed the boundaries on budgets and timelines is *totally free of bugs*? Even totally free of bugs that might eat their data one day? Myself, I occasionally lose sleep thinking about a bug that I *know* is in code that I delivered to a client that has no more funding to pay me with to clean up the system.
I personally feel that I have legitimate protection from liability for loss in those situations given that I expose the problem to the client, honestly tell them how much it will cost for me to fix it, and explain that the coverage for corner cases wasn't there given the budget they provided.
Are you ready to stand in court against precedent that you are liable for the business cost of a bug in your code? I'm not.
I am not a MS loyalist in the least (yes, I'm posting this from Win2k, my work platform for clients that I do Win work for) - in fact I wish to see serious stipulations on their bundling and BIOS issues mainly - but I don't think this is the right angle to crucify them on because it will come down and affect me.
From what I understand of the current
-astro
I just received a big, glossy leaflet from the beast, titled "Microsoft's IT security guide" (approximate translation to English), full of the usual apologetics. It provided solid fun and chuckles for a while, as undoubtedly would any book entitled "Virgins' best sex techniques", should anybody be sufficiently detached from the reality to write one. Well, apparently, somebody is.
Comic - not!
Existence usually comes as a surprise (Idem)
Microsoft achieved its monopoly in part because it does a decent job of giving people what they want. The masses wanted an OS that had a cheap up-front cost (compared to the other proprietary OS's), and could be configured by your sub-average (thus cheaper) admin. Microsoft gave it to them.
Microsoft spends tons of money and time every year figuring out what its customers want --- by asking them. Guess what subject constantly doesn't make it to the "important" list? Its customer base, unlike lots of UNIX (or UNIX like) users, weren't/aren't as concerned with security as they should be.
When the Microsoft marketing/sales teams start gathering data that a significant portion of its paying customer base are willing to give a bit of convenience for security, you bet they'll come out with a secured OS.
However, until the Joe Sixpacks and PHBs of the world get a handle on the importance of this security "thing" (a.k.a. when hell freezes over), expect Microsoft to continue making tons of money on Software that uses swiss cheese as its security model.
There are a number of companies that make good money selling virus checkers for WinXX products and apps. Yet M$ isn't one of them. Why doesn't M$ have a virus checker product?
Why would someone work for a company they despise?
One kiddie cannot change the company's attitude towards security.
As for the parent post, " Microsoft's software is less mature than the UNIX offerings people often compare it to in terms of tight security."
This is a lame excuse from Yet Another Blind M$ Cult Member.
Shouldn't M$ learn from earlier UNIX mistakes? Is this innovation?
If it is then I guess we should all go back and learn how to make a fire by striking two rocks together.
My boss had something similar. New laptop. Not keyboard/mouse, but couldn't make a network connection. Finally I booted RedHat 7.2 Systems Administrator Survival CD, downloaded NTFS kernel module, and put about 3 gig of stuff where I could later recover. (Hint to RedHat: It'd be easier rescuing broken XP systems if you included the NTFS (READ ONLY) kernel module.) Reinstalled and reloaded. 1000MHz with 512Meg. Pathetic performance. Turned off what eye-candy I could find. Brought it back to somewhat reasonable.
Commercial vendors are responsible for what they produce. After all they sell the work for money. Programs should work as advertised. If Win98 is advertised as faster than 95, then it must be faster. If it's better for playing DOS games, then it should be indeed better. If MS says it's secure (*snort*), then it should be secure. The vendor shall be responsible for serious security bugs, but not user stupidity. Not preventing you from doing an 'rm -rf /' doesn't qualify.
GPL should remain as it is. That's logical, many GPL works are *in progress*. Open Source applications take advantage of the openness, which lets them be released early, in an incomplete state. For example, suppose I am a technician and make my own TV. A friend comes to my house.
Friend: Whoa, what's that?
Me: The TV I've been making
Friend: Can I try it?
Me: Sure, but it's not finished. Be very careful with it.
Now, should I be liable for damages if the TV that I already said is experimental catches fire? Of course not! I didn't make it as a professional work, it's just a toy I let somebody try.
A useful addition would be the QGPL (Quality GPL somebody mentioned). Standard GPL, but with additions. How about:
The software must be reasonably secure. That is, it won't let people break into a computer, and won't delete all the data on your hard disk. The bug that doesn't correctly render HTML for site foo.com doesn't qualify.
All the reported bugs will be fixed in the next stable release
Perhaps as some people do, like D. J. Bernstein (the author of djbdns) offer a reward for serious bugs.
Maybe something else
Ideas? Comments?
Can you spell "Anti-trust"?
.NET extremely secure (almost impossible) Network Associates et al would form long lines at the local Unemployment office.
If they even dared to package their own anti-virus tool the likes of Symantec would be pounding at the gov.'s door.
Until recently if you called M$ support with a virus issue you'd be advised to contact an anti-virus specialist before they " gave it their best shot".
If you called in grumpy and pissed off (many are after an infection) you'd be lucky to get thru to a tech.
If you had a data loss issue and made a ruckus, the legal dept. would wave (Not Waive) a $5 bill (per EULA) in your face. Not enough to even cover the long distance fees incurred up to that point.
So go figure.
Besides, if they made
Everyone wants to point their fingers at Microsoft for how often they release patches for their software. Has anyone looked at home? What will the media think when they see that Debian has amassed eight security-related vulnerabilities in their distribution in the past 11 days? (and speaking of "security through obscurity," which Debian denounces on their security site, why does Debian not list the glibc vulnerability as existing until January 13th, when their patch was downloadable. Suse announced the vulnerability on December 24th. Someone knew but wasn't telling. That IS security through obscurity.)
Debian Security Alerts from 2002
Exploitable software is everywhere, and common. Probably the biggest problem is, and will always be, distributing the patches. Windows Update attempts to address that, which is at least a step in the right direction. I honestly think that any desktop OS or small business solution would require such a mechanism. To Microsoft's credit, in this specific case, the first time Windows Update in Windows XP attempts to determine if there are any pending patches, it does ask the user if they want it to operate completely automatically, notify before downloading, or the user may completely disable it. This is not a forced and uncontrollable feature. Even I'm not stupid enough to have it work on its own.
Also, the faster you pressure the vendor to fix the problem, the more likely the fix will be a problem itself. Security through obscurity isn't fun, but honestly, I'd rather Microsoft quietly hold onto a vulnerability, thoroughly test its patch, and release it with some fanfare, hopefully before anyone managed to write the script kiddie library of the day to take advantage of it. If the vulnerability is that bad, and there is a workaround, then they should provide instructions for disabling it. With the IE bugs of late, they have; publicly announcing that people should step up their internet and intranet security settings, change their MIME types, disable active scripting and ActiveX components, etc.
Is it me or do you also sense there's something in the air now? I have a strong feel Micro$hit is starting to crack. You can read M$ related problems everyday on every magazine nowadays.
As I've posted elsewhere, the US courts can bang their drum as loud as they like but if there are
no similar software laws in the country the OSS developers are working in there's not a damn thing
that they can do about it unless the developers are dumb enough to enter the US. E.g. Dmitry Sklyarov.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
While Microsoft has a shocking attitude towards security, the real problem is not their software itself. The problem is that they are a monopoly. If everyone runs the same software, even a small vulnerability can bring the entire network down.
Microsoft should be more security conscious but that really does not solve the core problem.
Unfortunately, most people do not see security as enough of a priority to deal with the cost and hassle of changing software. The only solution I can think of is to encourage people to make backups. Backups do not help when a virus destroys hardware but they are better than nothing.
Eventually, there will be a truly devastating internet virus. We have gotten lucky this far but our luck will not carry us indefinitely.
In a previous comment on another article, I noted that Unix has spent its time "in the trenches". Infosec history is full of Unix and its exploits... and its eventual improvement. But it is too easy to look at this history and learn the wrong lesson.
Unix's history of security flaws is less about Unix and more about infosec awareness. Unix changed as the understanding of infosec and security principles changed. While time has allowed more of these flaws to be discovered and removed from the Unix code base, the process over the years has been more about knowing what to look for (or even to bother looking). And as this understanding of infosec principles, concepts, and procedures has increased, entirely new chunks of unix code have materialized - sometimes to fill a void, but often to replace another project's functionality with a new design that has taken security issues into consideration during its inception.
In short, Unix does benefit from its maturity. But the greater lesson is the infosec mind set. The tao of security, if you will. And these are concepts that can be applied to any project / OS.
The claims that Microsoft will "get there" with maturity are misleading. Microsoft may indeed improve. But it's not the maturity of their code base that's at issue. The issue is whether Microsoft will begin to understand Security and design systems based on that understanding.
Microsoft has shown signs of improvement with a sudden handful of security tool offerings. But unfortunately, these are really superficial afterthoughts to an already flawed environment.
Microsoft's problem is not technical; it's cultural. Microsoft is a technology company that excels at marketing. Articles by Microsoft coders talk about the push from Marketing to add additional features at the cost of bug-hunting and resolution.
This kind of environment clashes with two infosec concepts. The first is that vulnerabilities are bugs - something malfunctions in an unexpected way, leaving the system vulnerable to intentional manipulation of this bug. The second is that there is an inverse relationship between functionality and security. Increasing the number of features, and the ease of using these features, often threatens a system's security.
Marketing at Microsoft will first have to care about infosec issues (this may be happening as Microsoft gets more and more negative press). Then Microsoft will have to strive to design secure systems even at the cost of features (and possibly even abandoning or severely restructuring current systems).
It will take a maturity of a different kind.
This web page from Fairfield City should be enough to convince you that Microsoft security is good enough for storing credit cards, your e-money, financial records and anything else.
Tell your friends about xenu.net
Not for long buddy!
I don't know why this is a story. Any responsible IT person shouldn't allow automatic updates of anything on their systems, let alone operating systems. corporate.windowsupdate.microsoft.com allows you to "save as" hotfixes and patches - test them in your environment, and apply them as you see fit.
Think about it. Viruses spread due to flaws in design or weaknesses inherent in that design. Why shouldn't a facility to protect against those weaknesses be a part of the OS?
Why does Microsoft feel the need to bundle and integrate a browser, media player, and instant messaging into the OS to "innovate" yet continue to not take steps to protect their core OS from virus threats?
To really implement tight security (the only kind that will prevent 95% of viruses) means a drastic change in Microsoft's entire line of products. The fact is most people know better, but when they sit down at a computer their brains turn off and they click everything. The only way Microsoft can prevent all these email viruses isn't to turn off "launch attachment", because people will turn it on the first time they get an attachment. It's to require users to save the file, scan the file and limit user accounts in windows. That means users have to login as the administrator to install programs and do updates. I'm sure people are saying, "just like unix."
Will people put up with less convenience after they've had it for 8 years? My guess is probably not. In the best case scenario, people will slowly get used to it and take 25 years to replace all the old software. Short of giving away their software, Microsoft will have a huge headache replacing all the outdated versions with hacker friendly features.
The reason I see for MS not doing this is two fold
1) Microsoft clearly doesn't have a clue about security.
2) Microsoft doesn't care; they see users are happy to purchase an OS with a flawed security model and are happy to pay Norton and Sophos for their scanning programs.
Eventually when there are enough computer literate people in the world, something that is happening very quickly, people's level of education towards security will change. At that point Microsoft will be in trouble IMHO.
The trouble is at the moment MS seems to be an unstoppable force, but then again so have many companies and they've learned the hard way too.
Now... where is my linux cd
I disagree. Many of the virus problems that have plagued MS are because they included features along with brain-dead defaults that made it easy for viruses to propagate.
For example, hiding known file name extensions by default often tricks users into launching an executable attachment when they think it's a jpg or somesuch.
For example, executing code automatically, especially in preview windows, was a stupid default.
The list goes on and on. The bottom line is the features and defaults were seemingly determined by marketing personnel.
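As an added example, not code from the original thread, here is a small Python model of the hidden-extension problem this comment describes, together with the check a mail gateway or attachment scanner could run on it. The extension sets, the "known type" list, and the sample attachment names are constructed assumptions.

```python
"""Deceptive-attachment check for the 'hide known file extensions' default.

Added example, not from the original thread. It models the Explorer
behaviour described above: with known extensions hidden only the final
extension disappears, so "photo.jpg.exe" is shown as "photo.jpg". A
defender can flag attachments whose displayed name implies a harmless
type while the real extension is something Windows will execute.
Extension sets and sample attachment names are constructed assumptions.
"""
from typing import List, NamedTuple

# Assumed (partial) set of extensions Windows will execute or run as a script.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}
# Assumed set of extensions a user reads as "just a picture or document".
BENIGN_LOOKING_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}
# "Known file types" whose extension Explorer hides (assumed to be both sets).
KNOWN_EXTS = EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS


class Verdict(NamedTuple):
    filename: str      # name as stored in the mail / on disk
    displayed_as: str  # what the user sees with extensions hidden
    real_ext: str      # the extension that decides what actually runs
    deceptive: bool    # displayed name implies a benign type, real type executes


def real_extension(name: str) -> str:
    """Final extension, lower-cased; '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def hidden_ext_display_name(name: str) -> str:
    """Name as Explorer shows it with 'hide extensions for known types' on.

    Only the final extension is removed, and only when it is a known type;
    any earlier '.jpg' in the name survives and is read as the file type.
    """
    if real_extension(name) in KNOWN_EXTS:
        return name.rsplit(".", 1)[0]
    return name


def check_attachment(name: str) -> Verdict:
    """Compare what the user would see with what the OS would actually do."""
    shown = hidden_ext_display_name(name)
    real = real_extension(name)
    # Type suggested by the displayed name. rstrip() also covers the
    # whitespace-padding variant ("readme.txt        .exe"), where the
    # padding pushes the real extension out of view.
    apparent = real_extension(shown.rstrip())
    deceptive = real in EXECUTABLE_EXTS and apparent in BENIGN_LOOKING_EXTS
    return Verdict(name, shown, real, deceptive)


def scan_attachments(names: List[str]) -> List[str]:
    """Return the attachment names that should be blocked or quarantined."""
    return [v.filename for v in map(check_attachment, names) if v.deceptive]


# Constructed sample attachment names, not captured from real mail.
SAMPLE_ATTACHMENTS = [
    "holiday.jpg",             # genuine picture
    "photo.jpg.exe",           # shown as "photo.jpg", runs as an executable
    "report.pdf.scr",          # screensaver = executable, shown as "report.pdf"
    "setup.exe",               # plainly an executable, nothing misleading
    "readme.txt        .exe",  # whitespace-padding variant of the same trick
    "archive.tar.gz",          # unknown type: extension stays visible
]

if __name__ == "__main__":
    for v in map(check_attachment, SAMPLE_ATTACHMENTS):
        flag = "DECEPTIVE" if v.deceptive else "ok"
        print(f"{v.filename!r:28} shown as {v.displayed_as!r:24} -> {flag}")
```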
Let's face it: Anyone who has been in this business for long knows damned well that security comes in lots of different forms. Does Aunt Milli need C2 security to store her Rhubarb recipes? Hardly.
Microsoft, for better or for worse, is aimed at PHBs and Joe Sixpack. These guys don't care about security except to the extent that it *HAS* affected them. They also don't care about software that's reliable. They need to see someone running a super stable OS with easy to use features that they can comprehend. Linux has come a very long way from its roots, but it ain't there yet.
Folks, we don't all drive armored trucks to work, nor do we feel comfortable putting our families in a Yugo. We are still very much in the Model T and dirt road days of computer software and User Interface design. Crashworthiness isn't part of the equation, nor is security. GET OVER IT.
Microsoft knows this. They're still selling cars to people who don't have them. They're not selling crashworthiness or security yet. Some day, when their market gets that intelligent, they'll be there.
Yeah, that sounds nice but if you look at reality, the reason there are so many MS problems is because if wordpad has a flaw it's on the front page of every paper and web site on the planet. If apple, AOL, Linux, or anyone else has a problem you don't hear about it. Why? Because it's not big news. If a big actor gets arrested for indecent exposure you hear about it everywhere. If the local drunk is walking down the street with their dork hangin' out no one really cares. Another interesting question though is how many security flaws has Linux had since it first came out? How many in the Kernel? How many in the different distros? You people are such a bunch of misguided fools sometimes. You whine and cry and moan about any government action, but then BEG for the government to make more laws thinking they will only apply to MS. Then when your own stupidity comes back to get you, you cry. What would happen if the gov't said Linux is illegal because it allows for hackers to easily infiltrate networks and thus is a terrorist tool? You would all jump up and down, pound your chests, cry, whine, moan, and lose in the end. So why bring down more gov't than you have to? Talk about biting off your own nose to spite your face. I guess that's what happens when you let children get involved in things that are bigger than them. They don't know how to create, only destroy.
The big problem here is that Microsoft presumes that its interest in updating software supersedes the end-user's control of his or her machine. Why would any user want Microsoft doing anything to their machine without prior consent? The interest of a software corporation and the end-user are fundamentally different... Even local IT managers often screw up work in progress when updating software--usually timed for their convenience, not the user's. I am thankful that Microsoft is so incompetent; perhaps the ill-conceived notion that a central authority should dole out and control tools that have already been purchased by end-users will at last come under question.
Oh no, there's a security problem in everybody's favourite jungle 'n' cave sideways scroller! Hang on to that rope too long and it deletes all your files!
Oh, "Security Flaws may be Pitfall For Microsoft". I really must stop speed-reading everything...
Anybody knows any windoze user that doesn't know how to type Ctrl + Alt + Del in his sleep.
There are a lot of people commenting that the GPL should remove its no warranty clause if MS should. There is a fundamental difference though between the two licenses.
The GPL allows others to fix problems that occur, MS's license doesn't. More importantly, GPL software is traditionally not being sold. There should probably be a GPL license with a quality assurance that is specifically for selling GPL'd software.
It is absurd to think that a programmer would enter a binding contract to work for free. It's funny though because every other industry has to stick by some sort of warranty. I don't know how the computer industry gets away with it...
int func(int a);
func((b += 3, b));
I fear that it will be easier for Microsoft to address most security issues (as they finally have wrt stability) than for Linux, etc. to become fairly user friendly.
try: apt-get update
apt-get upgrade
The security model isn't the issue. We need an OS that protects against buffer overflows.
Funny, as I write this we are trying to recover data from our compromised Linux system (RedHat).
Not to be a troll here, but don't tell me you don't trust Microsoft and also that you bought their product (XP on your laptop). You may have doubts, and certainly everyone does, but obviously your doubts don't keep you from trusting MS enough to buy their product.
If you really distrusted Microsoft, you would have bought an iBook.
When a coffee maker makes bad coffee, can you sue the manufacturer? We've heard about people suing Mr. Coffee for burning down their house or maybe even squirting boiling hot water at their faces, but what about for bad coffee? What if your business depends on the quality of that coffee? How about televisions? Can a bar owner sue Samsung because their TV is fuzzy during a football game, which many of their patrons come to watch?
What happened to testing out and researching what you buy?
That's interesting!
In the US, the sidewalk in front of your house is the responsibility of the homeowner!
You most likely will be sued, and your insurance company will settle - no contract, but you'll be at least partly liable
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
I paid for Quicken at one point (as part of the bundle I paid for on my system). As a consumer with a registered version of Quicken, I was entitled to a free upgrade when they realized that x-y versions weren't Y2K ready...and they had claimed they were....Again, I paid for Quicken.
If GPL, OSF, whatever other TLA-licensed (Three-Letter-Acronym) code is paid for. As in If (!free beer) and (free speech)...then it should be liable. If I don't have to pay for it, then I want some liability.
If (free beer) and (free speech or !free speech) {
Then I really don't care too much about liability. Downloader beware!
}
When Code Red was disabling Qwest's DSL service all over and customers and Qwest were getting hosed (and I'm sure Qwest passed the hosing on down to its customers), I enjoyed the fact that my service provider didn't rely on M$'s pitiful-attempt-at-being-secure OS for operations. I had a Mac connected to Speakeasy...I was just fine! When vulnerability is that widespread among M$ OSes, and *n*x based systems are unaffected...there's a definite problem.
My personal solution? I don't use M$'s products...unless they're free (as in beer).
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
Not entirely true. The homeowner is responsible for keeping the sidewalk clear, but the homeowner is not responsible for upkeep. The government has to fix cracks and such. The homeowner just has to plow snow.
That just proves that common IT would settle with anything just to avoid learning something new.
First they were happy to get rid of buggy W2K, discovered even more terrible reality with XP. Now they're happy to have at least W2K back (buggy as it is, still better than XP)
Dammit, AND XP SERVER IS NOT OUT YET, this is a real success.
Um, it has nothing to do with "anti-trust" or monopolies at all. The simple fact of the matter is that Microsoft was not making any money off of a virus scanner.
If they had been able to make money then there would be an MS Anti-Virus, as there was in MS-DOS.
karma is for the weak >)
In NYC, you have to fix the sidewalk too, and if you don't the city will, and send you the bill
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
DRM? No thanks, I'll just get it somewhere else...
For example, hiding known file name extensions by default often tricks users into launching an executable attachment when they think it's a jpg or somesuch.
True. That's why I turn that feature off immediately. BTW, didn't they do that so Windows95 would look more like the Mac OS?
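As an added illustration of the point above (not code from the thread), the function below models what Explorer's "hide extensions for known file types" setting does to a displayed name and flags attachments whose real extension is executable while the shown name suggests a document or image. The extension sets are constructed for the example, not Windows' real registry-driven list.

```python
"""Model of the 'hide known extensions' display rule and a masquerade check.
Added example; the extension lists are constructed, not Windows' own."""
import os

# Constructed: extensions Explorer would strip from the displayed name
KNOWN_EXTENSIONS = {".txt", ".jpg", ".doc", ".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Constructed: extensions that run code when double-clicked
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Return the name the user sees in the file list."""
    root, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_EXTENSIONS:
        return root          # "photo.jpg.exe" is shown as "photo.jpg"
    return filename


def shown_extension(filename: str):
    """Extension the displayed name appears to have, or None if it has none."""
    _, ext = os.path.splitext(displayed_name(filename))
    return ext.lower() or None


def is_masquerading(filename: str) -> bool:
    """True when the real extension is executable but the displayed name
    ends in some other, non-executable extension (e.g. photo.jpg.exe)."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    shown = shown_extension(filename)
    return shown is not None and shown not in EXECUTABLE_EXTENSIONS


def audit(filenames):
    """(real name, displayed name, masquerading?) for each attachment name."""
    return [(f, displayed_name(f), is_masquerading(f)) for f in filenames]


if __name__ == "__main__":
    # Constructed sample attachment names
    for row in audit(["photo.jpg.exe", "photo.jpg", "setup.exe", "notes.txt.vbs"]):
        print(row)
```

On a real Windows box the switch is the HideFileExt DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; setting it to 0 shows extensions and removes the ambiguity the check above is looking for.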
We all want Microsoft to be held accountable but the little guy should be free, right? Then make this accountability the punishment that Microsoft has to suffer due to the guilty verdict in the anti-trust case.
I don't know how programming shortcomings are related to business ethics.
IMHO, these are two different things, shoddy programming and trying to monopolize the market, are punishable, or are they?
Both require some action, yet can a common punishment fix the two? By splitting M$ up, will IIS suddenly be security hole free? I think not.
Steve Lipner...gee, i'm sure he goes home everyday with a sense of having served his purpose. BWAHAHAHAHAHA
The article states that people will start using effective strategies to prevent this from happening only after it has happened. The reactions of Microsoft in recent cases only seem to confirm that. So it is highly likely that we will see such a scenario at least once, and probably with a much more destructive damage routine than what we've seen until now (the sneaky data-corruption scenario is quite troubling, since once it started you can't trust any of your data anymore, even worse would be a virus (or a module piggybacking on it) that is stealthy enough to work unnoticed over the period of some backups).
Also the article shows that virus scanners are not really a solution, since they can only react to known viruses. Also automatic updating/patching software is no solution, since that introduces other security holes and other problems, and in the end such a system also can only react. What we need to do is implement basic concepts, and the named candidates (turning off unnecessary features, diversity, security by design, learning from the past (overflow exploits are still common), security audits, traffic control) are a very good starting point. But that costs money no one is going to spend before understanding that they have to. Very obviously it's not enough to read about such a scenario in a theoretical paper, to happen in some hazy virtual reality, it has to be in the news, and the billions of damage have to have already happened last night.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
My neighbor's dog has a 5 inch clit
This is a consequence of the computer "doing exactly what we tell it." Until we create a way of programming computers which has some room for error/graceful degradation (and consequently doesn't do exactly what you tell it), then computers will always have this problem.
"If you look 'round the table and can't tell who the sucker is, it's you." -- Quiz Show
Everybody denies I am a genius--but nobody ever called me one!
Here in the US (NYC at least), the city is responsible for the ROAD, but the homeowner is responsible to keep the sidewalk and CURB in good condition -In NYC, (s)he is also responsible to sweep the gutter of the road - in fact a business is supposedly checked up to 2x day (I think it's 10am-11am, and 2:00pm to 3:00pm) and if there is any litter on the sidewalk, or in the gutter, they can get a ticket! I'm not saying it happens often, but...
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
First:
And then: Director of Security Assurance ??!?!
If you can imagine a more Dilbertified position within a company....
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Not quite. The Halting Problem is impossible for a computer to solve. In other words, it's impossible to automate the process of checking for infinite loops.
Programmers don't have that limitation (as least most of them don't). Since we are able to recognize and predict certain kinds of outcomes that computers can't, we are often able to be sure if the result of a program is correct, even if we can't write a program that can be sure.
Eagles may soar, but weasels don't get sucked into jet engines.
But why does anyone (on this site) care if Windows has vulnerabilities and how they handle them? This site is viewed by a majority of users using alternate OS's, is it not? It seems as if the only reason stories like these are posted is to poke fun at Windows and how inferior it is. Thus giving the open source community more and more reason to light a cigar, drink brandy, and pat themselves on the back.
One could argue that the reason stories like this are posted is because there are some Windows users viewing this site. To me, this isn't the case. Microsoft is looked upon (On this site, respectively.) as the bully who made fun of you growing up. So in order to avenge years of "Poopy Pants", findings of bugs and basically flame articles are posted.
I'm not going to say the authors of slashdot need to stop doing this. If that were the case I'd simply just not view the site. All I'm asking is for the authors to lighten up, or at least change the logo to something more conservative.
Hate to say this, but as a windows user, windows has been good to me. I run win95 on a laptop (p75 & 16 megs of memory), using it primarily with bitchX, adobe reader, and microsoft's lit reader, and the machine has rarely crashed (I can't remember the last time it did). It also doubles as a quick and dirty win32 apache + php server, plus it has e4m on it for encryption, and a few apps (Vim) and games (Nethack, Nesticle, zSNES, etc). Btw, never had a virus on that machine.
My desktop is a 1.13Ghz AMD machine with Windows 98SE and a ton of software installed. Active Desktop is turned off. It is another remarkably stable machine, save for a few things. Winamp 3 will crash it if it's burning a cd at the same time. Ultramon seems to add to instability. Doom will occasionally crash. Other than Doom, I don't have any problems I can't live with by avoiding the software. Btw, this machine never had a virus either. :) Other than a bad stick of memory I had installed for 2 weeks, I've never had a problem with this machine.
So, why do people have problems with windows? Crappy software. Cracked software can be unstable. The $10 games are crap. Comet Cursor is another item I've seen lead to instability. And finally, poor hardware. The amount of software installed (but not running) isn't a factor, I probably have over 100 programs installed on the machine. At boot, (off the top of my head), the following programs load - VNC, E4M, PGP, ICQ, TinyFirewall, Norton Antivirus, InCD). I have a tendency to run web serving (apache) or file serving (warFTPd) software. I run games, everything from Nethack to Diablo, including Mame32 and TuxRacer. I use realplayer, gdivx, windows media player, and even (rarely enough) quicktime. The machine gets a lot of use under a variety of circumstances. And it's stable.
I'm sorry, but it's not normal when windows crashes. And BSODs aren't normal either. It's either bad hardware, a corrupt install, faulty programs, or poor drivers.
Just my $.02
On most modern PCs, the BIOS is flashable. The control chips on the IDE drives are flashable. The CPU has flashable instructions. These are all there to deliver upgrades in case of a bug.
Now, imagine a virus that destroys the IDE control chips on each drive (no accessing the data again, short of mechanically removing the platters), destroys the BIOS (no booting again short of physical replacement of the BIOS chip), and destroys the CPU (instructions are broken, starting with the ability to update the instructions).
Cross this with Warhol propagation techniques. While you're at it, delay the payload long enough to maximize propagation rates, but not long enough to allow antiviral reaction.
This could lead to *hardware kill rates* on the order of 10%-50% (or more) of the computers on the Internet. None of those computers would ever work again, and data stored on them could not be easily recovered.
All of this is doable from publicly documented information, crossed with the Microsoft wormhole-of-the-week.
Are you frightened? I am.
Hand me that airplane glue and I'll tell you another story.
If MS loses the appeal of the popular press - promoting every new release as stable and secure - then they're screwed, even without the class action suits and liability claims.
I just have to laugh when I see stuff like this. Ooh, Microsoft's gonna get in trouble! No they aren't.
The vast majority of people who buy a copy of XP aren't even aware that they are buying a copy of XP. They buy a computer. To them, if they even know the words "operating system," it has no meaning to them beyond what it is they see on the screen. They certainly don't choose an operating system. They go down to Circuit City and buy a computer because all their friends have a computer, and they want one too. Or else they need one because they have a computer at work, and they want to work at home.
Is there any evidence that Compaq, Dell, Gateway etc. are particularly concerned about security flaws in the bundled OS? No. They want to sell boxes, and they have to sell as many as possible, because their margins are low. Are people going to complain to Compaq, Dell, Gateway etc. about the OS? Sure, but they're going to complain to them about anything whether it's related to the machine or not, and at least there may be the option of foisting those calls off on Microsoft. Are Compaq, Dell, Gateway etc. going to complain to Microsoft? Maybe, but Microsoft has them by the short hairs, and they know it.
What's going to happen with some bad press? Not a damned thing. People might become irritable and insist that Somebody Do Something, but they're going to keep shoveling money into Microsoft's maw anyway, and they're not going to slow down.
Mumble mumble class action lawsuits? Yeah, right. The DOJ spend a whole lot of taxpayers' money to do nothing over several years. Half the states capitulated to a non-settlement. Microsoft isn't going to run out of lawyers any time soon.
Truth, Justice, and the American Way? It was the American Consumer (who is always right, and don't you forget it buddy) who made things this way by their choices. It isn't going to change.
The main thing is that your post is about something you paid and ordered for. (mine was about helping a neighbour build a house, not to earn money at all).
Read carefully, if it's a problem, try to do that slow, with increasing degree of being slow.
Have you ordered your distribution or is it a part of GPL? (Don't even answer if you're a win user, if you are, well, I've just lost respect (I was too long myself, but that was a long time ago))
Last time I checked, commercial distributions like IBM/Linux, HP/Linux (you pay their liability way over 0$). All other distributions are freely downloadable and last time I checked, GPL???
Original comment was about (example TV software????) taking liability for nothing. If you agree with that I really hope you are coding (I'll be your buyer as soon as I sign a legal liability contract with you))
Yes, caps lock could be a problem, but being professional was not the main intention (BEING REAL WAS).
Damn!!!! Uh, and I really love big letter Y. Here's a few of them (maybe you'll like them too): YYYYYYYYYYYYYY YYYYYYYYYYYYYY YYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYYY YYYYYYYYY YYYYYYYYYYYY YYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYY YYYYYYYYYYY YYYYYYYYYYYYYYYYYYYYYYYY YYYYYYY YYYYYYYYYYYYYY YYYYYYYY YYYYYYYYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYYYYYYYYYYYYY
Is it good? I don't know, I guess it depends on what your priorities are. If what you really want is rock solid quality software, then yes it's good.
Rock solid, yep that's what M$ makes computers, kind of like a paperweight that blinks and makes noises between blue screens. Wooohooo, don't do nothin for yourself folks, Sheldon is going to save us all with solid software. Pththth-fiiit!
Sheldon is not a real person. Sheldon is actually the name of a high school debate team in Tel-Aviv. Not quite as interesting as signall11, but more comments. As dispair.com reminds us, when you redouble your efforts to make up for ineptitude, there is no limit to what you can't get done.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Hi,
Let's say that [insert legal technicalities here ] any software maker who's making profitable business out of IP has to be liable for its product.
It could work pretty much the same way it does for amateur first-aiders. If someone fails to save a life by doing the Heimlich Maneuver (not sure how to spell it) on someone else, they won't be sued for criminal negligence or anything like that. But if a doctor kills someone by giving a bad dosage of some drug, it can be a totally different story. I think.
If you walked over and helped him build it, with his consent, since you didn't exchange any money then there still wouldn't be a problem unless you represented that you were an experienced builder when you were not. The court would throw it out since the neighbor could have told you to leave, basically.
/. poster didn't like me.
No company in their right mind would ever become liable for software. It's just too risky. You test it the best you can and, after it seems to work well for awhile (say, the F-16 flight computer software) you don't *ever* change it.
I win a lot of things. I got you pissed off without even trying. But I run Linux, Mac OS X, and OpenBSD on x86, ppc, and sparc, respectively. I guess I still have your respect. At least, I hope I do. I wouldn't be able to sleep in a
BTW, you're so cool. I hope I can be just like you when I grow up.
karma is for the weak >)
The reason for pessimism is the number of laws and court decisions that have recently been strongly biased in favor of corporations and against individuals. Also, more generally, in favor of the extremely wealthy and against those less wealthy.
P.S.: read the infoworld article on the remake of UCITA. In some ways it's even worse than the previous version. And I should expect a favorable outcome? I may hope for one, but expect it?
I think we've pushed this "anyone can grow up to be president" thing too far.
The issue of software liability is a sticky one but I agree that companies producing software should have some measure of accountability. I don't have a good solution, but here are some thoughts...
As an application developer, I am liable for the apps I produce. If I create applications that don't work, it is my job to fix the problems. If I don't fix the problems, then I run the risk of being fired. Certainly, I'd like software companies to be held to the same standards.
One might argue that, if I don't like the software that a company creates, then I can just stop using it (which is analogous to that company getting fired), just as I can change cars or toasters if the one I get is junk. But unlike cars or appliances, it's not always easy to switch software.
Aside from the cost, it's relatively easy to switch which car you drive -- doing so doesn't require a lot of preparation and generally doesn't affect other aspects of your life.
On the other hand, switching software can be a major undertaking, especially for operating systems, and especially in a business. Even upgrading software from one version to the next (and even applying security patches) can require a good deal of resources (money, time, staff, energy, etc.). Plus, changing software can require re-education of the people who will be using it which, itself, can be resource-consuming. (By contrast, one doesn't usually need to learn how to drive again when changing cars.)
For example, I work in a hospital where changing software has ramifications far above just the monetary cost. Thus, to do so safely, changing software can require years of preparation, millions of dollars, swarms of people, etc. Certainly, we'd like to have some assurance in the quality of the software we install, and some recourse if it turns out to be crap.
In any event, I think whatever legislation gets developed will need to take this difference into account.
The legislation wouldn't have to be so open-ended that anyone could sue the company for any bug, but maybe there could be provisions that say that a software company is required to provide a patch for a significant bug/security flaw within X days or else businesses who are using the problem software can sue to be refunded the amount they paid for their support contract, for example.
Or maybe software products should require disclaimers like they have for drugs ("the most common side-effects include BSOD, dry-mouth and anxiety").
-- D.
Software liability will be tricky because of a domino-like effect: you may want to "guarantee" the code you wrote, but how can you do that unless you also guarantee the operating system it runs on? A bug in the OS may ruin your program. Oh, did you write the compiler you used? Maybe the compiler has a bug and introduced an optimization bug. Did you build the hardware? Do you really know if it works properly under all circumstances?
That is to say, some limited liability would be very useful. It would force vendors to feel some pain when they unleash buggy code.
For example, if Hailstorm/Passport/whatever has a security problem that leaks user credit card info, who is liable for the fraudulent charges? Hint: not Microsoft. If by law MS had to back the faulty charges out of its bank account, I predict Passport would be immediately withdrawn for a couple years of "redesign".
and half the market is below average, then at least 40% of Microsoft would be below average in its compliance.
Half of the game is 90% mental.
This system will wind up being a "liability level sticker". i.e., all open source software will obviously be marked level-0, as-is, despite the fact that much o/s software is more stable than closed source. Now, if I were a company with existing software, say, MS Word, I would stamp it with level 0 too, knowing that it limits my liability, and that the user will buy it for other reasons than "quality". Products with higher "quality levels" will simply cost too much to be marketable ($1000 for a word processor? $100,000 for an o/s??)
-Michael Roy Some people are like Slinkies. Not really useful, but you can't help smiling when you see one tumble down
I see. So it's OK for people to run around advocating Linux or Apache as a serious alternative to WinXP or IIS, but the former are not to be subject to the same liability and the contributors not subject to the same incentives? Realistically, these two claims are not compatible.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Lawmakers had best not pass laws allowing people to sue software developers who put out buggy code.
:P
Why?
We'd see a hell of a lot of open source projects going down in flames as well.
Consumers are smarter than some here think. If we teach them that software doesn't have to be a stinking pile of dung, they'll catch on, and start demanding working programs - that, or switch to different products, or at the least, stop the upgrading frenzy and go with their patched to hell copies of Microsoft '98 products.
Now for an obligatory B5 quote - "And so, it begins.."
*snicker* Been waiting ages for the average Joe to start catching on to the fact that, no, computers aren't supposed to crash.
In reply to all those "Software is IMPOSSIBLE to secure" posts:
By comparison, so are pharmaceuticals.
(intravenous drugs for example: it only takes a few bacteria to cause a potentially lethal infection in the patients)
Yet scandals are rare. Why? Because of control.
Everything is controlled in incredible detail. Look at the production lines in the pharma industry (I've personally visited a few), and you'll immediately become aware of the safety.
Safety starts *long* before production, even before the factory is built they're planning and designing for product safety. The routines of the staff are tightly controlled. Quality assurance staff are everywhere, continuously probing production. Basically, safety is a fixation, it permeates the industry from the start to the end.
Why? Because they have to. It's the most tightly regulated business in the world, if the ventilation in that clean room isn't up to code, (which means replacing the air completely in 2 minutes) the FDA will shut 'em down immediately.
Now I doubt we need this kind of regulation for software, after all, Microsoft's customers don't die when MS screws up. (Thank god- what a holocaust that'd be.)
But they definitely need to get security into their heads. As usual, money provides the best incentive. Hold 'em liable.
As for OSS companies, heck, I thought Quality Management was what they did? When I buy RedHat Linux, I want a kernel that is stable and safe, packages that work together, etc. That's why I'm paying for it isn't it?
If they support a product, they should take full responsibility for it.
"And I stood praising God looking over the destruction of our enemy, as their bodies putrefied from the rotting effect of the virus that God in His wisdom had put on the Earth, of which they had no knowledge." (apologies to H.G. Wells)
The contents of this message have been doubly encrypted by ROT13
As to whether it actually meets said standard -- yes, it would be good to have an independent testing team, but who's going to fund it? Do you only get to have a rating if you can afford to help support the test process?
That being the case -- I'd suggest a twofold system: a rating the software author agrees to meet, and a number assigned by independent review when that is available. So if I claim a 3 rating but actually manage a 4, I get a 4/3 rating. Consumers have caught onto similar systems quickly in the past (such as gas mileage ratings on new vehicles).
To extend the idea another step, the penalties for failing to meet said standard should also be set on the same scale, so there will be no question how heavily any breach of performance standards will be penalized. Frex, if you claim to produce grade 5 software, but it's actually only grade 4, you get one increment worth of penalty. If you claimed grade 4 but it was really grade 1, you get 3 increments worth of penalty. And so on. That way someone who tries but didn't quite get it right doesn't get penalized as much as someone who really screws up and doesn't care.
If you can't afford the liability, then don't claim the reliability. Simple.
Occurs to me that liability insurance for software (both individual and corporate products) could quickly become reality under such a scenario, with premiums set apace with the reliability claimed for said software.
Perhaps it could start as a voluntary system, which develops coercive force on the software industry as consumers become accustomed to the concept and as more funding for independent testing becomes available -- the system would make it in the publishers' best interest to support it, perhaps with some charity testing for free software.
Anyone else have ideas for how to extend the concept?
~REZ~ #43301. Who'd fake being me anyway?
OK, OK, we've had the MS-bashing, and we've had the "Oh, no, it will destroy the free software/OSS world as we know it!" panic. Now perhaps it's time to sit back and take a realistic look at the situation from a software developer's viewpoint.
Developing software with few or no bugs is possible. Occasionally, it has even been done to prove it. Look at TeX, for example. However, you get diminishing returns for your QA effort.
One possible alternative is to adopt a genuine engineering-style approach to software development. When making a bridge, if the engineers say it isn't ready, it doesn't open until it is. Construction outfits who violate this "rule" are probably open to subsequent legal action in the event of an accident, on negligence grounds. Software "engineering" is obviously not subject to similar accepted practice, and when the engineers say it isn't ready, the managers tend to ship it anyway to keep the sales guys happy.
Producing truly high quality software (in the bug count sense) normally requires both a considerable amount of skill and a considerable amount more effort than normal development. Microsoft would have the resources to do it, I suspect, though whether even they have enough truly skillful developers, and the quality of management to support them, is open to debate. What is certain, however, is that if they tried, the price of their products would rocket. They would become uncompetitive, as their customers adopted alternatives that lost data occasionally, but cost 1/10 as much. Yes, that is the sort of cost difference we're talking about, at least.
However, even if you somehow make it commercially sensible to develop high quality software at that price level, you would still undo all the good if you allowed arbitrary liability on the part of the developers. As with things like intellectual property, you need a reasonable compromise. In that case, it's copyright or patents for a limited period, long enough to take advantage of your efforts, but not enough to keep things from everyone forever. In this case, perhaps what's needed is a set of accepted standards for liability. That would in one stroke do away with both some absurd licensing restrictions and pathetic QA on the part of certain developers, and also protect those consumers who are genuinely harmed by poor development standards.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Um yeah. You know I heard somewhere something about a monopoly. So Linux is pathetic because someone else broke the law. OK.
inky
pissed me off???? nada, niente, zero, null.
i like aggressive conversation. sometimes aggression gives more than 10 years of peace.
int pissedoff() {
    return 0;            /* zero: not pissed off */
}
int main(void) {         /* was "void main()", which is not standard C */
    int readthis;
    readthis = pissedoff();
    return readthis;
}
i think we at last agree on liability when free of charge gpl software is given away, otherwise i'm going to stop making that kind of software.
you can sleep like a baby. i allow you.
???? haven't you left out sgi ???? no need for answer! i don't use sparc, sgi yes.
god i'm great on the keyboard, managed to type without caps lock, but still i couldn't do without ending with yyyyyyyy
ending quoted from antz: remember, be the ball
p.s. like the *ever* sentence.
but is pissing off people the best you can, you know in that case there's a playground and i'm the player!!! also check your last sentence????? ain't it a bit strange
been great chatting, you've got !attitude
greetings from santa
What's wrong with a little sarcasm?
I've done that, pretty much. Back in the mid-1980's, I worked on a HASP bisynchronous communications package called HASTE. Hardly anyone uses HASP anymore, but it was a bit like telnet and FTP with guaranteed delivery, error correction, and compression, over bisynchronous communications lines. The program ran at first on CP/M machines and later on MS/DOS machines. It provided redirection to console, printer, and disk file, and redirection from console, disk file, and "reader." It had full on-screen help, a built-in text editor. It was menu- and event-loop driven. Not the most sophisticated program ever, but not too shabby.
We were very concerned about making it bug-free, even to the point of including patches to operating systems and working with developers of many new computers to make sure their software and hardware could run it. We used to give demonstrations of the running program where a member of the audience would be invited to cut the cable during a transfer of a lengthy file. Then we installed a new cable, and the transfer finished.
Even though we had a No Warranty sticker to keep the lawyers away, we offered a deal. The first person to find a bug got a free dinner at any restaurant. We had to pay off exactly once--at the restaurant in the Alexandria Hotel in San Francisco. We fixed the bug, of course. It was a cheap way to learn something about our program.
Things were pretty good for five years or so. We got excited about what was happening in the field. Most other companies seemed to share our ethic. Then things got depressing. We started to see people go out of their way to buy crap and get rid of good stuff that worked seamlessly. We saw companies throw away X terminals that worked, forbid their graphics designers from using Macs, and institute All-Microsoft policies, resulting in most cases in a loss of productivity and endless headaches. We watched a new generation of people materialize with a Beavis and Butthead uh-huh all software has bugs mentality.
I think I'm the only one of the group that does any serious software development any more. I have gotten way better as a developer. I am even vaguely embarrassed about that first bug-free success. But, two years ago, I was unemployed for more than a year. It was a bad time, and I lost my wife and just about everything else, including big chunks of my emotional capacity. I finally did make it back and am doing very nicely financially, but I'm not doing anything important, and I keep myself sane with Open Source side projects.
I know from reading TechRepublic and similar boards that about 90% of all IT-type managers and hiring people would never consider hiring me. They have the blue-collar Beavis and Butthead mentality, too.
What's the moral of the story? I think it's that developers aren't the problem. Nor is a lack of enough lawyers. The real problem is the business of the marketplace and the ethic that drives it. There are still some good development houses out there that make stuff that works. Macromedia is, I think, one. Adobe is another, their idiocy with Dmitry notwithstanding. But they are all either games houses, industrial control shops, or companies that established themselves when the marketplace still permitted the production of quality.
Nowadays, people might bitch about poor quality or demand that some lawyers do something about it, but they still make their decisions in such a way as to encourage and reward crap.
Judging by the number of "XYZ MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE" clauses found in all kinds of license agreements, including for commercial software, we can suppose that everybody will give their software a zero rating, including commercial vendors. As basically everybody would label their software as 0, this wouldn't even cause a publicity backlash. So we'd be back to square one...
Say no to software patents.
Destroying a computer is not the worst you can do.
Corrupting the data on the computer is MUCH worse.
Think of a database for an ecommerce server. A virus that understands the database format, and turns every 7 into a 3 in the database. Credit card numbers (I'm sorry, sir, your card has been declined), prices, product IDs, addresses, zip codes, telephone numbers (hope this doesn't happen to your phone company), social security numbers. Everything on that database.
Then it transmits itself to another host, and removes itself from that machine, attempting to cover its tracks.
Destroying the computer is *nice* compared to letting it run for the next month with incorrect data. You just corrupted the next 7 million transactions that system processes. And how much does it cost to correct that? Restoring a nuked server is cheap by comparison.
Which would be worse for a serious ecommerce business? Being down for a day? Or having to check every transaction that was processed for the last 30 days, and dealing with mischarged customers, fraud charges from CC#s billed incorrectly, incorrect products shipped, lost packages that were misaddressed...
Destroying a system is bad for a home user... corrupting it can be deadly for a business.
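As an added example (not part of the poster's comment), here is the kind of per-record integrity digest that would flag the silent digit-swapping corruption described above, with a Luhn check shown alongside to illustrate why a format check alone is not enough. The sample records and the key are constructed; in practice the key would live outside the database host.

```python
import hashlib
import hmac
import json

# Constructed sample transaction records (not real card data).
RECORDS = [
    {"id": 1, "card": "4539578763621486", "price": "79.99", "zip": "97201"},
    {"id": 2, "card": "4532015112830366", "price": "17.50", "zip": "10027"},
]
# Hypothetical integrity key; assumed to be stored off the database host.
KEY = b"constructed-integrity-key"


def record_digest(rec: dict) -> str:
    """HMAC-SHA256 over a canonical JSON serialisation of one record."""
    canon = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, canon, hashlib.sha256).hexdigest()


def seal(records) -> dict:
    """Digest every record once, keyed by record id, for later audits."""
    return {r["id"]: record_digest(r) for r in records}


def corrupt(rec: dict, old: str = "7", new: str = "3") -> dict:
    """Simulate the corruption in the post: swap one digit for another in every field."""
    return {k: (v.replace(old, new) if isinstance(v, str) else v) for k, v in rec.items()}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: catches some, but not all, single-digit substitutions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def audit(records, digests: dict) -> list:
    """Return ids of records whose stored digest no longer matches their content."""
    return [r["id"] for r in records
            if not hmac.compare_digest(digests[r["id"]], record_digest(r))]
```

Record 2's card number contains no 7, so its Luhn check still passes after corruption; only the digest mismatch (from the altered price and zip) reveals it.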
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
--
"I'm not sure exactly what an AS/400 is, however, I'm pretty certain I wouldn't want one up my ass"
Why apt-get? Why not urpmi?
I fail to see what's a new issue here.
boom.
You have misconfigured it - simple as that.
When was the last time you heard about a software company issuing a recall on a product? Maybe they should. Other businesses do it especially when a product causes harm or doesn't work as intended and causes serious problems to consumers which in these cases it does.
Can anyone say class action lawsuit?
I want my time and money back
MoRe... LaTeR... -=PJK=-
Not like we haven't heard this one before. Comes up about every 3 years or so.
Believe me, reports of Microsoft's imminent demise because of security concerns are greatly exaggerated.
Goddammit, if I see another person saying "Who do you trust" like George HW Bush, I will break something. It's BASIC GRAMMAR! WHOM is the direct object form of the pronoun "who."
Miss Thistlebottom, my seventh grade English teacher, asked me to relay this message: "Did you say 'flaws . . . HAS begun'"?
...OTOH, do you *really* need the apparently billions of useless "features" that Designated Software Corp rams down your throat in order to market a new version? Does anyone? They could be spending that time more productively (to us) developing less buggy software. Instead, they use a disposable economy model to keep throwing junk at you in the hopes that you'll think your last piece of junk is out of date and you really need a new Machine That Goes Bing.
Why should RedHat care about recovering broken XP systems? Shouldn't the vendor have provided said facility?
Does a Christian soccer team even need a goalkeeper?
The simplest solution would be to only partially implement product liability for software, only to the price paid for the software. In the case of commercial software, this would provide a significant incentive for quality control. It would not impede free software development, as their liability, equal to the moneys earned from sale of their product, would be nothing.
This would be a simple, fair mechanism that would be equitable to both commercial and open source software.
And if we truly can't get by without all those features, what's wrong with interoperability, APIs, modularity, and smaller non-bloatey software? While we're at it, how about world peace, an end to poverty, corps voluntarily cleaning up their pollution...Naaaah, ferget it...
Does anyone have the address those xp boxen try to report off to? I want to block it at my gateway, but I've never played with tcpdump before. Thanks.
Actually, most flashable cards have a backup non-flashable ROM, mainly in case the power goes during a BIOS flashing or similar. Also, chips can't turn off write access to themselves, so if you just have a valid ROM to boot it, you can overwrite the BIOS again with a working version. When there was this BIOS-overwriting virus some years ago, there were a few laptops that didn't have a backup chip, probably to save space, and they choked permanently. The remaining ones just had to be reflashed, problem solved. After that, they've learned.
Kjella
Live today, because you never know what tomorrow brings
Ha ha.
On my XP system at least, turning off the auto update feature in Control Panel - System - Automatic Updates didn't do the trick. I had it set so that Windows wouldn't even check for updates, and made damn sure it was set properly, but upon looking into the matter further I found that microshaft had done me the favour of running it in the background anyway, despite me telling the OS not to. Go to Start - Run and type 'services.msc' or alternately 'gpedit.msc' (I think it was gpedit, could be gl or gsedit) for a big shock - XP will still be running automatic update in there unless you specifically disable it there too. I forget where to find the option - just trawl through. I'd look it up myself to check but I'm at work on an NT comp. There were heaps of crap in gpedit that I chose to disable on top of auto updates. Where do you want Microsoft to take you today?
Do they really expect intelligent people to put their credit card numbers into this thing? Linux please save us.
What if every bug in windows is deliberately put there? What if every patch fixes one bug and opens up another? The true purpose of the bug would be for microsoft to monitor what you are doing on your pc. Paranoia...maybe?...reality...why not?
I think I remember the original Morris worm as being fairly buggy and unreliable.
By this, I meant assuming a worm that was carefully tested and not buggy. Many of the worms out there are buggy. Even the original Code Red had flaws.
Why should RedHat care about recovering broken XP systems?
No reason they should. They do care about recovering broken RedHat systems, but that pretty much translates to recovering broken systems, XP systems not excluded.
Shouldn't the vendor have provided said facility?
Yep. Will they? Nope.
Part of the reason I like windows is because I don't have to think about things like that. Oh sure, I never have the best security, but I don't use outlook or IIS, I don't run exes that spammers send me, and I'm behind a firewall, as well as running zonealarm. I'm fairly well protected.
Anyway, while it's possible that someday someone will hax0r windows update and slap some virii in there, I'm not too terribly worried about that, especially now that most of the big DNS railroading exploits are supposed to be patched. I just want autoupdate to keep my system relatively current so I can get back to what it is I do best; Downloading pr0n.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Okay, I have to post AC because I'm totally losing it.
THIS IS A REPLY TO THE SECOND FRIGGING POST! WHAT THE HAIRY HELL IS WRONG WITH YOU FUCKING MORON MODERATORS?!?
*ahem*
It was even only a few minutes after the post it's replying to!
HOLY FUCKING SHIT ON A HAND GRENADE! HOW THE HELL CAN YOU BE MORE GODDAMN ILLITERATE, AND STILL NOT BE AN ACTUAL FUCKING MONKEY?
There. I'm done.
If you're stupid enough to purchase crappy software, you pay for your decision. If you choose to use free software that's crap, same thing. ( Since good software is not the issue here. )
:-)
Make all software free from liability or defect issues, and make all software "satisfaction guaranteed or your money back"... ( sorry sears. )
With overpriced crap, you get your money back, and with free software, you get your money back... ( or even double y.m.b. )
The only law we need is that a consumer can get the money back within a specified time period, for ANY reason. Software vendors can time-expire, require registration, etc. to thwart piracy. Consumers have some time frame to evaluate the software for suitability or bugs. And consumers should be able to talk about their experiences with others without it being a licence violation.
Very simple, and it would be more effective than most of what has been proposed. Bad software = less revenue and a bad reputation.