Slashdot Mirror
Security Flaws May Be Microsoft's Undoing
tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products has begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough.
Update: 01/15 15:00 GMT by J :
Bruce Schneier's
January Crypto-Gram
came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."
Just a thought... If they dominate the market... Most software is Microsoft... Microsoft software is buggy and insecure.... Most software is buggy and insecure! They're right on par for the course!
What's in a Sig?
Add in a Gartner analyst casting doubts on MS and raising the trust issue in terms of
A failure to execute (on security) could get Microsoft executed.
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
Insofar as it's true that software is flakier and more vulnerable than other products, the questions we might ask are the extent to which liabiliy has motivated other product manufacturers to be a lot more careful in their manufacturing processes, and the extent to which software is "inherently" impossible to get right. Is that perception that software should be exempt from the sort of standards that other goods have accurate, or has that perception been constructed by years of poor software and a lack of accountability?
Begun to raise concerns?! That's like saying, "In other news, repeated appearances of the star Sol on an approximate 24 hour basis have begun to raise concerns that it may do so tomorrow."
Microsoft never built operating systems with security in mind. The last time I checked, the security testing group at MS consisted of two Norwegian Black rats, a four-year-old, and a blind, deaf, chimpanzee with a drinking habit. It still hasn't occurred to them that improving their security might, in fact, be a good thing.
There, I feel better.
They that would sacrifice their
A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.
Interesting, but in the case of free software, what would this mean for the developers? We all want Microsoft to be held responsible in some way for their security holes and such, but would we want to be treated the same way ourselves? What would happen when an author of a piece of free software was dragged to court because the software was buggy? And what would happen if it was Microsoft who did the dragging?
"Total destruction the only solution" - Bob Marley
Has shoddy security caused Microsoft any grief so far? A month after a hole is found, they fix it, and no one seems to care after that. Sure, people that don't like Microsoft remember it and add it to their encyclopedia of Microsoft holes to whine about, but people that like Microsoft fix it and go on with life. Who do they place the blame on? The "evil hacker", not the poor software.
People are so accepting of insecurity that they are even willing to spend cash money on antivirus suite after antivirus suite every year. It's just become a part of the cost of owning a PC.
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
A surprising sign of how quickly opinion is changing came last week. A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft's and other software companies' special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.
Now THIS is what could really get them; forget about breaking them up, this could obliterate them totally. They could probably beat most lawsuits with enough lawyers, but they'd run up such a huge tab doing so that it could easily threaten the survival of the company. Look at what happened to Dow Corning.
Slashdotters may want to hurt Microsoft by breaking it up, but we've seen that the legal process is slow and generally ineffective.
Nailing them with the FBI, IT professionals, and security experts may actually do real damage to sales.
The greatest part is, I bet most of the people challenging Microsoft are Slashdotters. Their arguments sound like +5 moderated posts, IMHO.
I was talking to some folks, and we mentioned that the world is becoming more dependent on information that is ONLY stored electronically, and not on paper. Perhaps the time is coming where something (like a major filesystem eating bug in XP or the next SuperVirus (TM)) will destroy a large portion of the internet's data. (An example is , who recently lost everything in a major raid update crash.
So what we should do is plan and prepare for this eventuality. If we have the equivalent of backup generators and emergency equipment in the digital arena, we can take over when the main system stumbles. It's not going to be long until someone devises a way to seriously crash a significant portion of the machines in the world - all the recent virii have been relatively harmless - it would not take much at all to program a relatively smart virus that would do serious damage (IE hit network drives first, destroy files that are heavily used, only strike at night, morph code, etc.)
Ah, well. This is just a bunch of blathering, but we should thing about how to use the "enemy's" weakness against it. We need to make sure that linux is seen as more stable and more secure because it is BY DEFAULT - if people start using it and get burned, they'll go back to Microsoft.
Fellowship 9/11
...except instead of 'security' it was 'stability.' Now Win2K/WinXP can stay up and running for weeks and months on end, and you don't hear too much about Windows stability problems for users of the new OS versions.
Windows has been unstable for years. Did it threaten Microsoft even one iota? Nope.
Dream on, sorry...
"And like that
Hard to establish liability for free software. But shareware authors who charge a small fee (and hence make a direct profit) might be easier to target should this liability idea take hold. Shareware would become enough of a liability for small-time authors that they would be forced to either give up and find a publisher with deep pockets, or else give up revenue all together and just give their software away for free. Perhaps a threshold could be established to determine when liability kicks in?
Why aren't we told when an Editor moderates our posts?
Making software developers liable for damage due to blatent, criminal negligence would seem to be a good idea on its surface, but given how money corrupts our political system, any such incipient bill being developed in Congress could be easily be turned on its head. If every software developer is held liable for *any* damage caused by their product, imagine the destruction such a law would wreak on the free source movement. Who would dare donate code, faced with such huge potential liability? Bye-bye gnu cc, bye bye Linux.
Reasonable diligence should be exercised to protect security, but no large, complex piece of software can be bug-free. Building software ain't the same as building bridges, boy!
The more MS screws things up and has major problems the better. The more often they have them, the better.
Why? Because the more these things happen, the more the people who REALLY need to know about them will find out.
Mr dot-com who pays others to run his damn site, will think twice about paying people to host his site on such garbage.
And the end result will be one (or more) less vulnerable sites out there.
Bring it on, damnit.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Removing the limits on liability would not only affect Microsoft, but the GNU GPL. Would you want to be personally responsible for any GPL'ed code you wrote? Perhaps the solution would be to form a corporation and assign GPL copyright to it.
Anyway, at the very least, this sort of law would light a fire under the ass of the software engineering community. Maybe it cause some actual progress!
Ok, since when is Microsoft's troubles with security flaws being bad for business news? Anyway ....
/. users [those brave enough to admit they run XP on at least one box] seen these problems?
XP users said the updates cause systems to become unstable and some device drivers to stop working. [companion article]
I'll note that I haven't seen any problems recently on my XP box - in fact thanks to a BIOS update and a new video driver it's running smoother than ever (for what that's worth). Have any
Either way, I certainly always like to know what's going on in my system - so I never have it automatically install updates. For those interested in turning off the automatic downloads (highly recommended) - go to Control Panel, System, and the Automatic Updates tab. I have it set on the middle option (to notify, but not download/install automatically). Of course, I have a *legal* version of the OS, you warez kiddies will probably be a little more paranoid about any notifications. *grin*.
Groove Salad -- a nicely chilled plate of ambient grooves and beats.
There are hundreds of quicker ways to have your windows box become unstable...
:)
Installing programs --> unsupported
Installed additional hardware --> unsupported
System booting --> unsupported
Using a monitor --> unsupported
Bypassing a circumvention device --> unsupported
DVD Playback --> unsupported
ever try to get help from MS, or esculate a real bug with them for any of the above?
How much worse could the software be without updates?
I recently had to rebuild a web server after a machine crashed, and getting NT4, IIS Option pack, etc. up and running with all patches was a _very_ long task.
It's not enough that Microsoft patches their products -- they are still shipping CDs of NT4 and win2k with the original 'release' of the product, so installing it means the original install plus a dozen or more service packs, hotfixes, etc. This makes it very tempting for internal corporate PC usage to just skip most of the patches to save time, and makes the process of securing Microsoft software that much more difficult.
They should just release new 'point' versions of the OS with every service pack, and stop selling the out of date CDs! Maybe this would cut down on the useless churn of moving from NT4 to 2K to XP to whatever -- and that would have to be good.
"But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
I am no fan of M$, but it isn't accurate to say they haven't tried. Their biggest problem is that, despite their efforts, hundreds of millions of lines of code isn't fast to repair -- especially not with 10,000 or so programmers who, on a curve, are merely average.
If Linux (etc) were as widely used *by inexperienced* people as Windows, it would face just as many problems.. but at least the code would be there for patches to come out. Then again, how would Mr. Schmoe get the it without some kind of auto-update?
I fear that it will be easier for Microsoft to address most security issues (as they finally have wrt stability) than for Linux, etc. to become fairly user friendly.
Comment removed based on user account deletion
I'm buying a powerbook tomorrow, I swear to Bob..
Somewhere, something incredible is waiting to be known. -- Carl Sagan
Yes, Microsoft products have security faults, whose doesn't? Microsoft's get more notice because of the insane amount of marketshare they have, also Microsoft's software is less mature than the UNIX offerings people often compare it to in terms of tight security.
I remember back in the late 80s and early 90s how much of a joke UNIX security in general was. Back then you could pretty much root any non-.gov UNIX system on the Internet, remotely, at will.. (thanks in large part to SENDMAIL though many other pieces of software had problems as well). People who bitch and moan about how long it takes Microsoft to fix bugs compared to UNIX vendors must not have been around when you could change the IFS under SunOS and easily root the box using any SUID program that did a system() or exec() call (quite a few, at the time)...Even after Sun, etc, fixed that bug it remained unpatched in a huge number of systems for years....
Unix security is better now, but that's in large part due to maturity...Microsoft software will improve as well..Look at how much they've improved stability already when compared to Win95...It will happen...slowly, perhaps.
That a majority of people do not trust MS is not surprising. I don't trust my government, my bankers, my customers, hell... I doubt the guy at the supermarket.
I maybe trust my mum and dad, and aunt jemima for her tasty pancakes - but a software company???
People are cynical enough that they just bumble through life looking over their shoulder bitching about stuff.
I just bought a new laptop - it came with XP pro - already I'm having problems with it. But I bitch about it over coffee and just get on with things. I had to register the software - something I bitched about. IIS won't work properly - bitch bitch bitch. Norton seems to be checking every file every 2 minutes making the thing unusable for the first hour in a day - bitch bitch bitch.
Would I buy another the same - probably.
The trust issue won't hurt MS as much as we'd like to think. And it won't help the alternatives much either.
The movie industry sucks - but a good percentage of you reading this will run out and give them 30 dollars for Tron someday soon.
Why shouldn't they be held liable in certain situations?
This is supposed to be a huge world economic product - they can get this way without any consequences? No worries?
The software costs money. They push a license agreement on you when you pick the product up at the store, when you buy a computer with windows pre-loaded, you are making a contract.
Okay, so in the agreement they sneak in some language that keeps them out of trouble. The problem is before you agreed to that 'contract' you were promised certain things. The product is defective.
Data problems, in most cases, won't affect someone's well-being. But there is data at stake. Their data costs $99 and up. Is your data worth any less? They promise to provide a secure and somewhat stable operating system.
This isn't always the case. It's only becoming an issue because they make so much money in the business. Shouldn't we ask more of Microsoft?
Well, if we can't sue, the gov't does nothing, and products continue to be shipped while 'broken' then something needs to be done.
Simply say it with your pocket book. Pass up on upgrading to XP. Do what ever you think is necessary. Buy an Apple.
I know it's not easy; but don't you feel that many other M$ customers - if not yourself - feel as if Windows is needed? It is in certain situations, but does everyone need it? No.
There are options. Not every option will work for all the people, but let's start to choose something else.
OR! Hold them liable
Get your Unix fortune now!
The nightmare scenario.. Three hours from when a widespread bug (like the recent XP one) and having millions of windows machines trashing everything they touch.
That is the future, and it will happen someday.
Use the warhol worm spreading technique. Read it and be frightened. He claims 8 MINUTES from first infection to millions of infections.
I'm not quite as confident as he is in that number. But I'll definitely agree that 2 hours is more than enough time. (1 million vulnerable hosts, 5 scans/sec. Start with 1000 hosts, each second, 5000 probes, finding one vulnerable host. Thus, after 15 minutes, 2000 hosts, and doubling every 15 minutes.)
And, the more vulnerable hosts, the faster it spreads.
Now imagine a truly destructive payload. One which does not delete files, but corrupts them, starting with the fileservers. It restores datestamps to make it impossible to identify what files are corrupted.
Three hours from exploit to millions of computers corrupting thousands of files. Antivirus won't keep up, hell, warninsgs won't even reach most people until after its demolished their fileserver. With obfuscation techniques, the worm could survive 3 hours without being reverse-engineered.
It spreads so fast, there's no defense. It spreads so fast, you won't be aware its trashing all files until its already started. The only reason we've survived this long is that nobody really competent has worked on a worm.
Be afraid. Be very afraid. The only question is when it will occur, and whether you will be running Windows when the time comes. I hope you keep good backups.
Liability means holding someone responsible for a cost: if the failure of software that shouldn't have failed costs company X $1 million, then liability is a matter of having the responsibility for that failure taken by someone who provided a good or service that didn't meet the reasonable expectations of the consumer. One doesn't wait until the invisible hand fixes things "in the long run;" like Keynes noted, "in the long run we're all dead." (Another Keynes quote: "the market can be irrational longer than you can be solvent.")
Reports from places like cert and bugtraq show that there are just as many exploits out there for *nix based systems.
Network security of this nature is clearly not working when being applied at the OS or software levels, and a more flexible solution than the standard firewall is needed.
What would your opinion be of a 'mini-firewall' included as standard on all new network cards. The firewall would have packet filtering rules filtering out 'generic suspicious traffic' (such as bar an IP address for a day if something containing default.ida and a hell of a lot of 'N's comes through). The rules would be held on a flash ROM, which could be updated when necessary with software from a trusted source such as CERT and digitally signed by a non-trusted one such as Verisign.
Software could also be written to instruct the card to open certain ports and update the rules so that safe traffic for that software can pass through.
Unfortunately, the extra $20-30(?) would probably sink it dead in the water, not to mention the hassle of having to reprogram all network software to work with it. How does the idea stand in theory, though?
update comments set karma=-1, reason='offtopic' where sid=26315
In the "Great OSS Boom of '99" the press was all awash with Linux this, Linux that. MS stayed true to its course, kept on with the updates, and got XP out the door.
/. bias, we're nothing. An article a week like this, even as a back-page editorial, is enough to cost them how many customers?
Now it seems things have changed: more and more, I am seeing articles that are negative of MS. "XP isn't stable", "too many updates", "XP isn't secure", "W2k was fine, why did they change it?" is what I see more and more of. Red Hat gets decent nods, and now even Apple of all people is selling a Unix operating system, albeit one that is packaged in a lamp.
Is MS at risk of losing the press?
Articles like this must drive them absolutely BONKERS. Forget the
How many of the system integrators like the guy in the article will just give up and stop dealing with XP, or worse yet, call Big Blue?
If MS loses the appeal of the popular press - promoting every new release as stable and secure - then they're screwed, even without the class action suits and liability claims. Any more FBI warnings will serve as months of fodder for the rags to hammer on them.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Hello! I'm sure everyone will be glad to know that currently IE (even
a fully patched IE6) can currently...
* Run any command or program off the hard disk
* Monitor the users clipboard, and steal the contents
* Read or steal any file off the local disk
* Check existence of any local file
* Access the DOM, cookies, or read the content of any other website
regardless of domain, protocol or security zones
* Fake the file name in a download dialog
..although most of those only work if active scripting is enabled.
These security holes are all *proven* to work, and could easily be
used to create a devastating worm. Some of them are about a month old,
and still not patched by MS. Delightful.
The two latest exploits are http://tom.vpwsys.co.uk/clipboard/ (mine!)
and http://www.osioniusx.com - see http://www.securityfocus.com for
more.
Dare Microsoft to even think about this. Their worst fear is a world where people choose software based on quality.
Seriously, we don't need to whine about what some legislators are doing about the big bad wolf's coding practices. What we need to do is start setting the example. Say "I write good code!" and stand behind those words. Somebody who knows how should create a version of the GPL that includes appropriate warrantees for Free Software. The "Quality GPL" (GQL?). You don't have to use it, if you think your code is buggy or is a development version. Right now we just click on "Stable Branch" and that sends a message to those in the know, but how much better if you go visit a software repository and find piles of code that are stamped with a license that guarantees that the product is free from defects in workmanship (modifying the source code voids the original warranty, of course, and people who re-release modified code are under obligation to change the license to reflect that).
We want people to get the idea that software that claims to be stable yet comes with the phrase "NO WARRANTY" is probably a steaming turd. Especially if they paid good money for it.
Naturally, you can't predict how some people will use your product. "No, sir, the VCR does not function under water." Your code might not work on an SGI, either, if you developed it under HPUX. Using the product in a manner not intended will void the warranty. Sometimes it's not a bug, it really is a feature (or the lack of one). But if somebody finds a bug, you WILL fix it, won't you? Why not put that in writing? Even offer a monetary reward to the first finder (how about $2.56?) of every bug.
Note that agreeing to fix bugs, or claiming that your product is bug free, is completely different from assuming liability if the user uses your program to kill himself. That's a completely different story.
Yeah, so we all know it insecure.. That's a given, however I have come up with a super secure patch. Whenever I step away from the machine I unplug the ethernet cable. When I go away for vacation I usually pull the plug AND apply a little epoxy to the ethernet jack for extra security.
So if anyone wants to see my website, please send me some email first.. be prepared for a little delay, that epoxy is tough to dig out of that little hole.
air and light and time and space
So, it is actually in their best interest to do shitty software, in order to prompt lawmakers for such a change in law. Once the law is passed, they clean up their act, and watch with glee as OSS developers get sued into oblivion by liability lawyers...
Such law should have a provision that it only applies to commercial software (i.e. software that is sold for a price, or on the base of signed license contracts). Free (as in speech) software should be excluded from such liability. Free (as in beer) software would still be covered, by considering it as promotional material to sell commercial software (i.e. give away Internet Explorter to sell Windows).
Say no to software patents.
your sig! Now I understand the reason for the auto update feature.
When in doubt, have a man come through a door with a gun in his hand.
They're doing permutation scanning.
Both statements could be accurate. ie, that their programmers are merely average, and that they hire only 2 per cent of applicants. It may indicate that they recruit badly, or that they attract people who are generally below par.
Having a degree does not make a good programmer necessarily. I say the proof of the pudding is in the eating. In this case, MS programmers eat alot but produce very little - a sure sign they have worms.
If the pattern goes 9am, 10am, 11am, why isn't noon 12am?
Yet Another Microsoft Apologist
What about Apple? Are we forgetting the fact that the original Mac was relatively secure for over a decade, despite granting full root access to whoever? Yes, there were virii and trojans and whatnot (can't really be prevented) but the design of the system prevented a lot of problems for the average user. These are the same average users who are going to be affected by the XP problems, not UNIX admins.
MS-DOS and its descendants were around for even longer than the Mac, and the NT system is very mature. Why can't they match Apple's security?
I'm sick of MS apologists. Microsoft makes shit. It's shit that's getting better, but it's still shit. Don't whine and say it's unfair. They have the money, the power, and the resources to make what is far and away the best software in the world. And yet we get articles like this, and we get people like you whining about how MS is being treated unfairly. Forget it.
As the market leaders who the majority of the world depend on for their computing needs they deserve heavy criticism.
As predatory monopolists they deserve heavy criticism.
As people who promise security they deserve heavy criticism.
As people who would like nothing better than to see Windows everywhere, and the GPL and Linux and Apache and SAMBA wiped off the planet they deserve heavy criticism.
So fuck whining about how MS is treated unfairly. If we complain enough then maybe they'll listen for a change.
"I may not have morals, but I have standards."
that's the most stupJ00 4r3 0wn3d!id thing I've ever heard! My Windows XP box h45 b33n h4x0rd h4h4h4h4h4! sorry, I don't know what's wrong with my keyboard10wn3dj00 it keeps messing up.. but anyway, Microsoft security is perfectly fine here
If you were me, you'd be good lookin'. - six string samurai
Or build a housse correctly?
...
Like the houses in inland Florida when Andrew hit?
Impossible, maybe not. But highly improbable.
The key question is how good is good enough? A car at 155 is not the same as a car at 55.
You're very right about Sircam. Follow the progression since Melissa (Remember Melissa? Melissa was nice!). Now extrapolate
I will admit readily that I haven't read many of the comments here, but I have to say this:
/. crowd, this may come down on you a hell of a lot more - do you carry terribly expensive Omissions and Errors insurance? I didn't think so.
Many of you should think twice before hailing Microsoft's downfall should it happen to stem from software fault liability.
Read the article - part of the major point is that a legal precedent could be set that would allow for far greater liability on the part of software developers that deliver flawed code.
Think about that for a second - all of the software that *you* have developed for clients that have pushed the boundaries on budgets and timelines is *totally free of bugs*? Even totally free of bugs that might eat their data one day? Myself, I occasionally lose sleep thinking about a bug that I *know* is in code that I delivered to a client that has no more funding to pay me with to clean up the system.
I personally feel that I have legitimate protection from liability for loss in those situations given that I expose the problem to the client, honestly tell them how much it will cost for me to fix it, and explain that the coverage for corner cases wasn't there given the budget they provided.
Are you ready to stand in court against precedent that you are liable for the business cost of a bug in your code? I'm not.
I am not a MS loyalist in the least (yes, I'm posting this from Win2k, my work platform for clients that I do Win work for) - in fact I wish to see serious stipulations on their bundling and BIOS issues mainly - but I don't think this is the right angle to crucify them on because it will come down and affect me.
From what I understand of the current
-astro
My boss had something similar. New laptop. Not keyboard/mouse, but couldn't make a network connection. Finally I booted RedHat 7.2 Systems Administrator Survival CD, downloaded NTFS kernal module, and put about 3 gig of stuff where I could later recover. (Hint to RedHat: It'd be easier rescuing broken XP systems if you included the NTFS (READ ONLY) kernel module.) Reinstalled and reloaded. 1000MHz with 512Meg. Pathetic performance. Turned off what eye-candy I could find. Brought it back to somewhat reasonable.
Commercial vendors are responsible for what they produce. After all they sell the work for money. Programs should work as advertised. If Win98 is advertised as faster than 95, then it must be faster. If it's better for playing DOS games, then it should be indeed better. If MS says it's secure (*snort*), then it should be secure. The vendor shall be responsible for serious security bugs, but not user stupidity. Not preventing you from doing an 'rm -rf /' doens't qualify.
GPL should remain as it is. That's logical, many GPL works are *in progress*. Open Source applications take advantage of the openess, which lets them be released early, in an incomplete state. For example, suppose I am a technician and make my own TV. A friend comes to my house.
Friend: Whoa, what's that?
Me: The TV I've been making
Friend: Can I try it?
Me: Sure, but it's not finished. Be very careful with it.
Now, should I be liable for damages if the TV that I already said is experimental catches fire? Of course not! I didn't make it as a professional work, it's just a toy I let somebody try.
An useful addition would be the QGPL (Quality GPL somebody mentioned). Standard GPL, but with additions. How about:
The software must be reasonably secure. That is, it won't let people break into computer, and won't delete all the data on your hard disk. The bug that doesn't render correctly HTML for site foo.com doesn't qualify.
All the reported bugs will be fixed in the next stable release
Perhaps as some people do, like D. J. Bernstein (the author of djbdns) offer a reward for serious bugs.
Maybe something else
Ideas? Comments?
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
While Microsoft has a shocking attitude towards security, the real problem is not their software itself. The problem is that they are a monopoly. If everyone runs the same software, even a small vulnerability can bring the entire network down.
Microsoft should be more security conscious but that really does not solve the core problem.
Unfortunately, most people do not see security as enough of a priority to deal with the cost and hassle of changing software. The only solution I can think of is to encourage people to make backups. Backups do not help when a virus destroys hardware but they are better than nothing.
Eventually, there will be a truly devastating internet virus. We have gotten lucky this far but our luck will not carry us indefinitely.
In a previous comment on another article, I noted that Unix has spent its time "in the trenches". Infosec history is full of Unix and its exploits... and its eventual improvement. But it is too easy to look at this history and learn the wrong lesson.
Unix's history of security flaws is less about Unix and more about infosec awareness. Unix changed as the understanding of infosec and security principles changed. While time has allowed more of these flaws to be discovered and removed from the Unix code base, the process over the years has been more about knowing what to look for (or even to bother looking). And as this understanding of infosec principles, concepts, and procedures has increased entirely new chunks of unix code has materialized - sometimes to fill a void, but often to replace another project's functionality with a new design that has taken security issues in consideration during its inception.
In short, Unix does benefit from its maturity. But the greater lesson is the infosec mind set. The tao of security, if you will. And these are concepts that can be applied to any project / OS.
The claims that Microsoft will "get there" with maturity are misleading. Microsoft may indeed improve. But its not maturity of their code base that's at issue. The issue is whether Microsoft will begin to understand Security and design systems based on that understanding.
Microsoft has shown signs of improvement with a sudden handful of security tool offerings. But unfortunately, these are really superficial afterthoughts to an already flawed environment.
Microsoft's problem is not technical; its cultural. Microsoft is a technology company that excels at marketing. Articles by Microsoft coders talk about the push from Marketing to add additional features at the cost of bug-hunting and resolution.
This kind of environment clashes with two infosec concepts. The first is that vulnerabilities are bugs - something malfunctions in an unexpected way, leaving the system vulnerable to intentional manipulation of this bug. The second is that there is an inverse relationship between functionality and security. Increasing the number of features, and the ease of using these features, often threatens a system's security.
Marketing at Microsoft will first have to care about infosec issues (this may be happening as Microsoft gets more and more negative press). Then Microsoft will have to strive to design secure systems even at the cost of features (and possibly even abandoning or severely restructuring current systems).
It will take a maturity of a different kind.
This web page from Fairfield City should be enough to convince you that Microsoft security is good enough for storing credit cards, your e-money, financial records and anything else.
Tell your friends about xenu.net
Think about it. Viruses spread due to flaws in design or weaknesses inherent in that design. Why shouldn't a facility to protect against those weaknesses be a part of the OS?
Why does Microsoft feel the need to bundle and integrate a browser, media player, and instant messaging into the OS to "innovate" yet continue to not take steps to protect their core OS from virus threats?
To really implement tight security (the only kind that will prevent 95% of viruses) means a drastic change in microsoft's entire line of products. The fact is most people know better, but when they sit down at a computer their brains turn off and click everything. Only way microsoft can prevent all these email viruses isn't to turn off "launch attachment", because people will turn it on the first time they get an attachment. It's to require users save the file, scan the file and limit user account in windows. That means users have to login as the administrator to install programs and do updates. I'm sure people are saying, "just like unix."
Will people put up with less convienance after they've had it for 8 years? My guess is probably not. In the best case scenario, people will slowly get used it and take 25 years to replace all the old software. Short of giving away their software, microsoft will have a huge headache of replacing all the outdated version with hacker friendly features.
I disagree. Many of the virus problems that have plagued MS are because they included features along with brain-dead defaults that made it easy for viruses to propagate.
For example, hiding known file name extensions by default often tricks users into launching an executible attachment when they think it's a jpg or somesuch.
For example, executing code automatically, especially in preview windows was a stupid default.
The list goes on and on. The bottom line is the features and defaults were seemingly determined by marketing personel.
Come on, that list is more than 6 months out of date. No objective stats of occurrences of incidents are provided (try the CERT site for that). Many of the references to advisories/bug reports etc are even older than 6 months (a quick scan shows two or three that appear to have been logged in the year 2000, the rest seem to be mainly 1999). The newest CERT advisory on sendmail for instance was raised in 1997 on version 8.8.4. In fact, basically the whole list comes under the categories a) running out-of-date software, b) running software on machines that don't need it. e.g. DNS on a machine that isn't a DNS server.
In fact there is a more up to date and better structured list here:
http://www.sans.org/top20.htm
Even on this page, taking the sendmail example (ref U2) again, the most recent bug report they quote is on 8.8.4 which is ancient (8.8 was release before any of sendmail's current Open Source competitors were even written). Which means that this vulnerability is really an instance of not keeping your software up to date (included in G1).
Use your common sense, the biggest computer security problem at the moment is viruses and worms which affect mainly Windows systems mainly because of the popularity of Windows, particularly amongst non technical users.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
The big problem here is that Microsoft presumes that it's interest in updating software supercedes the end-user's control of his or her machine. Why would any user want Microsoft doing anything to their machine without prior consent? The interest of a software corporation and the end-user are fundamentally different... Even local IT managers often screw up work in progress when updating software--usually timed for their convenience, not the user's. I am thankful that Microsoft is so incompetent; perhaps the ill-conceived notion that a central authority should dole out and control tools that have already been purchased by end-users will at last come under question.
Oh no, there's a security problem in everybody's favourite jungle 'n' cave sideways scroller! Hang on to that rope too long and it deletes all your files!
Oh, "Security Flaws may be Pitfall For Microsoft". I really must stop speed-reading everything...
There are a lot of people commenting that the GPL should remove it's no warranty clause if MS should. There is a fundamental difference though between the two licenses.
The GPL allows others to fix problems that occur, MS's license doesn't. More importantly, GPL software is traditionally not being sold. There should probably be a GPL license with a quality assurance that is specificially for selling GPL'd software.
It is obsurd to think that a programmer would enter a binding contract to work for free. It's funny though because every other industry has to stick by some sort of warranty. I don't know how the computer industry gets away with it...
int func(int a);
func((b += 3, b));
Funny, as I write this we are trying to recover data from our compromised Linux system (RedHat).
When a coffee maker makes bad coffee, can you sue the manufacturer? We've heard about people sueing Mr. Coffee for burining down their house or maybe even squirt boiling hot water at their faces, but what about for bad coffee? What if your business depends on the quality of that coffee? How about televisions? Can a bar owner sue Samsung because their TV is fuzzy during a football game, which many of their patrons come to watch?
What happened to testing out and researching what you buy?
That's interesting!
In the US, the sidewalk in front of your house is the responsability of the homeowner!
You most likely will be sued, and your insurance company will settle - no contract, but you'll be at least partly liable
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
Not entirely true. The homeowner is responsable for keeping the sidewalk clear, but the homeowner is not responsable for upkeep. The government has to fix cracks and such. The homeowner just has to plow snow.
In NYC, you have to fix the sidewalk too, and if you don't the city will, and send you the bill
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
DRM? No thanks, I'll just get it somewhere else...
Comment removed based on user account deletion
We all want Microsoft to be held accountable but the little guy should be free, right? Then make this accountability the punishment that Microsoft has to suffer due to the guilty verdict in the anti-trust case.
The article states, that people will start using effective strategies to prevent this from happening only after it has happened. The reactions of Microsoft in recent cases only seems to confirm that. So it is highly likely that we will see such a scenario at least once, and probably with a much more destructive damage routine than what we've seen until now (the sneaky data-corruption scenario is quite troubling, since once it started you can't trust any of your data anymore, even worse would be a virus (or a module piggybacking on it) that is stealthy enough to work unnoticed over the period of some backups).
Also the Article shows, that Virus scanners are not really a solution, since they can only react to known Virii. Also automatic updating/patching software is no solution, since that introduces other security holes and other problems, and in the end such a system also can only react. What we need to do is implementing basic concepts, and the named candidates (turning of unnecessary features, diversity, security by design, learning from the past (overflov exploits are still common), security audits, traffic control) are a very good starting point. But that costs money noone is going to spend before understanding that they have to. Very obviously it's not enough to read about such a scenario in a theoretical paper, to happen in some hazy virtual reality, it has to be in the news, and the billions of damage have to have already happened last night.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
It's my understanding that anti-trust cases are brought against monopolies when their business practices to maintain their monopoly are to the detriment of the consumers. At least part of that detriment is the way Microsoft spends more of its attention on squelching competitors than on making a stable, secure product. If Microsoft was forced to focus on good coding (or at least suffer the battery of lawsuits that would start up when they didn't), they couldn't continue to focus on their illegal business practices.
Here in the US (NYC at least), the city is responsible for the ROAD, but the homeowner is responsible to keep the sidewalk and CURB in good condition -In NYC,(s)he is also responsible to sweep the gutter of the road - in fact a business is supposidly checked up to 2x day (I thing it's 10am-11am, and 2:00pm to 3:00pm) and if there is any litter on the sidewalk, or in the gutter, they can get a ticket! I'm not saying it happens often, but...
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
First:
And then:Director of Security Assurance ??!?!
If you can imagine a more Dilbertified position within a company....
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Hate to say this, but as a windows user, windows has been good to me. I run win95 on a laptop (p75 & 16 megs of memory), using it primarily with bitchX, adobe reader, and microsoft's lit reader, and the machine has rarely crashed (I can't remember the last time it did). It also doubles as a quick and dirty win32 apache + php server, plus it has e4m on it for encryption, and a few apps (Vim) and games (Nethack, Nesticle, zSNES, etc). Btw, never had a virus on that machine.
My desktop is a 1.13Ghz AMD machine with Windows 98SE and a ton of software installed. Active Desktop is turned off. It is another remarkably stable machine, save for a few things. Winamp 3 will crash it if its burning a cd at the same time. Ultramon seems to add to instability. Doom will occasionally crash. Other then Doom, I don't have any problems I can't live with by avoiding the software. Btw, this machine never had a virus either. :) Other then a bad stick of memory I had installed for 2 weeks, I've never had a problem with this machine.
So, why do people have problems with windows? Crappy software. Cracked software can be unstable. The $10 games are crap. Comet curser is another item I've seen lead to instability. And finally, poor hardware. The amount of software installed (but not running) isn't a factor, I probably have over 100 programs installed on the machine. At boot, (off the top of my head), the following programs load - VNC, E4M, PGP, ICQ, TinyFirewall, Norton Antivirus, InCD). I have a tendency to run webservering (apache) or fileserving (warFTPd) software. I run games, everything from Nethack to Diablo, including Mame32 and TuxRacer. I use realplayer, gdivx, windows media player, and even (rarely enough) quicktime. The machine gets a lot of use under a variety of circumstances. And its stable.
I'm sorry, but its not normal when windows crashes. And BSOD's aren't normal either. Its either bad hardware, a corrupt install, faulty programs, or poor drivers.
Just my $.02
On most modern PCs, the BIOS is flashable. The control chips on the IDE drives are flashable. The CPU has flashable instructions. These are all there to deliver upgrades in case of a bug.
Now, imagine a virus that destroys the IDE control chips on each drive (no accessing the data again, short of mechanically removing the platters), destroys the BIOS (no booting again short of physical replacement of the BIOS chip), and destroys the CPU (instructions are broken, starting with the ability to update the instructions).
Cross this with Warhol propogation techniques. While you're at it, delay the payload long enough to maximize propogation rates, but not long enough to allow antiviral reaction.
This could lead to *hardware kill rates* on the order of 10%-50% (or more) of the computers on the Internet. None of those computers would ever work again, and data stored on them could not be easily recovered.
All of this is doable from publicly documented information, crossed with the Microsoft wormhole-of-the-week.
Are you frightened? I am.
Hand me that airplane glue and I'll tell you another story.
If MS loses the appeal of the popular press - promoting every new release as stable and secure - then they're screwed, even without the class action suits and liability claims.
I just have to laugh when I see stuff like this. Ooh, Microsoft's gonna get in trouble! No they aren't.
The vast majority of people who buy a copy of XP aren't even aware that they are buying a copy of XP. They buy a computer. To them, if they even know the words "operating system," it has no meaning to them beyond what it is they see on the screen. They certainly don't choose an operating system. They go down to Circuit City and buy a computer because all their friends have a computer, and they want one too. Or else they need one because they have a computer at work, and they want to work at home.
Is there any evidence that Compaq, Dell, Gateway etc. are particularly concerned about security flaws in the bundled OS? No. They want to sell boxes, and they have to sell as many as possible, because their margins are low. Are people going to complain to Compaq, Dell, Gateway etc. about the OS? Sure, but they're going to complain to them about anything whether it's related to the machine or not, and at least there may be the option of foisting those calls off on Microsoft. Are Compaq, Dell, Gateway etc. going to complain to Microsoft? Maybe, but Microsoft has them by the short hairs, and they know it.
What's going to happen with some bad press? Not a damned thing. People might become irritable and insist that Somebody Do Something, but they're going to keep shoveling money into Microsoft's maw anyway, and they're not going to slow down.
Mumble mumble class action lawsuits? Yeah, right. The DOJ spend a whole lot of taxpayers' money to do nothing over several years. Half the states capitulated to a non-settlement. Microsoft isn't going to run out of lawyers any time soon.
Truth, Justice, and the American Way? It was the American Consumer (who is always right, and don't you forget it buddy) who made things this way by their choices. It isn't going to change.
Is it good? I don't know, I guess it depends on what your priorities are. If what you really want is rock solid quality software, then yes it's good.
Rock solid, yep that's what M$ makes computers, kind of like a paperwheight that blinks and makes noises between blue screens. Wooohooo, don't do nothin for yourself folks, Sheldon is going to save us all with solid software. Pththth-fiiit!
Sheldon is not a real person. Sheldon is actually the name of a highschool debate team in Tel-Aviv. Not quite as interesting as signall11, but more comments. As dispair.com reminds us, when you redouble your efforts to make up for ineptitude, there is no limit to what you can't get done.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
The reason for pessimism is the number of laws and court decisions that have recently been strongly biased in favor of corporatations and against individuals. Also, more generally, in favor of the extremely wealthy and against those less wealthy.
P.S.: read the infoworld article on the remake of UCITA. In some ways it's even worse than the previous version. And I should expect a favorable outcome? I may hope for one, but expect it?
.
I think we've pushed this "anyone can grow up to be president" thing too far.
Software liability will be a tricky because of a domino-like effect: you may want to "guarentee" the code you wrote, but how can you do that unless you also guarentee the operating system it runs on? A bug in the OS may ruin your program. Oh, did you write the compiler you used? Maybe the compiler has a bug and introduced an optimization bug. Did you build the hardware? Do you really know if it works properly under all circumstances?
That is to say, some limited liability would be very useful. It would force vendors to feel some pain when they unleash buggy code.
For example, if Hailstorm/Passport/whatever has a security problem that leaks user credit card info, who is liabile for the fradulent charges? Hint: not Microsoft. If by law MS had to back the faulty charges out of its bank account, I predict Passport would be immediately withdrawn for a couple years of "redesign".
I see. So it's OK for people to run around advocating Linux or Apache as a serious alternative to WinXP or IIS, but the former are not to be subject to the same liability and the contributors not subject to the same incentives? Realistically, these two claims are not compatible.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
In reply to all those "Software is IMPOSSIBLE to secure" posts:
By comparison, so are pharmaceuticals.
(intravenous drugs for example: it only takes a few bacteria to cause a potentially lethal infection in the patients)
Yet scandals are rare. Why? Because of control.
Everything is controlled in incredible detail. Look at the production lines in the pharma industry (I've personally visited a few), and you'll immediately become aware of the safety.
Saftey starts *long* before production, even before the factory is built they're planning and designing for product safety. The routines of the staff are tightly controlled. Quality assurance staff are everywhere, continuously probing production. Basically, safety is a fixation, it permeates the industry from the start to the end.
Why? Because they have to. It's the most tightly regulated business in the world, if the ventilation in that clean room isn't up to code, (which means replacing the air completely in 2 minutes) the FDA will shut 'em down immediately.
Now I doubt we need this kind of regulation for software, after all, Microsofts customers don't die when MS screws up. (Thank god- what a holocaust that'd be.)
But they definetly need to get security into their heads. As usual, money provides the best incentive. Hold 'em liable.
As for OSS companies, heck, I thought Quality Management was what they did? When I buy RedHat Linux, I want a kernel that is stable and safe, packages that work together, etc. That's why I'm paying for it isn't it?
If they support a product, they should take full responsiblity for it.
As to whether it actually meets said standard -- yes, it would be good to have an independent testing team, but who's going to fund it? Do you only get to have a rating if you can afford to help support the test process?
That being the case -- I'd suggest a twofold system: a rating the software author agrees to meet, and a number assigned by independent review when that is available. So if I claim a 3 rating but actually manage a 4, I get a 4/3 rating. Consumers have caught onto similar systems quickly in the past (such as gas mileage ratings on new vehicles).
To extend the idea another step, the penalties for failing to meet said standard should also be set on the same scale, so there will be no question how heavily any breach of performance standards will be penalized. Frex, if you claim to produce grade 5 software, but it's actually only grade 4, you get one increment worth of penalty. If you claimed grade 4 but it was really grade 1, you get 3 increments worth of penalty. And so on. That way someone who tries but didn't quite get it right doesn't get penalized as much as someone who really screws up and doesn't care.
If you can't afford the liability, then don't claim the reliability. Simple.
Occurs to me that liability insurance for software (both individual and corporate products) could quickly become reality under such a scenario, with premiums set apace with the reliability claimed for said software.
Perhaps it could start as a voluntary system, which develops coercive force on the software industry as consumers become accustomed to the concept and as more funding for independent testing becomes available -- the system would make it in the publishers' best interest to support it, perhaps with some charity testing for free software.
Anyone else have ideas for how to extend the concept?
~REZ~ #43301. Who'd fake being me anyway?
OK, OK, we've had the MS-bashing, and we've had the "Oh, no, it will destroy the free software/OSS world as we know it!" panic. Now perhaps it's time to sit back and take a realistic look at the situation from a software developer's viewpoint.
Developing software with few or no bugs is possible. Occasionally, it has even been done to prove it. Look at TeX, for example. However, you get diminishing returns for your QA effort.
One possible alternative is to adopt a genuine engineering-style approach to software development. When making a bridge, if the engineers say it isn't ready, it doesn't open until it is. Construction outfits who violate this "rule" are probably open to subsequent legal action in the event of an accident, on negligence grounds. Software "engineering" is obviously not subject to similar accepted practice, and when the engineers say it isn't ready, the managers tend to ship it anyway to keep the sales guys happy.
Producing truly high quality software (in the bug count sense) normally requires both a considerable amount of skill and a considerable amount more effort than normal development. Microsoft would have the resources to do it, I suspect, though whether even they have enough truly skillful developers, and the quality of management to support them, is open to debate. What is certain, however, is that if they tried, the price of their products would rocket. They would become uncompetitive, as their customers adopted alternatives that lost data occasionally, but cost 1/10 as much. Yes, that is the sort of cost difference we're talking about, at least.
However, even if you somehow make it commercially sensible to develop high quality software at that price level, you would still undo all the good if you allowed arbitrary liability on the part of the developers. As with things like intellectual property, you need a reasonable compromise. In that case, it's copyright or patents for a limited period, long enough to take advantage of your efforts, but not enough to keep things from everyone forever. In this case, perhaps what's needed is a set of accepted standards for liability. That would in one stroke do away with both some absurd licensing restrictions and pathetic QA on the part of certain developers, and also protect those consumers who are genuinely harmed by poor development standards.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I've done that, pretty much. Back in the mid-1980's, I worked on a HASP bisynchronous communications package called HASTE. Hardly anyone uses HASP anymore, but it was a bit like telnet and FTP with guaranteed delivery, error correction, and compression, over bisynchronous communications lines. The program ran at first on CP/M machines and later on MS/DOS machines. It provided redirection to console, printer, and disk file, and redirection from console, disk file, and "reader." It had full on-screen help, a built-in text editor. It was menu- and event-loop driven. Not the most sophisticated program ever, but not too shabby.
We were very concerned about making it bug-free, even to the point of including patches to operating systems and working with developers of many new computers to make sure their software and hardware could run it. We used to give demonstrations of the running program where a member of the audience would be invited to cut the cable during a transfer of a lengthy file. Then we installed a new cable, and the transfer finished.
Even though we had a No Warranty sticker to keep the lawyers away, we offered a deal. The first person to find a bug got a free dinner at any restaurant. We had to pay off exactly once--at the restaurant in the Alexandria Hotel in San Francisco. We fixed the bug, of course. It was a cheap way to learn something about our program.
Things were pretty good for five years or so. We got excited about what was happening in the field. Most other companies seemed to share our ethic. Then things got depressing. We started to see people go out of their way to buy crap and get rid of good stuff that worked seamlessly. We saw companies throw away X terminals that worked, forbid their graphics designers from using Macs, and institute All-Microsoft policies, resulting in most cases in a loss of productivity and endless headaches. We watched a new generation of people materialize with a Beavis and Butthead uh-huh all software has bugs mentality.
I think I'm the only one of the group that does any serious sofware development any more. I have gotten way better as a developer. I am even vaguely embarrassed about that first bug-free success. But, two years ago, I was unemployed for more than a year. It was a bad time, and I lost my wife and just about everything else, including big chunks of my emotional capacity. I finally did make it back and am doing very nicely financially, but I'm not doing anything important, and I keep myself sane with Open Source side projects.
I know from reading TechRepublic and similar boards that about 90% of all IT-type managers and hiring people would never consider hiring me. They have the blue-collar Beavis and Butthead mentality, too.
What's the moral of the story? I think it's that developers aren't the problem. Nor is a lack of enough lawyers. The real problem is the business of the marketplace and the ethic that drives it. There are still some good development houses out there that make stuff that works. Macromedia is, I think, one. Adobe is another, their idiocy with Dmitry notwithstanding. But they are all either games houses, industrial control shops, and companies that established themselves when the marketplace still permitted the production of quality.
Nowadays, people might bitch about poor quality or demand that some lawyers do something about it, but they still make their decisions in such a way as to encourage and reward crap.
Destroying a computer is not the worst you can do.
Corrupting the data on the computer is MUCH worse.
Think of a database for an ecommerce server. A virus that understands the database format, and turns every 7 into a 3 in the database. Credit card numbers (I'm sorry, sir, your card has been declined), prices, product IDs, addresses, zip codes, telephone numbers (hope this doesn't happen to your phone company), social security numbers. Everything on that database.
Then it transmits itself to another host, and removes itself from that machine, attempting to cover its tracks.
Destroying the computer is *nice* compared to letting it run for the next month with incorrect data. You just corrupted the next 7 million transactions that system processes. And how much does it cost to correct that? Restoring a nuked server is cheap by comparison.
Which would be worse for a serious ecommerce business? Being down for a day? Or having to check every transaction that was processed for the last 30 days, and dealing with mischarged customers, fraud charges from CC#s billed incorrectly, incorrect products shipped, lost packages that were misaddressed...
Destroying a system is bad for a home user... corrupting it can be deadly for a business.
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
--
"I'm not sure exactly what an AS/400 is, however, I'm pretty certain I wouldn't want one up my ass"
Miss Thistlebottom, my seventh grade English teacher, asked me to relay this message: "Did you say 'flaws . . . HAS begun'"?
Actually most flashable cards have a backup non-flashable ROM, mainly in case the power goes during a BIOS flashing or similar. Also, chips can't turn off write access to themselves so if you just have a valid ROM to boot it, you can overwrite the BIOS again with a working version. When there was this BIOS-overwriting virus some years ago, there were a few laptops that didn't have a backup chip, probably to save space, and they choked permanently. The remaining ones were just to reflash, problem solved. After that, they've learned.
Kjella
Live today, because you never know what tomorrow brings
No kidding. I had to read that twice before I believed I had actually seen that in the article. "Our software may not be secure, but you'll sleep well at night knowing that our first rate Assurance Team is hard at work."
Dyolf Knip
I think I remember the origional Morris worm as being fairly buggy and unreliable.
By this, I meant assuming a worm that was carefully tested and not buggy. Many of the worms out there are buggy. Even the origional code red had flaws.
Why should RedHat care about recovering broken XP systems?
No reason they should. They do care about recovering broken RedHat systems, but that pretty much translates to recovering broken systems, XP systems not excluded.
Shouldn't the vendor have provided said facility?
Yep. Will they? Nope.
It would take a while to catch on, of course, but if it embarrassed a few QA depts. into really satisfying software quality requirements instead of merely meeting suit-and-tie marketing requirements, that would be progress.
~REZ~ #43301. Who'd fake being me anyway?
Part of the reason I like windows is because I don't have to think about things like that. Oh sure, I never have the best security, but I don't use outlook or IIS, I don't run exes that spammers send me, and I'm behind a firewall, as well as running zonealarm. I'm fairly well protected.
Anyway, while it's possible that someday someone will hax0r windows update and slap some virii in there, I'm not too terribly worried about that, especially now that most of the big DNS railroading exploits are supposed to be patched. I just want autoupdate to keep my system relatively current so I can get back to what it is I do best; Downloading pr0n.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You have misconfigured it - simple as that.
I have the default installation from the CDs, just like most windows users have the default installations.