Microsoft to Focus on Security
Anonymous Minion writes: "The Associated Press is reporting that Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to employees, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority". Gates said the new emphasis was "more important than any other part of our work."" People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong. (rimshot!) Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
Adopting new ideas I see..
Microsoft to Focus on Security and pigs fly, tonight at 11!
If you celebrate Xmas, befriend me (538
not after all of the problems in the past.
If you look at the other side of the story, this is pretty much admitting that they haven't cared about security at all. At least now they'll release more PR regarding security issues.
Especially if they find that anyone's distributing exploit code.
--- http://foo.ca
Hmm... Now that basically all of our code is developed and systems are embedded in concrete... let's try to secure this, shall we?
Maybe they should have thought of this BEFORE they rewrote the OS?
The ______ Agenda
sure no problem, now that we've got about 100x10^6 lines of code lets go through and ask ourselves which are not safe in combination =>
Normal slashdot staff overreacting again. You can turn that ID off. Granted, they should make it default to off, and ask you before they go around putting out supercookies, but it's possible to fix the hole. Even in WMP6.x. This was going across bugtraq today. Apparently, if you have the ID backdoor disabled, it generates a random number each time the control is queried. Spare his page, though, I wrote this with no replies (first post, almost), and the page was already horribly slow.
funny munging
for anyone who avoids M$ because of their lack of security, i think this will be seen as too little, way way too late.
Shouldn't this be in the humour section, instead?
Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority".
For some reason, whenever I boot into Windows, I have a strange feeling that it's spying on me. That quote from Billie G certainly does not reassure me.
Why does Microsoft saying they're going to focus on security remind me of the US government talking about campaign finance reform?
If using Linux is about choice, how come people complain when I choose to use Windows?
install linux, remove winbloze :)
Coding projects blog - Code Slim
After reading the article, and also having my Microsoft account rep call me up after I have told her that I won't be installing my "enterprise" (every time I say that word, my whole team breaking to ST:TNG theme song), because the cost of making sure Microsoft's buggy software (generally Office and Windows W2K) costs me more than the operating system does itself in both actually purchasing costs of software and man power required to check, recheck and check again that everything is set up tight... My account rep had the hide to say this afternoon, "So now we have promised to do this, will you upgrade to Office XP now"...
Nothing has changed as far as I can see, nothing will in the next 1 - 2 years because Microsoft will take that long to get what we currently have running NOW working correctly, and I just feel this is another ploy to get Microsoft to force us to upgrade to the latest and greatest operating system because they are promising that this time, really folks, this time it will be the most secure and stable release of Microsoft software EVER!, as if this is hard to do!
Grrrr, too many NT crashes, not enough intelligent techs to figure out what went wrong, other than.. oh just reboot!
`find / -name "*your_base*" -exec chown us:us {} \;`
This will undoubtedly be followed by another announcement, claiming that MS pioneered the "Trustworthy Computing" movement in the computer industry.
I don't know what form this security missive may take, but I would assume years of integrating identifiers into anything they can would be hard to overcome.
HAHAHAHAHAhahahahahaHAHAHAHAHAHAHAhahahahaheeheehe e.
I guess those stories suggesting that software companies might become liable for damages arising from security holes put the fear of God into him.
so now all of the pr0n sites will know exactly what TYPE of pr0n to feature on the front page whenever I *happen* to stop by...
well, at least maybe I'll get more targeted advertising... ya know, nothing against transvestites, but the pr0n of them in an advertisement just does NOT make me want to subscribe!
Just think of the implications!! Microsoft has already been "focusing" on performance, stability and security for many years - and look at the results! Such delightful products such as Windows 95, 98, ME, and NT.
This space intentionally left blank.
Security over function. That makes sense. I already love it every time windows warns me that I am about to do something dangerous, restricts me from seeing files I shouldn't touch by default, and dumbs down everything to the point where it takes me 45 minutes to make the machine useful after a clean installation.
Now they are going to focus on security instead of function.
I have a pocket calculator that adds, subtracts, multiplies and divides. The square root button is broken. I just jammed an RJ-45 cable into the slot where the battery normally goes. It appears to be doing nothing.
I'm certain that my calculator now meets Bill's new objectives. It does nothing, but is entirely secure. Particularly since it is behind a firewall.
Good idea Bill.
-Rothfuss
Now that's an oxymoron!
I wonder if people actually catch that line in the EULA, "I give my soul and first born to microsoft, yarda yarda!"
I Agree.... Click!
;-)
Remember: the latest version of windoz itself is subscription-based, which means another unique ID. Not taking into account the other uids found so far in the microsoft office, processor id, network card MAC, not counting the yet to be discovered unique ids, the "passport" centralized accounting, the whole micro$oft thing is in itself a gigantic polymorphic security and privacy concern.
-- javaDragon is an instance of JavaDragon.
I almost lost my Mountain Dew when I read that headline!
"Adequacy.org: Where congenital stupidity is not an option, but a requirement."
Hmmm, I think I'll go read slashdot today...
It looks like you're trying to reach the internet, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."
Arrgh, *click ok* (stupid microsoft)
Your computer has begun downloading information, this is a potential security risk. Find out more about how your internet experience is made more secure with Microsoft by clicking "Find out more." If you wish to continue, click "Ok."
And so on!
My Karma was at 49, then they switched to words. All that work for nothing!
This is all fine and well ... but it really depends on what MS consider to be security problems.
.. just give the old "To fix this problem we recommend upgrading". Which of course, isn't free :)
... even the oldest projects can be fixed!
:)
And will they fix security holes in older products? Probably not
This is why I like opensource so much
Anyway it's all probably only a PR stunt. We'll soon find out I guess
As I am reading this discussion, I see the same story on the 10:00 news. The story ends with the line: "...to make users feel safe on the Internet," as they show boxes of Windows 98 Upgrade rolling down an assembly line. Yeah, I feel safe.
..."Trustworthy Computing". This sounds suspiciously like a buzzword-name for digital rights management, especially after that paper on making an OS that prevents anything unauthenticated from getting at secure content.
Anyone else notice this?
m:
the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem to have a number assigned to you, it's a privacy problem.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Microsoft must read /.
4 25 2&mode=thread
http://slashdot.org/article.pl?sid=02/01/16/153
Need help treating your acne? Come here!
A couple of Microsoft's security people published a book - Writing Secure Code - recently.
It's obviously Windows biased with respect to code samples, but it's actually very good.
Now they just need to read it themselves - for example, all the vulnerabilities exploited by the universal plug and play fiasco (buffer overruns, trusting untrustworthy data and denial of service attacks) are well described in the book,
Hogsback
...better late than never, right?
"Adequacy.org: Where congenital stupidity is not an option, but a requirement."
How did this old story manage to make the front page of Slashdot when this new story with far greater implications didn't?
If real, it's good news, since MS products are a security nightmare.
If fake, it's brilliant, since Gates will be faced with either admitting the breach and the unimportance of security or keeping quiet and being held to his new "highest priority".
In any case it looks like this will get very interesting!
However, take a look at OpenBSD. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.
But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?
Oceania has always been at war with Eastasia.
Bill G could be telling the truth. Windows is a more popular desktop and one big reason is that it is 'easier' to setup and use as a web browser and word processor for the "Johnny Lunchpail"s of the world.
Since those common applications are pretty well matured, what else does he have to work on? Trying to force Apache out of the internet market by developing IIS? Not bloody likely.
Hey bill, it's too late for you. MS messed up big time with security and it's too late for you. ...sadly, most of the people will say " ... you see, MS are the most secure OS....security is important for them" .... Yeah, since Jan. 16 2002.
Nice try with your PR.
install OS X...
Microsoft does have a pretty strong track record of hearing what their big customers want to buy, and then building it.
I'm not surprised that they're hearing about security... and I won't be surprised if they find a way to build it.
Hey, I'm just sayin'.
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
Right. This is not a security problem. This is a privacy issue.
And speaking of which. Many of us have fixed IP addresses. Web sites already track our actions with cookies. Telcos sell information about us to anyone who wants to pay for it. Get over it. We have no privacy to begin with.
You make a good point that it can be turned off, but how many "normal end users" of Microsoft products are going to know this. It is not you or I, or for that matter anyone on /. (for the most part ;}) that I am worried about here. It is the people that do not have the first clue about computers, or security, and think that AOL is the internet that I am concerned about with security issues such as this one (and the countless others).
man
No manual entry for
Just because it's possible to fix the hole doesn't make it "Normal slashdot staff overreacting again." Not only does the original report contain the information for how you can turn off the ID, it makes some good arguments for why that isn't good enough.
So no, not an overreaction at all.
If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux (I swear I didn't choose that just because it's the godhead of this entire forum), What would we do?
/. topics get more sensational?
Honestly, and not trying to troll. What will everyone here do if microsoft ceases being the evil empire? What if they can pull this off, and find some middle ground with the government? I said before, in a much earlier post, that most religions have an antagonist; What happens if we lose ours? Will
MS Press Release:
"Microsoft released a patch today to save 15K of RAM in explorer.exe"
Slashdot:
Microsoft wasting gobs of memory for extra red-dot in windows logo.
Personally, I say good for microsoft. Microsoft, right now, is an integral part of so many organizations, and admittedly they have security problems; They could use the positive PR. They could also deal with less -unfounded sensationalism- nonsense from the peanut gallery (note, this does not mean the founded, intelligent, objective news items which from time to time may appear in the comments section.)
Just my $0.02, Refundable with a $2.00 restocking fee.
... but there's no way either plan is going to get anywhere.
-nate
Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
it may not be a security problem but a privacy problem...
MS foot in mouth again? didn't they try security already... this could be interesting.
Other than security problems and product activation, I have to admit, that XP is actually a nice product. I may not agree with a number of its design decisions (stuffing things into kernel space that don't need to be there, building the GUI into the kernel, Microsoft ASCII text,etc), but it IS very feature complete for the average end user.
I still won't run it by choice (FreeBSD baybeee), but having to *support* the platform will be a lot less hassle...
just my US0.01c (damn pathetic aussie dollar...)
smash
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Luckily a kind 14 year old took pity, broke into one of their Hotmail accounts and resent a plain text version to everyone.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
Is this in the same vein as the day Bill Gates ordered everyone at MS to stop what they were working on and concentrate on how the Internet would affect their products?
Of course, by that I mean Microsoft finally understanding something several years after the rest of the world "gets it?"
{
char username[8];
char pass[8];
fprintf(stdout,"enter username (8 char max please, otherwise you might corrupt the stack): ");
fscanf(stdin,"%s ",username);
if (strncmp(username,pass) != 3) return 1;
}
privacy, like .net??? My wallet? Sounds good!
All they did is issue a press release!
They're doing their best to attack open source; from buying SGI patents to kill OpenGL to this new initiative to cut off the age-old argument that open source is more secure (at least on the PR front...) and all the rest. I guess they really do see open source as the number one threat...
What I really hate to see, however, is that we're not doing too much about it. In fact, the only new thing is Lindows, and I sincerely hope they live up to the hype. Unfortunately, Microsoft has realized that Joe Average Consumer *doesn't care* about anything that is not the easiest way to go; even in the server market the PHBs will stick to MS until they see something like the Gartner Report or the FBI declaring Windows XP to be insecure (or whatever).
IMHO, a good part of the Open Source world needs to focus on making Linux a real competitor on the desktop market; such as idiot-proof install programs that need *NO KNOWLEDGE OF PARTITIONING* (and just ask, "do you want to install Linux on separate hard drive, or should I resize your Windows partition to X gigabytes and install it on this hard drive) and autodetect hardware (X Windows configuration is a *REAL* pain in the derriere if you don't know much, if anything about computers, for example) and whatnot. In order for Linux to be a real competitor for the computer of Joe AOLuser, it should take advantage of almost (or as much or more) autodetection/idiot proof default settings as Windows.
Now I know, I know, we aren't after Joe AOLuser, but in order for manufacturers to keep making Open-Source compatible hardware, THEY NEED MARKET DEMAND. It's far easier to cave in to Microsoft if it means losing 5% of sales (to hardcore geeks) than if it means losing 50% of sales (to Joe Average User). And yes, I just pulled those figures out of my hat, but I wouldn't be surprised if they were true.
This
Oh my God, if Billy actually means what he says, what are we going to do now? We've always had a major advantage in security and stability with Linux. Our arguments have always been based on the fact that M$ windoze is a bloated hacker haven.
Linux and the open source movement will most certainly never die, but I would really like to see a day where mom, pop and granny all used Linux, most games and popular software ran natively on it, and windows was a weird "fringe" thing like Macs.
I honestly believed we could pull it off in 5 years, 10 tops. But with the full resources of a gigantic monopoly turned to focus on what has always been our strong point, dear lord, what are we going to do now???
Worse than that, what if ole Billy also decides to make it a lot faster? What if the deepest pockets in the world turn to actually making windows a decent OS?
First of all, it truly scares me that Bill Gates's announcement that Microsoft will "emphasize security and privacy over new capabilities" is considered, in his own words, to be "a major strategy shift." Any reasonable developer knows that security is an inherent part of every feature - not a feature in itself. /. alone, this is the third article in 24 hours (not including the "Unbreakable" story) with direct relevance to Microsoft's security (or lack thereof). The case can be made that there is a low likelihood that Microsoft would pay that much attention to the /. community - but on the other hand, I'd think they'd listen to this.
Second of all, it can't be said that this is the first time a company has put forth a gung-ho effort (if that is even the case) to secure their products - Oracle's Unbreakable database is clear evidence of this. To me, this seems Microsoft has placed itself further into the security spotlight, and that more holes will be exposed as a result.
Finally, above all else, one has to admit that this announcement seems like the reactionary brainchild of Microsoft's PR department. On
A)bort R)etry I)gnore
=tad=
microsoft = security, that's a better one than military = intelligence. A new oxymoron to add to the list.
Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
It's not a security problem. It's a privacy problem.
If it posted the user's passwords, executed arbitrary code, or removed network firewall configurations, then it would be a security problem.
The security guy at infoworld, a guy who isn't really a open source freak, said something about this on XP. Looking back, the more Microsoft hypes security, the more security flaws they release.
:-)
Maybe microsoft should just change platforms.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
I've had an open security issue on their site for months. [ http://www.devitry.com/security.html ] They don't seem to be too concerned with it, even though they are running the Passport system. Will this Gates email change their minds and get their butts in gear?
-- these are only opinions and they might not be mine.
Microsoft enters the security business...
"How would you like some insurance to go with your operating system? I mean you wouldn't want any hackers to break in to your system would you?"
Two, to what extent is this an agenda for obliterating any shred of interoperability with other commercial products in the name of 'security'? Isn't it an open invitation to claim that total and complete lock-in is the only way to be 'secure'?
Here's a link to discussion of "Internet Strategy Day," but all archived info on MS's sites is missing. Did they forget to save it, or did it seem dated?
We all remember Jim Allchin saying that XP was "the most secure Windows ever." And everyone here knows about the UPnP bugs that were discovered the day XP was released. Their other recent announcements lambasting the process of full disclosure by Scott Culp also show that they have no real commitment to providing decent security in their products. Well, if this word from BillG is supposed to mean anything, we ought to see it in action. Unless "trustworthy computing" is supposed to mean trusted computers (a conceptual fiction) for use with digital rights management...
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
It's about fucking time.
In other news, why does this story have a Borg logo on it instead of the Monty Python foot?
-Legion
It's a privacy problem.
Has Big Bad Bill finally learned? Does he now realize that customers are VERY interested in Microsoft fixing bugs, not adding new features?
"...the shortest distance between two points may be straight line, but it is by no means the most interesting."
<QUOTE>Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are.</QUOTE>
If you know anything about managing people, that is probably the #1 way to get people who don't really want to do something to get results. Sounds like while it may be in part a PR stunt, it really is a serious push by Gates.
-Pete
Soccer Goal Plans
My stomach's killing me from laughing so hard. Quick! Call a doctor...
Sure, they're having a 'Focus on Security' this week. Next week it's 'Focus on Thai Cuisine...' with free larb gai for all senior managers...
How many normal end users would actually care in the first place?
It's the same with anything implemented for privacy - encrypted e-mail, anonymous proxies, firewalls, etc. How many people actually use these things? Very few.
Microsoft has known for years that one of their major flaws is the "security" that its products offer. This statement by Bill is just a campaign to cover up the problems that exist and quell the fears of some of the major corp. consumers that are "on the edge". Microsoft has a solid foundation in many companies and will continue to do so for many years. However, the recent public "discoveries" of the down side to the lack of security in Microsoft products is putting a damper on Microsoft's rapid takeover of many market segments.
This (the "new" public awareness, and "new" anti-M$ press coverage) should be viewed as a blessing to those that use Microsoft products as well as those that wish they would just die a horrible death. Press coverage that actually tells the truth, instead of just covering the bells and whistles added onto an insecure product, will help make large companies realize that they can not continue to put crap products out once a year, and do much more to help the growing usage of more secure, less-known OS's (linux, x-BSD, etc.).
On the other hand, this "security problem" is not really a major flaw, 99% of people using M$ products have many, many, other ways of being tracked using products like Outlook Express in the default settings. Just viewing an e-mail with default settings in OE will allow spammers to know your address is valid (with the right embedded code).
People (the average consumer) will never wise up and start using more secure products, it will take bad press, and cash flow changes to make companies stop creating insecure OS's.
http://www.codewolf.com - Just good stuff to waste time
I'm guessing Mr. Gates has been watching the Enron/Arthur Andersen news and realizing how important it is to be able to keep investigators from reading your documents -- so now, privacy and security are important :)
FWIW, I submitted this story and it was rejected....
But, that's not my point. What incentive does MS have to add new features now? They've eliminated all the commercial competition for desktop OS's, so even with users clamoring for more features, users are stuck with Microsoft.
What about Linux?
Okay, yes, sure. And Linux (and BSD) are more secure than Windows, but in many respects aren't as feature-rich yet (flame away, but I'm a confirmed Linux user). So, Microsoft stands fast on features while it brings its security up to speed, and hopes that alternatives don't surpass Windows, feature-wise.
And how many users do they lose in the meantime?
Not many.
Some people think Bill invented the Internet. Now is his chance to invent the Microsoft System for Secure Computing (TM), which will include all of those features that MS wants first, and maybe a few that you feel are important as well.
Microsoft Planet here we come! =8~|
"It is a greater offense to steal men's labor, than their clothes"
He's the geek who's responsible for the world's shittiest software. He can never get respect from his peers. How sad is that?
You're right. If you just look at it as a run-of-the-mill MS announcement, it isn't extraordinary at all: They are refocusing on the buzzword that makes them the most money. It just so happens that this buzzword has a negative connotation in relation to MS.
Slashdot 's editors are dickheads
Time to uninstall Media Player. I'm just tired of companies sneakily trying to track my browsing/purchasing habits without disclosing it. Enough.
If MS actually puts some work into security, besides their "veteran programmers" feeling a lack of job security, it could be a good thing. I don't know whether or not they will.
That being said, I thought everyone knew to uncheck the "Uniquely Identify My Browser" and "Protect Content" in WMP7?
People criticized Microsoft for treating security breaches as a public relations problem, so Bill Gates sent this email out to the Associated Press to prove them wrong
so to prove them wrong he sent out more PR... gotta love it...
Adult film star Ron Jeremy announced that in the future he would be focusing on dialog and plot development in his future projects...
Think outside the... Hey, where'd the friggin' box go?
~~~
CEE5210S The signal SIGHUP was received.
M$ brand of security: Change the name "Administrator" to "Root."
It's more difficult to obtain root than it is to get Administrative permissions.
You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
"Trustworthy Computing" doesn't necessarily mean "secure computing." Microsoft wants you to think that, though, just like they want you to assume "we're innovating" means "we're making products better for you." (Incidentally, MS's definition of "innovation" means "finding new ways to solidify our market position.")
Anyone remember Bill Gates's deposition in the MS antitrust trial? His version of the English language is so far out of whack he spent most of each session professing to have no understanding of common words and terms.
In this case, "Trustworthy Computing" means "convincing computer users that they don't have to worry about security... that they can trust MS."
Microsoft to secure MY private parts!
Bill Gates: "Okay! We need to talk about security. The bad news is that this could take a while. The good news is that we get to have one big pizza and pop party!"
...oOOo..'(_)'..oOOo...
The last time Bill Gates was widely publicized for announcing a major strategy shift to his employees was back in 1995, when he sent out a memo saying they were going to focus on the internet.
I bet I wasn't alone in laughing. The first version of MSIE that was out at the time was a JOKE. Netscape reigned supreme. RealAudio was king of streaming. Third parties actually had a shot at selling a Windows web server.
How long did it take them to: (a) Kill Netscape with MSIE, (b) maim RealAudio with Windows Media, (c) shutdown 3rd-party Windows webservers with IIS, etc.? Not long.
Extrapolate amongst yourselves.
Goodbye ZoneLabs (makers of ZoneAlarm). What other big Windows security players will have their security software crushed within 3 years? McAfee? Symantec?
Unix users laugh at the inherent security problems with Windows, just as I laughed at MSIE 7 years ago. I haven't been laughing lately. Will you still be laughing a few years from now?
"And like that
That racket's already taken by Symantec and McAfee, primarily.
CEE5210S The signal SIGHUP was received.
To that I say, put your money where your mouth is. Quit endorsing DRM. Quit using proprietary formats in your applications. Open your APIs. Include some decent text manipulation tools at the command line (like GNU textutils). Give the user some choice for a change.
Slashdot's first reaction to VMware
So, my question is "where is Steve Ballmer?" This seems to be the type of decision that is supposed to be published by the CEO, not the chairman of the board.
Probably what is happening is that Microsoft is using the Bill Gates brand to influence Microsoft's public image since the two are historically synonymous. Think of it. How much less attention would this announcement get if Ballmer had announced it instead of Gates?
Guess we know who wears the pants and who is the bitch in this relationship.
This is directed at legislators. As PR, it's pretty poor, and against form for microsoft - it admits that a problem exists (remember their old slogans about how windows was fast and reliable?) If they can convince legislators (who are, to some extent or another, in MS' pocket) that they're doing something, then they can convince legislators to abandon the proposal to make software vendors liable for security failures, which could open up MS to unlimited liability.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
Russ Cooper, a security expert with TruSecure Corporation, said the change occurred in part after a new security team assigned to attend every product meeting met resistance from product teams.
I am not very surprised by this
Customers could also see a downside, though. Other than fewer new features, product upgrades could come less frequently or could be pushed back.
Somehow, this is not a drawback, and hopefully this throws the subscription thing out of whack.
"It is a greater offense to steal men's labor, than their clothes"
...for corporations? I expect that increased security means making it harder for us end users to listen to our music and watch our movies whenever we want rather than protecting us from things like viruses and intruders - after all, that's where the money probably is.
-- SIGFPE
Normal slashdot staff overreacting again. You can turn that ID off.
The defaults are everything, Why do you think Microsoft has negotiated so hard for its icons to be on the Mac desktop(IE), and no other browser is allowed to be there ? Why do you think Microsoft has spent so much effort controlling system defaults for media players, and IE home pages, and startup icons ?
This is standard user behavior - they do not change the defaults. Somehow it is the fault of the guy who installed NT server and NEVER WANTED IIS that he got broken into, and not Microsoft's fault for globally enabling IIS and asking the admins to turn it off.
Giving the end user a chance to change a system default is a good way to ensure that 95% will use the default, and the company (Microsoft in this case) can blow blame aside by saying the user can change it.
Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage. Or both...
Why, it's TCP/MS!
AGAIN?!?!
Please...
If I had a nickel for every time in the last 18 months Microsoft has said that they were "going to get serious about security" my home computer would be a mainframe. There was an interesting quote from an article in E-Week this week. To paraphrase:
"Microsoft treats bugs like PR problems, not security problems."
Why should we believe that this announcement is anything other than more spin doctor PR crap?
chris
Isn't this the same as companies who clean up toxic waste simply because it makes them look better to take care of their waste than what they were used to and like to do - that is to dump it in a stream?
In related news, Wall Street reacted favorably to a report that Microsoft is slashing payroll expenses by 80%.
Fire and brimstone market prices skyrocketed 72% on the news that hell had indeed frozen over. Satan declined to comment.
Internet search engine Google reports traffic up 17%, and that the word "security" has become the most popular search term, driven entirely by submissions from the microsoft.com domain.
Film at 11:00.
Microsoft's so-called products are CRAP. Here is the quantitative proof:
You see, it's really quite simple. Bill Gates wants to be king of the world. What he's doing is amassing a great fortune that he will use to buy the government of a small country. Then, he'll take control of that country and run it like a huge business. In other words, like Microsoft, just much, much bigger. Then, he'll use his great fortune from that to purchase another country. And then another. Until he'll own a United States of Bill Gates. Then, he'll be able to buy really big countries, and several at a time... He'll just buy a whole continent at a time. He'll buy North America. Then he'll buy South America. Then Europe. Then Africa. Then Asia. Then Australia. And finally, he'll even buy Antarctica. Just for fun.
Bill Gates will use his powers only for evil. He'll turn the entire world into a big piece of crap. All the buildings all over the world will be in ruins. The roads will be all smashed up. Nobody will have a job anymore, except to be Bill Gates' slave. People will haul big bricks to build enormous pyramids and palaces for Bill Gates. He will sit on a huge fancy throne, and everybody else in the entire world will go hungry.
Actually, I'm just kidding. We all know that Bill Gates will use all his power only for good. Every person in the world will live in a huge palace and they'll have everything they ever wanted. Nobody will ever go hungry. There will be no more bad in the world. Bill Gates will just run around making everything good for everybody.
Actually, that's not likely--I believe the first one better.
But where the hell was I? Oh yeah... to make a long story short, oh well.
Ok, what the heck does that mean? Unless Microsoft plans on solving the trusted client problem, once I send you an email there is no way I can control how you use it. The only thing I can think of is letting users add a header to outgoing email, and if it was present Outlook would not allow copying or saving when the recipient viewed it. Of course anything like this is trivial to defeat, resulting in the illusion of privacy rather than actual privacy.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
I don't think they're worried about a Gartner report, Microsoft has been slammed on its poor security record for some time now. (Maybe not by the Gartner Group, but certainly in other PHB reports.)
What probably got their attention was the recent visit from the FBI. Something most people forget is that one of the primary responsibilities of the FBI is counterespionage, and it doesn't take a genius to figure out how much damage a subtle virus could do on government computers. (Esp. after other countries had sensitive documents leak out with that "I write you for your advice" virus.)
We'll never know what the FBI told them... but we can guess based on what we now know. Every group must explicitly consider security issues, senior management reminding the troops to take it seriously. Maybe this is my one cynical-free day each year, but I really don't see this as a ploy to attack open source software such as Samba. I think they finally understand that they have a serious problem.
But, ironically, I'm now concerned that they don't have enough experienced security people. The corporate culture just hasn't encouraged development of the right skills. Any semi-decent programmer can check for buffer overflows and the like - even automated tools can do that in many cases now - but true security comes from an ability and willingness to challenge the most basic assumptions, to question the most sacred code, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is an extract from the ie.c file that I managed to pilfer during that source code steal from Microsoft year before last. Revealing it is.
The lameness filter won't let me post it, so I'm linking to it instead.
Of particular interest is the peer review process, ensuring quality standards, and upping the end user experience.
Hmm . . . they say that they're going to improve security, and yet that e-mail leaks out. Am I the only one who finds this ironic? ;-) And, before I get flamed, I realize the release was, in all likelihood, intentional, but it still doesn't leave me with a good feeling about this, nor does it make me willing to trust Microsoft. This is exactly what they shouldn't be doing. If you say you are going to make things secure, well, practice that with everything, including e-mail!
Now some talking paperclip is going to say to me "It looks like you've been R00T3D" and a security 'wizard' will pop up to teach me (in five easy to follow steps) how to unplug my Windows BS Professional box from the network in order to make it secure.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Given the recent onslaught of IIS, XP, any Microsoft product holes, has anyone produced charts/statistics detailing the number of holes? Off the top of my head I can immediately think "ok, there's another Microsoft screwup" but I'm curious as to the total number of problems in the last 6 months.
What I'm really looking for is there a website out there that details the number of holes in IIS vs Apache? The pointy-haired folks at work are looking at webservers and I could use some hard-cold statistics to convince them once and for all IIS is a mistake. Pretty graphs would be really good to show a comparison between the two.
So.. does anyone know of a site that keeps track of "total" number of holes for any given product (Microsoft AND Open-Source solutions?)
InfoWorld
And there is this old item from a security mailing list:
The reason trusted systems are not being used right is because the way they are written they are UNUSABLE. Only someone who is forced to use them would even consider touching them!
(seen at: http://www.geocrawler.com/archives/3/90/1995/7/0/418940/ )
Granted, it is old, but is the point still valid?
"It is a greater offense to steal men's labor, than their clothes"
a. Bill Gates
b. Steve Jobs
c. Dubya
d. Larry Ellison
(Sorry, no option for Hemos/Taco/Cowboy Neal or George Lucas -- don't want to make things too easy.)
Incorporating features into products that aren't blatantly obvious and have a lot of marketing value to joe-schmoe helpless user just doesn't seem like Microsoft's style. How are they going to sell security when most of their users won't perceive it?
I can't see them doing anything different other than turning it from a PR "problem" into a PR "vehicle".
Get ready to see Windows desktops with security-themed graphics and animation.
The problem with your "nothing to see here" attitude is that you have to know it's a problem in order to change the defaults. If nothing else, this story alerts /. windows users that someone may be tracking them, so that they can change the preferences. And, it's ironic that Gates wants Microsoft to be synonymous with "Trustworthy", while at the same time stabbing his customers in the back. Sorry, but I won't trust them with my money or my information, when they are so eager to screw me over for control of my digital media (DRM is the apparent reason for these supercookies), to the point where they would let anybody out there track me.
Negra Modelo. Because Guiness sucks.
Now THAT's a flamebait if I've ever seen one! :)
Don't tell me Microsoft is no longer going to be selling Operating Systems! I mean after all if they say that they are going to make the operating system more secure the only way they could do that is to not use any version of MS Windows. Or maybe they are going to steal code from Novell or Unix and make it part of Windows and then claim they invented it!
Either they will do something along those lines or maybe they will just track everyone on the net and send notifications to you of who just hacked your system and give you their home address so you can go beat the tar out of 'em:)
This isn't as much a PR move, as it is a direct answer to a story posted on /. a few days ago about major companies shying away from MS software because of the numerous security problems.
Sorry for not posting a link. It's late.
And, yeah, I am sure it was hard to obtain a copy of that email.
That the digital rights management scheme will be uncrackable, and you will not be allowed to play that digital media stream more than once. Not that the machine will be more secure.
Security to their customer base does not include you. Only large corporations who want money each time you listen/see/smell/touch/etc something.
Get a free ipod.
Tools->Options->Player->"Allow Internet sites to uniquely identify your player"
Wow! I'd have NEVER known what it was for, seeing how obscure and undocumented it was...
"People that quote themselves in their signatures bother me" - athakur999
Windows is my desktop OS of choice because of its handful of features, ease of use and convenience. When I want a secure OS I'd use OpenBSD.
If they want to make Windows more secure, they'll have to get rid of some features and make it a little bit harder to use.
Rewrite? What rewrite? The one that killed the last 16 bit code, again? When we have seen former M$ programmers talking about the "wisdom" that age brings to old code, and then mentioning horrible kludges for device drivers under the awful variety of M$ muck. Their public versioning is nonsensical and makes you wonder if they were ever able to make consistent all of the code from all of the companies they swallowed and chewed up. There's a reason that the 98 source code had more lines than it takes to run a space shuttle, and it was not useful features.
Even if they had the desire to rewrite things, they could not. I doubt they have the resources to do so much as an audit. How many people do they have employed right now, a few thousand? How many lines of code are there, 100 million? Let's see if they can implement something as useful as user ID's and file system permissions in the next two years. All of their sins will look down upon them and laugh as they struggle.
If history is any guide, they will once again follow the Macintosh crowd and try to implement a BSD with a "compatibility mode". If they follow this path, Lindows, WINE, will be targeted for destruction or assimilation.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Bloated hackers hacking bloatware...sounds like something out of Dr Seuss!
You're using her as bait, Master!
This might have been a good gimmick, but you pale in comparison to The Turd Report.
Anyone who believes they have security and privacy in today's world is either ignorant or in denial. Any black hat with a few scripts and a modicum of social engineering can get almost any information about you that's stored in some company or government database/file.
If Microsoft is truly shifting focus to increase security and privacy, that's great news. There is an awful lot of effort put into recovering from and working around Microsoft products which are too easily exploitable. My guess is the "pain" of lost business due to these security/privacy issues is finally significant enough to justify the effort to address them.
-Thomas
should declare some degree of success. One of their aims was always to raise awareness of security issues. They should congratulate themselves for prompting a thick headed company like Microsoft to dramatically shift their focus. Congratulations people, your hard work has not gone to waste.
Note: I acknowledge that it was only an e-mail that was sent. The true proof will be in the proverbial pudding.
*Condense fact from the vapor of nuance*
A few months ago, I didn't even know really what this unique GUID was used for.. But I saw it while looking through my registry...
I had set Windows Media Player to not "Allow Internet sites to uniquely identify your player." I didn't like this idea since I am somewhat a privacy nut (I don't accept cookies unless I specifically allow them from a domain, I use a local proxy to filter out identifying HTTP headers like HTTP_REFERER and HTTP_USER_AGENT.) However, I also noticed that I was being branded with a unique ID, so I decided to get rid of it.
Registry entry:
[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings]
"Client ID"="{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
The "Client ID" I changed to "" (null) and other times I have set it to "0". Not sure which is better, perhaps null?
Anyways, if this is the GUID they are talking about, I wonder if this setting makes me safe from being identified in the event that the "Allow Internet sites to uniquely identify your player" setting gets enabled?
The post automatically assumes that Microsoft is doing this just for the positive publicity. But let's step back for a moment and assume that they're serious. After all, their commitment to features was real. Microsoft products are nothing if not overflowing with features (some of which even work!).
Microsoft has the human capital to make good software--and secure software. They just don't. Their software is by and large unreliable and insecure. If they resolve these problems, open source is going to have a very difficult battle ahead convincing people that it is the better path. After all, to date, open source has been superior in functionality, security and reliability, while Microsoft has been the superior business. If Microsoft learns to do security (and reliability), open source is going to need to learn to do business.
Let the flames begin...
-db
This guy is right on the money. Making security a priority can only be accomplished through making good design and good code a priority. And those won't be a priority unless there's some sort of pressure for it. Lowering insurance costs is one pressure. Positive PR is another. But more powerful than both of those is the pressure to keep customers from switching to a viable competitor.
And this, I think is exactly the thing we need: a viable competitor to Microsoft. Microsoft, of course, doesn't want this. Interestingly enough, this will also help deal with Rep. Rick Boucher's recent thoughts on the prevention of cyberterrorism. With all due respect to the many good ideas that Rep. Boucher has made, when he suggested enforcing product liability requirements on software producers, he assumed that was the only way to get better software. But it's not. Competition will be much more effective. "When Microsoft starts creating good software, we've won." - Linus Torvalds. Unfortunately, not only is Boucher's suggestion not as effective as competition, it's got a really nasty side effect: it would effectively kill the only potential competitor to Microsoft on the horizon: open source & free software.
Competition will breed better software. If a competitive market place still produces unsafe products (as was the case with the automobile manufacturers of the '60s) then perhaps new laws make sense.
The point is that the solution to both problems ("cyber-terrorism" and software security) is competition. If the government is going to do anything, let's encourage them to do something that opens up competition to the MS juggernaut. There currently is none, so make laws that produce competition. If, and only if, that doesn't work, then think about other ways to enforce accountability - like product liability for software producers. But don't put the cart before the horse.
$.02
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
So do I for that matter.
The typical assumption (as I've heard it) has always been that Microsoft's poor security was a necessary side effect of their quick-to-market and add-lots-of-new-feature strategies. Though I don't think most people on this forum view those two strategies as a "good" thing, it appears that they've worked rather well for MS up until now.
So the $50,000 question is, can Microsoft focus on security without falling behind on those other fronts? And if they have to slow down on their speedy rollout of new products and features, will they suffer in the marketplace?
If MS can do security and still be as quick-to-market as they were before, they're probably going to be in a very good position. If, on the other hand, they are forced to make a tradeoff-- of speed and quantity for security, for instance-- then it might be a whole different ballgame. Worse yet, they might wind up compromising on both fronts.
Holy shit, that started out really hilarious, but all the stuff about billg was gay. Try harder next time.
Where's the any key?
When I first heard that XP had a firewall in it, I figured that it probably was just dropping random incoming packets on the floor, and in typical Microsoft fashion they said "that's not a bug, it's a feature" 'cause technically it *could* block attacks.
It's interesting to note how product teams resisted the security invasion. Now, while we know very little about how offensively these security teams were implemented, it does harken to a truism about coding.
Properly securing products isn't fun.
Implementing improved, automatic PGP hooks might be fun (hint hint), but slowly and methodically picking through all of your code to make sure that no buffers can overflow is just uninteresting and unglamorous. If we can't convince ourselves to sufficiently comment the code we write, even though we routinely curse ourselves for not having done it previously, security is going to be unfortunately naturally low on the list of things to do.
Likewise, an ounce of glitzy new features tends to sell better than an ounce of better security. People are going to look down upon you if you encourage them to upgrade from the old software you sold them by pointing out the security flaws that it had. It's usually more marketable to say "Trust our products, we have new inline spell checking across all our platforms" rather than "Trust our products, we no longer grant root through tcp/ip overflows."
All of this falls down like a rotten house if you allow your security to get too bad for too long, as is obvious to anyone reading this thread. You can let the support poles wear a little, and usually the cost of a *little* more wear is much less than the cost of fixing the whole thing properly. But unless you have that long-term vision, you'll be sleeping outside eventually. Microsoft didn't, and it is really starting to hurt them. The greatest threat to their monopoly has come from people being unable to use NT in critical applications. You don't want to force your customers to have to go to competitors.
Microsoft has shown throughout history an ability to expend large amounts of money to get things done. IE... MSN... XBOX... WinCE/PocketPC... If they really do set their mind to security issues, I'm sure that they will be hammered out after several slow, unglamorous years. The press release would make it appear that they know that they are up against human nature on both sides but that the company needs to take action or they will lose their stability.
This Sig is a mnemonic device designed to allow you to recognize this author in the future.
It seems that this came at just the right time...Microsoft heard it was soon to be illegal to make stuff that isn't secure. As a public relations tactic, they make sure the public knows they are going to make security a top priority via the associated press. The stories about security being legally mandatory will start to hit television a few days later. To the normal, nonSlashdot person, this looks like Microsoft is taking the initiative, and the federal government is following suit by making such priorities legally mandatory. God, Bill is a business genius... Fortunately, there is still the Slashdot crowd who know what is going on...
"You think that's air you're breathing now?"
...that Winblows will crash.
The check's in the mail! Oh no - I sent it through Outlook, and I didn't get around to downloading and installing those latest patches - so now all my contacts have my account information!
that the whole "Passport" idea is gonna finally disappear? And, will it take "Wallet" with it?
We can only hope.
Setting his threshold to 5, Sparky eliminated most of the trolls on /.
So far, even though there are plenty 5-pointers, I've yet to see one shining, intelligent, "wow, I never thought of it that way" comment about this subject -- including mine.
Does anyone else get sick of the same old mantra?
I'm thinking about watching TV, now... how bizarre.
Whoa, what the hell did I eat today? Oh, well.
First, Microsoft has finally flushed the security-hopeless operating systems (DOS, Win3.5x, Win95, Win98, WinME) out of their product line. The current product line is Win2K and XP, both of which have reasonable underlying security machinery. It's not well-used, but it's there.
Given a reasonable underlying OS, it's quite possible for Microsoft to arrange things so that all executable content executes in a "jail". More generally, a security distinction has to be made between what the user is doing and what external content is doing, and the OS kernel has to enforce this.
If MS does this right, it won't matter if IE has security holes, because trouble will get no further than the current IE document.
We're all going to be doing a lot more forking and IPC.
My whole dorm room laughed hysterically at seeing this headline. Shouldn't this be under "It's funny. Laugh."?
Pure speculation:
Is this a prelude to Microsoft losing one of its security chiefs to the Bush administration? I've read a story or two about some security exec. at MS leaving to become an advisor to the president or some such.
If MS loses this guy, perhaps they're planning to bring in someone who actually knows something about security.
I think it's great that MS wants to focus more on security. It's about time.
What's scary is that someone who influenced the security of MS' products in the past is now going to influence the president.
Next, we'll put Little Boy Blue in charge of the security of our nation's livestock.
dp
---
http://insipid.com
If he is actually sincere about this, whether or not I choose to use WindowsOS (haha funny pun, ok maybe not /duck) for other reasons, an increase in general security of the Windows Operating System (desktop or server, whatever the difference is..) leads to me fretting less at work because some pinhead decided we would implement such and such department using Microsoft products (yes, despite what you teenage idealists think, this DOES actually happen to professional IT people in real workplaces).
I for one hope that he is really making a business decision, not a PR move (no, I'm not saying it doesn't sound like a PR stunt to me). In the past he has decided to turn his company completely on a dime before (internet company anyone?), and he has proven he is a very successful businessman and can do such radical things, and come out millions of dollars in the positive.
Before I get mass flamed, let me clearly state, I think Windows is the worst commercial consumer operating system in common usage, even if you don't include the real operating systems for gurus. But I also think Bill is a great businessman (whether or not he's ethical is a far different question).
Now that we have that cleared up let's look at the problems in WinXP (since I assume they are going to continue building from that instead of going back to Win2k, though I think it might be a wise decision for them to do so).
Other than that the majority of all complaints I could honestly extend are security related.
It is my feeling that if they did a feature freeze on the UI and driver interface and the general configuration setup, and worked solely upon improvements and security (of course with a small team doing new UI stuff to impress the drooling x-treme programmer types), and developed office/IE to use only the documented API (with the API frozen) with both products focused upon security (office is plenty usable as it is, optimization and security would be the best, and the ability to create decent 'other filetype' exports) the OS would mature rapidly.
The things I really hate about using M$ products currently (not because they are closed source, I use plenty of closed source apps, I don't choose my software based upon politics, I choose it upon what works and gets the job done) is that I feel like I'm using an OS that has a lacking kernel, and whilst there are security exploits on my OS of choice (FreeBSD if you're curious) they are generally quickly patched, and always workaroundable, not to mention the fact no software I've ever liked has had a major security flaw to my knowledge), there are far more security exploits for M$ windows (mostly dealing with Outlook, an app that's completely banned for use at our company, our daily bat file actually deletes the would be outlook folder if someone did install it, so they can call us up and complain about the errors caused and get promptly chewed out). While using my OS of choice, I feel that if there was a security exploit, it'd be all over everywhere, not sitting in some hacker's mind (though that is possible, much less likely) whereas with M$ I feel that there might be a 9 month old exploit that hasn't even made SecurityFocus yet, that bothers me.
In conclusion, I do think this sounds an awful lot like a nice PR leak, I hope that it isn't. If I liked M$, it would be great, even though I don't like M$, since I'm forced to deal with it on a semi-regular basis, it greatly affects me anyway. This isn't a *nix vs M$ discussion or anything, I'm just stating that in the scope of M$ development, them focusing on security would actually be a good thing in my eyes.
(ps forgive the I'm sure numerous grammar/spelling errors in this post, I'm typing it while about to go to bed)
I live in a giant bucket.
If Gates just tries to make headlines that will make slashdotters stop attacking them for being so moronic.
Boycott sigs! (DOH!, forgot about the boycott)
Funny how even when MS starts to focus on the area people (Slashdot) bitch about they still give them shit.
You know honestly I have come to expect nothing less than biased reporting on issues on this site.
The news is great, but if it's OS related I don't bother reading past the headline 9 times out of 10, because the last thing I want to do is waste precious time reading garbage.
Just post the news and lose the opinions. That's what Comment sections are for.
So, what to do? Switch businesses to a software rental model (stream of income) and get a piece of B-to-C and B-to-B E-Commerce (preferably a big piece). In other words
But - for
[Insert pithy quote here]
"Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."
Hmmm Maybe this is just a way of cutting labor cost to conserve money for legal fees...
In a world that is Free and Open, who needs Windows and Gates?
After all, WinXP was supposed to be the "most secure OS ever!", and we know how many holes it has. Plus, I'm sure it was Bill who said something along the lines of "Computer manufacturers have been trying to make software easier to use. The simplest way was to put a sticker on the box that said 'Now even easier to use!'". Will we just get a "Now even more secure!" sticker?
I use Macs to up my productivity, so up yours Microsoft!
Microsoft will focus on security like Mr. Magoo at Coney Island...
Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing - or able - to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.
When we started work on Microsoft .NET more than two years ago, we set a new direction for the company - and articulated a new way to think about our software. Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services. We're driving the XML Web services standards so that systems from all vendors can share information, while working to make Windows the best client and server for this new era.
There is a lot of excitement about what this architecture makes possible. It allows the dreams about e-business that have been hyped over the last few years to become a reality. It enables people to collaborate in new ways, including how they read, communicate, share annotations, analyze information and meet.
However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.
Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade.
The events of last year - from September's terrorist attacks to a number of malicious and highly publicized computer viruses - reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems.
Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.
Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched - but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.
No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this. The key design decisions we made around .NET include the advances we need to deliver on this vision. Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code, so it is a key foundation element.
.NET Server secure by default, and educating our customers on how to get - and stay - secure. The error-reporting features built into Office XP and Windows XP are giving us a clear view of how to raise the level of reliability. The Office team is focused on training and processes that will anticipate and prevent security problems. In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months.
I've spent the past few months working with Craig Mundie's group and others across the company to define what achieving Trustworthy Computing will entail, and to focus our efforts on building trust into every one of our products and services. Key aspects include:
Availability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.
Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.
Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.
Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving "five-nines" availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It's about smart software, services and industry-wide cooperation.
There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level - from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company.
In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows
At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like "Writing Secure Code," by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up. In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute.
But we need to go much further.
In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.
Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.
This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past. The challenge here is one that Microsoft is uniquely suited to solve.
More discussion of our vision for Trustworthy Computing is in the internal white paper at [link deleted]
Bill
in any large software project, there are four main goals:
a) ubiquity - getting your product installed and used by as many users as possible
b) usability - making the interface as easy to operate as possible
c) security - keeping outside crackers from crashing the system
d) stability - keeping the system from crashing itself
in the past, microsoft has put most of its efforts into (a) and (b), and (c) and (d) have been put on the back burner. apple has focused on (b) and (d), and most *NIX systems have made (c) and (d) priorities.
the reason that this is bad for competitors is that microsoft has $35 billion in the bank, and if they spend a fraction of that on auditing the maybe 5% of apps that are poorly designed from a security standpoint, they really could achieve what they started out 20 years ago.
Not to mention the fact that an announcement like this is only good PR for them, especially since it comes from Gates himself.
to be honest, i don't think it'll happen, but i do think it will stall the acceptance of alternatives, i.e. "Let's wait and see if Windows .NET is better."
except instead of "Quality is Job #1", it is "security is job #1". And if Microsoft's version of security is similar to Ford's version of quality, we will see massive recalls on M$ products. Only M$ won't have Firestone to kick around for their mistakes. I'm sure they'll blame Roxio, Sun, or Apple...
today is spelling optional day.
Now I'm someone who will cheerily click past a click-through license agreement without reading it, but Microsoft still managed to draw my attention to the existence of this ID, then told me what benefits it gave, and then how to disable it (which I did).
(They didn't mention the supercookie privacy bug tho
When you install WMP7 it brings up a Privacy Policy dialog (and those words immediately make anyone who would actually care [about web pages being able to collate info about them etc] decide 'this is something I should read') which explains pretty much in bullet points every aspect of WMP that might violate your privacy, what advantage you get by having it on, and how you can turn it off (including the Content Rights Management). You then have to tick an "I have read the privacy policy" checkbox before you can continue the install.
In that sense "an obscure option in WMP which is barely documented" is complete bollox. However, I imagine it's possible (now or soon) that you could buy a machine preconfigured from the store with WMP7, and not be provided with any information, or warning.
Windows2000 (SP2) comes bundled with a much earlier version of WMP so no worries there, but I've not looked at XP.
My question for anyone who has bothered to read this far...
(I'll word the same question in 3 different ways)
Is this just a bug, or would the only way to fix this bug defeat the entire purpose of the ID? / Can this feature exist without the side-effect? / Is it a side-effect or just the other side of a double edged sword?
Obviously, focusing on security is a Good Thing. After all, they've made these products and are selling them to all comers - it's good for them to know how to use them properly too.
Yup.
Associated Press- Correction:
Bill Gates announced to THE MICROSOFT MARKETING DEPARTMENT Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities. In e-mail to THE MARKETING DEPARTMENT, Gates referred to the new philosophy as "Trustworthy Computing" and called it the "highest priority".
Development personnel who heard rumors of this were told to go back in their cubes and stop wasting time.
- For the complete works of Shakespeare: cat
Of course the vast majority don't change the default. Conversely, the vast majority of people really don't care about this feature (honestly!). In general, the only people who care deeply about this issue are the people who would be clueful enough to disable it.
What? This is the same stupid mentality that thought the nasty "Smart Tags" thing was OK... "Oh, you can turn it off!".
I don't care if it can be turned off, it's a bad idea in the first place, it shouldn't even exist!
Yes, secure that you can NEVER be anonymous, and MS secure to KNOW they can track or BO you if they want. Important that they make their tracking software secure.
Would you trust a bank that got robbed every week? Of course not.
Microsoft wants to take a cut off every transaction on the web. They want to be a front counter to the banks and the insurance companies.
People won't trust them to do this unless they are perceived to be secure. It'll take them years to get this right, but their future plans rely on this, so sure they'll start to do it. Their plans for hailstorm and .net rely on them being trusted.
*offtopic*
Once they are a portal for banks, this is what will happen. One friday afternoon MS will buy a small bank somewhere. That weekend all their customers will get a button on their bank login "Press this button to transfer your funds to MS bank for a 5% drop in your credit card rates". The banking industry will come into work Monday morning to find all their customers gone. The moral : never outsource your link to your customers
To block SuperCookies requires changing an obscure option in WMP which is barely documented.
Does that mean I'm obscure? I've been disabling that option for 2 years since I stopped bothering to download 'AOL' winamp on windows boxes. I mean it's hidden right there in plain sight. Although most of my mp3s I listen to using xmms, since it's easier to control over telnet.
https://www.gnu.org/philosophy/free-sw.html
The subject line was a false statement. MS will not focus on security, at least not to close it up. They will continue to focus on security in ways that they can destroy any sense of privacy and security, even to the extent of making their own products vulnerable deliberately, so that they can hijack tcp/ip and make themselves the Internet gatekeeper. .NET certainly isn't about anyone's security, it's about MS trying to own the net, and I haven't seen any announcement that they are abandoning it.
Just a thought. If Microsoft has its way, we won't hear anything about bugs and security holes in its products because of its discouragement of disclosing such information. So, no matter what, Windows will seem more secure, because we'll hear less about its problems.
Guys this is not a case of "big bad company wants you to think they care about security but they really don't" as the posting suggests.
This is unequivocally a case of "big bad company finally realizes their biggest PR nightmare and has no choice but to finally take security seriously."
Don't think for a minute Gates' e-mail wasn't prompted by a genuine desire to improve security. M$ has finally realised the financial implication of crappy code.
A swing and a miss.
A note to moderators:
The recent trend is to rate poorly argued points as trolls. For instance, someone will make a statement without much thought, but is serious in all respects, and gets moderated up. When someone else comes along and smashes this person's argument, the first poster then gets marked as a troll.
This moderation behavior serves to stifle dialog and downplay any positive points the first poster made.
Remember, a troll is a post which attempts to elicit responses from others under the pretense of discussing the issue at hand, not a poor argument.
LS
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
What they should do is:
Allocate $5 million a year (pocket change for them) for rewarding people who find security flaws. They can hire an independent 3rd party to manage the submittals and decide how to split up the money each year. Those who wish to collect have to go through a process of reporting the flaw that is official, and doesn't release it to the public before they have time to fix it and people have time to get the patch.
The key is having the 3rd party really be independent. Maybe elected by a committee or something. Somebody could figure out the details....but this shouldn't be hard to do in a way that MS's corporate interests are not causing a conflict.
This crowd won't ease off until Microsoft GPLs its software. All of it. And issues royalty-free use of any of its patents.
Interesting thought experiment, but don't hold your breath waiting for the reality to appear.
End users are not the customers. PC manufacturers and server vendors are the customers.
Translation: [serious] Users should be made to think that our ideas of how their data should be used are also their ideas.
-or-
[humorous] Microsoft should be in control of how its users are used.
Seriously, though, all those who fit Microsoft's definition of user already think they are in control of their data. They believe that Microsoft provides them freedom to do what they want. Look at those Windows XP flying commercials. People actually believe that stuff. Just a thought.
A solution to the problem with music today
Just think of all the normal users who leave the defaults!
Evan - needs to hit preview before submitting
...to take the main insecurities out of their operation:
Breed a brother of clippy. Make it look like a string of barbed wire and name it, well, Barby (or appropriate alternative to avoid Mattel lawsuits).
Bring in Barby every fucking time the user tries to do something potentially harmful (like choosing the "Remember password" function, opening an attachment, sending out more than 1k of data to the net, ...)
That would at least teach people some sense of security about their system. Hell, most car manuals even remind you to keep your car locked at all times it's not in operation and to remove the key from the ignition NO MATTER WHAT. It seems all so logical to thinking people, but most people don't want to think. They want someone to remind them. Still, some people leave their cars idling when they jump into the 7-11, but there are always stupid morons. Those who strictly obey rules had them hammered into their heads or learned it the hard way. Same should apply to OS'es.
+++ath0
I'd like to add to that. Should the default be changed, they often make it really, REALLY annoying to deal with.
Best example: Change your Cookies setting to "prompt me" and visit any site that uses cookies. You will be prompted a million times to accept or reject a cookie.
Another great example: Browser plugins. I don't want Flash 5 on my system. I don't need it. So, I keep saying "no" when it asks me if I want it. It asks me again and again, doing its best to drive me up the wall (or get it driven across the room).
No, wait, that makes no sense.
Network users who irresponsibly allow websites to run whatever scripting they want may face privacy issues with ANY SOFTWARE AT ALL.
Yeah, that sounds about right. Watch your back, or someone else will. This is nothing new.
REM Old programmers don't die. They just GOSUB without RETURN.
This is precisely what led to Outlook Express being such a useless piece of *&*#& to use: allowing the SENDER to specify how email is used. Sorry Bill, but allow the RECEIVER to control this. Spam, 4MB attachments, and OE viruses/trojans/worms are all a result of the sender being in control.
Just write me a damn email client that lets ME choose what to receive, and how to display it. Wow, amazingly 99% of the problems with OE disappear!
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
> Best example: Change your Cookies setting to "prompt me" and visit any site that uses cookies. You will be prompted a million times to accept or reject a cookie.
Um, duh. It's prompting each time the site tries to send a cookie. That's what you told it to do. A lot of sites are dumb and send dozens of cookies for no good reason. Run netscape and tell it to prompt you when you receive a cookie. You'll get the same thing. Perhaps you wanted to try enable/disable cookies on a per site basis instead of just prompting?
What if, by pursuing this "Trustworthy Computing" avenue, the existing Microsoft customers begin to believe in Microsoft. They rally around the "vision", and start extending it.
Now a committee is created to "audit" all released software (funded by guess who), and Open Source software will now be subject to "approval" by a committee, probably via a pay-only system of review applications. Now this slows the release of Open Source software to a crawl, or stops it altogether, because most of us do not get paid for our work, nor can we afford to submit our releases for review. If we can, we're going to be damn sure to close every hole, therefore slowing down the frequency of releases. I, for one, hope this is not their intent, but Microsoft has always had an ulterior motive with every single action they've taken. Having Bill Gates declare it so publicly and firmly, leads me to believe he has some other motive here.
This announcement has brought out all levels of commentary so far... some saying "not gonna happen" or "impossible." Some are saying "if they really want to do it, they can and they will."
I sit in the second camp... mostly. But I tend to think that they will not be able to deliver on the promise for at least a couple of years.
In order for them to deliver on the promise, they will have to radically redesign their OS from the inside out and I doubt they have enough of the original coders around who can remember what they did to mess it up in the first place.
On the other hand, they can simply write an entirely new OS or build one from existing stable OSs. Making a BSD derivative first comes to mind. And why not? Just do what Be did. Write up some support for NTFS, a little migration and throw up a really nice GUI interface that looks like Windows always has and they're 90% done.
Is it possible? Very. Is it likely? I just don't know any more -- it depends on how serious they are.
I'm a Linux fan -- I use it when I can and when I'm comfortable. I also use MS Windows for things too... especially Japanese language support. If they can deliver on their promise, I'll use the product. (Am I actually saying this?) Yeah that's right, I'll use it.
But I guess they would have to satisfy my own expectations -- make it more Unix like. Quit using backslashes!! What's with the stupid A:, C: crap? You just limited yourself to 26 drives... freakin' brilliant.
Okay, it's late and I'm tired. I actually hope they can pull this off but I have my doubts that it will be anything that benefits the consumer more than it benefits MS's own purposes... I hope they can deliver my dream OS, but I just can't believe in it yet.
You missed his point. Just as the personal data about ourselves should belong to us, Microsoft fundamentally believes that the music you listen to, the video you watch, and the software you run are not your data. They are other entities' data, who only grant you a limited license to use their data as they see fit.
The only certainty is entropy.
I don't get one thing. The self called security specialist Steve Gibson has effected many newbies not to install Realplayer, because umm... It has GUID _support_ (by default, OFF). You will hardly believe what you read after this story: http://grc.com/media.htm
As I now see, Wmedia player comes with GUID enabled by default? Which sort of a non-techie end user would "touch something which is already working" (e.g. listening to his/her radio w/o any problems)?
My point is, besides Grc being pointless and evilly conspires Realplayer for unknown/I don't care reason, he uses this argument to call people to switch to Windows Media, which, hardly you will find a native Linux/BSD version. So, here is your answer, GUID is important...
Oh, btw, people seem to miss the point that GUID is used by broadcasting companies which broadcast, not by those application vendors.
This should be taken seriously, folks. Think back - The WWW caught MS napping. They never saw it coming. And yet, in just a few years, Bill turned the company around to face the "threat," and now there is serious talk of a MS-dominated internet.
There's an old saying that goes "familiarity breeds contempt." It's all too easy to dismiss MS as incompetent - easy and foolish. MS hires hordes of the best and the brightest programmers anywhere. The numerous security holes in current MS products are not the result of idiotic programming, they're the result of idiotic policies, dictated from the top, that emphasized features over security and stability.
With the rising sentiment against "bloatware" and security problems, MS can address two customer demands at once here. MS has successfully made huge and abrupt changes in strategic direction in the past, and there is every reason to think that they could do so again.
Lost: Sig, white with black letters. No collar. Reward if found!
How is it that somewhat-well-thought-out, sincere, calmly worded posts get moderated as a Troll, while arrogant, conceited, poorly worded, angry posts are moderated as Insightful?
Don't bother moderating me.
A solution to the problem with music today
But what would Slashdot do if Microsoft changes? They'll go on. Slashdot is not the anti-Microsoft site. There would be plenty of other news if Microsoft dropped out of sight tomorrow. Microsoft just manages to do things often enough to become a prime subject of this community.
Microsoft constantly stands out from their peers. The IT industry is full of large, powerful corporations. They all put out products that could have their merits debated. They all make marketing claims, promise things to their customers, and set company policy that impacts end users (including Slashdot readers). Yet somehow Microsoft manages to rise to the top.
Sure, there is over-the-top bashing of Microsoft (ignoring Microsoft's own PR, reputation for FUD, and zealous proponents). But there are also lots of legitimate grievances ranging from product quality to Microsoft's marketing tactics.
Microsoft gets attention because they deserve it.
When Microsoft changes its ways, they will fade in to the background with other industry leaders like IBM. And the news will march on with or without them.
Before you go "um, duh" think about it first.
I know what it's doing in the background. For each image it's also trying to set the cookie, too, probably because of automatic session handling on the webserver.
Run netscape and tell it to prompt you when you receive a cookie. You'll get the same thing
That's what my whole post was trying to say. I use Netscape 4.76, which I should've mentioned. There is no way to enable/disable cookies on a per site basis in that browser. Mozilla has a nice per site feature, but too bad the developers are still trying to get the "find" dialog working properly. :-/
It cracks me up that Microsoft disabled Java support in XP for "security reasons". Probably removed the most secure part of their OS by doing so.
If Microsoft is serious about security, they'll supply encrypted file systems and encrypted email that are easy to enable and use, and suddenly vast amounts of email traffic will go "dark" to eavesdropping and wiretaps. The FBI tolerates some geeks using PGP now, but will completely flip out if it's deployed on the scale of Outlook encrypting everything by default. Legislated, mandatory key escrow will be a done deal. Ashcroft will read our mail forever.
It's also standard user behavior not to care if someone can ID their media player. Caller ID IDs standard users by phone number (which can be used against them in fraud), license plates ID the cars of standard users (which really sucks if you kill someone with your car.... they can find you!) and drivers licenses ID standard users themselves (again, for the same reason as license plates, this can suck.) Prove to me that everyone is against this "terrible" thing that MS is perpetrating, which is no different than placing IDs on millions of other common everyday things... then I will understand why this particular default is right up there with corporations losing millions of dollars because of NT servers being broken into.
That's not true at all.. if you read the posts on bugtraq, then you would've seen that turning the GUID off barely helps at all!
WMP generates a new ID not every use, but every session!
It doesn't generate a new ID until you close IE and reopen it... so they can still track you until you close IE.
The GUID is a privacy problem, not a security problem.
Perfect security is a joke. If it could exist, there would be no police. Of course Windoze has holes in it, so does Linux and any other software you can name. People are fallible and programmers are people (well most of them are ;) The thing that burns me up is that people will actually believe they are safe because of this tripe. Computers are not safe. Period. Never will be. If you have a door, it doesn't matter how many locks are on it, if somebody wants to get in, they will get in. Don't leave your valuables in your house. It's simple. All this natter on /. about what a goat f**k windows is does nothing to educate the saps who buy this stuff and don't know any better. Tell your friends, your aunts and uncles, computers are not safe for important info and never will be. Oh yeah, all your money is in some computer somewhere isn't it? I guess no one wants to hear this.
Wary yes, but afraid? Fear leads to acquiescence. The only way to defeat a bully without principles is to defy that foe at every turn. Make no mistake, Microsoft is potentially the greatest threat to the free flow of information in the world. Only in relentlessly, loudly, and repeatedly calling Microsoft to task for every attempt to control markets and information, and in supporting alternatives to the MS poison at all times can proponents of the free flow of information hope to succeed.
No, it isn't a laughing matter. But believing a Microsoft victory is fait accompli is akin to collaboration.
Acquiescence leads to obliteration
I had the option turned off and the demo tool still was able to extract a UUID code
.NET = The Mark of the Beast
I've been wondering if you will need your .net passport to get food and do business in the future. Could Gates be the antichrist? Signs point to yes.
[HAIL GATES]
I for one welcome our new master. jk.
What i don't know can't hurt me right?
"You win again Gravity!" -Futurama (Zapp)
Sure. But this isn't the same target.
Microsoft went after the Internet in the same manner they targeted other markets. It was a simple matter of identifying the target and applying the same business tactics they had been honing on other products / markets.
And it is some of these tactics that have caused the security issues they have today.
Microsoft will not be able to rehash their usual bag of tricks to win this new target. It will take some fundamental shifts in Microsoft's philosophy and culture. This will greatly affect their development. It will blind-side their marketing.
Microsoft began attacking the internet market by leveraging their name/reputation, new features, and quiet agreements (to name three). This fails in the current security environment.
First, Microsoft have found themselves with a failing reputation. If they hadn't, they wouldn't be taking these actions. But now, Microsoft security issues are making headlines in tech journalism. Microsoft can no longer dust these issues under the carpet just because they're Microsoft.
Microsoft's security woes have little to do with new features. If anything, it is their drive to add features without proper consideration towards security (and bug hunting) that has caused their trouble.
Microsoft has already begun trying to control their security problems with quiet agreements. But keeping major security companies quiet will not end their problems. The infosec industry is full of small groups and individuals who have numerous reasons to discover and publish vulnerabilities in Microsoft products. Sometimes these entities are doing what they consider a public service. Other times it involves making a name for oneself or business. But in any case, vulnerabilities will be found and the media will pick them up and report them as it makes a good story.
If Microsoft is to be successful, it will require a major shift. A shift they have never done before, Internet or no Internet.
Why?
Because I know how Bill Gates' mind works, and if I can't see the code, I'm not going to run it. Yes, us Linux sysadms have a rep for being paranoid bastards. Yer damn right we are, and proud of it. That's what's kept me virus-free and crack-free the last five years, watching boxes powered by You Know Who drop like flies.
Linux isn't perfect, no, but it'll take him a minimum of 2 years to get his codebase in order even with the army of people he's got.... and by then we'll have our world domination, and they'll be putting Linus' picture behind that Borg eye rather than Bill's. We might even get Mozilla to 1.0, who knows.
But, seriously. Even if l0pht and friends were to publish with much fanfare, "holy penguins! I can't crack this thing!" I still wouldn't buy it, and not just because I'm opposed to getting on this $100 every eighteen months to upgrade kick.... Not when I can run a product I personally helped design if not build. And can look at the code and see that it is good... or fix it if it's not. And there's huge advantages to being able to talk to the guy that wrote it.
Real-life situation, several weeks ago. I had a problem with the Mylex raid driver. Sent email to the guy who was listed in the headers for the source. A little email tag ensues. Eventually he sends me a patch. cut, paste, compile, init 6. Blammo. It worked. Total elapsed time, about 48 hours.
You will never get that out of Microsoft. Ever.
Then there's the principle of the thing. The Borg's stated objective is to take over the world and have it for his own. I'm not giving aid and support to that cause. I'm giving aid and support to another guy who wants to take over the world... and set it Free. I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.
--
Nuke'em from orbit.
It's the only way to be sure.
This is most likely nothing more than the prelude to a new product line, imagine the possibilities...
M$ Firewall Pro, M$ Firewall Enterprise,
M$ Secure Server XP Advanced, M$ Antivirus,
M$ Secure Outlook, M$ Secure Browser,
M$ AntiHack Pro Deluxe, M$ IIS, Secure Edition
On the other hand, probably not.. that would be an admission that their software wasn't secure to start
Wow, is it April 1st already?
Where? I'm holding onto 6.4, tried 7.x and really hate the GUI. I can't find this option anywhere. Can't find the registry keys either. There is a "user id" in there though.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I was at a client's site and they said everyone who was running Windows XP could not access shared network resources or share resources themselves. They said they were at their wits' end trying to figure it out. Turns out each one of these machines had the *NEW* Microsoft Windows XP Personal Firewall enabled.
Ha... It makes me laugh! They are not going to even be able to pull this one off without looking dumb!
Random number? Turning the option off, I still get the same hexnumber every time on 16 of the 28 letters. 16^16=1.8*10^19 which is more than enough unique id's to track all computers in the world.
Of course, the best thing to do is for everyone to use the same ID. :)
[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings]
"Client ID"="{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
PR Man (PR): I've just completed that study you asked for, the one on why the Slashdot editors hate us.
Bill Gates (BG): Can you give me the executive summary?
PR: It's because we don't place enough emphasis on security.
BG: Fine. We'll do more about security.
6 months later
PR: I've just completed that report on why the Slashdot editors still hate us.
BG: And?
PR: It's because we place too much emphasis on security.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
microsoft security
- Kaos games and encryption systems developer
And the earth is flat, pigs can fly and nuclear power is safe.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Guess some antisocial weenie thinks he's clever for anonymously whacking someone, color me unimpressed.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
The defaults are everything,
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
I always watch that on channel V
Damn, britney's hot!
- Kaos games and encryption systems developer
It's not a security problem. It's a privacy problem.
Pardon? Security is about protecting assets. Is a list of all the music, video, and web sites I view not an asset?
I don't think so.
Ok but how do you turn it off?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Don't you think they DO have the abilities and money to really make Win secure? And the timing IS good. As we see from Windows' popularity, security is not the most expected feature of a system. MS has first made Windows popular, not bothering with such silly features as security - no one demanded it of them. And now, when people start to wake up MS will simply do what people want, i.e. they will make their system secure. It's so simple. Why shouldn't they actually concentrate on it now, that they are a monopoly? They can afford it...
I believe it is impossible to write a completely safe OS or other application: there will always be some way to break into a system. People can only make it harder to do so. Security is only a feeling...
My real question is whether it will not terribly hurt Microsoft's reputation when, after declaring their software "safe", somebody manages to break in. Look at Oracle, they declared their 9i suite "unbreakable" but in the meanwhile they have had their share of vulnerability discoveries (like here).
it was the default that i stabbed a knife into you and killed you. if you asked me not to, surely i would have listened and not done it! LOL. hehehe. microsoft. heheheh.
Look at it this way. Developed countries have a set of systems that can be defined as critical infrastructure. These maintain the operability of a nation on a day-to-day basis. If any of these systems break down, then society will follow down too.
Some examples? Well... water, power, sewerage, welfare, health, emergency services, police and justice, banking, government, communications, and one of the latest additions would have to be IT.
IT must be damn close to being critical infrastructure, if it isn't already. We all know MSFT is very dominant in Operating Systems. Their systems are being used within many of these critical services, which would tend to suggest that MSFT is already inextricably linked to the other critical infrastructures.
Already countries overseas are opting for alternatives to MSFT because of some of the risks that their products provide. Govt's of Germany, France, and others are looking for more 'trusted' IT products - partly for cost, but also because some of the systems are critical.
MSFT didn't have any choice but to accept security, much as they had to accept the Internet in '95. If they didn't, they would see dwindling market share, and their products being dropped from IT solutions involved in critical infrastructure. So, they have to get on the 'trusted' bandwagon to maintain market share. Govt's do spend a bit of money on IT after all.
Check the NTBugTraq archives, there was something considering that a few days ago.
According to what I read on bugtraq, Internet Explorer is vulnerable even if you don't ever use the windows media player. I always browse through all options of programs I use, but I can not be expected to look through all options of applications I never use, do I?
This sig under construction. Please check back later.
i will, for one. this is why my machines don't run linux anymore, either. see www.freebsd.org, www.netbsd.org, www.openbsd.org for more details..
Sitting Walrus Blog
My bet is that they have found something really bad that affects all of their products and they need to take the time to fix it before someone finds it out and nails them to a cross..
Ok, I know you said 6.4, but since no one who has that version even tried to answer ur question i'll give it a shot even though I've got 7.01. Go tools-> options in the player tab uncheck "allow internet sites to uniquely identify ur player".
Hope this helps!
--why?
Pope to support Atheism.
Follow me
Some disgruntled guy will assassinate Bill Gates and the world will celebrate....
/. peeps...
Will be replaced by someone who has Linux roots....
Orders complete recoding of Windows, ease of use of Windows, Stability/Security of Linux...
Years later, Windows LX is released, with praises coming from
World enters a Golden age...
*Me waking up* OH FUCK!
I have it on good authority that this new thrust into the security realm has been code named Project Sphincter. It will pinch off any attempt to probe your ports. Hopefully they are putting enough muscle into this endeavor to block access to the internals of Windows OS. 0->*
Most distros don't install every daemon running anymore. Yes, they did in the past (particularly RedHat) - but the Linux world evolves rather rapidly, and Mistakes Get Fixed. There's no corporate pride or marketing image to worry about - we all know the old all-daemons way was a mistake, we admit we made it - we fix it ASAP, and move on.
here
First, bolting on security to existing products will fail. It's impossible to close up badly designed software.
Secondly, MS relies on open (as in open door flapping in the wind) systems to rapidly deploy new innovations. As people have pointed out defaults rule and if the default is a closed system many innovations would get nowhere as few users would switch them on.
Most of you people have been bitching for years about MS products instability. So they worked on that problem and licked it. If any of you try and say that 2k or XP isn't stable, I'll call you a biased liar. I have been using 2k or xp for over a year and a half and have yet to encounter a problem that couldn't be fixed with the task manager. My 2k server has been up and running for 194 days without a restart (only 194, yeah, because that's when the last power outage hit). My XP install has been running for 34 days without a restart, and 4 different people use this machine (only 34 days, yeah, 'cause 34 days ago I had to replace a dead CDROM drive). So, in my opinion, the stability problem has been licked, and XP looks good too.
Now they intend to focus on security, and what do you people do? You call it a PR move. Of course it's a PR move. What better way to get good PR than to focus on a problem and fix it? Honestly though, what I think you're all worried about is the fact that if they do focus on this and work this out, you people might have to admit that Microsoft makes a better product.
I am expecting to be modded down, so I won't be upset if I am, it will just help prove my point. I'm not after your brownie points.
There seems to be a feeling that MS aren't doing this sincerely. Maybe they're not but we can't possibly know that yet. I think there is every reason to believe they will go through with this. Does anyone remember what happened when Bill Gates realised his company had taken its eye off the ball by ignoring the internet?
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
In all the (four or five years of) Linux experience I've had, no one blames RedHat users (except arrogant jerks), but everyone blames RedHat.
The difference between that and IIS is that when RedHat is installed as a desktop OS and still has a world of rootable daemons installed by default, that's stupid design. When Windows NT is installed with IIS by default on a desktop machine, it is, again, stupidity on the part of the company (in this case, Microsoft).
When someone gets paid to install/admin a box and they leave security holes open by default, I'm inclined to blame the person getting paid - it is their duty to be aware of problems and fix them, and if something so simple as a stupid default installation is beyond their grasp, they should look for a new line of work. For someone who just wants to use the computer, however, I don't think they deserve blame, no matter what OS they chose (or not) to install.
--Dan
Vendors will have to use Passport in order to get a "Microsoft Trustworthy Computing" seal on their website (have they trademarked that fucker yet?).
Users attempting to access Commerce sites without Passport integration will be warned with a big "THIS SITE NOT MS-TRUSTWORTHY-CERTIFIED!" messages.
After all, every consumer knows you need a big, familiar, feel-good corporation like MS to ensure your Internet security and privacy...
pr0n - keeping monitor glass spotless since 1981.
It cracks me up that Microsoft disabled Java support in XP for "security reasons".
Even with Microsoft's broken "Java", it was too secure. Of course Microsoft removed it for security reasons. Microsoft didn't say it was to increase security, did they?
I think the idea is that if all your personal information, music, videos, text, and so on don't belong to you, and your OS license doesn't bequeath anything to you but rather lets you use MS's OS for a while, then if someone breaks into 'your' computer, it's not your stuff they're deleting, so it's not 'insecure'.
New in Windows Media Player: Digital Rights Management! Remember, 'If you have no rights, there's nothing to lose!'
--Dan
Stand in a parking lot with a clipboard and write down the license plate numbers of everybody that enters. ;-)
I think you'll find the open source movement is full of geeks who donate sperm.
It's the only way they'll get it in a woman...
- Kaos games and encryption systems developer
Yes, when a default in Microsoft makes the system insecure, it's Microsoft's fault. Yet, if a default in a Linux program makes the system insecure, it's obviously the admin's fault. Even Linux daemons run as root by default, right?
Case in point, no default password in SQL Server 7.0 and prior gets the government's attention as a huge security hole in the program. Scott Tiger doesn't think that is a programmatic mistake, and neither does MySQL's root account.
Thanks for the reply. Finally found it. No tools menu on 6.4, it's view-options-player. Looked at that earlier but I guess I just saw what I was used to seeing, on 6.1, which doesn't have that particular button.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
From the risks digest....
Re: "Buffer Overflow" security problems (Baker, RISKS-21.84)
"Nicholas C. Weaver"
Sat, 5 Jan 2002 13:15:52 -0800 (PST)
I agree with Henry Baker's basic assessment that buffer overflows, especially in code which listens to the outside world (and therefore vulnerable to remote attacks) should be classed as legally negligent.
However, it seems to be nigh-impossible to get programmers to write in more semantically solid languages.
There is another solution: software fault isolation [1]. If the C/C++ compilers included the sandboxing techniques as part of the compilation process, this would eliminate the most deleterious effects of stack and heap buffer overflows: the ability to run an attacker's arbitrary code, with a relatively minor hit in performance (under 10% in execution time).
An interesting question, and one for the lawyers to settle, is why haven't these techniques been widely deployed? The techniques were being commercialized by Colusa Software as part of their mobile code substrate [2] in the mid 1990s. In March 1996, Colusa software was purchased by Microsoft and it seems effectively digested, thereby eliminating another potential mobile-code competitor, something Microsoft seemed to fear at the time.
The interesting RISK, and one which is probably best left to the lawyers, is that as a result, for over half a decade, Microsoft has owned the patent rights and the developments required to eliminate two of their biggest security headaches: unchecked buffer overflows and Active-X's basic "compiled C/C++" nature, yet seems to have done nothing with them.
What is the liability involved when a company owns the rights to a technology which could greatly increase safety, at an acceptable (sub 10%) performance penalty, but does nothing to use it in their own products? Especially when the result is serious, widespread security problems which could otherwise be prevented?
[1] "Efficient Software-Based Fault Isolation", Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham, in *ACM SIGOPS Operating Systems Review*, volume 27, number 5, December 1993, pp 203--216,
[2] "Omniware: A universal substrate for mobile code"
Nicholas C. Weaver nweaver@cs.berkeley.edu
I know that this article was punted as "MS discover security", but the full memo equally covers Privacy and Availability:
Now either this is A Lie (tm), or MS SneakWare will cease to be.
The only thing you can accurately describe as "Scotch" is a sticky tape made by 3M. And it's
- ship everything with scripting engines disabled: if user enables them, put out a big security warning window. Not real security, but good for PR : "default windows installation is secure!".
- Make stacks non-writable with something akin to the linux kernel patch shipped with OpenWallLinux. This would ensure some temporary security, until all current buffer overflow exploits are re-written. Again, PR people could again use this time to show off the improved security.
They could make a different set of boxes (Windows XXP!) and make money out of it
Ciao
----
FB
They will then lobby for legislation to make this mandatory for all software companies. And then small companies will not be able to keep up.
Mandatory security will slow development down and weed out small development companies. Is that what we want?
...MS to declare that the major security threat lies in other vendor's software and other OS's? After all, they used Win95 to kill off DR-DOS ("it isn't really compatible with the special code we added to Windows")
Then they will argue that they have to close up everything to bring about security: "Only MS products are really safe with MS Windows. Only MS protocols are secure."
Then the Big Lie: "you are only safe with us"
I am anarch of all I survey.
Security is not something you can add in at the last moment. Wave your magic wand and say, be secure! It's something you have to design in to the code. They can start patching and repatching the problems caused by the patches, but in the end to do this they will have to start over again. I don't see that happening after they just rewrote their operating system for XP.
Don't get me wrong, the philosophy of unions is fine with me, but so is the philosophy of democracy, and neither one works particularly well over time - both systems have been corrupted. Unfortunately, maybe it's just human nature, but whenever there is the potential for a system to be abused, it is abused.
Name, for example, one government program that has the potential for abuse, but hasn't been abused? Now name one union that has been around for any length of time that hasn't been at least investigated for abuse or had an official fired or voted out (as a scapegoat) for abuse.
Stupid sexy Flanders.
Hm, IIS is not installed by default on desktop version of NT/2K
--
Two witches watched two watches.
Which witch watched which watch?
Finally, I'm ontopic when I'm talking about KAOS, the operating system I'm developing.
KAOS is based on OpenBSD, it has all of OpenBSD and KAOS runs on top.
The kernel is different, it's an exokernel or system that does OS functions in the apps.
This makes it run faster and more stable.
The unique parts are agent applications, evolving code, samizdat censor resistance, demonic management and weapons grade cryptography.
OpenBSD is more secure (no security flaws in default install since 1997) due to better testing.
Add this to the first reply: KaosBSD.
The secure Unix with the best GUI, kernel & programs yet.
- Kaos games and encryption systems developer
server Apache which isn't part of windows like Internet Exploder.
You can use mozilla on OpenBSD.
- Kaos games and encryption systems developer
For immediate release:
Due to the current flurry of negative (and obviously biased) reports about XP's security of late, Microsoft PR 3.0 has created the following new security certification: BS1.
Achieving this rating marks a milestone in the development of the Windows eXPerience. The most recent press release lambasting the "evil, commie, terrorist bastards" who dare to release exploit code challenging the "Security is Job 3.0" corporate mantra in Microsoft has successfully pushed XP into the BS1 certification category.
BS1 is marked by the following:
* 3+ Metric tons of press releases denying any and all problems.
* 1GB+ downloadable "patches" and "enhancements" required for all new installations.
* 100,000th "grass roots" letter of support delivered to Congress
We would like to thank all of the people in Marketing and the good folks over at W&E for helping us reach this milestone in the Windows eXPerience.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
So, What's GNU?
Wrong day guys. This is NOT April 1st... Look at the date before you post the stories please?
Marnex Products
You may have heard about my porno password system I'm making as a part of KAOS the OpenBSD based system.
If you really have that much porn, I think you deserve to get a copy of KAOS when it's done so you can test the Porno password.
How does it work?
At the login password, type "dutch miracle" the login will change to porno password. Then pick the pix you want in order to login.
Another part is planned, the porno error.
All errors will then popup as porn pix.
(Imagine the "please insert disk" error pic...)
And of course, the porno desktop.
For the purposes of research I have about 6gig of porn (cable modem helps) and a CD burner.
BTW, iPhoto is good for archiving as webpages. You can make index pages for each pornstar and then just run from a CD.
- Kaos games and encryption systems developer
"Microsoft" and "security" in the same sentence! Comedic genius!
Netscape / Mozilla, Quicktime & Apache.
All 3 are the dominant power in their areas.
All 3 are on mac, OS X, windows, linux & BSD.
- Kaos games and encryption systems developer
Given Microsoft Corp. track of press announcements, vaporware and talks about "... the next version will fulfill this need.." I foresee this as YAMK (Yet Another Marketing Campaign).
Come on. You do not need to be an expert in marketing tactics. But for a company that is expending $1 billion (that is, $1,000 million in Europe) just in advertising for the XP family... It just makes sense that, after having everybody talking about how much security is needed, Microsoft promises that it will deliver just that. Next version, of course.
Microsoft has been making promises like this since it was created. It has hardly delivered... on time. The record is out there. Our money, in their bank accounts. And they still are saying that the next product will have this or that feature that we need right now.
Come on! We can be naive! But not after 20 years of not delivering!
OTOH, Microsoft Marketing Department would do great promoting the virtues of democracy around the world. In 20 years, everyone and their mothers would be trying to be a democracy.
Ah! The power of Marketing!
The next version of windows will have the most secure blue screen of death of any single version.
You could just admit that you've never used CorelDraw.
This reminds me of what the military (specifically in my case, the Navy) does after some horrible accident or plane crash. They call a "safety stand-down" for a day.
Everyone in the fleet (including us civilians) would stop work for a day, discuss what happened, and listen to boring lectures and filmstrips on how not to spill fuel and hydraulic fluid, and how not to get sucked into the engine's intake, and how not to crack your melon against the wing's trailing edge flaps (which really hurts).
You know, all the stuff you're supposed to know before you walk out to the flight deck.
Like the way the code is supposed to work before it becomes Release Candidate 1.
This is why I don't work with airplanes anymore.
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
Interesting post on debianhelp.org, accusing some in the GNU community of acting like Microsoft with regard to community issues
evanchik.net
my father does. when i explained what cookies were, he didn't have a clue that such a thing existed. once i explained how they worked, he asked me how to turn them off.
my dad is what i would consider a normal end user. he just got his first computer in december.
-- john
If their next os release doesn't come as an OS!!! With nothing more than solitaire and minesweeper, this article is b.s.
"...Bill Gates announced to employees Wednesday a major strategy shift across all its products to emphasize security and privacy over new capabilities."
Security and privacy *ARE* new capabilities to Microsoft products.
geek n performer who performs morbid or disgusting acts, as biting off the head of a live chicken
FWIW, laughter is good for you.
My uncle is a doctor in Australia, I could call him...
- Kaos games and encryption systems developer
It looks like it's NOT installed if you select "default" install. However, if you select a custom install, it's checked by default. At least, that's how it was for me.
...a Linux workstation with every daemon in the world running?
Perhaps OpenBSD would suit your needs better?
Healthcare article at Kuro5hin
This is such crap. It seems like there are two ways to get news from Microsoft: 1) A "leaked" employee memo with loads of incriminating stuff 2) An "e-mail from Bill Gates to employees" that is picked up by the AP. This is CYA at its best. Lipservice to the fact that they've fucked up royally on almost all fronts.
and what Microsoft does are two very separate entities. Any announcement from MS should be questioned as subversive drivel. The security they're concerned about is in securing market share and driving away any competition. Bill Gates' favorite cartoon is Pinky and the Brain.
PegQuin--I've got a sneakin' suspicion
Where are the userids and file system permissions for files on a FAT partition?
How do I get a directory listing with owner and file permissions for files on an NTFS partition?
Right-Click, Properties, Security tab, Permissions. File-by-file. Thousands of files. No cigar.
rumors have it that Ron Jeremy will have liposuction and get his member enlarged with the fat from his belly.
Ron Jeremy has stated that he wouldn't mind having to hide it in his sock if it reached.
This would be better than covering it in his sock to make it look large.
- Kaos games and encryption systems developer
Windows: Focused on security since 2002. Really, we're serious this time. Stop laughing.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Security is one of those things that is required to come at the planning stage of any product -- not as an afterthought during the coding and test stages.
MS needs profits to buy new companies so they don't have to pay dividends. They need big profits so that the stockholders will be happy with the 'value' of MS as a whole.
Yet, the software side of their business is a stagnant market -- huge and captive but not growing as it used to. Because of that they need to retain customers and get them to upgrade on a regular basis (subscriptions everyone?).
Then, we're back to the schedule and the features and security getting short shrift.
Does anyone expect it to be any other way?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
What would MS have been like if a Gatesian personality had not been at the helm? Possibly not the MS we've come to love. Added attention to security now is obviously not any kind of move in the "right" direction, but instead just a CYA maneuver now that Bill's finally awakened to the fact that their security concerns could be enough to bring the whole house down unless they pay some attention to them. But he cannily waited until the problem was bad enough to be worrisome - had he been more community-minded he would have attacked this more seriously a long, long time ago.
Kind of makes you wonder what will happen to MS once Gates has removed himself entirely. Will they begin to play more nicely with others? (Insert Ballmer monkey comment here.)
Was that out loud?
I don't use MS products specifically because of security concerns - and I think it's more like "better late than never."
Any commitment focus on security is always a good thing..
Of course, I'm still skeptical - considering MS's track record, the best attitude is "wait and see"..
I find AOL/TW less scary than MS, at least on a personal level.
At least Microsoft didn't spend millions lobbying both political parties to pass the Bono Act and DMCA like AOL(tw) did back when it was just Time Warner.
If I want to avoid their media conglomeration entirely, I can. And if I do, it doesn't affect me.
It does in the United States, where you can go to jail merely for watching a DVD.
Microsoft, on the other hand, by trying to extend its monopolies
Except AOL(tw) doesn't try; it succeeds in extending its monopolies.
Updated!
Will I retire or break 10K?
I think it is also important to note that a GUID is NOT a security hole. That would be like saying having a MAC address on your network card is a security hole. It may be a privacy hole, but it does not affect the security of your system.
The real problem is not whether machines think but whether men do. - B.F. Skinner
They moved the link on us. It's now here.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Microsoft decides to focus more on security, which is the main complaint you /. folks have, yet you still find ways to bitch about it. How sad.
Armand28
"-LINUX was a good OS, before it became a religion."
That part is really central to the problem.
Microsoft has been the dominant player for so long now (what, about 15 years?) that it has become complacent and arrogant. They can say, with all credibility,
even if it grates on the ears of their competitors and users. There are definitely some brilliant people working in Redmond, but if they are managed by the same people that bred this culture of arrogance, then only rare glimpses of that brilliant work will be revealed to the world. Most of that good work will be muffled and warped beyond recognition under various business practices such as supporting Windows, leveraging Office, promoting .NET or whatever the fad (cf, Trustworthy Computing) of the day happens to be.
The sooner that megalithic company is split into smaller pieces the sooner it will have a chance to bring genuinely good products to the marketplace.
"Provided by the management for your protection."
Or does this sound far too much like the old story about the Fox guarding the Hen-house?
And I can just bet that with their stellar record of security practices that they will succeed in this move.
Thanks, but I think I'll put my money in my sock and go live in a cave. Because the world is about to have a major security problem.
Goran
Carpe Scrotum - The only way to deal with your competition.
And speaking of people missing the patently obvious...
You can turn it off with two clicks.
--
Todd's Law: All things being equal, you lose!
So you are telling us that RedHat has no corporate pride and no marketing image to worry about?
Right.
It is installed by default on NT Server.
I still get pinged by dozens of local machines that are rooted through that one.
Will you remember that the next time somebody installs a Linux workstation with every daemon in the world running?
Remember it - I've had to live it. On two separate occasions I had to reinstall RH on machines with BIND. These were not nameservers. Since then I do regular audits of machines on which I might be asked to work.
"netstat -al | grep LISTEN" and nmap -sT
Secure by default should be the motto for default server installations. Redhat has learned from its mistakes. So have all other linux vendors. Debian and the BSDs never had such problems to begin with.
But there are still several million Windows machines displaying the default IIS home page.
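The listener audit the comment above describes, as an added example that is not part of the original post: it parses netstat output and reports TCP listeners that are reachable from the network but not on an expected-ports list, such as BIND on a machine that is not a nameserver. The sample output is constructed, the allowlist is an assumed policy, and the `-n` flag is assumed so that ports print as numbers.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Set

# Constructed sample of `netstat -aln` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
tcp6       0      0 :::111                  :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/example.sock
"""


class Listener(NamedTuple):
    proto: str
    host: str
    port: int

    @property
    def exposed(self) -> bool:
        """True unless the socket is bound to a loopback address only."""
        if self.host == "*":  # some netstat versions print the wildcard as '*'
            return True
        addr = ipaddress.ip_address(self.host.split("%")[0])  # drop IPv6 zone id
        return not addr.is_loopback


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return the TCP sockets in LISTEN state, ignoring UNIX-domain sockets."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # tcp/tcp6 rows: proto, recv-q, send-q, local, foreign, state
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # Split on the last colon so IPv6 forms like ':::111' and '::1:631' work.
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            # A service name (e.g. 'domain') means -n was not used; refuse to
            # guess rather than silently drop a listener from the audit.
            raise ValueError(f"non-numeric port in {fields[3]!r}; run netstat with -n")
        found.append(Listener(fields[0], host, int(port)))
    return found


def unexpected_listeners(listeners: Iterable[Listener],
                         allowed_ports: Set[int]) -> List[Listener]:
    """Listeners reachable from the network whose port is not on the allowlist."""
    return sorted(
        (l for l in listeners if l.exposed and l.port not in allowed_ports),
        key=lambda l: (l.port, l.proto),
    )


if __name__ == "__main__":
    # Assumed policy for this host: a workstation that should only offer SSH.
    for l in unexpected_listeners(parse_listeners(SAMPLE_NETSTAT), {22}):
        print(f"unexpected listener: {l.proto} {l.host}:{l.port}")
```

Loopback-only sockets (the mail and printing daemons in the sample) are not reported, since they are not reachable from other machines.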
Look at Arthur Andersen... to recover their lost reputation...after screwing many thousands out of many millions of dollars...they fired a partner and told us things were going to change around there. The effect of untrustworthy audits and accounting practices cracks the foundation of investing in securities. In my mind, Bill Gates is the same kind of person. Make as much as you can, even if in doing so you produce software that puts the internet infrastructure, personal privacy, corporate security...all at risk...simply because you could get away with it. Now that you're caught up in this, we are supposed to say fine...fix your shit and don't do it again?
I want to be alone with the sandwich
Somewhere, a rim shot could be heard.
Well, the phrase "Better late than never" comes to mind. Of course, they've already got the obscurity part written and debugged.
Maybe M$ should try focusing on stability first... it's much easier to have a secure OS when it doesn't crash on a new mouse driver install....
I didn't.
Microsoft controls the platform. So they can make/break any package that exists on that platform, by changing the platform. I knew Netscape was dead the minute Microsoft announced IE.
Now, what I laughed at was then they said WinNT was unhackable. Now that was funny. I laughed my ass off when l0pht broke NT.
I may be pagan, but there are some altars at which I will not kneel. Far more likely to torch'em.
Whuhu, i got me some matches!!!
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
So now Microsoft announces that security is now a priority for them. That basically tells me that MS didn't give a squat about security during the development of their past products.
With the release of every OS they make, they always create a big hoopla about how this is the "most secure and stable" yet.
I take this announcement the same way I take everything else that comes from Microsoft, as marketing and hype. Because, in my experiences, that is all Microsoft is really good at.
Also, knowledge of this feature is useful to administrators of systems where there is policy that the privacy of the users is to be protected.
For example, it is illegal for any federal website to collect personally identifiable information about any of their website's users without their explicit permission. While there is an exemption for the temporary collection of browser info and IP found in server logs, since these in and of themselves are not very reliable at identifying individuals (and there are regulations in place to prevent their use without judicial guidance), the level of individual identification allowed by this feature/bug likely would not be allowed.
Without these privacy violations being widely announced, it's likely that federal website administrators could unknowingly violate the privacy regulation.
Work for Change & GET PAID!
I know this will probably be redundant......but what a fucking joke! Nothing but PR......Micro$hit is, and will always be $hit!.....their products have been $hit from the get go! Now that the FBI, and the media is questioning the security of their products....Gates all of the sudden starts talking about security being the main focus........what a freaking joke!
"Look where we worship" -- Jim Morrison
"This is like bolting the barn door after the horses have eaten your children."
- "Saturday the 14th"
watching boxes powered by You Know Who drop like flies.
Voldemort does software too? Man, you'd think he'd have his hands full with that Potter kid...
In other news, Microsoft announced it was leaving the software business and refunding all of the money it cheated people out of over the years. Bill Gates was shown on TV apologizing to the world for his actions and promises to never do it again.
Brielle
Meanwhile, Richard Smith notes that the Globally Unique Identifier in every installation of Windows Media Player allows websites to universally track users, and Microsoft does not consider it a security problem.
Of course not - it's a privacy problem. (rimshot!)
Dammit, people. that is not a rimshot. A rim shot is hitting the rim of a drum (typically the snare) instead of the head. What you're looking for involves a cymbal and has no name. Figure out what the hell you're talking about before you post your ignorance to the world. Geez!
But it doesn't have to be done manually! A simple Google search turned up lots of tools that eat raw C and C++ code and detect potential buffer overflows. Use of tools like these ought to be a mandatory quality control step for any organization that really cares about secure and reliable applications.
And of course, all of this completely ignores the possibility of using other languages where buffer overflows and stack smashes are implementation problems rather than application programmer errors.
In my opinion, shipping code written in unsafe languages without at least an automatic static check for potential security problems should make the shipper liable for damages.
To a Lisp hacker, XML is S-expressions in drag.
Normal Microsoft cheerleader underreacting again. Don't wander too far from your flock, little sheep. Baah. Baah.
You can laugh all you want, but soon M$ products are going to have fewer security problems. When these guys set their mind on something they usually get it.
BTW: Are plain old bugs considered "security problems"?
They've dominated the market for years, mainly because they were there first, but also because of usability/convenience factors. People put such things above security (and most likely privacy). They want something that works easily with little effort or configuration that does what they need it to. Windows has always been that.
On the other hand, no real OS of the time could really equal that level of user-friendliness and simple interface that Windows offered. As times are changing (and many people are figuring this out), a vast shift in many UNIXes has been towards developing a friendlier interface (Windows' strong point). It only makes sense that Microsoft should shift its goals towards security and stability (UNIXes' strong points). Basically, if Microsoft gets there first (stability, security, AND an easy UI) before any of the UNIXes gets more firmly cemented in the market, it will become _drastically_ harder to get people to switch over.
Magius_AR
Doesn't this fall under one of those holidays...Oh wait, that's april fool's! He! He! He! ha! ha! ha! ha!
Bill Gates is Microsoft's Chief Software Architect. Security is an Architecture issue. So why is he aiming his comments at developers?
I know that Bill doesn't draw up architecture documents for all (any?) of MS products but he should have, at least, been passing on the importance of security to his under-Architects.
Sure there are things that programmers can do to make a product secure or not secure but I think it's largely an Architecture and Requirements issue.
I'm sure the phrase, "how much security can we afford?" has been uttered around MS halls on more than one occasion.
The bright light at the end of this tunnel is that when Microsoft changes its vision, big things happen. For instance, Microsoft went from dismissing the Internet to embracing it (to monopolizing it?) in a very short period of time.
Isn't it a little early for April Fools? This is like stinking up a bathroom and spraying air freshener with the hopes that it will destroy the smell, when in reality it only smells worse.
I think that this message may be a way of sneaking the Secure Execution Mode that MS is working on into the public awareness, and that is in fact one of MS' highest priorities. The capitalized phrase "Trustworthy Computing" is what tipped me off, because it is very much what they want, if you use a different context for "trustworthy" than what they want you to assume.
The key thing to note about "Trustworthy Computing" is that it has nothing to do with you trusting them. It has to do with them not trusting you. Basically it's about preventing anyone without a logic analyzer from being able to tell what is in memory, as a way of enabling DRM that you can't (as easily) laugh at.
So you're right. You have absolutely no reason to be reassured.
The enemies of Democracy are
None of the revelations about XP surprise me. I've known them for a year or more. So has every reasonably intelligent person who has paid attention.
The problem is that an awful lot of people played "what if." They saw the promises that said that XP would be great and secure. They wanted it to be so, and as a result they believed the promises. Since the promises worked and ensured sales, they didn't actually need to do it.
Microsoft seems obviously in love with their own PR. The problem is when people go along with the gag, which they've been doing for far too long. Now you want to play some more. As long as you play, get used to bending over.
I also have a hard time understanding the idea of "middle ground." What, like Microsoft gets to abuse its monopoly on Mondays, Wednesdays, and Fridays? Being a monopoly is legal. Abusing monopoly power is. The government wants them to stop but won't do anything to make them stop. So, what exactly do you want?
I'm also getting more than a little tired of this Linux As Religion stuff. Sure, there are zealots, but this is mostly a Beavis-and-Butthead-style dismissal. Most geeks like cool stuff. I've been a computer geek for about 30 years, and Microsoft used to be cool. Nobody cared that they monopolized the microcomputer languages field, because Microsoft BASIC was good. RTF and SYLK were good. The first version of Excel was good. Even MS-DOS, for all its primitiveness, basically worked. It isn't some sort of religious conversion that makes me dislike what Microsoft has been doing over the past decade; it's the fact that they've been doing bad.
I just read that as "Microsoft to F*ck us on Security." No, I'm not using a hallucinogen.
-Shaunak.
This just strikes me as a result of his last board meeting.
Not much on the new features list from the idea departments and therefore, "security could be a reason to force new upgrade revenue line for our software. That would give our idea guys some time to think on the next new feature."
"But we're all out of nifty ideas for new features! What can we possibly do for our OS that will make it appear that we still need to keep cranking out a new OS every year, and that will make the customers keep buying them?"
Denver Isuzu Suzuki
So... expect the next update to watch your every move... to report everything back to MS... so they can nail you on trumped up charges.
Expect the next release to covertly install software you didn't pay for... so their software alliance can send the federal marshals to fine you hundreds of thousands of dollars.
THAT is how they will increase security - and their bottom line.
Face it folks... MS couldn't code their way out of an elevator without it crashing. What makes us think they can start now!
MS is nothing but a marketing mafia... they do NOT know how to write quality code... and Gates saying they will start... is a bunch of hogwash.
I still pray daily for Mt. Rainier to erupt and take out ALL of microsoft... their *coders* (hahahahahahahah) and Gates and his house.
Throw out your PC's... your MS software... after all, there is nothing on it you need anyway.
Alas I suspect that even then 'this crowd' would simply move on to complaining about how terrible the MS coding is, how the NSA backdoors have clearly been removed and how it should have been released under the BSD license.
how about trustworthy business?
Microsoft who? Never heard of them.
Linux=OpenSource=Freedom
Bill Gates: a true visionary - imagine! secure computing! what a wonderful new idea!! I wonder when he'll invent open source?
I'm finishing up Lawrence Lessig's latest book "The Future of Ideas", and one of his main points both in this book and in "Code and Other Laws of Cyberspace" is that the open, accessible by all with all being equal nature of the TCP/IP protocol is the central point around which the internet has grown, allowing anyone who wishes to use the internet however they wish.
In this latest book he does a good if sometimes abstruse job of showing how not only computer companies but all kinds of businesses are trying to prioritize/demarcate/segment/control the net and prevent any more innovative uses ala P2P to occur because it threatens the old way of doing business. It's a good related read if anyone's interested.
In other news, even if this is true, there's no reason us geeks can't continue to use our own TCP/IP & not use any new proprietary protocol. Who knows? Might be nice to have the spamming, virus-spreading masses that don't know anything about their computers all off on a different protocol & all. Remember too that AOL/Prodigy/Compuserve never volunteered to provide access to the 'net. They were forced to by customer demand for the content TCP/IP made it possible to provide.
The only tool you've got against psychosis is experience.
Apparently the billg security memo was only meant to go out to 3 people but he had Sircam.
Is it April 1 already?
JET Program: see Japan, meet intere
So does anyone know of a website which has posted the complete text of his email?
[some filter defeating comments]
ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha
Laws affecting technology will always be bad until enough techies become lawyers.
I say this as a long time Microsoft detractor and Mac fan.
This is a very significant change. I think it is as significant as when Gates decided that the company should focus on the internet. Since then, Microsoft has made efforts to improve their internet technology, integrate it into the OS, and evangelize it. I'm not saying their technology is always great, but their efforts have moved them to the point where they are a very significant player in areas where they weren't such as web servers (IIS sucks, but is a pretty widely used web server), browsers, web development, etc.
I think Gates correctly recognized security as being a weakness that the competition can exploit. Their main competitors that can attack them on security being Linux, Sun, and IBM (I'm referring to both MVS and IBM's new Linux initiatives) in the OS space and Oracle and IBM in database space. There are others.
Gates is definitely a smart businessman and I think he's making a good call for Microsoft here. It's really about protecting their OS business and recognizing that Passport can't succeed without a perception that it is at least reasonably secure. The security holes they have had in the past have been very bad publicity for MS.
Will this initiative succeed?
I think Microsoft has demonstrated in the past that when they put their collective attention on a problem (such as internet integration), they can make significant progress in a relatively short time. However, security is harder and runs more counter to their corporate culture of keeping their costs very low and getting product out the door regularly and quickly. (Again, these terms "regularly" and "quickly" are relative to the rest of the industry.)
In order to do what Gates wants, they are going to have to evolve to be more like IBM. I've worked at both Microsoft and IBM doing dev work on actual products. The differences between the two in terms of their overall development processes are very different. IBM's processes are more focused on producing quality products than are Microsoft's. My experience is that IBM is willing to spend more money and time on really getting a product "right" than Microsoft. Microsoft has a much greater degree of urgency about getting things done. For small software companies, urgency about getting things done is very important, but I think Gates knows that Microsoft has enough of an established business (understatement) to slow down a bit and concentrate more on quality.
The good thing about the current culture is that they can respond to new innovative products somewhat quickly. Once they start caring more about security and quality, it will be harder for them to use their OS to squash competitors. If they can't integrate new technology into the OS at the drop of a hat, then the best they can do is have a product dev group create a competing application to whatever the new hot thing is and compete head to head. I think it will be easier for the third parties to win under this scenario. What MS gets in return is a greater ability to compete effectively against competitors who have eluded them in the past such as Intuit, Oracle, and Linux.
Avoid Missing Ball for High Score
Hugh Daniel went up there some time last year, to do some interoperability testing between NT's IPSEC, and FreeS/WAN. He asked them, what crypto they'd implemented and could test. They told him that they'd only done 40-bit DES.
He just left.
Personally, I'm not holding my breath for MS to ever implement a securable system. They'll do things that let them check off the boxes in their product literature, but as for those features being truly robust, I wouldn't count on it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
(This isn't meant as a funny or trollish comment, but I can't seem to put exactly what I want into words I know won't be taken for "M$ wants to stamp out alternatives". *sigh*)
~REZ~ #43301. Who'd fake being me anyway?
Let's put bars on the windows of our glass house!
i have my doubts, but if they can get their act together maybe i'll have a change of heart, but this assumes that they finally start writing better code and do it for a few years to prove to us that this isn't a one time thing
I believe sex is highly over rated... unless it involves me
Anyone sent off to training comes back knowing some new buzz words and maybe even understanding a couple new concepts. No one comes back cleansed of old habits. I'm reminded of the limerick that you can train a dog but you can't make it think.
I think the problem you're facing is systemic, Mr. Bill. Detecting and eradicating security defects in your products is impossible. If it could be done, at best the effort such a feat would most likely cost many times that of developing and testing the products in the first place. Automated tools will help pick off the low hanging fruit, but won't get at the really nasty pathological connections. You seem to have made your choices early on Mr. Bill. There's no practical way to rectify them, except starting from scratch.
Even starting from scratch won't fix the problem, Mr. Bill. The real culprit seems to be the corporate culture you've created. Getting a culture's head straight is very difficult, if not impossible.
Unfortunately Mr. Bill, the fundamental problem you're facing isn't an engineering one, but a human one. You may be powerless in solving it.
Now, you can argue users need to be more savvy, or you can accept that Microsoft KNOWS end user behavior and uses it to their advantage.
Indeed - you never hear Bill Gates saying that computer users need to develop more tech know-how. The MS line is that the computer should take care of all this stuff for the users. Defaults are everything and Bill would just as soon people didn't know there was anything but defaults available.
To quote from the 80's Wendy's commercial:
"Where's the beef?!"
Gee Willekers, Bill Gates is using his bully-pulpit with the press to announce that Microsoft is going to do something that all of their customers have been _wanting_ them to do for aeons. This is about as pressworthy as Larry Ellison advocating a gigantic national database -- running Oracle software.
This "leaked" email is rather silly. The press should have more restraint in printing patently self-serving "inside scoops" like this. Microsoft is insanely rich -- make them pay for their marketing.
Shane
Uh, dude? You do realize that the same people who bitch about Microsoft's stupid defaults bitched loudly and frequently at Red Hat for their stupid defaults, right? And you do realize that Red Hat now ships their distro with significantly less stupid defaults, which is why they don't get bitched at as much anymore, right? And you do realize that Microsoft's defaults are only marginally less stupid than they were, which is why they currently get bitched at, right?
Apparently not.
There is no sin except stupidity -- Oscar Wilde
Unlikely. Now there's an understatement.
An unsafe scripting interpreter is more powerful and easier to use than a safe scripting interpreter. To be safe, it is probably easiest to run the interpreter in a sandbox where one does not need to trust the interpreter, let alone the script.
(if it is even possible to write useful scripts in such a limited environment)
Possible? Yes. Necessary? Yes. Easy? No.
Gives an idea why Sun gets all uptight about people screwing around with Java. They aren't about to let anybody turn their baby into some sort of Viral Basic.
I see what you're getting at, but that doesn't apply. Try this one:
:) There's a difference between doing something that is fairly benign in a flagrant way and doing something benign that no one knows about. When you're flagrant about anything, people tend to respond in an equally flagrant (and occasionally irrational) manner.
Hide in a 3rd floor window near the parking lot with binoculars, and write down license plate numbers of everybody who enters. Now who gives a damn? Are you going to start bringing binoculars when you drive so you can make a quick security check of the parking lots you stop in?
Hey, MS didn't HAVE to provide a checkbox for you to turn it off...
lol !!!!!! lmao !!!!!!! rofl !!!!!!!!!!
That's gotta be a joke.
:)
If so, it's damn funny.
If not, it's damn scary.
It's been a long time.
He said servers on Windows and he was right.
How is Apache HTTP Server not a "server on Windows"? Since around 1.3.12, Apache has worked fine on Win32 systems, even Win9x systems. Many people I know use it on their workstations for file-sharing and personal web pages. Of course, you shouldn't be running a Microsoft OS on a production server, but sometimes IE and Mozilla react slightly differently when retrieving pages from http://localhost than from file:///C/web (for example, you can use SSI and PHP), and in any case, you often don't want to be FTP'ing your files around all the time between the development box and the test server, or you can't afford a dedicated test server for the content creators.
Will I retire or break 10K?
It's not coincidence that Bill's email was sent out on Tuesday. The release to manufacturing (RTM) of the .NET Framework and Visual Studio .NET came out at the same time.
Bill's quote: "No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this."
Bill knows better than to make rash promises he can't keep. This email is evidence of how deeply he believes that the .NET framework and Common Language Runtime (CLR) are able to deliver on his "new priority" and save Microsoft's reputation. These are not your average Microsoft products; they are potentially a new lease on life for Microsoft. It will take a while for these products to change the anti-Microsoft momentum that public opinion has gathered, but they will. Either that or Microsoft is going under. They've bet the company on this, and there's no going back.
why dont you get webwasher and block the flash domain....works great for x10, and all those annoying popups.
Beer, now there's a temporary solution -- Homer Jay S.
That being said, if i was installing linux for a newbie, i sure as hell wouldnt use Slack, I'd use Mandrake. You have to pick the right OS for the users...I also use win2k, but my parents run winme. There's a reason different product lines are there.
Now, that being said, its the same issue as "Guns dont kill people, people kill people"
you cant blame the gun manufacturer for the dumbass user who blows away his coworkers.
My point is that people should take responsibility for their own actions. Someone getting paid to sysadmin'ing should know to secure a box AFTER installation. But on the flip side, M$ has no business releasing an end-user aimed product that has more holes in it than a sponge.
Beer, now there's a temporary solution -- Homer Jay S.
Yeah! It's obvious that the normal guy on the street doesn't give a rat's ass about his privacy, or he wouldn't be on the street!
The ssh problem was solved years ago, by the OpenSSH team...
Because I haven't seen any proof yet...
I went ahead and wrote a program for the people who want to get rid of the unique identifier in WMP. You can grab it here. Of course, it does change the identifier to a message for microsoft... can you figure it out? =)
And when you discover someone in a 3rd floor window snooping with binoculars and writing down license plate numbers, ....
What is benign about writing down people's license plate numbers?
OK, MS provided a check-box somewhere for this. What guarantee is there that MS provides a check-box somewhere for everything affecting my privacy? Do I have any way of knowing if I have found all of them?
blah blah blah Trustworthy Computing, blah blah, Trustworthy Computing, blah blah blah blah, Trustworthy Computing...
"Chiswick! Fresh horses!"
So when will I be able to visit any of the Microsoft websites with IE browser security set to High?
See this for more info on the connection between Colusa Software and Microsoft. They mention a virtual machine based on Colusa's technology called CVM. This is now Microsoft's Common Language Runtime (CLR), recently standardized by the ECMA, and inspiration for the open source Mono project.
They also mention Colusa technology involved in the COOL programming language. This is now Microsoft's C# programming language.
More info on the .NET Framework security features can be found here. Especially interesting to note is how the CLR's "managed code" concept affects security. "Common vulnerabilities--such as buffer overruns, the reading of arbitrary memory or memory that has not been initialized, and arbitrary transfer of control--are no longer possible." Sounds a lot like Colusa Software's philosophies in action!
Microsoft executives said the memorandum resembled previous broadsides that have been fired off by Mr. Gates, the company's co-founder and chairman, when he thought that the company's strategic direction needed radical changes.
In 1995, for example, Mr. Gates sent a companywide e-mail message exhorting employees to turn the direction of the Microsoft "battleship" and focus all the company's efforts on the threat of the Internet to Microsoft's business.
They viewed the free communications media that was growing as a threat. This is why they did not rush to embrace it, but fought to destroy or dominate it. Sure, billg made a vanity web page and company policy was to tell everyone that was all it was good for. I remember it from being there. They rolled netbios out on the majority of their victims and tried to hold off TCP/IP for freaking ever, or at least till winsock was ported from BSD for free and they could steal and sell it. Since then they have done everything in their power to cram their stupid proprietary formats over it by buying out companies and perverting them to spam sites. Like Bolsheviks, they seek to disrupt the medium until they can control it. They are evil, and we have yet to see if the internet will win this one but freedom has a way of ignoring snake oil until there is nothing left but a fringe market for fools.
Security on M$ platforms is impossible. There are no real user ID's, nor file permissions built into the kernel or the file system. The PNP hole on port 5000 is a great example of this. Why did it take so long to find it? Where were the commercial firewall companies that so many trolls like to tout here? You would think that they would have spotted it and closed it if such things were possible on an OS that does not really keep track of all the processes that are running.
As I lost two karma points for in an earlier post, the only way M$ is going to be able to provide any kind of security is to follow the Apple example and dump Windows. I imagine they will roll a BSD and make some kind of WINE like compatibility mode. It's not going to work. They are far too behind, after all Apple bought up Next and it still took them years. They canned all their good VAX people and gutted the majority of their work as they shifted focus from their failed Unix killer, NT. I don't think so much as their mediocre korn shell made it to win 2000. The ridiculous proposition of a month long "focus" on security by all of their employees shows that they have an impossible task on their hands. Their sins are all looking them in the face and laughing. Had they spent as much time working with other platforms as they did breaking interfaces, swapping print methods and ruining other companies in general, they would be in a much better position today.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
The point is, do you lose sleep over the fact that someone can easily take note of your license plate number without your knowledge? Without you having any control over whether they can or not? Or over the existence of the many other ways you personally, and your belongings, can be IDed, without you knowing about it? I really doubt it. There are so many things we DON'T have control over related to privacy, so we choose to bitch about the things that we do. It's a flawed argument that something you can control (if you care) is a privacy issue at all, when 99% of the things that are (more severe) privacy issues can't be controlled.
Does this mean that Microsoft is going to steal Linux? Sure, it's their arch-enemy, but hey! Oh! Now it all makes sense! No wonder they're suing Lindows! Duh! They want the name for themselves!
...They are good...
[insert witty comment here]
Um, think about it for a minute. If they want to stay in business, they have to "reinvent" their OS every couple of years anyway. If they don't, what will they have to sell? Have they come up with anything truly new in the past 3 years? (And, no, I'm not counting .NET. They bought most of that when they bought other companies.) Maybe they'll actually build in security the next time around.
We can dream, right?
Oh, the trials and tribulations of a network geek! Read about them at: http://www.ryumaou.com/hoffman/netgeek/
You mean like the CIA onion's project or the AT&T Crowds proxy?
At every bootup Windows will contact Microsoft for security activation based on User, Password, HardwareID, and comprehensive SystemLog of all activity.
Any unauthorized access will result in immediate shutdown. Reactivation will require voice confirmation and explanation of unauthorized activity. 1-900-ILO-VEMS. To enhance your security and combat privacy, fines will be conveniently billed to your phone.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Microsoft HAS to lock down security BIGTIME.
Microsoft just got a patent on Digital Rights Management Operating Systems.
If you read the patent you'll see they plan to keep the user locked down with an iron fist.
If you secure an operating system from attacks by authorized users, what chance does an unauthorized attacker have?
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Yeah, "{00000000-0000-0000-0000-000000000000}" sounds good...
True that M$ is nowhere near as secure as *nix; however, as you bash away and curse M$, remember one thing -- if it wasn't for M$, its bugs, flaws and SIZE, you probably would never have been able to afford the computer you are using to post your bashings. If NOTHING else, at least Bill G. has pushed the market forward and the Windows monopoly has in turn pushed the hardware developers. It is irrelevant which operating system is the most widely used because there will always be the groups of people who don't want to conform and as such feel the need to promote whatever product they use as superior. Well often those people perceive "Alternative" to be synonymous with "Superior" -- that doesn't mean it's true. If MAC's ruled the world, you can bet your ass that OSX would be nothing like what it is today - it would not have the slightest traces of *nix and would be the endless target of rants, bashes and various posts by people who just wanted to be "non-conformists". Funny thing about non-conformists though; most of them conform more than they admit. I'd be willing to bet that the majority of the vitriolic posts concerning this article were derived by someone sitting at their PC - and if they had just finished playing a game (OTHER THAN freakin another freakin quake engine clone) they may still be logged into that hated Windows OS! Yes, bitching all the way, but still, somewhere secreted away is their installation of Windows. So stop ranting about the advantages of Linux and just be happy that perhaps something is now going to be done about the security issues at hand and have a little damn respect for the developers that (misguided or not) have put an OS onto more machines than you can possibly imagine! Monopoly - sure, but at some point those monopolies serve/ed a purpose... if it wasn't for the AT&T monopoly years ago you'd still be turning a damn crank to talk to Martha the switchboard operator to call Andy and Barney down at the sheriff's department...
So in closing - who gives a rats ass what OS you run, ANY attention to security is good for EVERYONE!
...n8
I have discovered the perfect solution for M$ security problems. It's called the power button, turn off your windows boxes before you hurt someone please.
I have personally sent out emails saying I would end world hunger, put the earth at peace, make the israelis and palestinians stop fighting, wake up earlier in the morning, start working out, eat better, but to date not a one of them has done anything other than sit in an inbox, get deleted or just plain ignored. Its MS ya know, whats good for them is never good for us.
And provide money amounting to that cap to all candidates.
Offer free political advertising.
Part of campaign finance reform is controlling the campaign expenditures, not just controlling donations.
Ummm, At the risk of feeding even more trolls, use LyX. Who needs WYSIWYG if you can get WYSIWYM! (What You See Is What You Mean).
LyX works less like word and more like what I'm used to from truly professional DTP software. It uses style definitions throughout for starters. And it can export to LaTeX. What more could you want?
Is a UNIX-like OS!
Everything he describes is Unix or Linux.
-No Registry
-Run server applications as users
-Configurable installation
-Separation of Protocols etc../
I find it ironic that Bill Gates is being lectured on how to design a 30+ year old operating system.
It's not only the defaults, but the Microsoft "Trojans" during installations. 99.9% of all end users will use the "Recommended" install choice when installing Bill's programs and his OS's. i.e. - when installing office 2000, you get the demonic Outlook duo, and internet 'tools'. Programs, that even if you don't use them, still provide holes.