Slashdot Mirror
Windows 98, Me, NT4, 2000 and XP SSL Flawed
JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the
SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions
that Konqueror was patched against the same bug in 90 minutes.
There's a difference? I thought they were the same thing...
Can we stop with the "Foo blah blah DMCA foo!" jokes already? The first 600 or so were funny (ok maybe not), but it's getting old. Especially when the subject matter has nothing to do with copy control circumvention or the ??AA businesses
I am so shocked to hear Microsoft didn't follow the standards when implementing SSL.
Neither did Konqueror. Blame where blame belongs, please. It's trendy to just blame everything on the Big Evil Empire, but let's not forget they aren't the only ones who have bugs.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
You know what? I bet the 'soft could do this too. I mean have a guy, or team of guys available 24/7 to patch bugs. And you know what else? They'd still get flack for it, as Microsoft don't release patches straight away - for better or for worse, they do actually test them first (usually), make sure they don't kill wierd and exotic installs etc. I know they've released dodgy patches, but my point is that Microsoft isn't an overnight operation.
And more to the point, how does this patch get to people? Via autoupdate of course. The patch may have been written in 40 minutes, but it's still not available on SuSE auto update (as far as I can tell) despite the fact that Waldo works for SuSE! We really need to stop patting ourselves on the back simply because we can see the progress of the patch and Microsofters can't, otherwise this bullheaded arrogance WILL bite us on the ass.
Here's a question - who do I sue if that bug in Konqueror causes me to lose money? Nobody!
Here's another question. Who do you sue if that bug in IE causes you to lose money? Nobody! Read the EULA!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology
Yes, indeed, it does make sense for the OS to provide such a service to any program that wants to use it, so long as that's a GOOD service.
In general, it makes sense to provide everything from outside the program, and just have the program call on outside services. However, that means you need to make the outside services good, and it means that those writing programs don't just string together a bunch of requests (i.e., draw this, check that calls) but also work on looking for fixes to the common outside service, which would be shared by many programs.
In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements. Otherwise, its just a big black hole for developers: should I trust this cryptographic routine, or shouldn't I? One never knows with proprietary routines. One can check, and improve such routines provided OSS / FS.
social sciences can never use experience to verify their statemen