Slashdot Mirror
Microsoft News Update
Microsoft news of the past few days: Media Player 9 is the subject of a few articles, including one on its integrated digital restrictions and one on changes in its privacy options. Microsoft is releasing certain API's, and is releasing a service pack for Windows XP, under the requirements of its antitrust settlement with the Federal Gov't. On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net, and there's been more publicity of the vulnerabilities in Microsoft IIS/SSL.
I mean come on... We've been nuking win95 machines since '96... It's time to find a new protocol!
I apparently forgot that sig != uptime...
I still think Microsoft's actions are shifty. Ok, let's release some code, but not a lot of it or enough to be completely useful. We'll bring a few *nix users over, a few Mac zealouts back, and more customers for us because they no longer think of us as the "bad guy" because we showed we can be open source. BS. It's a half-assed solution to a ass-backward situation. If they can't do it right, should they even be doing it at all?
On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net
Well, one good way to help the propagation along would be to post a link to it on slashdot so thousands of script kiddies can get ahold of it... oh wait..
Apparently, you can also crash a Windows box by pouring beer into the fan outlet of the power supply. Code to be posted soon.
Roving Web-Teleoperated Robot
According to this article anyone using cracked WPA activation or certain serial numbers will not be allowed to use windows update or install SP1. This will apparently not affect the OEM copies that have been floating around for month before the windows XP release date.
HMM... as if script kiddies don't have it easy enough, lets put a link to a 'crash' script on the front page of slashdot... Do the editors on slashdot ever think before they post links?
---
Programming is like sex... Make one mistake and support it the rest of your life.
By that logic, is this part of Microsoft's plan? Since Linux is seen as good by the general public for, amongst other reasons, giving away the source code, is Microsoft trying to make the (erroneous) impression that they're giving away source code as well?
All you have to do is winess the general confusion when a game maker releases some source code ("The RtCW Source Code has been released! This means the game is free!") to see that the general public still doesn't "get" this idea.
Schnapple
Five years, and they still can't spell assimilated?
One article says Media Player 9 will allow the user to select how much information is set to content providers. But the other goes into detail about the new DRM featurs of MP9. One of the biggest is a 3rd party clearing house for certificate athentication and authorization.
So you get a DRM enabled media file. When you play it, Media Player has to contact this server to find out if you are allowed to play it. They can track every time you play this file.
Maybe you'll have a feature that protects your privacy, but if you don't let the player contact the clearing house, you can't play the files.
Also, I'm sure everyone saw it coming. The reason Microsoft changed their EULA is because of this new DRM crack down. They want any program that can open a DRMed file to have to be authenticated, and they want to be able to disable any program that will attempt to get around these restrictions, and they don't want to get in trouble for messing up software you have installed.
Good thing I use a free and open OS. But if this type of thing continues, all media produced will be encrypted and you'll have to contact the DRM server to view it. So it won't matter. Just wait until router manufacturers are convinced to not all their producted to transmit any packets that haven't been DRMified properly.
Oh blame Microsoft for it, those are the morons who installs "client for ms networks" by default,when you install dial up networking or any sort of NIC.
Now, mail to MS in same tone, please.
Well, im not sure about everyone else.. But I know us developers at the WINE project have found the new APIs (documented here) to be anything but useful..
Well, the register does say "what Microsoft has got in there is a grotesque, badly-documented pile of poo it doesn't fully understand itself." (in regards to the fact that the few new APIs microsoft released doco's on are other useless or all together wrong!.)
David.
stuff
Maybe it's not too smart, but neither is running a Windows box with SMB/CIFS enabled on the public Internet, which is what the program requires. SMB is a bit like having an open mail relay; a quick and easy solution which is fine on a private network, but try it on the Internet and you are probably going to get shafted sooner rather than later.
UNIX? They're not even circumcised! Savages!
Link to the code but don't tell us non-coders how to defend against it. "NetBIOS enabled" can mean many different things, after all. NetBIOS enabled on the target interface or on any interface? Anybody with NetBIOS running on their internet interface is a fool to begin with and probably deserves to be crashed...
Of course, even that could be solved easily enough with a router and/or port blocking.
You know, the funny part is I am actually willing to pay a reasonable amount to get the OS, and even a reasonable amount to use additional copies. But that into about discounts on the price is crap...
Sell me the first license for whatever cost(although the current price is way to high, $49.99 for Professional/Home is much more reasonable) and charge a nominal fee for additonal licenses, like say $9.99....Honestly they would probably have less of a pirating problem if they would charge resonable fees....
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
I thought Windows already came with a code to crash it. That being Windows itself.
Ah am not a crook! (\(-__-)/)
- A new feature will enable computer manufacturers to selectively hide and display Microsoft's integrated programs displayed on the start menu of the operating system, including Microsoft's Internet Explorer Web browser, Windows Media Player and Windows Messenger programs.
Isn't this tantamount to purjury? Their claim that it would criple the system and that it couldn't be removed was obviously false, if all that was necessary to satisfy the courts was to remove the icon from the desktop. Sure, MS is allowed to spin things a bit in the media, but in the courtroom, nearly explicit lies are illegal, no?During the federal antitrust trial, Microsoft argued that such a change would cripple the Windows program.
The change will make it possible for hardware vendors to customize their systems by striking business deals to include alternative programs from companies like America Online and RealNetworks.
It will also permit computer users to reselect the hidden Microsoft programs if they choose.
However he has now topped himself by linking to a script kiddie tool to what may be an unpatched bug on a website that gets hundreds of thousands of hits a day. What the fuck? Do you see MSNBC or C|Net linking to r00tkits whenever a Linux vulnerability is released?
Roblimo as Editor-in-Chief, you are responsible for his work and quite frankly he is the worst part of the Slashdot experience (now that I've upped my threshold to 4).
Are we talking about MS02-045 ? If you really MUST supply a link to the attack tool you should AT LEAST supply a link to the fix as well!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
From the article:
"Welcome to Windows Media Player 9 Series," the opening screen of the Privacy Options panel reads. "Microsoft is committed to protecting your personal privacy. To enhance your experience with features including album art and pay-per-view-services, data must be sent and received over the Internet and/or saved on your PC. The options below enable you to customize these privacy settings."
OK, so right from the get-go users are presented with the issue of sending information from their computer. Certainly this is an enhancement feature, if done correctly and the user really has control over what is going on. In the long run, the real power and benefit of computers and networks comes with sharing information, and as people become more comfortable with it, software that includes network features will be more powerful and more popular. For example, see the popularity of the CDDB in CD players.
However, how do you really know what sort of information your software is sending over the network? As we start to take advantage of network features, it will become impossible to rely on personal firewalls to curb outbound traffic - you want your CD player to send some ID to the CDDB so it can retrief the correct tracklisting for the CD you're playing, so you have to tell your personal firewall to allow your CD player to connect to the net. After that point, you are trusting the CD player to behave properly and not betray you.
The article acknowledges this:
"As more applications become Web-aware in order to provide services and information back to the user, consumers need to be aware of the quid pro quo that's taking place and exactly what information is being provided to the vendors," Gartenberg said. "What Microsoft appears to have done here looks like a step in the right direction, if it makes it into the final product."
So the issue boils down to trust. Do you trust Microsoft? I'm sorry, but I do not. No matter what they put in their GUI as far as options go, you can never quite be sure about what their software is sending back to them.
With open source, at the very least you're allowed to look at the code and see what your software is really doing...
Has anyone reading this **ever** seen any MS source code for their OS's?
There's one guy here (hello Dave) that counters my open-source arguments with, "Oh but you can now get the source-code to WinCE", but that doesn't hold water for me.
Get your own free personal location tracker
http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-045.asp
But I assume it's 'better' to let people suffer instead of helping them out, is it? You dont have to post links to security bulletins, but if you post a link to a DoS tool, why not supply the link to the patch as well, to let the reader decide if he/she wants to be vulnerable or not.
(good system administrators have already disabled TCP/IP over Netbios (disable Tcp/IP over NetBios helper service) of course and stopped the server service as well, on online systems, among other netbios related crap which is not needed on the internet (NetBios package: "whohoo a router, what's that!")
Never underestimate the relief of true separation of Religion and State.
All software is inherently flawed, I have yet to see ANY software put out by ANYONE that is bug free. Just because 90% of the computers in the world run a certain piece of software thus giving any bug more exposure that doesn't make microsoft products any worse than any other product out there.
Maybe I'm wrong about this, but I'd like to see proof if there's any *nix distrobution that is 100% bug free or has absolutely no security vulnerabilities.
Honestly, if windows is so bad, so full of bugs, why does it keep selling? Lack of alternative? I think not, according to the slashdot community, linux is a more than viable alternative. People are stupid? Well I can see a point there but if you get down to it, it hasn't been as horrible as the slashdot community makes it out to be since it keeps selling.
My main problem with microsoft is that they keep selling updates as new operating systems (Windows ME as my case in point).
I'm just tired of seeing a bunch of posts on slashdot everytime microsoft relesases a bugfix about how horrible microsoft is.
According to the Microsoft whitepaper found here, there are 11 components of XP that automatically download material from the Internet. If you've ever clicked the "always trust Microsoft" box (something unlikely here, I realize, but many have), then things like Media Player will download and install new media codecs without any notice, for example. Another thing that we're all concerned with relate to DRM: a built in feature of XP will silently download and install "revocation lists", which list programs that are not allowed to play DRM-encoded content.
You mean like the fix that was out August 22nd?
Objects in the blog are closer then they ap
Hardware doesn't crash, software does. So your point is invalid.
Maybe it's not too smart, but neither is running a Windows box with SMB/CIFS enabled on the public Internet...
Bzt. Don't need public Internet. You could use this at work, or, in my case, this would apply to the majority of our college campus. In those cases, Windows boxen with SMB/CIFS enabled make sense, because machine access is limited to the group of people who should be able to access it (e.g. sharing files with friends, through a password protected folder, or if your campus has a licence to a certain piece of software, providing a method for obtaining it).
slashdot!=valid HTML
From Russ at BugTraq:
Before too many more messages;
1. SMBDie = RedButton = Wow, incredibly talented programmer. This sure was a tool we needed.
2. If RestrictAnonymous is set, non-authenticated users can't use it, any authenticated user can.
3. If you're in an environment where any old computer connected to your network can use TCP139/TCP445, set up a sniffer (Network Monitor works) and watch for the source of the traffic. Then beat that person over the head with their PC. Do that either before or after you patch your systems with MS02-045. If more testing of the patch is required, beat them a little every day until your testing is complete.
4. If you're in an environment where you have TCP139/TCP445 open to the Internet, you don't need NTBugtraq, you need Dr. Phil. Buy a $50 Linksys router and put it in front of your machine and use it to block all but those few you really want open (which doesn't include those two).
5. Randy Hinders suggests that disabling NetBIOS over TCPIP works, I'm not yet 100% convinced. Either way, it should be easier to apply the patch than disabling NetBIOS over TCPIP.
The MS Security Bulletin honestly did do a great job of explaining all of this, more people should read it more carefully.
Cheers,
Russ - NTBugtraq Editor
Was I asleep or somthing when did the Microsoft case get settled?
I thought they were doing it out of the good or there harts.
thank God the internet isn't a human right.
The potential further exists for oppressive governments to use the revocation feature to censor what we see and hear. In this Orwellian scenario it would be possible to erase from the collective consciousness striking images of the lone student facing down a tank in Tiananmen Square ...
.NET servers.
.NET servers like hotcakes? Maybe in communist China. With enough bad press I think a lot of companies will think twice about buying server software from microsoft. Oh right... we don't have much choice.
But instead of censoring, he says, Microsoft's aim is more mundane - simply to use the free player to sell more
I suppose that being able to censor anything on people's computers will sell
So what do new Windows versions have to offer me? More restrictions, more limitations, more tracking of my viewing/usage habits, a direct interface with the "copyright clearing house" to check every time I go to play an MP3 if I actually have 'rights' to play it.
I stopped "upgrading" at windows 2000. I suggest you do too.
mike
On the flipside, at least WRT the APIs, the specs they are releasing are totally useless. They're either incomplete, or wrong, and so far, most of what's been released has been known for some time now. So, yes,MS might do something good from time to time, but this isn't one of those times.
"all you ever do with respect to MS is sneer at them and post negative shit. cunts."
Not the most elegant way of putting it, but he's got a point. If that's not bad enough, the tone of the guy posting the article is pretty much judge/jury/executioner.
I'm getting really sick and tired of reading through the articles to find out things aren't near as bad as they're made out to be. If somebody wants my attention regarding norti shenanigans that MS is pulling, try to sound more objective. I feel like I'm watching commercials for Jerry Springer.
- Client for Microsoft Networks is not a network protocol. It works at a completely different layer.
- By default, 2000 and XP install TCP/IP as the only protocol (not NetBIOS).
Sure, it sucks regardless. But please get your facts straight before attacking.why not supply the link to the patch as well
That's what comments and moderation are for - in case the author misses something glaring, like a link to a bug's patch, the general public has a voice to let everyone know.
So stop bitching, ass.
--
And MS plans (apparently) to "bomb" any cracked installations of XP. (I gather some sort of cracked DLL or file monkeyed with the WPA and allowed for pseudo-activation.)
MS is still not clear about this. But I'm curious if MS finally got the hint and is now planning to keep a database of all "authentic" Windows XP keys. If this is the case, then I assume the various keygens won't work. (Or they'll work, but when it comes time to activate, you'll find that you don't actually have an "authentic" key.)
Slightly OT, but I thought I'd share my own XP activation experience. It happened last night and it bascially stumped Microsoft.
The short story goes something like this: I'm an MSDN subscriber. My MSDN subscription entitles me to Windows XP keys that will activate up to 10 pcs. So far so good.
Anyway, I go to the MSDN site, log in with my usual username and password. Generate my keys. Get my "10 activation" key for Office XP, Pro XP, Home XP.
Now, according to the license, these generated keys will activate 10 pcs for each application. (In other words, I can put WinXP Pro on my workstation at work and my workstation at home. This counts as two "activations" on two different PCs and is completely within the terms of the license. Each computer, of course, has to be for "development" purposes -- which, oddly enough, they are. My computer at home is actually a computer I use when I telecommute. And I develop on it. So, again, I'm completely within the terms of license agreement.)
Okay, so that's the background. Here's the good part: I install WinXP Pro on my home "work" workstation using the MSDN supplied key. (The copy of WinXP Pro I'm installing, BTW, is the ISO I downloaded from the MSDN site. The copy of Windows XP I'm legally entitled to according to the terms of my MSDN unverisal subscription.)
The MSDN issued key passes the first XP keycheck -- the check that appears before it actually installs. No complaints, install goes smoothly. I boot to the desktop. All's fine. Looks like it installed perfectly.
Except Windows tells me my key is no good.
But wait! It *took* the key when it asked for it, right? Yes. It took it.
I re-enter the key. (And, yes, I'm using the MSDN supplied key on the MSDN ISO -- not the volume license CD, the actual ISO downloaded from the MSDN site.)
Still says my key is no good. It then generates an installation ID -- an obscenely long number -- and tells me that I have to call the 1-888 toll-free activation center.
I call. I give my installation ID. Wait, I'm told, that's not the right installation ID. Generate another one.
I generate another installation ID. (There's a button that can do this when you install XP.)
I read it back. It's still not a valid installation ID.
The activation center guy said he never saw this happen before. Am I reading the correct ID? Did I transpose any digits?
Nope. It's all correct. Read it from right to left, he tells me. I do. Read it from left to right, he tells me. I do.
Wow, he says. I've never seen this before. You have a valid key, he tells me, but Windows is generating an *incorrect* installation ID.
I say, well, I don't care what's going on, I want this thing activated.
Pause. Sir? Can you read me the ID again?
I do. This is the sixth or seventh time I read the ID. Nope, he tells me. Still no good. He puts me on hold. I stay on hold. Sir, he tells me. I'm sorry. Sorry? We can't do anything. You what?
We've never seen this before.
You're kidding.
If you have a correct key, you should get a correct installation ID.
Yes, I say.
Can you read me your key?
I read it. Read it again. And again.
Sir?
Yes?
The key is correct.
I know the key is correct.
Can I put you on hold again?
So I sit and wait. And wait. All told, I've been "activating" for 30 minutes by this time.
Guy comes back on the phone. Sir? We can't do anything.
You're kidding.
He apologizes. He tells me again that he's never seen this happen. You're sure you're using a legit copy?
I explain my MSDN subscription (active, BTW), my MSDN key, my MSDN ISO download.
I'm sorry, he tells me. Try MSDN.
I call MSDN.
Go through the same thing.
Wow, the MSDN tech support guy says. I've never seen this before.
What now?
Good question, he tells me.
He puts me on hold. Consults with a manager.
Sir? There's nothing we can do.
Give me another key.
I can't. I don't have authorization.
Give me someone who has authorization.
We can't generate another key until the morning.
You're kidding. I'm stuck?
I'm afraid so. I've never seen this before, he says.
By this time I'm furious. I want this motherfucker activated.
Finally, the guy puts me on hold.
Sir? I've got a brand new copy of Windows Pro Retail. In my hands. I'm going to read you the key. But you didn't get this from me.
You're giving me another key?
You didn't get this from me, he repeats.
He reads the key. I read it back. That's all I can do, sir, he tells me.
I appreciate it. (Trying to stay calm.) Thank you.
I'm only doing this because you've got a problem we can't fix. You have a valid key, but it's not generating a valid installation ID.
By this time, over an hour has passed. I'm still trying to activate.
He has me enter the new key. I enter it. Try to activate. Comes up with a message: "This key has no more activations."
I wig out. You're fucking shitting me, I tell me. You're fucking shitting me.
Okay, he says. He explains that we'll have to wait until tomorrow morning to get the key re-activated. He'll make sure it gets re-activated first thing. But that's all we can do, he says. I can't do any more tonight.
I tell him that this -- my situation -- is why people pirate software. It's quicker to get a keygen and generate a phony key than to go through this, waste my time and waste my money.
He's sympathetic. I understand, he says. But we'll get this fixed.
Then: Sir?
Yes?
You didn't get that key from me.
Flash forward: right now. It's the next morning. I'm at my desk. I'm reading Slashdot. I'm on hold with Microsoft tech support. I've called three different tech supoort numbers this morning.
They cannot get my copy of Windows XP Pro activated. They cannot re-activate the "mystery" key that my friend last night gave me.
This is the first time they've seen this problem.
Can we get some more specifics? they ask me.
New hard drive, new CDROM, new motherboard. Everything is new.
They're mystified.
I'm still on hold. I'm reading Slashdot while I'm on hold.
A moment ago: Sir? Can you read your key?
I read it.
Yep, they tell me. That's a valid key. Wow. I've never seen this before.
I didnt' notice any slagging off. Just some factual information about WMP 9, and a couple of MS bugs. Where was the slagging off ?
Besides, it's funny how this doesn't mention anything like, the OpenSSL trojan/crack, or the fact Konquerer was affected by the same SSL bug as IE some times ago and why not mention the recent Apache bugs as well?
Why would it ? Those stories have been covered already, and the bugs have been fixed. This is about a new bug, an SSL exploit in IIS, not just in IE as was previously reported.
But to link directly to the crash-windows-in-one-easy-step binary? That's just plain irresponsible.
/. reader would stoop to running that code?
But, to be fair, they linked to a Windows executable. What self-respecting
But to link directly to the crash-windows-in-one-easy-step binary? That's just plain irresponsible.
Are you one of those grade school kids or MCSE who don't grasp a clue to the reality?
I just need it in the security audit meeting this afternoon.
One working tool worths a thousand words. We might have to find our way to prove the validity of a security alert if we are not given a tool nevertheless. Now it helps saving lots of man hours, and helps to protect our company from security hazard at early stage.
So you think IT secuirty's jobs is just repeating security updates/news/alerts? We'd be happy to get that $70,000+ salary for doing that.
"I love it when MS stories are posted. It's so easy to rack up karma!"
"Don't provide an alternative point of view or anything, you got those mod points to burn! Use'em like bullets!"
I'd be happy if I got modded down for a comment like that. It means that you've struck truth.
I haveta agree, though, it's a pity that the moderators that disagree with you think that moderation points are used to surpress alternative ideas. I post this with the fear that I'll get modded down as well. It'll say 'off-topic' although it isn't.
Worked on all of our boxes. SP'd to the tits. Representative of a good portion of Winboxen out there I imagine.
;)
If your boxes aren't vulnerable, then you've done something 'nonstandard' to make them that way, or you're using the program incorrectly. So either, you're a competent admin, or an incometent hacker.
What are you talking about?
NetBIOS over TCP/IP is installed by default on Windows 2000 and WIndows XP
fslg503-985-8686503-985-8686503-985-8686503-985-8
"Clicking the Start button will suffice in crashing M$ Windows."
Hey look! A graduate of the Bob Saget School of Comedy finally got some print work!
Good job buddy!
Oh goodie, it runs under WINE.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
In the era of security conscious people, running someone else's .exe file is really stupid, even if you think it might be funny.
And this tool got front-paged on Slashdot. How stupid can you possibly get?
Eat your words now.
Me too! I was just breezing thru when this protest in bold caught my attn. - had to scroll up and read the header agn - Hmmmm! A potentially useful tool to fight Software that Sucks.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Why?
Why is Slashdot responsible for the vulnerability that allows this?
Why is Slashdot responsible for the actions of users that choose to download and try this out?
You seem to have a very strange understanding of responsibility, albeit one that's rather popular in Redmond and Washington at the moment.
If you were blocking sigs, you wouldn't have to read this.
YOU FOOL! Everyone knows TeX is bug free :-)
Belief is the currency of delusion.
Installed, but not enabled.
What?
About posting a link to an exploit tool?
How many of you posting or modding this up also support the free exchange of ideas, including how to back up or media shift a DVD, or extract a portion for review?
You think there's a difference? Bullshit. Your argument is "raise the cost of entry to put off casual abusers". How is that different from the argument that (e.g.) librarians or teachers can gain access to knowledge to let them make copies or extracts from a DVD, if they know exactly who to ask and how to ask them?
That's the trouble with the free exchange of ideas. It's easy to pay lip service until you see something that you don't like being made freely available, at which point the prissy voice gets put on and cries of "Well, that's just irresponsible!" get made. One more step down that line, and you'll be exhorting us to think of the children.
One issue, one standard. The issue here is the free and frank and convenient exchange of knowledge, including knowledge that you don't want people to have. Pick a position.
If you were blocking sigs, you wouldn't have to read this.
Windows needs it so they ship it with Windows already. IE the application can be removed. IE the underlying HTML rendering engine is intertwined with Windows and third party applications such that its removal would break applcations. The nine states are using the courts to dictate tehcnology Microsoft's competitors don't agree with. There is nothing that preculdes me from using Mozilla on my Windows XP system and completely ignore the existence of IE.
Just tested against a locked down Win2k Pro system and no go. Also tried a Win98 box and didn't work there either.
Do really dense people warp space more than others?
Extraordinary Vacations. Exceptional Prices
That's all I want to know. MP7/8 worked fine on my Win2KPro PC at work, but fritzed up my CD burner software completely; it wasn't until our hardware administrator told me there was a known incompatability that I took it off and had a working burner again.
Of course, my CD burner software came with the PC, and it's at least one and a half releases out-of-date. But it sounded like our hardware admin knew this to be a consistent problem with MP7/8. I'm still using MP6, along with Media Jukebox when I absolutely have to.
Microsoft has ported DivX (not the codec) to the PC with Windows Media Player 9. Now get out there and explain the analogy to your non-technical friends and colleagues.
CEE5210S The signal SIGHUP was received.
I don't think that anyone will disagree with you that software is buggy. Yes, its true that you can't determine "how" buggy software is based on percentages, etc (likewise statistics can be twisted in many ways to show the untruth), however based on user experience I'm sure a large amount of people making these complaints are making them for a reason.
For example, here is why I stopped using Windows: in August of 1995 I started taking CS classes. I had just gotten a new system and bought Windows 95. After successfully crashing my system over and over again, I went to the bookstore and bought a copy of a book that contained Slackware. I installed it, went back to my programming and was able to write code without crashing my system. Yes I was an unskilled programmer then and I wrote buggy programs, but the difference is that with one of them, the program just had to die (linux) with the other one, I had to wait for the OS to restart (windows).
Since then I've gained a lot of experience, and the one thing that I keep re-enforcing to myself everytime I even think of going that way is that windows is a waste of money and a waste of time. If you do read through their programmers documentation they do not point out problems in their APIs that they do not intend to fix (for example there are some bugs in the Keyboard driver that have been around since DOS that windows will not fix because they don't want to make something not backwards compatible -- my friend who found that out had to pay $50 even though they are a member of MSDN and even though the bug has been around for years). I don't even have the time to get started on the bugs that persist through VB that M$ has no intention of fixing. They will only fix bugs that bring bad press to the company in national media.
Programmers dislike windows because windows is bug ridden with no chance of being fixed. In other words its hell to program for windows. Its and unenjoyable experience. From a programmers perspective, its not worth betting the company on.
If you really can't figure out why windows sells...its because of marketing. Business people tend to look at what "looks pretty in marketing" not meaning what really looks pretty, but who has the best marketing. Most people know that M$ is the kind of marketing and that is why they are successful. Programmers are not typically given the chance to decide what products will make their company tick -- that's typically left up to the "business analysts" -- people who know nothing about how difficult it will be to actually work around all the bugs that you uncover in a peticular system.
Come watch my system BSOD all day and you'll understand why programmers hate windows. The go hang out with my boss who sends me screen shots of windows explorer instead of just sending me a path name to a file and you'll understand why people are still buying windows.
"Everybody knows the moon's made of cheese," Wallace.
I have yet to see ANY software put out by ANYONE that is bug free.
I can write you a bug free "Hello, World" program if you like.
Installed, but not enabled.
Oh, it is indeed installed and enabled. NetBios is the protocol used for windows machines to acquire each others ip addresses and names without using DNS.
Windows sells better _because_ it is riddled with bugs, mis-features and quirks. This is one of the reasons I can't behave like a "proper" OSS advocate and recommend an alternative desktop OS. (I won't mention the fact that MS still has the productivity software suite market by the gonads.) If Windows were to be a mature and stable product, clueless business users wouldn't continually impose MS-only "standards" on all their colleagues. The sad fact is that it is far easier to put up with the cruft than it is to instigate a change. It is not acceptable to loose time due to in inability to handle the files from a lunatic customer using whatever is the latest and greatest MS format or feature. "Everyone uses MS" - we are tied by the shackle of compatibility.
I was already patched days before this was posted here thanks to Windows' Critical Update Notification. I mean, if the sky is falling with all of these exploits like /. would like you to think, how come script kiddies don't take down Microsoft.com, Dell.com, or any other major IIS site?
P.S. Awesome Sig.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Maybe I'm wrong about this, but I'd like to see proof if there's any *nix distrobution that is 100% bug free or has absolutely no security vulnerabilities.
Almost no piece of software, UNIX included, is bug free. However, in UNIX, I can isolate my web browser, for example, to run in an unprivileged user account, even with a faked root directory, to ensure the occasional HTML or JavaScript hack doesn't compromise any other part of my system. Granted, not many people do this, but at least there is the option of doing this, for those people who really care about security. Also, most companies behind UNIX implementations don't have creepy EULAs like those from Microsoft.
Honestly, if windows is so bad, so full of bugs, why does it keep selling? Lack of alternative?
Yes. You may find this suprising, but most people simply don't percieve that there is something other than Windows. Microsoft has so successfully driven competition out of the consumer PC market that most people don't even think "well, maybe I'll try a Mac". They simply default on the choice of Windows.
Also, look around at the meager selection of operating systems. Only the Mac OS truly is as "user friendly" as Windows. All other attempts at commercial user-friendly systems have been crushed by Microsoft. Now, only things like GNOME and KDE remain to add to the MS and Apple duo, but these efforts are still several years from maturity.
Healthcare article at Kuro5hin
Ever heard of Godwin's Law?
Re: Windows Media 9, who runs the licensing/authentication servers to authenticate the player? Microsoft? Or does each provider have their own server? The article did not state this.
There's 10 types of people in this world, those who understand binary and those who don't.
You have to read the legalese in the EULA to see what the end consumer is left with, the big flashy headlines are pretty meaningless when you have to sign those very rights away.
All software is inherently flawed, I have yet to see ANY software put out by ANYONE that is bug free.
/.ers, how could it still sell? Two words: Abusive monopoly. There's a lot in that one word that explains it (and I've spelled it out before), but they all fall under the umbrella of that. Let me put it another way: Even if MS products were much crappier than they are (irrespective of how crappy you believe they are), they would still sell and the current situation would only be marginally different today.
/. story about an MS bug (note that in this case, it isn't a bugfix, just a bug). Why? Because I already know. I mean, it's not like this is the bug that made me decide that MS products are crap. It's horribly redundant, and yeah it does make them look like screaming MS-bashers. But I'm also sick of the "No software is bug free!" defense, which sounds more lame with every passing bug[fix].
I actually like this response, because it is an interesting dichotomy. It is simultaneously clever and stupid. It is clever, because it is true, and being unable to argue against the truth of the statement it will often be accepted as a valid argument for why the particular bug or buggy software in question should not be judged harshly.
It is stupid, because it is not in any way a valid argument against judging such things harshly. Logically speaking, the statement simply says that for every piece of software, there exists a bug. It is not a statement at all about the quantity or severity of those bugs, and thus cannot be used to erase differences between software.
Though in the end the statement is more stupid than clever, because in what other areas would the same statement be accepted as valid, even by those who aren't experts in the field?
"Your engine has horrible efficiency!"
"Hey, no engine can be 100% efficient."
"Your tires keep self-destructing!"
"Hey, no tire is completely immune to failure."
"Your condoms are too thin and tear all the time!"
"Hey, no birth control is completely effective."
"You murdered 374 people with a salad shooter!"
"Hey, no human is completely without sin."
Yeah, I can't see that working, either.
Now, the exposure argument isn't completely bald-facedly invalid. The effect of that is really hard to say, however, since usage isn't the relevant statistic, but people trying to find bugs is. It would be premature to assume that the latter scales linearly with the former. The degree of technical people attracted to the other platforms, the degree of such using other platforms in more important situations than home desktop use, etc. all contribute to blind the equation. Also, Microsoft attempts to decrease the exposure of the bugs found by others (and who can say how many bugs they find internally that are not exposed at all?).
My point is that "There are so many bugs found in MS products only because it is more exposed" does not hold.
As to why it still sells... Well, that's not exactly the question. The question is if it is as buggy as supposed by
But you know what? I'm sick of the "MS sucks" posts in every
Though really, my main complaint with MS isn't their bugginess at this point, it's how they deal with the bugs, trying to spin them to save face rather than presenting honest information. It's irresponsible. "No, SSL can never be hacked! Ignore the hacker doing it RIGHT NOW!" *sigh*
The enemies of Democracy are
I just installed a fresh w2k last night, after not being able to get my ATI All in Wonder Radeon 7500 to work with XF86 (what's with that? btw... tried RH7.3, Mdk8.2, and Lycoris to no avail, although they all recognized the card). The only things installed thus far are the OS and the ATI drivers/apps (for running the USB remote and such). I can assure you that this binary took the box out as quick as I could hit enter.
put the what in the where?
START DEVILSADVOCATE
At home I use windows XP pro and to date I've had only had one crash that caused me to have to reboot the machine
At work (I'm also a developer) we use windows 2000 pro, and reboots due to bad code (on my end) have been few and far between.
END DEVILSADVOCATE
Yes, there are bugs out there that haven't been fixed, but on the whole I think the latest releases of windows (2000, XP Pro) are very stable. Granted the older releases (9X, ME) are complete Sheit and I cringe every time I get a 'bug' reported in our software and it turns out to be they're running 9X/ME. In those cases I usually want to personally go and shoot bill gates in the head.
Agreed, you have some very good points, and I do agree microsoft could be more timely with their bug fixes/fix the longstanding existing bugs, but overall I think they're finally doing a good job with their windows products (2000/XP pro). I think most of the slashdot community who haven't tried XP Pro and have given up on windows in the past might change their minds just a little if they only tried it.
Oh sorry I meant, who notices MS security failures anymore. Was that more on topic? Seriously, do you admins really think you can rely on it? Do you take offense at my meaning? Why are you even worrying about MS minutae anymore?
Eh? Got an answer? Well it should be it doesn't matter because whatever happens you should be treating MS components as the most insecure pieces of your network and build with that one premise in mind. Surround MS code with firewalls, filters, mail scanners, DMZ's the whole shebang. That you really don't have to worry about massive security failure #3,256,609 fixed by emergency patch SP2360.4555 which is going to have its own horrendous problems. You know it.
So was that on topic enough for you or is your fucking world paradise?
NetBIOS (I admit that the name has meant a few different things as it evolved) is not the same as NetBEUI. NetBEUI is a layer 2 protocol, and is not propogated by most routers. (unless the "router" is really an ethernet bridge in disguise)
NetBIOS is a programming interface implemented as a bunch of packet types which can be sent out either over NetBEUI or over IP. (sitting mostly on top of TCP, though I think some packets are sent out with UDP). IP is extremely routable.
The CSRSS Backspace Bug is a bug in the Win32 subsystem server process (csrss.exe) in Windows NT. It is particularly notable for several reasons:
- It crashes the entire operating system.
- One does not have to have administrator privileges in order to trigger it.
- One does not even need to execute programs in order to trigger it.
If you don't believe me, then check it out for yourself. BTW, M$ has fixed this in Win2k SP3 and WinXP SP1 but since WinNT4 will have no more Service Packs, this is a permanent bug in WinNT4.Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
"It enables finely tuned licensing terms and conditions, such as limited 24-hour play, a set number of plays over a given time, or an outright purchase licence that lets the viewer watch the video or listen to music whenever they want. It will also be used to bind content to a specific PC, so that it cannot be redistributed"
:)
Oh, this also means that when your internet connection is down, OR the "certificate clearinghouse" server is down, you can't listen to music or watch videos that you already purchased, since the certificate can't be verified. We all know how stable M$ servers are, and of course the certificate server will have to run M$ software, or it couldn't trust itself.
Oh, and while I'm grumbling... today's DMCA thought: Does humming a copyrighted tune violate the DMCA? You are using your neurons to circumvent copy-protection and allow others to hear the tune without paying...
"Don't expect Slashdot to post anything remotely anti-Linux. "
Slashdot is constantly posting stuff that is anti-Linux.
Most of that anti-Linux stuff is run of the mill laughable Microsoft FUD:
Linux is un-American
Linux is a cancer
If the anti-Linux crowd could come up with some better anti-Linux stuff, then maybe it would get posted here.
According to the XP service pack 1 website:here
There are some open license keys floating around the internet that will stop working. Can you imagine the fallout from this?
You are a systems administrator for a large company and your whole tech staff has taken home the open license keys (illegally) for their home machines...and then they get on the internet. Now, after deploying XP sp-1, all your corporate desktops stop working. Your company hasn't done anything illegal, yet the company will suffer the consequences.
This may be the best thing yet for Linux.
-ted
Probably more true of cable than DSL, but some early DSL installs essentially used ethernet bridging with no broadcast filtering, enabling the neighborhood to become a network neighborhood, too.
The DSL providers I've used prevented that; doing a tcpdump on my DSL facing interface never showed any traffic that didn't have a destination address of my machine.
The dissenting states wanted IE completely removed from the computer. Which would have taken MSHTML.DLL with it, which would have broken countless other programs that use MSHTML.DLL to do HTML rendering.
In which case it should be possible to replace MSHTML.DLL with another rendering library.
If you let FTP traffic through. malicious code will get in through there. If you leave port 80 open, malicious code will get through there. If you leave port 23 open, malicious code will get in through there. If you let e-mail in, even if you virus-scan it, malicious code will get in. If there is a single floppy disk drive on your network, malicious code will get in. Same for CD-ROM drives.
Firewalls can make things inconvenient for people (users as well as crackers), but there is always a balance that must be met between how much inconvencience the users can tolerate and how important it is to inconvenience crackers. That balance is never going to lean very far towards the 'inconveniencing crackers' side.
Smart? Who knows... Ethical? Depends on whose rules you're playing by. Does it make the point? Duh. Not-smart is running an unpatched, default version of ANY operating system, windows included. Unfortunatly, most computer users/owners are morons... have a field day, script kiddies.
I guess if they are getting better at fixing bugs, then that's good. I guess in my mind, since timing is key, they already missed the boat technologically. That doesn't mean that I'm going to ignore them or needlessly flame them, but it does mean that I'm only going to pay attention to them if they have any ground breaking technological break throughs that I can't get anywhere else. Granted if I want to keep getting money in my account for work, I know that I can't ignore them if they continue to nock perfectly good companies off the market with their monopolistic powers, so I will deal with that when I get there.
Do they still make you pay for support when you're reporting a bug?
"Everybody knows the moon's made of cheese," Wallace.
That's because we've known about this exploit for over 2 years. Yes we told them. I had a linux executable on my laptop that would do this for the Windows 2000 launch show (to which I was invited to give a talk :-). They didn't let me connect to the show network :-). I guess it takes an exploit in the wild for them to fix *anything*. So much for the new "focus on security".....
Jeremy Allison,
Samba Team.
Ah, but the point of having the APIs documented is for compatibility. You're suggesting that people write their own software, which is something the Linux community would love--if all their favorite software was ported to Linux. As is, we have to live with interoperability, which currently is still developmental code (the Wine project, for example).
/wants/ people to link to the DLLs and use the APIs. And then they incorrectly document. It's...absurd :)
And anyway, Microsoft
I agree fully. I run MPlayer on a 433 Celeron BookPC (128 ram) with TV-Out as my main entertainment system. It has a few minor bugs, but write a good front-end wrapper for it and it's perfect. It plays everything (video) Windows Media Player (WMP) can play, and a few WMP can't.
On my Win2k box, WMP broke itself; it lost the ability to zoom, and most audio playback is distorted (sounds like wrapped samples - a lot more disturbing than clipped samples).
I upgraded to the highest version available at the time, and within 2 weeks it broke again. Not to mention, WMP breaks many of Microsoft's own UI rules, with how buttons are handled and such. Were it someone else's software it wouldn't qualify for the Windows logo.
Needless to say, MPlayer will not likely change its behavior for no good reason like that...
I run Winamp 2.x for MP3/Wave playback only. Winamp3 is just too bloated for my taste; even 2.x includes an MSIE component, which ends up bloating the player. I almost miss the 1.x days of Winamp, when it loaded fast on a 486 DX...
NGWave - Fast Sound Editor for Windows
Check zinf out, (formaly known as freeamp). Its has plenty of good features (inc skins which u dont like) but it very small (compared to wmp), it also has a playlist editor similar to wmp media library (which i like)
Yup, that's nonstandard for most users... Sad but true.
Why on earth does Microsoft allow its affiliates to advertise on Slashdot? Nothing like opening up a Windows-bashing article only to be taken out by a low-flying Microsoft.NET ad. I bet they generate tons of .NET sales on the OSDN.
Winston Chan, the MS digital media mgr, says a couple things that need translating.
The purpose of DRM is, "to keep honest users honest." Translation: to keep everybody paying, and paying, and paying...
Censorship through license revocation will not be a problem because, "You [would] need all the content to be able to be revoked, and to do that you need all the content to come from the same service, which is unlikely. This is not something that is possible." Translation: we haven't figured out how to pull that one off.
Hitting a major site is the fastest way to find yourself in the clutches of the FBI. Hitting your SMB competitor down the road is less likely because they probably won't know what hit them anyway.
I can't speak on an "in the know" basis, but I know that if I was a Black Hat and had wonderful exploit X, I would save it for A) something worth taking a huge risk B) A low on the radar company/web site and C) One that doesn't have the proper resources to track intrusion effectively.
Just because there haven't been a lot of crackers/hackers (choose your term) being wisked away by the FBI on CNN does not mean they don't exist and that there is no intrusion happening.
The reason Windows patches take so long to be released is not that no one cares -- it's that it has to go through extensive quality control, managerial approval, etc. If say the Linux folk release their 10 minutes-later patch, and something breaks, what are you going to do? Nothing, it's your tough luck. If Microsoft messes up, and since they have a much greater market share, they'd be in a deep pile of doo-doo. (Yes, I know this has happened before, and there was an uprising against the MS camp).
No you can't unless you have audited your code, the OS and the compiler. That will be one hell of an expensive 'Hello World'. Don't belive me? Try this (Hello World)++ on an NT kernel based Windows system:
#include <stdio.h>
int main()
{
printf("Hello World");
for(int i=0;i < 666; ++i){
printf("\t\b\b");
}
return 0;
}
--
Reverse outsourcing: it's the future
First of all, you had to write that bug into it. simplifying it to:
#include
int main() { puts("Hello, World"); return 0; }
Would help immensely.
Secondly, who said I was going to use a compiler, or even a real OS for that matter? I could easily write a bug-free DOS based Hello World prog in assembly. Any bugs would be outside of its code, before or after it gets executed. I could go one step further and create an embedded device that would immediately start up with my code and halt when it's done. No bugs in software.
How is Slashdot breaking this news? Answer: By burying in a story amongst numerous other updates to do with Microsoft. It's not even the first of the updates.
Nor is it FUD to describe bugs in Microsoft's software, especially something as serious as a DoS vulnerability in a protocol, NetBIOS, enabled on the vast majority of Windows machines. I think that's pretty serious. A few machines running this against consecutive IP addresses could knock a huge number of people off the Internet. If anything, Slashdot hasn't taken this seriously enough.
You are not alone. This is not normal. None of this is normal.
You mean, such as taking out Windows Update itself, as well as a number of internal Microsoft servers and desktops? Code Red did that.
And don't forget those Russians who broke into Microsoft's internal network and rifled through their source code repository. "Trustworthy computing," indeed.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Is it really FUD? Add a sound or video recording to your presentation. Forget to uncheck an obscure box. Transfer it to the auditorium computer. Do the presentation minus the audio you recorded yourself and minus the video from your camcorder. Is it really FUD? See www.sdmi.org for details. Sorry to those who are PDF limited. Your own created content is to be encoded upon creation and bandwidth limited to monural voice grade recording. It won't play when transferred to the auditorium computer. It is not FUD, it is in the specification.
The truth shall set you free!
But I assume it's 'better' to let people suffer instead of helping them out, is it? You dont have to post links to security bulletins, but if you post a link to a DoS tool, why not supply the link to the patch as well...
Because people that are venerable to this exploit are dumb. They run an inferrior operating system that is venerable to lots of easy to use cracking tools. They choose not to update it regularly. In essence, these people have called down the thunder on themselves. Why should we be obligated to help them out? If we post links to programs that can knock their computers offline, mabey they will see the light and switch to the more secure *nix operating systems and stop bothering me with their Code Red and their Network Neighborhood. Remember, these people are so stupid that they need to be rudely awakened to the fact that the software they are using is written by a terrible, malicious company, and should be abandoned.
Or so I read on slashdot.
~Will
sig?
How far out of context can one go? Code Red was a DOS, something that has plagued all network enabled OS's.
Yes, those sneaky Russians and their internal Microsoft contact that helped them get in.
Yes, trustworthy computing sounds stupid, but IF Microsoft has actually done anything we will not see the affects of it until the next major product releases. If you know anything about software development you don't just state an initiative and get results overnight.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
You have got that right - We have basically entered the era when it is necissary to break the use^H^H^H copy protection before using your software.
I have experienced similar troubles with other products - I won't go into details now - where in the end using a cracked copy instead of the available legit copy was by far the best way to proceeed.
My Karma: ran over your Dogma
StrawberryFrog