MS Exec: 'Our products just aren't engineered for security'
Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.
Talk about stating the obvious... Microsoft doesn't engineer for security, stability, or efficiency.
They engineer for features and for maintaining monopoly control over the OS and word processing market.
Doug
Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!
Microsoft products are not engineered period.
They're thrown together, spend half their time making it look pretty, and the rest of the time (after it's sold) releasing patches that are just as buggy as the original, if not more so...
---
Programming is like sex... Make one mistake and support it the rest of your life.
...has finally gotten through to them -- Security is something that starts from the ground up, not when you reach the top and back down.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Umm...tell us something we didn't already know.
Another excuse to let people believe that palladium is needed :/
Maybe if they stopped worrying so much about the loss of revenue due to piracy (and writing software like WPA), they could worry about the lost revenue due to people being fed up with MS's lax security model and moving to Linux, BSD, Solaris, etc.
The XFree86 team admits xfree86 is not engineered for speed and RMS admits that GNU is not engineered for user-friendliness.
The masses are the crack whores of religion.
I just ported a large amount of code to windows, and I was very surprised to notice that snprintf() is _snprintf() on windows. It's like they hid it (or implemented it much later) and it's not part of "their" standard. Without widespread use of this function, god knows how many lines of their code uses regular sprintf() and insecure functions like it. And I doubt they use "%13s" or directives like this in sprintf(), or if their version even supports these constructs.
Lenny Primak PP-ASEL-IA,Heli
The first step is admitting you have a problem.... now that Microsoft has gotten past the denial stage they can now move to stage 2, that is doing something about it....
the link above just goes to front of a tech section, here's a direct link to the story: http://www.cw360.com/bin/bladerunner?REQUNIQ=1031325075&REQSESS=HM5797&REQHOST=site1&REQAUTH=2313828&2131REQEVENT=&CARTI=115571&CCAT=1&CCHAN=13&CFLAV=1
DUH, it's YOU buffoons that keep stating it's insecure. I mean I was shocked to hear that people still use, purchase and sell a 7 year old obsolete OS (windows 95) so no wonder it's *insecure*.
I guess the news is that they just realized it.
The link to the CW360 page with the quote from the Microsoft VP is "currently unavailable". If anyone can post a mirror to the information, please reply here.
Gates got lucky. He was at the right place at the right time. Now it's all coming to a head. Sell your M$ stock now.
...the sky is blue, and less fat and more exercise is good for you.
"Ask not what your country can do for you." --John F. Kennedy
To install Debian on my Xboxen before it gets hax0red
This might be a stupid point, but of course microsoft products aren't engineered for security. The common man doesn't buy products for security, and even now the common man largely does not understand that they could even have their functionality in a secure environment (though arguably most salesguys cannot have the functionality they demand in a secure environment, but that's another debate.)
Brian Valentine, formerly senior vice-president in charge of Microsoft's Windows development, looking for VP/management job with software company.
I have to use this cause I can't afford a real sig...
Think about it! These guys run one of the most successful businesses in the world! Yet they act like this...but, one thing's for sure, they're NOT a monopoly, cuz they said so.
;)
Beer, now there's a temporary solution -- Homer Jay S.
While working at Sony, Microsoft closed down a UK R&D facility. A whole department of ex-MS software engineers came to work in my department. They were some of the best engineers I have ever worked with, designing innovative and stable code years ahead of its time.
Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.
----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
Does this really come as a surprise?
Everybody has known this for the longest time. The only interesting thing about this article is that Microsoft admitted it at their own conference.
Maybe they should have handed out *BSD CDs at the door.
Seriously just wondering.
This is not good. I wonder if some companies using Microsoft will react?
So far all the replies to this story have been "we already knew that" and "duh". I find those comments idiotic. In that spirit, when cigarette execs admitted they knew their products were bad for people, there should have been no story.
This event is significant, because from the mouth of someone significantly important in MSFTs power structure, there is an admission of failing.
Maybe the exec just wanted to confess his (their) sins?
Is whether this will make the national news. Trust me, if CNN and MS/NBC and all the rest choose not to cover this, the general public won't know, and won't really make a decision based on this information.
Of course, this could just be a ploy to get M$'s most vile next O/S out, Palladium, that will let them 0\/\/|\| j00r s0ul (and credit card, and email, and music, and movies, and any personal items that may happen to be sitting on top of your computer...)
Well said. Funny how one side of the 'argument' needs to lie and scream and shout and whine to get their point heard ain't it ?
It seems he tries to say that it is impossible to make it 100% secure, because hackers are becoming more sophisticated in their attacks.
Sure, you can't make anything 100% secure (short of keeping it turned off), but there is a difference between something that has a few exploitable holes and something that resembles a sieve.
If you can't beat them, embrace and extend them.
My question would be whether the take-up of applications such as Outlook Express and Internet Explorer is greatly hindered by their having security holes. I'm sure some people will refuse to use Outlook on security grounds, but I've the suspicion far more people will choose to use it on its features, and it will be the feature set that keeps them with Outlook as an email client. From a marketing perspective, then, there would be no point in directing a high proportion of development effort into ensuring security when it will only affect product adoption minorly. Now given that Microsoft's chief strength is in desktop apps, I'd be tempted to think that they've been applying the same marketing mentality that they have for the debug/add feature work split on desktop apps to server app development.
Savant
Arthur Anderson Heads: We Ignored/Covered Up Every Accounting Fraud That Ever Came Our Way.
Because a lot of their code can have buffer overruns due to the lack (or perceived lack) of this function by their own programmers. Makes it easy to create insecure programs and harder to create secure ones.
Lenny Primak PP-ASEL-IA,Heli
Simple question....yeah, security wasn't so big an issue back when win3.1 was out, especially as far as home desktops go, but once they moved into the "server" market that should have been one of their top priorities!
Laziness?
Lack of Foresight?
Underestimated end-user savvy and knowledge?
Too much emphasis on Microsoft PLUS! development instead?
All of the above?
I wish I could say things like that quote at my job and still have a job; and make the money they do to boot!
Dear toilet user!
I wrote this the other day in an idle moment. It needs a bit more work but I'm thinking of making it into a Flash cartoon or something (if someone wants to steal the idea, feel free):
Billy Boy and Tux
One very hot day in summer, Billy Boy is sitting under a huge, impressive sign. It says "Lemonade, $5 a glass".
Customer: $5 a glass! That's expensive!
Billy Boy: Well, go buy from someone else.
Customer: But there's nobody else to buy drinks from here!
Billy Boy: Aha! I bullied all the other boys and they've gone home!
Customer: That's not very nice.
Billy Boy [Chuckling and rocking back and forth]: $5 a glass. Take it or leave it.
Customer: Damn. You're a nasty little boy, but it's a very hot day and I really need a drink.
Billy Boy takes the money.
The afternoon wears on, Billy Boy's coffers fill.
The next day...
Billy Boy: Lemonade! Lemonade! $5 a glass!
A fat penguin waddles up and sets up a stall beside Billy Boy.
He erects a little badly drawn sign "Iced water. Free."
Billy Boy [whispering, chuckling to himself]: Loser. You'll not get any custom with a crappy sign like that.
Tux ignores him.
The next customer approaches Billy Boy, but then notices Tux's sign and goes to him.
Billy Boy [angry]: Hey fatty, get off my patch. I was here first!
Tux ignores him.
Billy Boy: Hey stupid. Nobody wants iced water, everyone wants my lemonade, it's the best! I've got 100% of the market in soft drinks in this street.
Tux ignores him.
Another customer comes and has a glass of water from Tux.
Billy Boy: Listen idiot! How do you expect to get rich like me if you don't charge anything! What an idiot you are!
Tux ignores him.
More customers go to Tux.
Billy Boy [shouting at his customers]: Don't drink the penguin's water!! I won't make any profits and, erm, the economy will collapse!
Customers laugh.
Billy Boy [really angry]: If you drink the penguin's water, your next glass of lemonade from me will be $10!
Customers give Billy Boy the finger.
Billy Boy [insanely angry]: Don't drink the penguin's water! It'll give you cancer!
Customers shake their heads and move to Tux's queue.
All customers go to Tux now.
Billy Boy starts screaming and crying and runs home.
Tux and his customers ignore him.
Step 1: Admit that current MS OS is insecure.
Step 2: Allege that problem is fundamental due to the nature of the hardware platform. Fear. Uncertainty. Doubt.
Step 3: But wait! MS has the solution that will solve this crisis -- Palladium.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
neither was UNIX. UNIX is best in trusted, academic settings where it grew up. But, after some big problems with too much trust people figured out how to make it at least "secure enough."
MS needs to stop complaining and fix their buffer overflows.
The article also mentioned the code freeze to search for security problems. I really wonder how they expected to find any problems. Why would the people that wrote the insecure code in the first place be expected to actually find the problems the second time around? It is like allowing school kids to grade their own papers. You will always get a passing grade. You've gotta love open source. It holds the truth up to the light of day.
Karma: Positive. Mostly affected by the lack of a karma joke in your sig.
Tell me something that I don't already know. This is like running a story telling the world that the sky is blue, that Linux is good for business, or that linking from slashdot can kill a weak server. File this one under News For Idiots. Stuff Everyone Already Knows.
Oh shit! I forgot to click "Post Anonymously"...
For the better part of a month Microsoft has been saying that they weren't even sure that the SSL problem was a security hole. Now it is considered critical? What changed? Or aren't they telling us something that we might like to know about?
And WTF happened with FTC to cause them to do an unexplained backtrack on Microsoft Passport? No we didn't lie about Passport's security, but we promise not to do it again. BTW if you are using our service, better recode your stuff because it is horribly insecure, but we are not telling you what is insecure about it.
My suspicion is that there is another story floating around that has not been broken yet, and this security patch is also patching something else that is much worse. Paranoia? Possibly, possibly not.
But damn. I would love to have been a fly on the wall for the conversation that caused them to call this "critical". As well as for the conversations with the FTC. (Which may or may not be separate conversations, wouldn't I love to know the answer to that?)
And in Classic Microsoft style the security bulletin notes that patches are available ONLY for Windows XP and NT
95 isn't supported ( ok, I can understand that )
98 isn't supported ( getting a little too close for my comfort )
ME isn't supported ( didn't that just come out 2 years ago? )
2K isn't supported ( What about people running servers? )
Just another tactic to force people to upgrade
With the recent change in Licensing terms and the inability to support products they've made within the past 2 years they have the gall to say that using anything else is insecure on the part of the government?
I hope you aren't getting on MS's case for releasing this notice early. This is the type of behaviour everyone has been wanting to get out of MS. In the past everyone has complained that microsoft doesn't release security information soon enough. I think this is a good change for once.
SL33ZE - Artificial Intelligence is No Match For Natural Stupidity -
Gee, slashdotted.
Come on people, look for google caches when submitting stories.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Slashdot is not engineered with people with real lives, an IQ below 50, or possibly small children... :-)
Microsoft: "Our products aren't engineered for security"
Friday 6 September 2002
Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.
"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.
In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.
Microsoft's regular stream of security bulletins has continued despite Bill Gates' company-wide Trustworthy Computing Initiative, announced earlier this year.
The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.
"We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.
But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products the security dilemma will evolve as hackers become more sophisticated.
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.
According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them," he said.
Stop the brainwash
Admitting you have a problem is the first step to recovery. Anybody want some more coffee!? *puffs on a cigarette* I'm gonna get some more coffee... *shakes and walks around of the room*
Why bother.
... I'm glad I'm using something so obsolete that not only does it not need a patch, you couldn't apply one to it to begin with.
This space for rent.
directions on microsoft Check out that link, it is run by I think two former Microsoft employees.
I thought it was Microsoft's policy to keep their mouth shut when it comes to lack of security in their OS. It just seems that after spending all sorts of money into advertising and marketing Win2k/XP as very secure platforms, M$ would rather not have a SVP in development blow it all away. I wonder how long he will last talking openly about these problems.
"I bet I'll get blamed for this." --Mayor Quimby
What does 'PSS' stand for in that Microsoft Knowledgebase article? [P]lease [s]top [s]niffing? ([s]poofing? '[s]ploiting?)
We have one windows web server left that we are now converting to run on linux. Our windows web server has been compromised over 8 times in the last week. We applied every single security patch we could on the machine. We also locked every single port but 80 out at the firewall. We shut down every single service that is not necessary and stripped the site to the bare minimum, but it continues to be compromised. Yes we even reloaded from scratch 3 times still no good. Even our MCSE is now a linux convert and begging me to get it converted quick as possible.
Got Code?
- sig? who is this sig of which you speak?
Any publicity is good publicity.
I hope companies _do_ react to this and help Microsoft achieve their goal as of lately, being kicked out of the software business altogether.
don't bother, it's obvious and boring
boring and obvious
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Designing a product like Outlook, that is intended to run code sent to you by unknown parties (for office automation), is an invitation to crackers, and about as far from secure as you can get.
Microsoft designed what security they had for sharing a computer between multiple people on a desktop. I can make sure you can't see my data if I use their access controls. They didn't take network access security into account, and certainly never took the possibility of unfriendly network access into account. Welcome to the real world guys!
SAME STORY ON YAHOO HERE
The MS executive went on to state that, "our studies have shown that the average end user is intimidated by security. In an attempt to find middle ground between acceptable security and just throwing sensitive information on your front lawn, we have implemented our trademark "random crash functionality" and "resource hog feature suite." Anecdotal evidence suggests that these measures will be sufficient to ensure that no self respecting hacker will come near our crummy operating system.
Furthermore, we volunteer to personally maintain an extensive database of all your valuable data, including credit card numbers, filenames of pirated media files, and love letters from your high school sweetheart. Just in case.
We graciously accept your thanks in advance. You're very welcome."
The angel in the oatmeal.
so... no one ever told you about the middle button, eh?
No really, don't laugh. Who cares how it's engineered. It's how it is supported and fixed that's critical. Your software forces you to make an assumption about its reliability. So assume that MS code has low reliability and move from there.
The real problem is that MS the vendor chooses not to deal with these problems with any sense of urgency or permanence. I swear it's like being forced to eat green beans and hear about starving children in Asia. Beyond some point it's hard to care or worry about it when you know that your parent doesn't really plan to deal with it.
Yeah!
I mean, the Windows 2000, 1.6GHz Pentium 4 stand-alone, un-networked machines at our school, with 256MB of RAM and brand new ATA/133 40GB drives take a blazingly fast 3 minutes from hitting enter to actual log in! That's just frellin' amazing!
Oh wait, my 266MHz iMac, running OS X 10.1.5, with less than the required RAM, significantly more and more memory and processor intensive software, several user accounts(as opposed to 2 on the W2K machines), and a pokey 66MHz bus goes from hitting enter to actually logged in in 30 seconds.
Now that I think about it, something doesn't add up.
Microsoft products are like cars without locks that you can drive by pressing a button. Sure, they're great inside your fenced domain or on your private island. The problem is Microsoft is now marketing them as cars that can be used on public roads and parked in public spaces. It's obvious you'll be h4X0red if you do that.
Try changing the password.
My deviantArt site
Seems to me that a large amount of my software woes came from the use of crappy drivers and/or incompatible software. Not that I like MS, but I think it would be pretty hard to dish out a fully functional product when you've got a bazillion people writing software that is not necessarily cross compatible.
We should also count the hardware vendors who design crap drivers (hello ATI, my Radeon AIW sucked in XP and it's YOUR fault so now I've gone GeForce) that were tested by chimpanzees. This is probably one of the reasons behind MS-driver certification, which does often seem to make more compatible drivers, if oftimes less functional
I used to work in a software distribution branch at a large company. Every time we got new software, we tested it to find out which DLLs etc were installed, and if new ones from new software killed old software, or if old software libs worked better on new software. Surprisingly, machines with the right DLLs and certified apps did in fact rarely crash. I got a lot of nasty dialogs and bluescreens while actually testing the inter-app compatibility though.
If you want something that doesn't crash, get a console (and even that's not always true, I've crashed an NES before).
Good OS, no software. Buggy OS, good software. *sigh* - phorm
This only accounts for the OS, and I cannot speak for back-end products (which is probably the basis for the security issues) however we've seen over and over again, it's access through the terminal boxen that create the biggest hole in any network's security.
Other OSes have different markets, and they capitalize on that (Everyone knows that linux is the de facto for web hosting) and in the /. community, we are more linux inclined (I too run SuSe). But there is a big market for what Microsoft creates, and whether you like it or not, there is no easier OS (except for my dead fave BeOS...).
This is my digital signature. 10011011001
But not nearly as apt as Neal Stephenson's vehicular analogy. See In the Beginning Was the Command Line. "Stay away from my house you freak!"
--Jim
Of course they are not able to determine the technique used to break in. First Microsoft complains about bug reporters telling people about problems, HP threatens to sue, and now they're complaining that no one is telling them? Why should they?
Full disclosure is a good thing!
Personally I don't believe that this was a BUG, do you trust mr X who verisign trusts less than you trust verisign?
You should always check certificates and always save that certificate for that person.
thank God the internet isn't a human right.
More precisely I have heard that Microsoft is full of people who are damned capable and smart and are perfectly capable of making the right decisions, but who are always under pressure and never get the time to. In short they have capable people and simply value different things than we would want them to.
(Note that you don't get where they are by being incompetent.)
I have not heard of any instances of marketeering guffbags and manglement ruining code, primarily because they don't code.
They ruin the code by ruining the requirements. In a firm that produces mass-market software, the marketing department generally writes each product's requirements document. If resistance to buffer overflow attacks isn't specified as a must-have in the requirements document, then it will surely get cut at the last minute in favor of other requirements such as ship date.
Will I retire or break 10K?
Developers! DEvelopers! DEVelopers! DEVElopers! DEVELopers! DEVELOpers! Woo! Developers! Developers! DEVELOPERS! DEVELOPERS! YEAH!
My beliefs do not require that you agree with them.
That certificate bug he mentions was fixed the same day the bug was announced. Oh, "oops" forgot to mention that, huh?
Go spread your propaganda elsewhere, k?
However did you reach that conclusion and what are you basing it on? I mean really- box specs(Cpu, HDD, Memory, Graphics system etc), Windows versions, benchmarks taken. Give us figures.
I have a linux box that is dog slow for image processing. But it's great for apache. This is because it is a P2 at 266mhz with 512Mb of ram and 20gb hdd. It's ancient. I have 3 other different boxes. One of them dual boots. I would not compare my 1ghz Athlon with 1gig of ram running windows and Adobe Photoshop performance to the PII.
OrionRobots.co.uk - Robots From sol
"If you believe that you have been hacked, you may want to contact your legal counsel or law enforcement about your legal options. "
It seems to me that the Department of Justice was already contacted about the monopoly practices that have led to this colossal failure of security. Net result: no change.
Perhaps the option of taking your business elsewhere will be more effective. If the US government gets the message they will start using opensource solutions for infrastructure the way many other nations have begun.
Ethics II Axiom 2. "Man thinks." B. Spinoza
Or maybe it's FUD to push the necessity of Palladium. This is strongly hinted at by the way he whines "it never ends," as if any efforts to secure their products are pointless because hackers are so dang clever.
Either way, this shouldn't sway anybody into the Palladium camp. MS is admitting that they have done jack squat for security, in spite of having told many, many lies to the contrary. And now they expect people to buy into their new technology for a "trusted platform?" Trust isn't bought, folks, it's earned.
Yes, there will always be hackers (crackers, whatever, use context people). But you can't argue a complex situation (computer security) in black and white terms. One security breach a month is better than one a day. Defeatism in the face of adversity isn't exactly the lauded "Microsoft spirit."
I'm glad to see this news. Ulterior motives or not, the truth is being spoken. But if they think they're gaining anything by scaring people, they're dead wrong. So let's just hope they're simply being honest. Hey, a guy can dream.
My deviantArt site
Did I understand you? Microsoft fired the good engineers. Maybe that's why the products are so poor. Yup. Poor management.
I think I have to give the guy credit for admitting to the truth. It's a lot less tedious to listen to someone telling the truth than it is someone imputing that your company's virility is related to its adoption of .NET technology.
What else is true?
Unix was not immune to software not designed with security in mind. I used rsh for years. But a transition was made.
If security is regarded as important, then slowly and inexorably Microsoft will move in that direction. Despite being a monopoly, they will respond in their sluggish way, just as they made Win2K substantially more robust with regards to crashing after everyone laughed at their early versions of NT.
"Provided by the management for your protection."
I hope those were Bill's famous last words...
Dog slow? Not Jagwire (10.2). Maybe you're still using 10.0.0, because the current release is faster than 9 in many areas, though not perhaps UI (but I've never seen Quartz Extreme in action, as I'm running 10.2 on an unsupported ancient iMac -- I have no problems with speed even with this thing).
Weren't they the ones who said using a non-Microsoft product in government would lead to security problems?
BTW, is the guy fired yet?
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
duhhhh maybe I should have thought about that....dork we changed them each time we reloaded.
Got Code?
int wnsprintf(
    LPTSTR lpOut,      /* output buffer */
    int cchLimitIn,    /* size of the buffer, in characters */
    LPCTSTR pszFmt,    /* format string */
    ...                /* format arguments */
);
Microsoft wraps all its C runtime functions with macros that switch effectively between wchar and char types seamlessly.
They also have a little security note at the bottom of their documentation detailing how null termination is not guaranteed with this function, along with some alternatives.
My problem with most of the library documentation they have is that until recently it was rather poor (at least every section I had to use was). Looks like they're taking steps to improve the standard library docs.
sprintf is evil.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
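An added C example (not from the comment above, and not the real shlwapi code) of the caveat in that documentation note: a constructed model of a bounded formatter that leaves the buffer unterminated on truncation, beside a wrapper that always terminates and reports truncation, plus the check a caller should make before trusting a buffer as a C string.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not the real shlwapi API) of a bounded formatter that,
 * like the wnsprintf behaviour the documentation note warns about, fills the
 * buffer on truncation and writes NO terminating NUL in that case. */
static int model_truncating_format(char *out, int limit, const char *fmt, ...)
{
    char tmp[256];                      /* scratch; inputs longer than this are cut here */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n < 0 || limit <= 0)
        return -1;
    if (n < limit) {                    /* whole string plus NUL fits */
        memcpy(out, tmp, (size_t)n + 1);
        return n;
    }
    memcpy(out, tmp, (size_t)limit);    /* buffer full, no NUL: the hazard */
    return limit;
}

/* Hardened pattern: bounded write, termination forced by the caller
 * regardless of what the formatter did, and truncation reported. */
static bool safe_format(char *out, size_t cap, bool *truncated,
                        const char *fmt, ...)
{
    if (out == NULL || cap == 0)
        return false;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    out[cap - 1] = '\0';                /* belt and braces: never trust the callee */
    if (n < 0) {
        out[0] = '\0';
        return false;
    }
    *truncated = (size_t)n >= cap;      /* n is the length that would have been needed */
    return true;
}

/* Check to make before handing a buffer to strlen/strcpy/printf("%s"):
 * is there a NUL somewhere within the first cap bytes? */
static bool is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

int main(void)
{
    char a[8], b[8];
    bool truncated = false;

    memset(a, 'X', sizeof a);           /* constructed: poison so a missing NUL is visible */
    model_truncating_format(a, (int)sizeof a, "%s", "hello world");
    printf("model: terminated=%d\n", is_terminated(a, sizeof a));   /* 0 */

    safe_format(b, sizeof b, &truncated, "%s", "hello world");
    printf("safe: \"%s\" truncated=%d terminated=%d\n",
           b, truncated, is_terminated(b, sizeof b));               /* "hello w" 1 1 */
    return 0;
}
```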
What worries me about this is not that Microsoft products are not engineered for security, we've all known that for years. It's that Microsoft is admitting to it openly.
I spoke to a Microsoft engineer once about .net and he told me that they were working on developing the .net virtual machines for Unix and other non-Windows OSes, but they were specifically planning on not releasing them if .net did well, as that would force developers to use Windows. I suspected as much, but the fact that they would come out and say it worries me.
In terms of marketing, Microsoft knows what they are doing, and they must believe that admitting this won't hurt their sales significantly. Has their customer base become so low-tech that the idea of insecure products doesn't bother them? Or are they simply so powerful that we (the rest of the world) can do nothing to stop them? I'm hoping that this is some kind of horrible mistake on their part, but I doubt it.
"Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
There is a guy recognized as a genius in the Tobacco industry. I read that twenty odd years ago he told other Tobacco industry executives that, while they could afford to hire the shrewdest, meanest, most dishonest lawyers on planet Earth, they could only fight a rear-guard action.
Eventually, he told his colleagues, even the meanest lawyers couldn't hold off lawsuits over the lethal effects of their product. Once suits go to trial, everything will start to unravel. We have no real defense. So, we need to plan ahead.
His plan? Pretend to fight against mandatory warnings, but actually let them go ahead. Keep stalling on the trials -- so that when the trials happen we have a defense.
"But, your honour, we have had to have health warnings on our products for fifteen years. The claimant can't say they didn't know our products were dangerous."
Are Microsoft executives any more ethical than Tobacco executives?
Nah.
I believe that MS planned ahead too. I believe that MS has wanted to "own" the desktop, to own our computers, all along.
Anyone could have foreseen that embedding a macro language in their data files, that was automatically executed when the file was opened, was a sure guarantee of terrible security problems.
This was not an accident. This was a design decision. They did this on purpose. I don't believe it was a mistake. I believe they knew exactly what they were doing.
I believe that they looked ahead, and planned to distribute insecure products, so that they could harness the public's anger at vandals, interlopers and spam artists to justify draconian security measures that we never would have agreed to otherwise.
I'd like to see Gates, Ballmer and the whole filthy crew serve serious hard time.
Are you running PHP perchance? There's a nasty default setting that allows running a file URL as a command...
My goodness, what are you porting? And from what platform? And WHY would you be porting TO Windows?
Everybody I know that writes code (myself included) is porting everything they have to a Unix based platform. Heck, all my code (ported obviously :) compiles flawlessly with no tweaking for any OS to Linux, BSD, and OS X (my preferred GUI, thank you).
Good luck...
Now, let's be honest here...
The story is good, except it's not quite the whole truth. If it were, everyone would be using Linux instead of Windows.
You could make the story more accurate by noting that the $5 lemonade comes in an easy to hold cup that occasionally springs a leak, whereas the free water comes locked inside a small combination safe, and it might take you a while to be able to drink it.
"And like that
"...the Windows 2000, 1.6GHz Pentium 4 stand-alone, un-networked machines at our school, with 256MB of RAM and brand new ATA/133 40GB drives take a blazingly fast 3 minutes from hitting enter to actual log in! That's just frellin' amazing! Now that I think about it, something doesn't add up."
I agree that something doesn't add up. I would say your Win2k machine is seriously broken. My P-266 XP machine takes 15 seconds from 'enter' to ready-to-go desktop.
A.
...bringing you cynical quips since 1998
This is obviously part of the groundwork to get the public behind Palladium. Microsoft has consistently proven itself to be the masters at porting governmental public-opinion-swaying tactics for their needs. It's almost admirable. Following tradition, they'll produce stats and figures and submit them as "proof", and the majority of America will say "wow, we need to do this". Or, as demonstrated recently, they'll hint at the existence of proof for their "cause" and that alone will swing a majority of people to their side and give them time to fabricate it, or draw attention away from producing it. Microsoft will get Palladium, and Dubya will get the war he wants that nobody a few weeks ago wanted, but now seem to want since they keep waving the flag hard enough and hinting at "new evidence" that probably doesn't exist as of yet.
Step 1: Convince everyone that your selfish agenda is in their best interests in any way you can.
Step 2: Pursue your selfish interests.
Being manipulated this way is part of being an American. Microsoft is the most American company I know of.
The most important thing any republican needs to know.
Secure systems are hard to build and cost a lot of money. They are also generally less easy to use (usually because lots of convenient, insecure shortcuts are not available).
As for Microsoft, the "worst thing" they could ever do was build a rock-solid operating system with everything you ever needed that ran lightning fast. Why? Because they only make money when they sell you something (their new licensing plan aside for the moment).
The real purpose of Microsoft's products is to take up more room, run more slowly and add more and more features with each version. That way, you need to buy a new computer and a new copy of the operating system just to run them. By adding features they can assure that everyone will eventually need to upgrade, just to view your company's new Word XP documents, even if they'd be just fine as ASCII text.
in the end, of course, it's all about money and keeping their investors happy and thus keeping their customers just happy enough not to dump them completely
I think Trustworthy Computing is a very good initiative. Generally, the entire industry needs to slow down and secure our products. It is extremely tempting to push for ever more functionality, at ever greater pace. Indeed, Microsoft is showing all the signs of having badly burnt itself in this respect. Bypassing security procedures and the opinions of security people can be a lethally risky business, also when it comes to product development.
An important point is that Trustworthy Computing should have been an ongoing process. By failing to do the obvious, they have been forced to launch a project that should not have been necessary.
That being said, I like the fact that they are performing widespread code/doc reviews and whatever other methods they are using. Even though I'd rather everyone used Linux, it's good to hear that we as a technology-driven society are slowly becoming less vulnerable. And, when they are done with the project, they will hopefully have figured out how to make more secure products.
After all, in an ideal world, every product would be so secure that we could concentrate on the other merits of the competition.
Stop the brainwash
Microsoft does make good products, that's how they got to their position. Give them a few years and they will have secure platforms.
If there was a level playing field today, would the majority of users choose Windows if they knew of all the choices? I doubt it.
Fish ... Barrel ... Shoot
You may think this is a troll but some of the ideas behind Palladium and that Longhorn thing? might just blow any competition away. (kinda like BeOS but more so)
Security is run at data packet level, not just the application/user; providing identified data packets in this way not only gives incredible security, but allows the OS/cluster of OSes to thread and distribute workloads seamlessly. In 5 years time Linux and probably Sun/HP & co. won't be able to compete with that level of natural parallelisation (or maybe not?)
thank God the internet isn't a human right.
95 isn't supported ( ok, I can understand that )
98 isn't supported ( getting a little too close for my comfort )
ME isn't supported ( didn't that just come out 2 years ago? )
2K isn't supported ( What about people running servers? )
Just another tactic to force people to upgrade
As someone who is actually subscribed to receive these bulletins from MSFT, I note that they sent a second revision out today. I quote:
"And like that
http://www.gavinroy.com/fixxp.php
Cheers,
Gavin
I interpret what he said refers to current products. The current version of windows isn't dos based anymore.
-asb
I would imagine that you have a roaming profile dragging loads of junk back and forth across the network.
Not an OS issue, more a network thing.
One file, "gg.bat," attempts to connect to other computers using various administrator accounts. If successful, the file will then copy other files over to the compromised system. This behavior is usually considered characteristic of a worm--but Miller stressed that since the file doesn't copy itself to the victim's hard drive, it shouldn't be considered a worm.
Er... can anyone explain what he's on about? Sounds like worm behavior to me... I suppose it's only LAN-wide, though... ?
I use Lotus Word Pro, it's fast, easy to use, and doesn't get in the way of things. Only downside is the .lwp format is kinda large compared to .doc and especially .sxw
How can you /.'ers take yourselves seriously? This post was blatantly wrong, yet the theory he pushed is one you like, so it gets modded up, never mind the fact that he fabricated his evidence.
You guys are a joke.
As I mentioned, the machines aren't networked yet. They're also brand new, with fresh installs of W2K, the only legacy parts being the floppy drives, as well as externals like the mouse, keyboard and monitor.
Repeated tests of the hardware have shown that everything is working perfectly.
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Following Valentine's lead, OpenBSD calls it quits.
Bullshit... you prioritize the problems your customers ask you to prioritize. Home users don't want security? Fine, then stay the hell out of server-land, because those customers expect you to fight that battle tirelessly.
PDHoss
======================================
Writers get in shape by pumping irony.
Which Rule of Acquisition is this?
I'm guessing #10: Greed is eternal.
Is my video card going bad or does that knowledge base entry look like shit in Mozilla? I know the knowledge base search won't work in Mozilla (by design I would imagine) but this time the text is all squished together...unreadable.
Why any 'standard' should be set by Microsoft is beyond me. So far they have corrupted HTML, JAVA, XML, and pretty much any other standards (the names of which escape me right now) they've come in contact with.
A Macintosh is in my future.
He might as well have said that Microsoft's operating systems are not built to be networked, which is equally true. And most likely those 2 things are very much linked. When an OS is intended to be networked from inception, the entire concept behind it acknowledges realities that do not exist for an OS that was intended to be totally stand alone. Starting from DOS, which is still a very basic idea embedded in Windows, getting to a networked OS with any kind of security at all is fairly impossible. Windows needs to be scrapped completely and rebuilt with interconnectivity in mind before Microsoft can ever have anything resembling a secure platform. And this is exactly what they refuse to do.
"Suppose you were an idiot..... And suppose you were a member of Congress... But I repeat myself."
If you're an NT shop, do you really think that you've got enough Linux experience to keep that locked down successfully? Unless you know what you're doing, it could be an even bigger liability to you.
This information applies to the following OS's:
All MS OS's
Linux
Summary
Mozilla displays fonts in MS Knowledge Base incorrectly.
Solution
Please uninstall Mozilla web browser and install Microsoft Internet Explorer 6.0
If using linux please erase your partitions, create a primary FAT32 or NTFS partition, purchase MS WinXP Pro $300 and install.
The author claims that current Microsoft coding practices are different. But it doesn't matter much, of course. Microsoft is still using plenty of code from that era, as is evidenced by a rendering bug on Windows 98/ME (GDI StretchBlt) I ran into a while ago. It turned out the bug dates back to Windows 3.0 if memory serves.
Move Inetpub to a drive other than the one that contains \Winnt
Move 'exploitable' executables out of the path (i.e. cmd.exe, tftp.exe, etc.). There is a lot of relevant information on securing IIS 5.0 on the IIS 4.0 checklist.
There is a lot that can be done to tighten an IIS server to the point that exploitation is close to impossible. If you are being owned 8 times in a week, either your config is not secure or else there are security issues on the site itself. I am assuming you are building the server OFF the network and installing the patches from a trusted CD-ROM.
Step one: Microsoft admitted it was powerless over its bugs, that the operating system has become unmanageable.
Step two: Came to believe that management better than ourselves could bring the company to sanity.
*wonders when we'll see Microsoft Alcoholics Anonymous 2.0*
Can you run apache on your windows web server? If they keep attacking, it would be interesting to see if they are hitting IIS or something else (assuming they are shitty little script kiddies).
Another possibility is to set up a Linux box with no open ports on the same ethernet segment and sniff all traffic so that you might be able to tell how they hack you, and where they come from (at least the box they are coming from).
But - changing to Linux is also a really good alternative. Just keep in mind that Linux itself does not offer you security, only an improved possibility of security. You will need to stay rigorously patched up, with a good firewall and a good intrusion detection system. I used my IDS to tighten my firewall whenever I found monkey business in the network traffic - with good results. The box ran without external protection or upgrades for a long time, and it was port-scanned every day. Of course, they eventually hit jack-pot at first try. Then, an IDS will only alert you that something is wrong..
Also, whatever application you run on your web server will need to be secure.
Remember - one vulnerability is usually enough.
Well, if Microsoft PSS can't find HOW Windows machines are being compromised, this is one of the few times a 'black hat' has stumbled on a security hole and started exploiting it before any 'white hats' found it and reported it to the 'red(mond, WA) hats'. It must be a tiny, obscure hole if they haven't got it yet, and I hope they find it soon before my server goes!
"... I declare our city to be a free and independent state to be named Tri-Insula!" --Fernando Wood, Mayor of NYC 1861
.....Maybe then it can actually make a difference.
I hate the fact that whenever a new MS computer virus hits, news reports always neglect to mention "This virus only infects computers running Microsoft operating systems". That would go a long way to convince people to look elsewhere.
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
Mac OS X was never slow, at least from my G3 laptop. However, when you design something, you are bound to find ways of building and improving code like Mac OS X.2. Let's face it, Linux was not good when it was 1.0, but after time and revisions to the code it became better than before. This is the crux of what the person is saying.
I believe there is a util to enable Quartz Extreme on PCI Macs available. You could look on XLR8, that's where I read the article on it.
As always, Windows and Mac users comparing GUIs in a security thread. When will they stop?
You have drives that contain \Winnt? That's a problem too: install to a different directory.
How many people create a restricted user for IIS, rather than running it as LocalService?
I suspect the problem lies more with the components installed on the system than with Windows & IIS themselves. For example, our Linux server was being exploited for spam recently. They shut down sendmail as a daemon, but the spam still flowed. It turns out that somebody had installed an old and buggy version of Formmail. Grrr.
Probably one of the best resources for tightening ANY Windows machine is the NSA's own guide (nsa2.www.conxion.com)
We have used this for our migrations and it proved indispensable.
You obviously have never worked in the software industry. When presented with a poorly designed codebase with all the original authors gone, management tends to "wish away" technical problems and blame the problems on the lazy new programmers forced to work on the problematic codebase.
"Of course, this could just be a ploy to get M$'s most vile next O/S out, Palladium, that will let them 0\/\/|\| j00r s0ul (and credit card, and email, and music, and movies, and any personal items that may happen to be sitting on top of your computer...)"
Thank God that, in Linux at least, we have a choice. But that is precisely why Microsoft absolutely hates Linux - because it gives us a choice that frees us from their power.
I bought a laptop from Compaq with XP pre-installed. Of course I installed Linux on it, but then discovered that there was a hardware problem. One of the memory chips had a defect and was causing random crashes. When I called support, they said that they couldn't help me if I ran linux on it EVEN THOUGH IT WAS A HARDWARE PROBLEM.
In my discussions with them I asked them if my warranty was effectively invalid if I ran anything other than XP. The support rep said that yes, that was essentially the case.
So, is the average consumer going to drop $50-100 for a copy of linux if they've already got windows on their machine? Probably not. If they could get their money back by returning windows, they might have some incentive. But if I can't get technical support because I run Linux, then I have a strong disincentive to do so.
But thats where the easy to install Linux distros come in... right????
Mandrake.
---
So why aren't the masses jumping on it (Linux)? Because they are (almost) not allowed to buy a machine that doesn't run Win*.
But thats where the easy to install Linux distros come in... right????
But the point is that they already have an OS. Why would they bother installing anything else? BTW, have you ever tried to install Win9x, Win2K, or WinXP from scratch?
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Anyone who so badly needs to assert their superiority is more than likely just insecure. Want people to think you're smart? Say smart things. Don't just put your 'Clever' hat on.
- SMJ - (It's not just a name: it's a bad aftertaste.)
They also tend to understaff projects, which makes getting the important details right harder. Imagine two project managers running identical projects. One hires 6 guys to do the work, the other hires 4 guys. They both finish at the same time. The project with 6 engineers cost 2.5 million and the one with 4 cost 1.65 million (leaving $850,000 that can now be used for the all-important Executive Bonus Plan). Which manager is going to be perceived by upper management as doing the "better" job?
When TheRegister came out with their first article there were only 2 platforms supported, XP and NT.
Someone who just read that article and didn't follow the other links could easily have been misled.
Emphasis was on getting the job done as quickly as possible with frantic finger pointing when things went wrong. Being a good programmer meant having connections with people in other development groups who could send you code examples that you cut-and-pasted into your own code (usually without any real understanding of the functionality). These connections were based on give-and-take with the default response being "why should I do this for you?"
Since leaving, I've focussed almost entirely on Java and have been in heaven with its culture of well-defined software contracts. Performance issues have been addressed by writing small amounts of code in C++ using JNI.
I wouldn't blame the individual engineer, but the whole software process. I wouldn't call it badly designed, because it wasn't designed - it just accumulated.
Back about DOS 5 or 6 FORMAT started insisting on putting a serial number on disks. It was 4 bytes long. I remember going in with Norton's sector editor, finding it and changing it to DE AD BE EF
Yeah, I know...
MjM
I only mod up...
XKCD:Xeric Knowledge Comically Dispen
Well, it obviously isn't working perfectly. With that said, Win2000 can definitely fuck itself up, but I would say that this is not really a PC problem but more of a Windows problem.
Everything from MS is a piece of junk, so .Net being a piece of crap is nothing new ....it has the same memory leak and security issues.
Press Release For Immediate Release:
Microsoft today graciously conceded what the world already knows. Windows platforms to date have been notoriously insecure. While Microsoft is, by their own admission, somewhat to blame for this in having not foreseen the Internet revolution (Bill Gates: "Yeah, so shoot me - I was short-sighted"), which enabled unprecedented access by the brightest hackers to everyone's machines, it is in fact Microsoft who has been victimized by those very hackers.
Battered and bruised by hackers and security problems, but never one to cry foul, Microsoft chose to make lemonade from lemons. Microsoft re-grouped, re-designed, and announced today that the future is truly bright for Microsoft OS security. "We've learned a lot from our many years of experience and now know how to build a totally secure operating system", said Ralph Buttgoode, chief MS PR man. "Who would know better than us - we've endured many orders of magnitude more hacking attempts than the next nearest "competitor" (snort, chortle, snicker). The totally secure OS will be called Palladium. It will be so secure that even the legitimate user of a Palladium machine will feel that their underwear is too tight. Trust us. We got this one right. Really. Honest. Who would know better? When Palladium is released, for your own security, you must abandon your Windows 95/98/ME/NT/2K/XP, Linux, Unix, BEOS and all other O/S's and install Palladium. Governments must write laws and enact legislation to make sure that Palladium is the only legal operating system. Do it for your own and for your nation's security. When all 2 billion of the earth's computers are running Palladium, we will live in a secure world. And Microsoft will have 14 trillion dollars and have incurred no development costs, since all Palladium development was sponsored by those good folks at the RIAA and MPAA. Bwaa ha ha ha ha haaaa! We are the Borg."
Nope, 100% wrong. Nothing could be more friendly than having 100% control of your computer.
The goal of GNU is to produce the world's best software and that includes ease of use. The current state of development for GPL'd software now includes several excellent mouse driven user interfaces, extensive help files, just as many examples and the easiest installs available anywhere. Is there a single piece of commercial software that you can point to that does not have a free analog that's just as easy to use and more powerful?
Now back to topic, which is that M$ has no security clue. If you have read this much, you deserve what follows.
Here is my favorite quote from the technical details section of their silly warning about software other people put on your machine when they crack it:
Finding any backdoor Trojan indicates that the server is extremely vulnerable to privilege escalation and hacking.
What the hell is a "backdoor Trojan"?! Oh my God, they said that. Ha ha ha ha ha ha. Is it more effective than M$ at preventing the spread of viruses? Is that all they got out of their monthlong security hug? Can you help me out Mr oyenstinker? Someone at the knowledge base is going to have a hard time getting his supervisor off his back after that gaffe. Ahhh! Send more Trojans, fast.
What kind of privilege escalation is there on a userless OS?
There once was a game where a virus was designed to look like a popular OS. Reality has caught up with parody.
Friends don't help friends install M$ junk.
I used to deal with microserfs at IETF meetings. M$ can and does hire the smartest people they can. One of their biggest problems is that they do. What happens when you take a bunch of guys (and girls) that have spent their whole careers (and lives) being the alpha geek and put them in a company full of other alpha geeks? The answer is: Windows. Alpha geeks generally don't like to follow each other's lead; what you get is too many forces pulling in too many directions. M$ products don't suck because they are made by stupid people. They suck because they are made by people that can't work well together, and it shows.
I'd say that the main issue is that Linux doesn't really have a COM/OLE type model (pipes don't count!), and Jesus it needs one.
The kernel could be written more modularly and I could get binary drivers that work with different kernel builds! I could re-use all of that great code out there very easily because it would be encapsulated and modular. I could do things like COM+ and Longhorn for no-coding-required multi-threading. Unless SUN, HP, Linux etc... start thinking towards the multi (10 or more) processor as standard world they're going to get left behind.
Did you say they handed out LSD?
You didn't read the links did you??? It looks like MS has some really scary shit on their to-do list. A security problem they know exists, but don't know what it is, and is in active use (enough to issue a bulletin).
You should have read This
As of August 2002, the PSS Security Team has not been able to determine the technique that is being used to gain access to the computer. However, because of the significant spike in activity, the PSS Security Team has determined that these techniques are similar and/or automated in some cases.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
We already have 5 Linux web servers and none have ever been compromised. We are a very savvy Linux shop and we have not purchased a Windows server in over a year and it is likely we will never purchase another one.
Got Code?
...so none at MS can read it and get the idea! ;-)
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
I've noticed that on a few boards that I hang out on there is the astroturfer overusing the term zealot when referring to people that like and use open source software.
Nope, it has damn ASP apps running on it that marketing had contracted out without IT knowledge. We run a very good Cisco PIX firewall. It is not so bad that it is being exploited, it is the sheer amount of time to rebuild the machine. Some have suggested moving some things around and I like that, it should keep them off my back long enough to move it to a Linux box and Apache.
Got Code?
Marketing guy: - We want to store a permanent cookie on the users machines so they don't need to enter their passwords every time they come to the machine (for a web based accounting application).
Programmer: That would be very insecure. Anybody could view the information stored on this system.
Marketing guy: - The client wants it.
Programmer: Has the client been informed of the potential risks? They might not want this feature if they understood the ramifications.
Marketing guy: (who has seniority) Just do it.
Similar problem here, but so far I don't think mine's been hacked, yet. What I've done is set up a Squid server on the public and redirect all web requests back to the Win2k machine sitting on the private network. A reverse proxy, if you will. I also monitor all network traffic on this machine and am pretty confident it's doing only those things I ask it to do (well, when it's willing to, anyway...).
VB != VisualBasic
ASP apps running on it that marketing had contracted out without IT knowledge
That's not a valid reason to stick with IIS.
I say incompetence. Sorry I cannot give them enough credit for malice.
Half of Microsoft designed web pages just come up blank when using lynx. BLANK
Microsoft may have become honest NOW, in this one instance, with this one press release.
But how long has Microsoft been in existence before this?
For that length of time, they have been dishonest in every way (and incompetent too)!!!
Nope, 100% wrong. Nothing could be more friendly than having 100% control of your computer.
I agree if we use "user-friendly" to mean "we are as accommodating to the user as possible, and we trust the user". However the conventional usage is "we make things as easy for the user as possible", which GNU does not do (emacs, as just one example). GNU authors are geeks who write for geeks, and I think they secretly like the feeling that they are part of a secret club that nobody else can understand.
The goal of GNU is to produce the world's best software and that includes ease of use.
From the horse's mouth: The principal goal of GNU was to be free software. And: The goal of GNU was to give users freedom, not just to be popular.
the easiest installs available anywhere
Newbie software install in Windows: double click on setup.exe, keep clicking OK. Done.
Newbie software install in GNU: Let's see, it's .tar.gz, so I have to untar it ... can't remember how that works ... man tar ... OK, there it is. Now let's read the README. Configure, fine. GCC not found? What the hell is that?
Is there a single piece of commercial software that you can point to that does not have a free analog that's just as easy to use and more powerful?
Linus certainly seems to think so. Remember the kerfuffle over his use of some proprietary package to maintain the Linux kernel? He said he just wanted to use the best tool, whether it was free or not.
What kind of privilege escalation is there on a userless OS?
As many on this forum have established, although Win 95/98 are userless, WinNT does have privilege checking and administrator accounts.
And with reference to your spelling of MS with a dollar sign, you might find this Penny Arcade cartoon helpful.
Toronto-area transit rider? Rate your ride.
are you accountable for insecurities if you admit that your product is insecure? more importantly for microsoft, if it admits that the products are insecure, can it squash any talk of security legislation?
Sure you can. You start by disabling all contact with the outside world by default. If I'm not listening, they can't tell me what I don't want to hear. You then, slowly and with rigorous testing, implement a small set of interfaces that let you talk where you need to, e.g., by reading and drawing a body of text. Bingo, you just covered most of e-mail, Usenet, web browsing and the rest in one go.
The problem is MS' approach: every application should do everything. For goodness' sake, Office 2002 apps that I use to write my letters and do my accounts have several dozen hooks that try to access the Internet in them. Why? That's just silly, and it's not surprising that in such an environment, people get careless.
Writing basic interfaces to support e-mail, ftp, web browsing, Usenet, time sync'ing and such is not hard. Writing them to be secure requires a modest amount more effort. It shouldn't be beyond the average CS grad, though, and it certainly shouldn't be beyond a group with the resources that Microsoft has at its disposal.
People have been telling me for years that since I program in C++ and don't use a GC, my programs must have memory leaks. I've told them no, because I use good basic practices. They claim I'm wrong. I claim I have rigorous, objective diagnostic tools that back me up on this. That's not hard, either, but most of the programming world would tell me it can't be done. So it is with security.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I highly, highly, highly doubt that Microsoft programmers are unaware of this non-standard C library call (indeed, if you search in the MSDN library it will by default show you results prefaced by _, __, etc.). It's pretty damn silly to say that Microsoft is "hiding" this when they're hiding it in brutally plain sight.
KDE fixed their bug in 95 minutes, but the IE bug was exposed on the same day, August 12. Now, go stick your FUD in your ear.
But then Microsoft discovered that the really big money lay in corporate users.
That's when the proverbial shit hit the fan! Microsoft, in their genius, is only discovering their problems now with the corporate user, not to mention with the average user who wants to do banking over the internet!!!
Microsoft should have tackled their security weakness immediately upon their first sale of any product to a businessman (or when they pushed out into the internet world)!
You will have the same problems on Linux. The problem is your process and design. Sounds like you do not know what you are doing for running a secure shop, nor do you have even the beginnings of an IDS installed, which can detect attacks without patching boxes.
There are W2K shops with thousands of servers that do not install patches, and just let signatures and patterns from IDS's get the exploits. This gives the famed uptimes, and saves a lot of time overall for hosting firms.
He wants a fish. He looks for the free fish stand. There is no free fish stand.
What ISAPI filters do you have loaded?
IIS can be made *much* more secure by eliminating all of the ISAPI filters that you don't need. Look in the properties for the web server and click the Master Properties Edit button. Find the Home Directory tab, click the Configuration button, and remove all application mappings other than ASP.DLL. Double check that the delete has propagated down to the default web site and your web site, and you should be much better.
The asp.dll (AFAIK) doesn't have any remote exploits.
The other suggestions of moving the WWWRoot are very helpful. Also make sure you are running URLScan. I wouldn't even turn on an IIS server without it. http://www.microsoft.com/Downloads/Release.asp?Re
www.christopherlewis.com
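The mapping clean-up described in the post above can be checked rather than eyeballed. The script below is an added example, not code from the poster or from Microsoft: it parses application-mapping entries in the comma-separated form the IIS 5 metabase uses for ScriptMaps (extension, handler DLL path, flags, then verbs; the layout is assumed here) and reports every mapping whose handler is not asp.dll, calling out the extensions whose default handlers have a record of remote exploitation (.ida/.idq through idq.dll was Code Red's way in). The sample mappings are constructed for the demonstration.

```python
"""Audit IIS application mappings and flag everything that is not asp.dll.

Added example, not code from the post above or from Microsoft. It assumes
the comma-separated form in which the IIS 5 metabase stores each ScriptMaps
entry:  <extension>,<handler dll path>,<flags>[,<verb>,...]
The sample mappings are constructed for the demonstration.
"""
from dataclasses import dataclass

# Extensions whose default IIS handlers have a record of remote exploitation
# (.ida/.idq via idq.dll was the Code Red vector; .htr and .printer had their own).
HIGH_RISK_EXTENSIONS = {".ida", ".idq", ".htr", ".printer", ".htw", ".idc"}

# Constructed sample: roughly what a default IIS 5 install carries, plus ASP.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD",
    r".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]


@dataclass
class ScriptMap:
    extension: str   # e.g. ".asp", lower-cased
    handler: str     # file name of the ISAPI DLL, lower-cased
    flags: int
    verbs: tuple


def parse_scriptmap(line: str) -> ScriptMap:
    """Parse one ScriptMaps entry; raise ValueError on a malformed line."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {line!r}")
    # The handler is a Windows path; keep only the DLL file name for comparison.
    handler = parts[1].replace("\\", "/").rsplit("/", 1)[-1].lower()
    try:
        flags = int(parts[2])
    except ValueError:
        raise ValueError(f"non-numeric flags in entry: {line!r}") from None
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(parts[0].lower(), handler, flags, verbs)


def audit_scriptmaps(lines, allowed_handlers=("asp.dll",)):
    """Return [(extension, handler, reason)] for every mapping that should be removed."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        sm = parse_scriptmap(line)
        if sm.handler in allowed_handlers:
            continue
        reason = ("handler with known remote exploits"
                  if sm.extension in HIGH_RISK_EXTENSIONS
                  else "handler not needed for ASP")
        findings.append((sm.extension, sm.handler, reason))
    return findings


if __name__ == "__main__":
    for ext, dll, why in audit_scriptmaps(SAMPLE_SCRIPTMAPS):
        print(f"remove mapping {ext:<9} -> {dll:<12} ({why})")
```

Run against a real export, the findings list is exactly the set of mappings to delete in the Configuration dialog; re-running it after the change on both the master properties and each site is the "double check that the delete has propagated" step from the post.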
You could add in there, "We of the Republican Party regret that we have passed every amendment we could and cut every budget of every enforcement agency we could to make it possible and even legal for every corrupt CEO to loot his corporation and move the proceeds of his crime to an off-shore tax shelter."! And also, "We of the Democratic Party went along with the scam.".
Now that would be honesty! By the way, where is "Newtie Babie" and his contract against America now? Why don't we hear more from the Reagan laisser-fairies now?
Really dense customers?
If you've been compromised even once, you frankly don't know what you're doing.
I work NOC in a mostly Windows shop. We have several hundred NT and 2K boxes, and have never been compromised. The only machines that got hacked *ever* were customer owned boxes that the customer failed to patch against CodeRed.
If you patch the box properly, firewall it properly, turn off unnecessary applications and services, and run a correctly configured IDS, then a windows box can be just as secure as any other OS.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Sure, I would admit it. The Beta was dog slow (but still usable as a primary OS for 4 months). X.0 was a little faster but not much. X.1 was a noticeable improvement, the system was usable beyond minor tasks. X.2 I've only toyed around with in stores, but it sure as hell seems much much faster than X.1.
Besides, what's wrong with admitting it? Linux was sluggish in its early stages too once the GUI kicked in.
T Money
World Domination with a plastic spoon since 1984
Eat what you want, be a couch potato. Life is the leading cause of death. Ignore the establishment media. DARE TO THINK FOR YOURSELF............
Given the present revelations, why would anyone believe in Palladium? Why should it be any more secure than Windows?
Even if Palladium could be made secure, why should it not then become so complex that it would be beyond the average clueless klutz Microsoft customer?
Ideas:
1) Show Tux working on a tan while distributing water
2) Have Tux invite several friends and they all sit around having a good time while watching the stand, talking to the customers, and spending time being community driven, while Billy sells his Lemonade and then tells the customer to call tech support when the cup springs a leak
3) Show Tux with a selection of glasses to choose from, some similar to Billy's, some similar to Steve's, and some completely unique (IE the Super Size Mug)
This guy should flat out admit that MS products are not engineered at all.
Some choice quotes by Jeremy Allison (Samba Team) about the Windows network printing protocol:
"The implementation is APPALLING",
"The implementers did not understand network protocols. At All."
and, my favorite, "The print subsystem looks like it was cobbled together by sophomore (1st year) CS students"
However, the "Every operating system out there is about equal in the number of vulnerabilities reported" statement of Valentine's fails to take into consideration that in most cases Unix, open source and free licensed software has been designed from the outset with at least the issue of security in mind, whereas some Microsoft systems such as their embedded scripting systems have not.
The result is that it is far easier to exploit an easy, scriptable vulnerability in a Microsoft system, that has no patch for months, than to exploit a difficult, binary hole in a Linux/BSD system that has a patch within days.
winzombie: ijustgotwindowsxplemetellyouit...
me: ummm, SCREAMS?
winzombie: yup!
me: you said that about windows me, does xp SCREAM more?
winzombie: yup!
me: you said that about everything since dos 3. does the pitch go up each time or something?
winzombie: icanbemoreproductive!
me: yeah yeah ok
How can they claim Windows 2000 wasn't built with security in mind? From the very beginning of the NT line, which W2K is a part of, MS has claimed that NT was built to be secure. They advertised it and everything.
Seems like revisionist history, if you ask me.
Spot on - I work in mechanical engineering. No wonder I tend to think engineers are somewhat empowered. In the mechanical field, it's easy - if something doesn't work, you fix it. Before it goes out. It's such a simple concept, that I naturally assumed it applied to other areas of engineering/development.
-- Never hit a man with glasses. Hit him with a baseball bat.
Continuing....
Billy Boy: Lemonade! Lemonade! $5 a glass!
Previous Customer [moaning]: Oooo... I don't feel so good...
Billy Boy: Was it something you ate? Here's a list of approved foods to go with my lemonade.
Customer: No, it started when I drank your lemonade. Ow ow!
Billy Boy:It couldn't have been my lemonade. My lemonade is the best. You must have eaten something wrong.
Customer barfs on Billy Boy.
Billy Boy: Ewww! Fortunately, I have some antidotes. [Takes out pills.] Take this, and this, and this, and these. If you wait a month, I'll have one superlarge pill that will take care of all of these pills!
Next time, on BB& T:
(Customer roughed up by two Keystone Kops looking down his mouth.)
Billy Boy [yelling]: Get him! Make him spit it up! He MUST have stolen my lemonade! He MUST have! His mouth isn't dry! Make him PROVE he bought it!
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
http://online.securityfocus.com/news/606
Thus the name "Stench" given to the vulnerability. And very telling about just how bad the security issues with Windows are when you add them together. Three "insignificant flaws" deemed to be "minor annoyances" put together form a serious trojan that requires no user input other than clicking on a link in IE.
It just goes to show that security can't just be an afterthought to be patched with little band-aids. You really have to stay on top of it, otherwise someone figures out how to create a huge vulnerability out of your "minor" low severity flaws. (They note 18 known existing flaws in IE in the two day old article I linked.)
Oh yea what is your IP address idiot!
Got Code?
You need to hire someone who knows something about security, perhaps on a contract basis. If your crew can't secure your Windows box they won't be able to secure the Linux one either.
;).
It is hard to guess how the box is compromised without knowing more, but you might run nessus against the box on a test LAN before reconnecting it to the Internet. Enable auditing and use IDS. An IDS would be useful for determining what sort of exploits have been tried against the box and correlating IDS logs with security logs to determine how the box is compromised next time.
If you do run Linux, run the bastille script to harden the box. Run tripwire so you can track which files change in the future. Are you running sql queries? No user input should be permitted to directly access a SQL database.
This list goes on and this is the wrong forum. Good luck.
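The SQL point in the post above ("no user input should be permitted to directly access a SQL database") is easiest to see side by side. The block below is an added example, not the poster's code: it builds a constructed two-row users table in an in-memory sqlite3 database and runs the same lookup twice, once with the user's input spliced into the SQL text and once with bound parameters, using one constructed input string that the first version treats as SQL syntax and the second treats as data.

```python
"""Parameterised queries versus string-built SQL.

Added example, not code from the post above. Uses Python's sqlite3 with an
in-memory database and a constructed two-row users table, so it runs offline.
"""
import sqlite3

# Constructed sample rows (plaintext passwords only to keep the demo short;
# a real table would store a salted password hash).
CONSTRUCTED_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    """The pattern the post warns against: user input spliced into the SQL
    text, so the input can rewrite the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Same query with bound parameters: the driver hands the values to the
    engine separately from the statement, so they can never become syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both versions on a valid login and on one constructed hostile input."""
    conn = make_db()
    # Constructed input: a plain string to the safe version, but it changes the
    # structure of the string-built query (the OR defeats the password check).
    hostile = "x' OR 'a'='a"
    return {
        "valid_safe": login_safe(conn, "alice", "s3cret"),
        "hostile_unsafe": login_unsafe(conn, "alice", hostile),
        "hostile_safe": login_safe(conn, "alice", hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:<15} -> {rows}")
```

The string-built version returns every user for the hostile input; the parameterised one returns none, because the engine compares the password column against the literal eleven-character string. The same placeholder mechanism exists in ADO for ASP pages (Command parameters), which is where an IIS/SQL Server shop like the one in the thread would apply it.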
In the 'Information Week', a manager newspaper in germany, Bill Gates himself stated "We are the only company that can say it produces a SECURE operating system" (buggy translation by myself, sorry).
Amongst other blah, that was one of the statements which really made me laugh - and cry at the same time...
I would very much like to know which apps and services you "turn off". Can you share that information?
I wrote a quick apache filter proxy that routes all requests through apache on linux to the machine in question in the dmz. It filters all post, put and get routines for content, goodbye script kiddies.
Got Code?
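The filtering proxy in the post above and the URLScan recommendation earlier in the thread do the same job: decide, per request, whether IIS ever gets to see it. The block below is an added example, neither the poster's proxy nor URLScan itself. It applies a small deny policy to HTTP request lines (allowed methods only, a length cap, one round of percent-decoding with leftover encoding rejected, no traversal sequences, ASCII only, and a deny list of extensions served by ISAPI handlers an ASP-only site does not need) and runs it over constructed request lines.

```python
"""Request-line filter of the kind URLScan and a front-end proxy apply.

Added example, not the poster's proxy code and not URLScan. The policy and
the request lines below are constructed for the demonstration.
"""
import posixpath
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Extensions handled by ISAPI DLLs an ASP-only site does not need, plus
# executables that should never be reachable by URL.
DENIED_EXTENSIONS = {".ida", ".idq", ".htr", ".printer", ".exe", ".dll", ".bat", ".cmd"}
MAX_URL_LENGTH = 260   # constructed cap, roughly a Windows MAX_PATH


def check_request(request_line: str):
    """Return (allowed, reason); reason is 'ok' when the request may pass."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_URL_LENGTH:
        return False, "url too long"
    raw_path = target.split("?", 1)[0]
    path = unquote(raw_path)            # exactly one round of decoding
    if "%" in path:                     # anything still encoded was double-encoded
        return False, "double-encoded sequence"
    if any(ord(c) > 127 for c in path):
        return False, "non-ascii character in path"
    if ".." in path or "\\" in path:
        return False, "path traversal sequence"
    ext = posixpath.splitext(path)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, f"extension {ext} denied"
    return True, "ok"


def filter_requests(lines):
    """Evaluate many request lines; returns [(line, allowed, reason)]."""
    return [(line, *check_request(line)) for line in lines]


# Constructed request lines: two legitimate ones and several the policy rejects.
SAMPLE_REQUESTS = [
    "GET /default.asp?id=42 HTTP/1.0",
    "POST /orders/submit.asp HTTP/1.1",
    "GET /default.ida?AAAA HTTP/1.0",
    "GET /images/../../private/report.txt HTTP/1.0",
    "PUT /wwwroot/newfile.asp HTTP/1.1",
    "GET /docs/%252e%252e/secret.asp HTTP/1.0",
    "GET /caf%C3%A9.asp HTTP/1.0",
    "GET /" + "a" * 300 + ".asp HTTP/1.0",
    "not a request",
]

if __name__ == "__main__":
    for line, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{'PASS' if allowed else 'DROP':<4} {reason:<26} {line[:60]}")
```

Placing this in front of IIS rather than on it is the point of the proxy design: a request that trips a rule is answered by the proxy and never reaches the ISAPI code that the thread's other posts are busy removing. Logging every DROP with its reason also gives the correlation material the IDS advice elsewhere in the thread asks for.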
I *love* Linux. But, if you only need the http service, have you considered OpenBSD? Do a minimum install, and then add Apache.
Not sure it'd help.
The address pans out to $FFD7. It may be of use in the Apple /// here :o)
I'd like to find some detailed docs, but we're talking about the ///, which had funny memory at $FFD0.FFEF ... bank switch regs, timers, etc... those 32 bytes worked similar to $C0XX page in a II series.
--
Me spell chucker work grate. Need grandma chicken.
If you've been compromised even once, you frankly don't know what you're doing.
Well that would be a long list of who's who, now wouldn't it?
Excluding your incredible self, who would not be on that list?
My IP address is 2130706433.
Decode that, and you're the ultimate 31337 H4X0R dude!
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
check your sig, chief:
I have no TOLERANCE for STUPIDITY.
that is all.
Finding any backdoor Trojan indicates that the server is extremely vulnerable to privilege escalation and hacking.
Well, no kidding!
Let's rephrase the statement: "The fact that someone has cracked your box indicates that someone could crack your box."
IMHO, the only secure IIS server is one that's not running.
I stopped reading this article the second I hit that Code Red and Nimda attacked vulnerabilities in the OS. This is probably from the same people that insist that Linux and BSD are perfectly secure because the only exploits occur in components which aren't technically the kernel. That's bullshit. If an IIS exploit can be labeled an OS exploit then certainly so can wuFTP or the other various associated exploits that happen to occur in userland. Security might not have been priority #1 at Microsoft, but it wasn't ignored. There's a reason Windows NT 4.0 achieved a C2 certification. There's a reason Windows NT was modelled after VMS. Is Microsoft the most secure OS in the world? No. Can a Linux claim that title? No.
Read about it in Show-Stopper!: The Breakneck Race to Create Windows NT and the Next Generation at Microsoft
Random is the New Order.
How nice, you're using the same password as I am. And you have the same files as I am. And...
PSS := "Poor Server Software"?
-- Terry
Not that I disagree that Microsoft products are insecure. There are a couple of points that I must make.
1. You must be doing something wrong. I work for a company that hosts a very large amount of websites for some very large companies. We do not have any security issues with our Windows machines, nor our Linux machines.
2. There are just as many security patches for linux related applications as there are for windows.
3. I am assuming that you work in the IT industry in some capacity. Do you realize that Microsoft has played a very important role in helping to pave the way for the IT industry to be as large as it is today?
Just some things to think about :) ...>SK...
Nobody asked for your ignorant opinion, mmmkay?
Naaa...he means this FUD for Thought:
Bug Triad Whacks Microsoft Browser
Researchers discover that three "low risk" bugs can combine to send a Windows system up in flames.
By Brian McWilliams, Sep 4 2002 9:25AM
To prove that no security bug is truly harmless, a security group has stitched together two minor flaws in Microsoft's Internet Explorer 6.0 browser with a small glitch in Windows Media Player to create one seriously powerful attack.
By coaxing IE users to view a Web page containing the special code, an attacker can silently force Windows 98, Windows 2000, or Windows XP users to run a malicious program of the attacker's choice.
The security group, Malware.com, has created a harmless demonstration micro shit of the flaw which downloads and runs an executable program that fills the victim's computer screen with flames.
A Malware.com member who uses the nickname "Http-equiv" says he named the vulnerability "Stench" to dramatize why it's dangerous for Microsoft to downplay and delay patching security bugs that it considers minor.
"Their patching tiny pinprick holes and not the overall problems, their mitigating factors, their ignoring small demonstrated flaws, all add up into a monster problem, which basically stinks," said Http-equiv in an e-mail interview Tuesday.
Internet Explorer currently contains at least 18 security bugs, many of them low-risk annoyances. Because it allows an attacker to run code on a victim's machine, Stench is the most serious security issue currently facing IE, according to Thor Larholm, a researcher with Pivx Solutions who tracks IE vulnerabilities.
Larholm said the information provided in the Malware.com advisory could easily be used to create a harmful exploit.
"Follow the steps and you're done. I could let my 12-year-old cousin do this," said Larholm, who added that because all three bugs have been known to Microsoft for many months, Malware.com's release of the information was "by the book" and does not constitute what Microsoft calls "irresponsible disclosure."
A Microsoft representative said the company was currently studying the report and would take appropriate action.
Company Patchwork Faulted
According to Http-equiv, the exploit depends in part on a known quirk in how Microsoft's media player handles self-extracting Windows Media Download (WMD) files.
"If we can place our 'goodies' inside the
Using a year-old IE bug known as the "codebase local path" vulnerability -- a bug that was only partially fixed by Microsoft last March -- the Stench exploit is able to unpack and execute the malicious code without triggering IE's security settings, he said.
According to Larholm, a major update to Internet Explorer known as IE6 Service Pack One could include fixes for numerous bugs, including those exploited by Stench. Microsoft quietly released SP1 to its download servers in late August but removed the upgrade shortly afterwards without explanation.
On August 22, Microsoft issued a cumulative patch for IE that addressed several severe bugs but did not include complete fixes for the codebase localpath and numerous other vulnerabilities, Larholm said.
Malware.com's Stench advisory, posted to security mailing lists on August 21, concluded with the following statement: "Instead of sitting around trying to thinking up ways that all these things cannot work, simply fix it the first time round. There is no such thing as 'mitigating factors' and 'hurdles'. This is a lie. Pure fantasy. Fiction. Fix it when you can! For every way you think it cannot be done, there are 10 ways it actually can!"
This is from the first article referenced, the one about products not being engineered for security. Where Valentine says that it applies to Linux and Unix as well...
Right so granted OpenBSD did have that 1 security hole, and there's the Ramen worm for Linux right? So yeah, how many different holes and viruses came out for Windows YESTERDAY? Right, Industry wide problem my ass...unless of course you redefine computers in general to be the Microsoft Industry.
Stupid cop-out.
"But that's just my opinion, I could be wrong" - Dennis Miller
More secure, easier to use, and good performance. Also, has lots of BSD bells-and-whistles-stuff, which makes it easy to integrate in big networks, AND it looks good :)
You really should consider alternatives to Windows AND Linux when you make blanket statements.
Slashdot. It's Not For Common Sense
Emphasis was on getting the job done as quickly as possible
Probably true, but in the case of COM I think you're actually being a little too kind. COM was talked about for years before it emerged, and I believe its designers were more or less aware of the existence of NCS/DCE, CORBA, Sun RPC etc., but this didn't stop them making an astonishing number of misjudgements. Apartment threading, 'interface' references and UUIDs were just the tip of an iceberg, and ultimately they were only able to dig themselves out of this hole by copying Java.
At the time I put it down to having a balance tilted towards very young staff who had little experience of enterprise-level computing. TP, EAI, name resolution, security, concurrency etc. are not issues you can address straight from training.
Looking back I'm not so sure - lack of technical strategy was certainly part of the problem, but really the process was broken in that basic requirements like security, resilience, manageability etc. weren't factored into developments from the outset.
It would be nice to think that Linux's collaborative model protects it against equally shortsighted hacking, but it would help a lot if there was a truly common framework equivalent to J2EE or Dotnet to leverage.
...the sun came up today.
What's that? you already knew that? Then why are you reading this thread because we all already knew this too....but it doesn't stop us from getting out the "I hate microsoft" for the day.
Sorry, I'm just really bored.
"But that's just my opinion, I could be wrong" - Dennis Miller
From a Microsoft Representative:
"The current wave of security breaches in Windows is due to several open-source programmers, who we mistakenly hired. Their poor coding techniques created the holes that are now being exploited."
"Rest assured, they have been fired. And after discovering that they modified their car stereos in a garage, they have subsequently been arrested for violations of the DMCA."
Why are you bothering giving advice that might fix a problem that shouldn't exist in the first place?
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
PLEASE mod this correctly as either Redundant or Troll like it deserves.
...I just generated a message to people and potential clients regarding these issues.
The gist of it is that there are security problems that cannot ever be fixed by Microsoft with their products. If they wish to stay with Microsoft, they have to remain vulnerable until such time they release their new products which address the concern and in most cases, pay a lot of money to get them.
Meanwhile, free solutions exist to replace the problem products and while they aren't trouble-free themselves, they do tend to get fixed much more quickly and there is no additional cost for those fixes in most cases.
When addressing security concerns of today, NOW is the time -- not waiting for the next generation OS and then waiting for it to be stabilized.
One of my targets for the message was "Resident Data" (http://www.residentdata.com) which is a company that functions by serving up the results of background checks to its subscribers. (It shares sensitive and private information about individuals for money to clients.) They are PROUDLY a "...Microsoft Only..." shop.
Frankly, that attitude scares the $#!+ out of me. It's all well and good to favor one product over another due to familiarity and comfort, etc. But it's utterly irresponsible to attempt to call "secure" their data when it's housed in a "...Microsoft Only..." environment.
If the company I cite as an example is any indication of what is actually going on out there in practice, I'm genuinely frightened at how our public and private records are being managed.
To me this is a major privacy concern and there should be an initiative that demands that SECURE STORAGE and SECURE METHODS be deployed to secure the information. If there are significant threats discovered, it should be their legal responsibility and requirement to either secure the data properly or shut down the operation until such a time that it can be certified as secure. This is not "Anti-Microsoft" sentiment speaking -- this is Privacy/Security sentiment.
The problem is much larger than just the products -- it's how and where they are used.
Security Focus has some good recommendations for securing IIS.
Make no mistake, this phony confession is nothing but a strategic move to begin grooming the world to the idea that Palladium is the only hope for "Trustworthy Computing".
It's groundwork for a bald-faced pack of lies, Micro$oft FUD in its purest form.
It's also further proof that Micro$oft's upper level minions are utterly without any moral compunctions whatsoever, always willing to pimp themselves again and again for the good of the Motherland.
Micro$oft uber Alles!
Seig heil!
t_t_b
I'm on PJ's "enemies" list! Are you?
My athlon xp 1800 system boots winXP in 25 seconds and I have several user accounts.
My friend's top of the line g4 system with 384mb ram takes about 2 or 3 minutes to boot OS X, so you are obviously lying.
GoatPigSheep, the 3 most important food groups
"How many people create a restricted user for IIS, rather than running it as LocalService?"
Nobody who wants to run their IIS server within spec. Unfortunately, that's not a real solution.
So they say, "Our products aren't secure... but our NEW stuff will be! For real! Honest!" And then Palladium comes out. And wonder of wonders, it won't be secure. And they'll say, "Oh, well, yeah, this isn't perfectly secure, but our *NEXT* generation will be! For real! Honest!" And then the next generation will come out, and it will have holes, too.
I'm fairly well convinced at this point that Microsoft's history of poor security technologies and practices is, if not entirely deliberate, at least unconsciously encouraged. An evolutionary defense, perhaps. If products are touted as secure, but aren't really secure, and if the next generation is claimed to be the fix to all the current problems... then the average person/company will probably eat it up. Why?
Because eternal vigilance is the price of freedom, and most people don't want to believe that. There is no magic bullet for safety or security. The only way to have anything resembling good security, is to keep working at it. The more you work at it, the better it will be. There's a point of diminishing returns, of course, and if you spend all your time on safety, you'll never get to spend any of your time doing the things that you're protecting... but if you spend no time on security, you have no right to complain when it fails. This goes for computer software, physical security, national security, whatever.
But a lot of people don't understand that. They hear about "new, *really* secure" things, and they think, "Well, once we have that, then we'll be secure, and won't need to think about security any more!" But it doesn't work that way. It never has, and it seems unlikely that it ever will. People need to be made to understand, whether they like it or not, that the only way you can have security, is if you keep working at it. And a lot of people don't want to have to think about failures of security, and what they have to do to prevent them.
The worst part is, no matter what you do, there's always ways around it. Before a year ago, how many people would have thought it absurd that terrorists could simultaneously hijack four airplanes and use them to entirely demolish the World Trade Center towers and severely scar the Pentagon? Surely our security was better than that?
This is not a call to action for our country, or Linux advocacy, or whatever. I'm just trying to analyze why it is that Microsoft can keep getting away with this. I think the main reason is that when Microsoft says things, people believe them, even when what Microsoft says is the same known lies they've been saying for years. Why do they believe? Because human denial is an immensely powerful force. And Microsoft knows it.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Windows is not the problem and Linux isn't the answer. If Linux is so great then why do you have to recompile the kernel just to install a browser? I have been an MSCE for 2 years now
and I feel that I have much experience in this game. All one really needs to do is just install Zone Alarm Pro, the set-and-forget firewall. That's how I have advised my organization to solve our old Klez problems. Face the facts, as long as you're running Zone Alarm, you don't even need to check any logs but about every 6 months. No virii either.
Can this statement from Mr. Vice President be used as a statement of guilt stating that systems are not C2 compliant? Does this mean another slap on the wrist for MS or will some meaningful result actually come out of this?
Also will other businesses be able to press for some sort of compensation or can we all be expected to buy a new version of "windows secure" in the future? This, as they pare down their support in security just because Microsoft has admitted they cannot write secure code for an operational product.
When I was your age we didn't have music file sharing utilities. We had to go out to a store and shoplift the CD.
Too easy.
Here is the best way to secure IIS. Go here and download the win32 version of apache. Edit the config files and reboot. Problem solved.
http://saveie6.com/
It's obvious to me what happened to Napster. They allowed files to be hosted on renegade Linux Apache servers. These computers not only served copyrighted materials, but they also were portals for hackers and script kiddies to execute DOS attacks on many websites. The RIAA clearly realizes the importance of IIS and the evilness associated with Apache, and is willing to go to extreme measures to ensure that these Linux fools are shutdown for good. Good riddance to bad rubbish!
In other news, Linus Torvalds remarks that Linux is just not engineered to be easy to use by the average home user.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
Thanks for alerting all of the script kiddies who read /. that there is fun to be had.
If you've been compromised even once, you frankly don't know what you're doing.
Or maybe he's getting hit by this which MS hasn't figured out yet either. Regardless, an IDS is a must.
8. Make a list of all persons we had harmed, and become willing to make amends to them all.
Wu-Tang Name: Half-Cut Skeleton Get your own Wu-Na
M$ Marketing droid 2: I know, let's admit that Win2K is full of security holes we don't have a clue how to fix! That will force everybody to upgrade!
Can I possibly be the only person to have noticed that Microsoft only admits to a problem in their software when they are try to sell you an upgrade to a newer release of that software?
"Freedom means freedom for everybody" -- Dick Cheney
You mean its not a feature?
One thing Microsoft isn't good about is owning up to their own responsibilities. Check out the last sentence of this article, where Brian Valentine talks about how bugs are an industry-wide problem. "We all suck," he said. I am sorry, but there are finely engineered products like Red Hat Linux, Free/Open/NetBSD, and then there are what I call the Frankenstein of operating systems. This reminds me of the early days of FreeBSD, when it was really just a patch kit. In that case, FreeBSD got a LOT better. In this case, MS has been staying with their patches and made things worse. Come on, Brian - can't you just say "Microsoft sucks"?!
You called it, today's Ditherati quote was indeed the line about 'Our products just aren't engineered for security'. Furthermore, there's a footer in the Ditherati email: "A special welcome to Slashdot readers -- thanks for subscribing to Ditherati."
Interociter
-=What do I want? I'm an American. I want more.
2130706433 = 127.0.0.1
Apparently, you are too chicken to actually give out your IP. You want to talk the talk, but not walk the walk. Go away little girl.
I know that Microsoft KB uses this term, but why would Slashdot? The term "hack" should refer to something good, some sweet way to make something work. Instead, Slashdot chooses to further the bastardization of this term, synonymizing it with "crack"
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Some people like seamless integration and ease of configuration. Apache configuration is insane, complex and confusing (i.e., after I uncomment mod_whatever why doesn't the feature work?).
Yeesh- all through the article they're pointing out that Win2k has been riddled with security holes-
"Most notable are the Code Red and Nimda worms, which exploit a vulnerability in the operating system."
Last I checked, IIS was not part of the "Win2k OS"-
Doesn't this bother anyone?
It's kinda like someone finding holes in apache, or sendmail, or OpenSSH, (all come fairly standard on all distros) and then saying "Multiple security issues found in Linux!"
I browse at +5 Flamebait- moderation for all or moderation for none.
Sure, buddy. You're about to read the real reason why cars run on gasoline:
Cars run on gasoline because of a recognized genius in the OPEC world. Over a century ago, he saw that his country had no natural resources except a heap of decomposed dinosaurs. So he persuaded Henry Ford to design the automobile, so there'd be something to use refined oil in, thereby ensuring the wealth of his descendants.
Did you believe that? I think you probably did. So who's this tobacco genius? Name? Source?
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Which costs money, and firewall specialists, licence fees. Bigger sites have economy of scale, but smaller sites don't. There is the assumption that because brandname software is expensive, it works out the box. These Managed Security Providers may be worth the go, while competency levels are being raised
He was joking. By the way, "Reloded" is actually spelled "Reloaded".
Who's the dork now?
Bill
Upon seeing the box was too small, Schrodinger's Elephant breathed a sigh of relief.
"Do you realize that Microsoft has played a very important role in helping to pave the way for the IT industry to be as large as it is today?"
This is like saying if you go back in time and kill a butterfly you can alter the history you knew. Maybe though, the environment can support a given number of butterflies and some other one will survive.
Have I a point?:) Yeah, someone else other than Microsoft would have driven the industry, or a group of companies together. The timing and technology was right, Microsoft had nothing to do with it.
Bill
Upon seeing the box was too small, Schrodinger's Elephant breathed a sigh of relief.
.......microsoft has security and application bugs...because they got fat and lazy and GREEDY. Pure greed, as in the Bible definition of greed.
Microsoft took a fabulous advantage they had, the world leader in OS and office apps, and just got greedy. Right this second they have FORTY BILLION DOLLARS CASH on hand in the bank. Think about it, they could now have TWENTY BILLION DOLLARS CASH ON HAND IN THE BANK, and have put that other 20 billion into WRITING CODE that works well, is secure like nobody's business. They chose NOT to do this, they took the cash, laughing at the rubes who kept plunking down their money for the same old repackaged crap for years and years. They've been updating the sheet metal, changing body styles, but it's basically the same old pushrod engine under the hood. "New and improved" sheet metal mostly.
Gates needs to go to JAIL, to prison, federal pen, they have been engaging in mafia like RICO behavior, an ongoing criminal enterprise that uses fraud, deceit, unfair business practices, and on and on. He's buying his way out of jail same as any other connected fatcat would, except he's got a LOT more money than most fatcats, and a lot more pull. think about it part two, behind the scenes, WAY behind the scenes. microsoft has some smart uberalpha geeks working for them. think they don't know how to crack their own boxen? think they don't have a secret set of files on top government people they can use for blackmail purposes? I don't believe all their public pronouncements of lack of knowledge of security holes. some yes, some no, some I'd bet a years pay on they let slide so they can go around the world and accumulate-or plant-dirt on people. this is how corrupt governments work, and how corrupt businesses work, and basically how criminal cartels work. they are by all measures a criminal cartel as well as a front "legit" business. they could let it be known to fed prosecutors through the grapevine to "not go there" with any significant fines or jail time for high level microsoft goons, including gates. they could easily crack/hack some pretty important boxes that the feds are running, and not have it pinned on them. what the lamer feds gonna do, take a chance on that happening? They ain't stupid, microsoft is so big and important that they can't bust them up, or really prosecute any high level people, from possible retaliation. Talk about trying to nuke your buddy for fun, when you are talking global influence and billions of dollars, people freaking die over those sorts of levels, it's not some lame 3-d video game, "ooh, look, I made it to level 17 with all these cool weapons". Nope, this is real life, and it's warfare.
big international business is warfare, and all big international business MUST tippy toe in and out of what is criminal behavior, else, they don't get to the big dog level. This is just reality.
Remember all those good words about how NT5, now Windows 2000, with its Advanced Security and Kerberos was going to make things secure?
Paid the money, didn't ya?
Wanna pay again?
give him points for honesty.
Just as long as it's not one of your *other* machines that has been compromised, and someone is using it to compromise your windows box from a system internal to your network.
Better get a network sniffer up and running, and see what's connecting locally to the box too - just in case.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Step 4: ???
Step 5: Profit!
... oh, wait a second, yes, yes it was. Never mind.
(This is supposed to be *funny*, damnit, laugh.)
=brian
It was "Our products just aren't engineered for personal computing of any kind"
If you think
128.0.0.1
How sickeningly cute.
Nicotine free Amish .sig.
Er, sorry, I'm not an expert on Windows sysadminning, but how could changing \Winnt to something else improve security? All I can see is that this might break lazily programmed viruses/rootkits/etc (as well as legitimate applications ...) that have \Winnt hardcoded instead of looking in the registry. Isn't this kind of like renaming the root user on a Unix system?
You rooted his machine too? Damn, that is bad.
A lot of the automated IIS hacks look for C:\Winnt\system32\cmd.exe (or some variation of that, such as root.exe in the same dir if it's already been exploited by Nimda), i.e. a lot of exploits leverage tools in known locations. For the same reason that the other person suggested relocating C:\InetPub, so should C:\Winnt. Relocating it reduces the risk from most current and future exploits. As yet, I haven't seen an IIS hack that could use the registry or %SYSTEMROOT% environment variables; not to say that it won't happen. Moving the system directory to a non-standard location will often force a blind brute-force search for it, which probably isn't worth most people's time. I've also never had problems running with Windows installed into a different directory - that would have to be a very badly written app.
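The "tools in known locations" pattern the comment above describes is also the easiest thing to hunt for in IIS logs: a request whose path contains cmd.exe or root.exe, or that walks into winnt/system32, is a scanner or a worm, and a 2xx on such a request means the server actually ran it. The following is an added example (not code from the page or from Microsoft) that scans W3C-format IIS log lines for those markers. The log lines are constructed for the example; the field layout, the double percent-decoding (so %5c and %255c both normalize to a path separator), and the marker list are my assumptions, not something the page states.

```python
"""Flag IIS requests that reach for cmd.exe / root.exe in known system paths.

Added example, not code from the page. Assumes the W3C extended log format
with the #Fields line shown below; the sample lines are constructed, not
real traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-05 10:12:01 192.0.2.10 GET /index.htm - 200
2002-09-05 10:12:03 198.51.100.7 GET /scripts/root.exe /c+dir 404
2002-09-05 10:12:04 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-09-05 10:12:05 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-09-05 10:12:09 192.0.2.11 GET /images/logo.gif - 200
"""

# Markers of the "tooling in known places" pattern; assumed list, extend as needed.
SUSPICIOUS = re.compile(r"(cmd\.exe|root\.exe|winnt/system32)", re.IGNORECASE)


def normalize(uri):
    # Decode twice so single- and double-percent-encoded separators
    # (%5c, %255c) compare equal to a literal backslash, then fold
    # backslashes to slashes and lowercase for a single comparison form.
    return unquote(unquote(uri)).replace("\\", "/").lower()


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than abort the whole scan
        yield dict(zip(fields, values))


def suspicious_requests(text):
    """Return (client_ip, normalized_path, status) for every flagged request."""
    hits = []
    for rec in parse_log(text):
        path = normalize(rec["cs-uri-stem"])
        if SUSPICIOUS.search(path):
            hits.append((rec["c-ip"], path, int(rec["sc-status"])))
    return hits


def offenders(text):
    """Count flagged requests per source address."""
    return Counter(ip for ip, _, _ in suspicious_requests(text))


def successful_hits(text):
    # A 2xx on cmd.exe/root.exe means IIS served the request: treat the box
    # as compromised, not merely scanned.
    return [h for h in suspicious_requests(text) if 200 <= h[2] < 300]


if __name__ == "__main__":
    for ip, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
    print("per-source counts:", dict(offenders(SAMPLE_LOG)))
    print("likely compromised:", successful_hits(SAMPLE_LOG))
```

Run it against a real ex*.log and sort `offenders` by count; the 404s tell you who is scanning, the 200s tell you which host needs rebuilding rather than patching.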
Better DOS than DOS, you know.
Better Windows than Windows.
That's OS/2 v2.0
Enjoy your job, make lots of money, work within the law. Choose any two.
I couldn't agree more. And as even added security, I recommend disconnecting the Winblows box from all 110Vac outlets.
Actually, I wasn't talking about boot time, but rather the time between hitting enter after typing in the requisite login information, and getting something other than a blue screen, and being able to actually use the computer.
:-)
I've actually tried this with the other login, so I doubt it's a user account specific problem.
I have noticed that these machines boot quite quickly. My iMac boots rather slowly, but when it almost never gets shut off, that becomes something of a moot point.
Come to think of it, maybe it's a good thing Windows boots fast.
really?
...at first sign of Palladium. Told You So
Cake or Death? Cake Please!
It was Truss-Worthy computing.
"An OS that'll hold your cock!"
I believe is the working marketing line...
If you don't believe, it'll disappear.
"UPDATE: As of September 6, 2002, the reports of hacking activity following the pattern indicated below have diminished significantly. The Product Support Services Security Team has modified the alert and its associated Knowledge Base article to reflect this information and to refine detection and repair criteria." This was posted at the top of the article that was pointed out in that post (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691)
It looks like they decided to change the content rather than have it so widely read...
"Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said"
WOW, what a revolutionary idea... a debugger!!!!
What will those amazing M$ R&D guys come up with next?
The T-Shirt I got had 'Financial' between Political and Session Layers. I got it at an IETF meeting in the mid-nineties... sorry no more details than that but I got a lot of Tees during that time.
Well, I give you an A for effort. I honestly didn't believe you, and you've supported your case.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Is this what they teach in MCSE school? Do they teach that you have to recompile the kernel to install a browser? I would ask for my money back if I were you. Go get a real education.
Religion is the main cause of atheism.
LOCK
THE
DOOR!
The cracker's probably sitting right next to you, chiming in with everybody else: "How did they get through our firewall??!!"
Democracy. Whiskey. Sexy. Pick any two.
How many remote exploits have there been in Apache over the past 3 years? Now how many in IIS?
Now how many remote exploits have there been in OpenBSD? How many in Windows 2000 Server?
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
"We realized that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said. I read this as "We realized that we couldn't continue with the way we were building software, and expect to deliver products." :p
smash
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
"Every operating system out there is about equal in the number of vulnerabilities reported"
There are a lot more diseases reported now than there were in the middle ages. We must be a lot sicker now than then according to that logic.
Google search on "Hate Microsoft": "Results 1 - 10 of about 303,000. Search took 0.14 seconds."
Haven't seen anyone else post it, so. "Now when anyone gets a gift of wood, they will think of Trojans" -- Ned Flanders
Thank you for taking the time to write to us.
The article also mentions that "While Microsoft has confirmed that the flaw does exist, it's important to note that actually exploiting it would be difficult, for several reasons... etc."
The security of your personal and financial information is of the utmost importance to us. Your access to Internet banking is secured through the use of firewalls, cryptographic techniques and stringent internal access procedures. In addition, we have regular and independent audits on our computer banking systems to ensure that security meets or exceeds banking standards.
As you may already know, we use secure 128-bit encryption - one of the highest forms of encryption technology available today. Encryption scrambles all information between your personal computer and our computers and guarantees one of the highest levels of security, privacy and confidentiality. There are literally thousands of millions of possible "passwords", or combinations of 128 bits. In order to unscramble the information, someone would need to find a digital "key", or a very large password. This requires months, or even years of calculations using sophisticated computers. It took the Swedes the equivalent of 70 years of computer time to decipher 10 increasingly difficult codes set by author Simon Singh in his international bestseller "The Code Book." Since the key changes with every connection (*session* encryption), the calculations would have to be performed all over again when unscrambling additional information.
As you know, the Internet banking service does not provide access to cash withdrawals. In the case of an account discrepancy, however, we would trace the details of the transaction using our complete audit trails. If your Internet Banking password does not work and requires a password reset in order to access the secure site, we must follow a stringent verification process to validate your identity. Once the password is reset, you are required to follow the registration process before gaining entry.
We welcome comments and suggestions about the content of future upgrades to our on-line services. Your remarks have been noted for review with the PC and Internet Banking team.
well it takes 25 seconds to boot windows, and once I'm at the login screen and enter my password and press enter I would say it takes about 8 seconds before everything is ready for action (that includes loading startup programs, etc...)
I rarely reboot the computer, maybe every 2 or 3 weeks and that's normally when I am installing some sort of software. Windows XP runs well once you have it set up properly.
GoatPigSheep, the 3 most important food groups
Far from it.
It just doesn't tailor itself to those users who have such trivial requirements.
I'm happy to spend an hour learning an editor if it gives me that hour back in productivity.
Even the top management in Microsoft are now publicly admitting that Microsoft's products cannot compete on technical merits. However, this looks like a play to fast track Palladium. Now that OS X and Linux cover most or all workstation needs, there is no time to rewrite Windows from the ground up and a lock on what code is/isn't allowed to run is the only way to continue the monopoly and to try to bring the company's books out of the red.
It looks like Microsoft is beginning to play the Palladium card. It is in the process of dropping Win2000, squeezing Windows users into License 6, thus controlling future upgrades. Microsoft also needs Hollywood-style DRM to keep even weak competition from killing it in the marketplace. Hollywood wants DRM and will help Bill get it.
Or, even simpler, if it's not just a play to fast track Palladium, then it looks like a move to delay the collapse long enough for the execs to offload their stock options.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.