MS Exec: 'Our products just aren't engineered for security'
Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.
Talk about stating the obvious... Microsoft doesn't engineer for security, stability, or efficiency.
They engineer for features and for maintaining monopoly control over the OS and word processing market.
Doug
Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!
Microsoft products are not engineered period.
They're thrown together, spend half their time making it look pretty, and the rest of the time (after it's sold) releasing patches that are just as buggy as the original, if not more so...
---
Programming is like sex... Make one mistake and support it the rest of your life.
...has finally gotten through to them -- Security is something that starts from the ground up, not when you reach the top and back down.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Another excuse to let people believe that palladium is needed :/
The XFree86 team admits xfree86 is not engineered for speed and RMS admits that GNU is not engineered for user-friendliness.
The masses are the crack whores of religion.
I just ported a large amount of code to windows, and I was very surprised to notice that snprintf() is _snprintf() on windows. It's like they hid it (or implemented it much later) and it's not part of "their" standard. Without widespread use of this function, god knows how many lines of their code uses regular sprintf() and insecure functions like it. And I doubt they use "%13s" or directives like this in sprintf(), or if their version even supports these constructs.
Lenny Primak PP-ASEL-IA,Heli
The first step is admiting you have a problem.... now that Microsoft has gotten past the denial stage they can now move to stage 2, that is doing something about it....
the link above just goes to the front of a tech section, here's a direct link to the story:
http://www.cw360.com/bin/bladerunner?REQUNIQ=1031
3 25075&REQSESS=HM5797&REQHOST=site1&REQAUTH=2313828 &2131REQEVENT=&CARTI=115571&CCAT=1&CCHAN=13&CFLAV= 1
The link to the CW360 page with the quote from the Microsoft VP is "currently unavailable". If anyone can post a mirror to the information, please reply here.
...the sky is blue, and less fat and more exercise is good for you.
"Ask not what your country can do for you." --John F. Kennedy
This might be a stupid point, but of course microsoft products aren't engineered for security. The common man doesn't buy products for security, and even now the common man largely does not understand that they could even have their functionality in a secure environment (though arguably most salesguys cannot have the functionality they demand in a secure environment, but that's another debate.)
Brian Valentine, formerly senior vice-president in charge of Microsoft's Windows development, looking for VP/management job with software company.
I have to use this cause I can't afford a real sig...
While working at Sony, Microsoft closed down a UK R&D facility. A whole department of ex-MS software engineers came to work in my department. They were some of the best engineers I have ever worked with, designing innovative and stable code years ahead of its time.
Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.
----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
So far all the replies to this story have been "we already knew that" and "duh". I find those comments idiotic. In that spirit, when cigarette execs admitted they knew their products were bad for people, there should have been no story.
This event is significant, because from the mouth of someone significantly important in MSFTs power structure, there is an admission of failing.
Maybe the exec just wanted to confess his (their) sins?
Is whether this will make the national news. Trust me, if CNN and MS/NBC and all the rest choose not to cover this, the general public won't know, and won't really make a decision based on this information.
Of course, this could just be a ploy to get M$'s most vile next O/S out, Palladium, that will let them 0\/\/|\| j00r s0ul (and credit card, and email, and music, and movies, and any personal items that may happen to be sitting on top of your computer...)
It seems he tries to say that it is impossible to make it 100% secure, because hackers are becoming more sophisticated in their attacks.
Sure, you can't make anything 100% secure (short of keeping it turned off), but there is a difference between something that has a few exploitable holes and something that resembles a sieve.
If you can't beat them, embrace and extend them.
Because a lot of their code can have buffer overruns due to the lack (or perceived lack) of this function by their own programmers. Makes it easy to create insecure programs and harder to create secure ones.
Lenny Primak PP-ASEL-IA,Heli
I wrote this the other day in an idle moment. It needs a bit more work but I'm thinking of making it into a Flash cartoon or something (if someone wants to steal the idea, feel free):
Billy Boy and Tux
One very hot day in summer, Billy Boy is sitting under a huge, impressive sign. It says "Lemonade, $5 a glass".
Customer: $5 a glass! That's expensive!
Billy Boy: Well, go buy from someone else.
Customer: But there's nobody else to buy drinks from here!
Billy Boy: Aha! I bullied all the other boys and they've gone home!
Customer: That's not very nice.
Billy Boy [Chuckling and rocking back and forth]: $5 a glass. Take it or leave it.
Customer: Damn. You're a nasty little boy, but it's a very hot day and I really need a drink.
Billy Boy takes the money.
The afternoon wears on, Billy Boy's coffers fill.
The next day...
Billy Boy: Lemonade! Lemonade! $5 a glass!
A fat penguin waddles up and sets up a stall beside Billy Boy.
He erects a little badly drawn sign "Iced water. Free."
Billy Boy [whispering, chuckling to himself]: Loser. You'll not get any custom with a crappy sign like that.
Tux ignores him.
The next customer approaches Billy Boy, but then notices Tux's sign and goes to him.
Billy Boy[angry]: Hey fatty, get off my patch. I was here first!
Tux ignores him.
Billy Boy: Hey stupid. Nobody wants iced water, everyone wants my lemonade, it's the best! I've got 100% of the market in soft drinks in this street.
Tux ignores him.
Another customer comes and has a glass of water from Tux.
Billy Boy: Listen idiot! How do you expect to get rich like me if you don't charge anything! What an idiot you are!
Tux ignores him.
More customers go to Tux.
Billy Boy [shouting at his customers]: Don't drink the penguin's water!! I won't make any profits and, erm, the economy will collapse!
Customers laugh.
Billy Boy [really angry]: If you drink the penguin's water, your next glass of lemonade from me will be $10!
Customers give Billy Boy the finger.
Billy Boy [insanely angry]: Don't drink the penguin's water! It'll give you cancer!
Customers shake their heads and move to Tux's queue.
All customers go to Tux now.
Billy Boy starts screaming and crying and runs home.
Tux and his customers ignore him.
Step 1: Admit that current MS OS is insecure.
Step 2: Allege that problem is fundamental due to the nature of the hardware platform. Fear. Uncertainty. Doubt.
Step 3: But wait! MS has the solution that will solve this crisis -- Palladium.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
neither was UNIX. UNIX is best in trusted, academic settings where it grew up. But, after some big problems with too much trust people figured out how to make it at least "secure enough."
MS needs to stop complaining and fix their buffer overflows.
Tell me something that I don't already know. This is like running a story telling the world that the sky is blue, that Linux is good for business, or that linking from slashdot can kill a weak server. File this one under News For Idiots. Stuff Everyone Already Knows.
Oh shit! I forgot to click "Post Anonymously"...
And in Classic Microsoft style the security bulletin notes that patches are available ONLY for Windows XP and NT
95 isn't supported ( ok, I can understand that )
98 isn't supported ( getting a little too close for my comfort )
ME isn't supported ( didn't that just come out 2 years ago? )
2K isn't supported ( What about people running servers? )
Just another tactic to force people to upgrade
With the recent change in Licensing terms and the inability to support products they've made within the past 2 years they have the gall to say that using anything else is insecure on the part of the government?
Admitting you have a problem is the first step to recovery. Anybody want some more coffee!? *puffs on a cigarette* I'm gonna get some more coffee... *shakes and walks around of the room*
Why bother.
directions on microsoft Check out that link, it is run by I think two former Microsoft employees.
I thought it was Microsoft's policy to keep their mouth shut when it comes to lack of security in their OS. It just seems that after spending all sorts of money into advertising and marketing Win2k/XP as very secure platforms, M$ would rather not have a SVP in development blow it all away. I wonder how long he will last talking openly about these problems.
"I bet I'll get blamed for this." --Mayor Quimby
What does 'PSS' stand for in that Microsoft Knowledgebase article? [P]lease [s]top [s]niffing? ([s]poofing? '[s]ploiting?)
We have one windows web server left that we are now converting to run on linux. Our windows web server has been compromised over 8 times in the last week. We applied every single security patch we could on the machine. We also locked every single port but 80 out at the firewall. We shut down every single service that is not necessary and stripped the site to the bare minimum, but it continues to be compromised. Yes we even reloaded from scratch 3 times still no good. Even our MCSE is now a linux convert and begging me to get it converted quick as possible.
Got Code?
Microsoft: "Our products aren't engineered for security"
Friday 6 September 2002
Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.
"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.
In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.
Microsoft's regular stream of security bulletins has continued despite Bill Gates company-wide Trustworthy Computing Initiative, announced earlier this year.
The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.
"We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.
But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products the security dilemma will evolve as hackers become more sophisticated.
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.
According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them," he said.
The MS executive went on to state that, "our studies have shown that the average end user is intimidated by security. In an attempt to find middle ground between acceptable security and just throwing sensitive information on your front lawn, we have implemented our trademark "random crash functionality" and "resource hog feature suite." Anecdotal evidence suggests that these measures will be sufficient to ensure that no self respecting hacker will come near our crummy operating system.
Furthermore, we volunteer to personally maintain an extensive database of all your valuable data, including credit card numbers, filenames of pirated media files, and love letters from your high school sweetheart. Just in case.
We graciously accept your thanks in advance. You're very welcome."
The angel in the oatmeal.
No really, don't laugh. Who cares how it's engineered. It's how it is supported and fixed that's critical. Your software forces you to make an assumption about its reliability. So assume that MS code has low reliability and move from there.
The real problem is that MS the vendor chooses not to deal with these problems with any sense of urgency or permanence. I swear it's like being forced to eat green beans and hear about starving children in Asia. Beyond some point it's hard to care or worry about it when you know that your parent doesn't really plan to deal with it.
Yeah!
I mean, the Windows 2000, 1.6GHz Pentium 4 stand-alone, un-networked machines at our school, with 256MB of RAM and brand new ATA/133 40GB drives take a blazingly fast 3 minutes from hitting enter to actual log in! That's just frellin' amazing!
Oh wait, my 266MHz iMac, running OS X 10.1.5, with less than the required RAM, significantly more (and more memory and processor intensive) software, several user accounts (as opposed to 2 on the W2K machines), and a pokey 66MHz bus goes from hitting enter to actually logged in in 30 seconds.
Now that I think about it, something doesn't add up.
don't bother, it's obvious and boring
Do you think so? Perhaps you might be able to suggest some ways I could improve it?
Try changing the password.
My deviantArt site
But not nearly as apt as Neal Stephenson's vehicular analogy. See In the Beginning Was the Command Line. "Stay away from my house you freak!"
--Jim
I have not heard of any instances of marketeering guffbags and manglement ruining code, primarily because they don't code.
They ruin the code by ruining the requirements. In a firm that produces mass-market software, the marketing department generally writes each product's requirements document. If resistance to buffer overflow attacks isn't specified as a must-have in the requirements document, then it will surely get cut at the last minute in favor of other requirements such as ship date.
Will I retire or break 10K?
Developers! DEvelopers! DEVelopers! DEVElopers! DEVELopers! DEVELOpers! Woo! Developers! Developers! DEVELOPERS! DEVELOPERS! YEAH!
My beliefs do not require that you agree with them.
Or maybe it's FUD to push the necessity of Palladium. This is strongly hinted at by the way he whines "it never ends," as if any efforts to secure their products are pointless because hackers are so dang clever.
Either way, this shouldn't sway anybody into the Palladium camp. MS is admitting that they have done jack squat for security, in spite of having told many, many lies to the contrary. And now they expect people to buy into their new technology for a "trusted platform?" Trust isn't bought, folks, it's earned.
Yes, there will always be hackers (crackers, whatever, use context people). But you can't argue a complex situation (computer security) in black and white terms. One security breach a month is better than one a day. Defeatism in the face of adversity isn't exactly the lauded "Microsoft spirit."
I'm glad to see this news. Ulterior motives or not, the truth is being spoken. But if they think they're gaining anything by scaring people, they're dead wrong. So let's just hope they're simply being honest. Hey, a guy can dream.
My deviantArt site
Did I understand you? Microsoft fired the good engineers. Maybe that's why the products are so poor. Yup. Poor management.
I think I have to give the guy credit for admitting to the truth. It's a lot less tedious to listen to someone telling the truth than it is someone imputing that your company's virility is related to its adoption of .NET technology.
What else is true?
Unix was not immune to software not designed with security in mind. I used rsh for years. But a transition was made.
If security is regarded as important, then slowly and inexorably Microsoft will move in that direction. Despite being a monopoly, they will respond in their sluggish way, just as they made Win2K substantially more robust with regards to crashing after everyone laughed at their early versions of NT.
"Provided by the management for your protection."
duhhhh, maybe I should have thought about that.... dork, we changed them each time we reloaded.
Got Code?
int wnsprintf(
    LPTSTR lpOut,       /* destination buffer */
    int cchLimitIn,     /* size of lpOut, in characters */
    LPCTSTR pszFmt,     /* format string */
    ...                 /* arguments for pszFmt */
);
Microsoft wraps all its C runtime functions with macros that switch effectively between wchar and char types seamlessly.
They also have a little security note at the bottom of their documentation detailing how null termination is not guaranteed with this function-- along with some alternatives.
My problem with most of the library documentation they have is that until recently it was rather poor (at least every section I had to use was). Looks like they're taking steps to improve the standard library docs.
sprintf is evil.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
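An added example, written for this thread and not taken from either of the posts above or from Microsoft's code, to make the point the two posts about _snprintf and wnsprintf are circling: what "null termination is not guaranteed" looks like in memory, what a safe bounded-format wrapper has to do instead, and how the precision form of %s ("%.5s") caps how much of an untrusted string is copied, whereas the width form ("%5s") only pads. The legacy behaviour is emulated on top of a C99 vsnprintf so the code runs on any platform; the function names and the sample strings are mine.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Emulation of the pre-C99 _snprintf contract described in the thread
 * (an illustration, not Microsoft's implementation): when the formatted
 * text does not fit, every byte of the buffer is filled, no terminating
 * NUL is written, and -1 is returned. Any later strlen() or printf("%s")
 * on the buffer then reads past its end. */
int legacy_snprintf_emul(char *out, size_t cap, const char *fmt, ...)
{
    char tmp[256];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= cap) {
        memcpy(out, tmp, cap);        /* buffer full, no NUL anywhere */
        return -1;
    }
    memcpy(out, tmp, (size_t)n + 1);  /* fits: copy text plus NUL */
    return n;
}

/* Hardened replacement: never writes past cap, always leaves a NUL in
 * the buffer, and reports truncation separately from the length so the
 * caller cannot silently carry on with a clipped string. Relies on the
 * C99 vsnprintf contract (returns the length the full output would have). */
int bounded_format(char *out, size_t cap, int *truncated, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0) {
        if (truncated) *truncated = 1;
        return -1;
    }
    va_start(ap, fmt);
    n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    if (n < 0) {                      /* encoding error: fail closed */
        out[0] = '\0';
        if (truncated) *truncated = 1;
        return -1;
    }
    out[cap - 1] = '\0';              /* vsnprintf does this; keep it explicit */
    if (truncated) *truncated = ((size_t)n >= cap);
    return n;
}

/* 1 if there is a NUL somewhere in the first cap bytes, else 0. */
int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Scenario 1: a 16-character string into an 8-byte buffer under the
 * legacy contract. Expected: -1 returned and no terminator present. */
int demo_legacy_unterminated(void)
{
    char buf[8];
    int r;
    memset(buf, 'A', sizeof buf);
    r = legacy_snprintf_emul(buf, sizeof buf, "%s", "this is too long");
    return r == -1 && !is_terminated(buf, sizeof buf);
}

/* Scenario 2: the same input through the hardened wrapper. Expected: the
 * buffer holds "this is" plus a NUL, the full length (16) is reported,
 * and the truncation flag is set. */
int demo_bounded_terminated(void)
{
    char buf[8];
    int trunc = 0;
    int n = bounded_format(buf, sizeof buf, &trunc, "%s", "this is too long");
    return n == 16 && trunc == 1 && is_terminated(buf, sizeof buf)
        && strcmp(buf, "this is") == 0;
}

/* Scenario 3: the precision directive caps how much of an untrusted
 * string is copied ("%.5s" copies at most 5 characters; "%5s" would only
 * pad), so the output fits and no truncation is reported. */
int demo_precision_cap(void)
{
    char buf[8];
    int trunc = 0;
    bounded_format(buf, sizeof buf, &trunc, "[%.5s]", "this is too long");
    return trunc == 0 && strcmp(buf, "[this ]") == 0;
}
```

The point of returning the truncation flag separately is that the common "n >= sizeof buf" check gets forgotten; a caller that ignores the flag still has a terminated buffer, but a caller that builds a path or a command line from the result can refuse to proceed on a clipped string.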
What worries me about this is not that microsoft products are not engineered for security, we've all known that for years. It's that microsoft is admitting to it openly.
I spoke to a microsoft engineer once about .net and he told me that they were working on developing the .net virtual machines for Unix and other non-Windows OSes, but they were specifically planning on not releasing them if .net did well, as that would force developers to use Windows. I suspected as much, but the fact that they would come out and say it worries me.
In terms of marketing, Microsoft knows what they are doing, and they must believe that admitting this won't hurt their sales significantly. Has their customer base become so low-tech that the idea of insecure products doesn't bother them? Or are they simply so powerful that we (the rest of the world) can do nothing to stop them. I'm hoping that this is some kind of horrible mistake on their part, but I doubt it.
"Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
There is a guy recognized as a genius in the Tobacco industry. I read that twenty odd years ago he told other Tobacco industry executives that, while they could afford to hire the shrewdest, meanest, most dishonest lawyers on planet Earth, they could only fight a rear-guard action.
Eventually, he told his colleagues, even the meanest lawyers couldn't hold off lawsuits over the lethal effects of their product. Once suits go to trial, everything will start to unravel. We have no real defense. So, we need to plan ahead.
His plan? Pretend to fight against mandatory warnings, but actually let them go ahead. Keep stalling on the trials -- so that when the trials happen we have a defense.
"But, your honour, we have had to have health warnings on our products for fifteen years. The claimant can't say they didn't know our products were dangerous."
Are Microsoft executives any more ethical than Tobacco executives?
Nah.
I believe that MS planned ahead too. I believe that MS has wanted to "own" the desktop, to own our computers, all along.
Anyone could have foreseen that embedding a macro language in their data files, that was automatically executed when the file was opened, was a sure guarantee of terrible security problems.
This was not an accident. This was a design decision. They did this on purpose. I don't believe it was a mistake. I believe they knew exactly what they were doing.
I believe that they looked ahead, and planned to distribute insecure products, so that they could harness the public's anger at vandals, interlopers and spam artists to justify draconian security measures that we never would have agreed to otherwise.
I'd like to see Gates, Ballmer and the whole filthy crew serve serious hard time.
Now, let's be honest here...
The story is good, except it's not quite the whole truth. If it were, everyone would be using Linux instead of Windows.
You could make the story more accurate by noting that the $5 lemonade comes in an easy to hold cup that occasionally springs a leak, whereas the free water comes locked inside a small combination safe, and it might take you a while to be able to drink it.
"And like that
"...the Windows 2000, 1.6GHz Pentium 4 stand-alone, un-networked machines at our school, with 256MB of RAM and brand new ATA/133 40GB drives take a blazingly fast 3 minutes from hitting enter to actual log in! That's just frellin' amazing! Now that I think about it, something doesn't add up."
I agree that something doesn't add up. I would say your Win2k machine is seriously broken. My P-266 XP machine takes 15 seconds from 'enter' to ready-to-go desktop.
A.
...bringing you cynical quips since 1998
This is obviously part of the groundwork to get the public behind palladium. Microsoft has consistently proven itself to be the masters at porting governmental public opinion swaying tactics for their needs. It's almost admirable. Following tradition, they'll produce stats and figures and submit them as "proof", and the majority of America will say "wow, we need to do this". Or, as demonstrated recently, they'll hint at the existence of proof for their "cause" and that alone will swing a majority of people to their side and give them time to fabricate it, or draw attention away from producing it. Microsoft will get palladium, and Dubya will get the war he wants that nobody a few weeks ago wanted, but now seem to want since they keep waving the flag hard enough and hinting at "new evidence" that probably doesn't exist as of yet.
Step 1: Convince everyone that your selfish agenda is in their best interests in any way you can.
Step 2: Pursue your selfish interests.
Being manipulated this way is part of being an American. Microsoft is the most American company I know of.
The most important thing any republican needs to know.
I think Trustworthy Computing is a very good initiative. Generally, the entire industry needs to slow down and secure our products. It is extremely tempting to push for ever more functionality, at ever greater pace. Indeed, Microsoft is showing all the signs of having badly burnt itself in this respect. Bypassing security procedures and security people's opinions can be a lethally risky business, also when it comes to product development.
An important point is that Trustworthy Computing should have been an ongoing process. By failing to do the obvious, they have been forced to launch a project that should not have been necessary.
That being said, I like the fact that they are performing widespread code/doc reviews and whatever other methods they are using. Even though I'd rather everyone used Linux, it's good to hear that we as a technology-driven society are slowly becoming less vulnerable. And, when they are done with the project, they will hopefully have figured out how to make more secure products.
After all, in an ideal world, every product would be so secure that we could concentrate on the other merits of the competition.
Stop the brainwash
95 isn't supported ( ok, I can understand that )
98 isn't supported ( getting a little too close for my comfort )
ME isn't supported ( didn't that just come out 2 years ago? )
2K isn't supported ( What about people running servers? )
Just another tactic to force people to upgrade
As someone who is actually subscribed to receive these bulletins from MSFT, I note that they sent a second revision out today. I quote:
"And like that
As I mentioned, the machines aren't networked yet. They're also brand new, with fresh installs of W2K, the only legacy parts being the floppy drives, as well as externals likes the mouse, keyboard and monitor.
Repeated tests of the hardware have shown that everything is working perfectly.
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Following Valentine's lead, OpenBSD calls it quits.
Bullshit... you prioritize the problems your customers ask you to prioritize. Home users don't want security? Fine, then stay the hell out of server-land, because those customers expect you to fight that battle tirelessly.
PDHoss
======================================
Writers get in shape by pumping irony.
Is my video card going bad or does that knowledge base entry look like shit in Mozilla? I know the knowledge base search won't work in Mozilla (by design I would imagine) but this time the text is all squished together...unreadable.
FoundNews.com - get paid to blog.
Why any 'standard' should be set by Microsoft is beyond me. So far they have corrupted HTML, JAVA, XML, and pretty much any other standards (the names of which escape me right now) they've come in contact with.
A Macintosh is in my future.
I was mistaken and I admit. And although it was modded up to 5 it's been modded back down. Plus the plethora of posts that didn't mind telling me I was wrong.
I think the /. system works quite well. Even when I'm on the receiving end of a branding iron
You mean fixed the same day it was announced by Microsoft. This bug has been discussed on Bugtraq for a month now.
Can you run apache on your windows web server? If they keep attacking, it would be interesting to see if they are hitting IIS or something else (assuming they are shitty little script kiddies).
Another possibility is to set up a Linux box with no open ports on the same ethernet segment and sniff all traffic so that you might be able to tell how they hack you, and where they come from (at least the box they are coming from).
But - changing to Linux is also a really good alternative. Just keep in mind that Linux itself does not offer you security, only an improved possibility of security. You will need to stay rigorously patched up, with a good firewall and a good intrusion detection system. I used my IDS to tighten my firewall whenever I found monkey business in the network traffic - with good results. The box ran without external protection or upgrades for a long time, and it was port-scanned every day. Of course, they eventually hit jack-pot at first try. Then, an IDS will only alert you that something is wrong..
Also, whatever application you run on your web server will need to be secure.
Remember - one vulnerability is usually enough.
Stop the brainwash
.....Maybe then it can actually make a difference.
I hate the fact that whenever a new MS computer virus hits, news reports always neglect to mention "This virus only infects computers running Microsoft operating systems". That would go a long way to convince people to look elsewhere.
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
This is one of the key points that traditional software companies use to attack Linux: basically people code for entertainment and there's no guarantee that a component that's critical to a particular user won't fall by the wayside when the developer gets bored of it. What keeps Tux from getting hot/bored and going home?
And of course there's the point others have made; that Linux is free in cash but much more expensive in time and effort. People should at least need to pour their own glass :)
You have drives that contain \Winnt? That's a problem too: install to a different directory.
How many people create a restricted user for IIS, rather than running it as LocalService?
I suspect the problem lies more with the components installed on the system, than on Windows & IIS themselves. For example, our Linux server was being exploited for spam recently. They shut down sendmail as a daemon, but the spam still flowed. It turns out that somebody had installed an old and buggy version of Formmail. Grrr.
"Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said"
{clippy}It looks like you are writing a SQL query.. Would you like some help?{/clippy}
Clippy for code, may god have mercy on their souls.
Not everyone deserves a 320i
But that's where the easy to install Linux distros come in... right????
Mandrake.
---
So why aren't the masses jumping on it (Linux)? Because they are (almost) not allowed to buy a machine that doesn't run Win*.
But that's where the easy to install Linux distros come in... right????
But the point is that they already have an OS. Why would they bother installing anything else? BTW, have you ever tried to install Win9x, Win2K, or WinXP from scratch?
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
in all honesty, if all of slashdot wanted to bring M$ down fast, anyone with M$ stock would start selling and convince others to sell. It's a snowball effect like a stock market crash. A few people sell, others look at them and say they must know something we don't, so they sell, then others sell because they sold and on and on and on.
T Money
World Domination with a plastic spoon since 1984
eek... irony stacked on irony. this place is just getting too weird for me.
The Free desktop that Just Works
Emphasis was on getting the job done as quickly as possible with frantic finger pointing when things went wrong. Being a good programmer meant having connections with people in other development groups who could send you code examples that you cut-and-pasted into your own code (usually without any real understanding of the functionality). These connections were based on give-and-take with the default response being "why should I do this for you?"
Since leaving, I've focussed almost entirely on Java and have been in heaven with its culture of well-defined software contracts. Performance issues have been addressed by writing small amounts of code in C++ using JNI.
I wouldn't blame the individual engineer, but the whole software process. I wouldn't call it badly designed, because it wasn't designed - it just accumulated.
What's Tux's motivation for getting ice and water together, and sitting in the hot sun all day to give them away?
:)
Altruism?
People should at least need to pour their own glass
That's an interesting idea. I'll need to think about how I can work that in.
Nope, 100% wrong. Nothing could be more friendly than having 100% control of your computer.
The goal of GNU is to produce the world's best software and that includes ease of use. The current state of development for GPL'd software now includes several excellent mouse driven user interfaces, extensive help files, just as many examples and the easiest installs available anywhere. Is there a single piece of commercial software that you can point to that does not have a free analog that's just as easy to use and more powerful?
Now back to topic, which is that M$ has no security clue. If you have read this much, you deserve what follows.
Here is my favorite quote from the technical details section of their silly warning about software other people put on your machine when they crack it:
Finding any backdoor Trojan indicates that the server is extremely vulnerable to privilege escalation and hacking.
What the hell is a "backdoor Trojan"?! Oh my God, they said that. Ha ha ha ha ha ha. Is it more effective than M$ at preventing the spread of viruses? Is that all they got out of their monthlong security hug? Can you help me out Mr oyenstinker? Someone at the knowledge base is going to have a hard time getting his supervisor off his back after that gaffe. Ahhh! Send more Trojans, fast.
What kind of privilege escalation is there on a userless OS?
There once was a game where a virus was designed to look like a popular OS. Reality has caught up with parody.
Friends don't help friends install M$ junk.
You didn't read the links did you ??? It looks like MS has some really scary shit on their to-do list. A security problem they know exists, but don't know what is, and is in active use (enough to issue a bulletin).
You should have read This
As of August 2002, the PSS Security Team has not been able to determine the technique that is being used to gain access to the computer. However, because of the significant spike in activity, the PSS Security Team has determined that these techniques are similar and/or automated in some cases.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
We already have 5 Linux web servers and none have ever been compromised. We are a very savvy Linux shop and we have not purchased a Windows server in over a year and it is likely we will never purchase another one.
Got Code?
Nope, it has damn ASP apps running on it that marketing had contracted out without IT knowledge. We run a very good Cisco PIX firewall. It is not so bad that it is being exploited; it is the sheer amount of time to rebuild the machine. Some have suggested moving some things around and I like that; it should keep them off my back long enough to move it to a Linux box and Apache.
Got Code?
Similar problem here, but so far I don't think mine's been hacked, yet. What I've done is set up a Squid server on the public and redirect all web requests back to the Win2k machine sitting on the private network. A reverse proxy, if you will. I also monitor all network traffic on this machine and am pretty confident it's doing only those things I ask it to do (well, when it's willing to, anyway...).
www.dedserius.com
VB != VisualBasic
ASP apps running on it that marketing had contracted out without IT knowledge
That's not a valid reason to stick with IIS.
You mean apart from the fact that there are several times as many desktop boxes running Windows in the world as every other OS there is put together?
Feel free to write code for whatever platform you like. Me, I'll write it for whatever platform pays my rent. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I believe by the next Windows distro, we'll have security that will stand for something.
Except that you miss exactly what Valentine means:
Windows cannot be secure - MS has finally realized (and admitted) this.
Security is something that must be designed in from the beginning - it's not something that can be 'bolted on' after the product is finished, any more than you can make pudding, and decide you want it to be a house instead - you can't make a house out of pudding.
I think we can all agree that MSFT has succeeded in creating simple, easy-to-use products
You think wrong. I certainly wouldn't characterize MS products as easy-to-use. Easier than some other products, in some situations, perhaps.. but not easy.
As for simple? Have you seen MS Word lately? Bloated with dozens upon dozens of features that nobody uses - you categorize that as simple?
whether you like it or not, there is no easier OS
Spoken like someone who's never tried any other OS.
Ever try MacOS?
How about Amiga?
VMS? Anything besides Linux and Windows?
As an advanced user, I find Linux MUCH easier to use than Windows, because everything is laid out as I expect. I used Windows before I used Linux, and most of the learning curve I experienced came from attempting to do things the Windows way - but after one or two times, I realized that the best way to learn a task was to ask myself "if I had designed this system, how would I implement it?" - and all of a sudden, everything became easy.
Nope, 100% wrong. Nothing could be more friendly than having 100% control of your computer.
I agree if we use "user-friendly" to mean "we are as accommodating to the user as possible, and we trust the user". However the conventional usage is "we make things as easy for the user as possible", which GNU does not do (emacs, as just one example). GNU authors are geeks who write for geeks, and I think they secretly like the feeling that they are part of a secret club that nobody else can understand.
The goal of GNU is to produce the world's best software and that includes ease of use.
From the horse's mouth: The principal goal of GNU was to be free software. And: The goal of GNU was to give users freedom, not just to be popular.
the easiest installs available anywhere
Newbie software install in Windows: double click on setup.exe, keep clicking OK. Done.
Newbie software install in GNU: Let's see, it's .tar.gz, so I have to untar it ... can't remember how that works ... man tar ... OK, there it is. Now let's read the README. Configure, fine. GCC not found? What the hell is that?
Is there a single piece of commercial software that you can point to that does not have a free analog that's just as easy to use and more powerful?
Linus certainly seems to think so. Remember the kerfuffle over his use of some proprietary package to maintain the Linux kernel? He said he just wanted to use the best tool, whether it was free or not.
What kind of privilege escalation is there on a userless OS?
As many on this forum have established, although Win 95/98 are userless, WinNT does have privilege checking and administrator accounts.
And with reference to your spelling of MS with a dollar sign, you might find this Penny Arcade cartoon helpful.
Toronto-area transit rider? Rate your ride.
Conway's law states something to the effect that the structure of a program is isomorphic to the structure of the group that produces it. Everything clamoring for attention. Popups that try to show how important they are. Things scattered across menus so that everybody gets to have "input". Sheesh, I prefer the relative sanity of BSD vs Linux, KDE vs Gnome.
you can CHOOSE not to upgrade to a palladium enabled version of windows. you can CHOOSE to use open source software with windows. the only thing you really can't CHOOSE with windows is to view/modify its source code or uninstall internet explorer (however you can CHOOSE to install any other browser and use it as the default browser if you are so inclined). I am not a wintroll, but using windows does not restrict your choice that much. btw, you can CHOOSE to not install software with eula's you don't agree with or you can simply CHOOSE to ignore the eula. MS is pretty powerful but do you really think that palladium is even gonna make a dent?
Motherboard manufacturers enabled ACPI features on most of their motherboards. microsoft wrote a very buggy implementation of ACPI for windows, and released a technote to motherboard manufacturers to fix their ACPI stuff to work with windows, however motherboard manufacturers ignored it. What makes you think the motherboard manufacturers are going to build palladium's features in when they won't even build in features to help microsoft crush a few bugs in their bad code?
think clearly for a moment. how is palladium going to work anyway? there is always an analog hole, and besides, it's just gonna get cracked by the warez d00dz within 3 days of its commercial debut anyway. (if it even has a commercial debut, which i doubt) ok, ... cya karma!
Sure you can. You start by disabling all contact with the outside world by default. If I'm not listening, they can't tell me what I don't want to hear. You then, slowly and with rigorous testing, implement a small set of interfaces that let you talk where you need to, e.g., by reading and drawing a body of text. Bingo, you just covered most of e-mail, Usenet, web browsing and the rest in one go.
The problem is MS' approach: every application should do everything. For goodness' sake, Office 2002 apps that I use to write my letters and do my accounts have several dozen hooks that try to access the Internet in them. Why? That's just silly, and it's not surprising that in such an environment, people get careless.
Writing basic interfaces to support e-mail, ftp, web browsing, Usenet, time sync'ing and such is not hard. Writing them to be secure requires a modest amount more effort. It shouldn't be beyond the average CS grad, though, and it certainly shouldn't be beyond a group with the resources that Microsoft has at its disposal.
People have been telling me for years that since I program in C++ and don't use a GC, my programs must have memory leaks. I've told them no, because I use good basic practices. They claim I'm wrong. I claim I have rigorous, objective diagnostic tools that back me up on this. That's not hard, either, but most of the programming world would tell me it can't be done. So it is with security.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
You will have the same problems on Linux. The problem is your process and design. Sounds like you do not know what you are doing for running a secure shop, nor do you have even the beginnings of an IDS installed, which can detect attacks without patching boxes.
There are W2K shops with thousands of servers that do not install patches, and just let signatures and patterns from IDS's get the exploits. This gives the famed uptimes, and saves a lot of time overall for hosting firms.
Getting too weird? Hang in there.
I know you have tolerance.
You are being MICROattacked, from various angles, in a SOFT manner.
If you've been compromised even once, you frankly don't know what you're doing.
I work NOC in a mostly Windows shop. We have several hundred NT and 2K boxes, and have never been compromised. The only machines that got hacked *ever* were customer owned boxes that the customer failed to patch against CodeRed.
If you patch the box properly, firewall it properly, turn off unnecessary applications and services, and run a correctly configured IDS, then a windows box can be just as secure as any other OS.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Sure, I would admit it. The Beta was dog slow (but still usable as a primary OS for 4 months). X.0 was a little faster but not much. X.1 was a noticeable improvement, the system was usable beyond minor tasks. X.2 I've only toyed around with in stores, but it sure as hell seems much much faster than X.1
Besides, what's wrong with admitting it? Linux was sluggish in its early stages too once the GUI kicked in.
T Money
World Domination with a plastic spoon since 1984
This guy should flat out admit that MS products are not engineered at all.
Some choice quotes by Jeremy Allison (Samba Team) about the Windows network printing protocol:
"The implementation is APPALLING",
"The implementers did not understand network protocols. At All."
and, my favorite, "The print subsystem looks like it was cobbled together by sophomore (1st year) CS students"
However, the "Every operating system out there is about equal in the number of vulnerabilities reported" statement of Valentine's fails to take into consideration that in most cases Unix, open source and free licensed software has been designed from the outset with at least the issue of security in mind. Whereas, some Microsoft systems such as their embedded scripting systems have not.
The result is that it is far easier to exploit an easy, scriptable vulnerability in a Microsoft system, that has no patch for months, than to exploit a difficult, binary hole in a Linux/BSD system that has a patch within days.
Continuing....
Billy Boy: Lemonade! Lemonade! $5 a glass!
Previous Customer [moaning]: Oooo... I don't feel so good...
Billy Boy: Was it something you ate? Here's a list of approved foods to go with my lemonade.
Customer: No, it started when I drank your lemonade. Ow ow!
Billy Boy:It couldn't have been my lemonade. My lemonade is the best. You must have eaten something wrong.
Customer barfs on Billy Boy.
Billy Boy: Ewww! Fortunately, I have some antidotes. [Takes out pills.] Take this, and this, and this, and these. If you wait a month, I'll have one superlarge pill that will take care of all of these pills!
Next time, on BB& T:
(Customer roughed up by two Keystone Kops looking down his mouth.)
Billy Boy [yelling]: Get him! Make him spit it up! He MUST have stolen my lemonade! He MUST have! His mouth isn't dry! Make him PROVE he bought it!
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
http://online.securityfocus.com/news/606
Thus the name "Stench" given to the vulnerability. And very telling about just how bad the security issues with Windows are when you add them together. Three "insignificant flaws" deemed to be "minor annoyances" are put together to form a serious trojan that requires no user input other than clicking on a link in IE.
It just goes to show that security can't just be an afterthought to be patched with little band-aids. You really have to stay on top of it, otherwise someone figures out how to create a huge vulnerability out of your "minor" low severity flaws. (They note 18 known existing flaws in IE in the two day old article I linked.)
Oh yea what is your IP address idiot!
Got Code?
You need to hire someone who knows something about security, perhaps on a contract basis. If your crew can't secure your Windows box they won't be able to secure the Linux one either.
;).
It is hard to guess how the box is compromised without knowing more, but you might run Nessus against the box on a test LAN before reconnecting it to the Internet. Enable auditing and use an IDS. An IDS would be useful for determining what sort of exploits have been tried against the box and correlating IDS logs with security logs to determine how the box is compromised next time.
If you do run Linux, run the Bastille script to harden the box. Run Tripwire so you can track which files change in the future. Are you running SQL queries? No user input should be permitted to directly access a SQL database.
This list goes on and this is the wrong forum. Good luck.
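The "no user input should directly access a SQL database" advice above is the one line in this thread that maps onto code, so here is an added example (not from the poster, nor from any Microsoft or Linux project) of the vulnerable pattern next to its fix. It uses Python's standard sqlite3 module with a constructed three-row "subscribers" table; the table, the usernames and the injection string are all made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demo; not real subscribers.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Classic tautology payload: closes the quoted literal and ORs in a true clause.
INJECTION = "' OR '1'='1"


def setup_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """The pattern the post warns against: user input spliced into SQL text.

    With INJECTION as the username the statement becomes
        ... WHERE username = '' OR '1'='1'
    which is true for every row, so the whole table comes back.
    """
    sql = "SELECT username, email FROM subscribers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value is bound as data and never parsed as SQL.

    The same INJECTION string is now just a username nobody has, so the
    result is empty.
    """
    sql = "SELECT username, email FROM subscribers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Defense in depth: allow-list the characters a username may contain.

    Parameterization is the real fix; this check simply rejects garbage
    before it reaches the database at all.
    """
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", username) is not None


def demo():
    """Run both lookups with a normal name and with the payload."""
    conn = setup_db()
    return {
        "normal_unsafe": lookup_unsafe(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "injected_unsafe": lookup_unsafe(conn, INJECTION),
        "injected_safe": lookup_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-16s %d row(s): %r" % (name, len(rows), rows))
```

Running it shows the vulnerable lookup returning all three rows for the payload while the parameterized lookup returns none; the same split applies to the ASP/ADO code on the IIS box in question, where the fix is a parameterized Command object rather than string concatenation.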
I wrote a quick Apache filter proxy that routes all requests through Apache on Linux to the machine in question in the DMZ. It filters all POST, PUT and GET routines for content. Goodbye, script kiddies.
Got Code?
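Both the Squid set-up a few posts up and the Apache filter proxy just described put a Unix reverse proxy in front of the Windows web server so that only vetted requests reach it. The following is an added configuration sketch of that idea for Apache 2.2 with mod_proxy and mod_rewrite; it is not either poster's actual config. The IIS host address 10.0.0.5, the hostname and the log path are placeholders, and the blocked patterns are examples of well-known IIS-era probe strings, not a complete list.

```apache
# Added example: filtering reverse proxy in front of an IIS box.
# Assumes Apache 2.2, mod_proxy/mod_proxy_http and mod_rewrite loaded,
# and an IIS server on a private address (10.0.0.5, hypothetical) that
# only this host can reach.

ServerTokens Prod
# Never behave as an open forward proxy.
ProxyRequests Off
# IIS sites often key on the Host header; pass it through unchanged.
ProxyPreserveHost On

<VirtualHost *:80>
    ServerName www.example.com

    # Only the verbs the site needs are accepted; anything else
    # (PROPFIND, TRACE, DELETE, ...) is refused here and never forwarded.
    <Location />
        <LimitExcept GET POST HEAD>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Location>

    # Cap request bodies (1 MiB) so oversized POSTs stop at the proxy.
    LimitRequestBody 1048576

    RewriteEngine On
    # Match on the raw request line (THE_REQUEST) so percent-encoded
    # traversal tricks are inspected before any decoding happens.
    # Example patterns only: cmd.exe/root.exe drops, "../" traversal,
    # overlong-UTF-8 slashes, and the ISAPI extensions behind Code Red
    # era attacks.
    RewriteCond %{THE_REQUEST} (cmd\.exe|root\.exe|\.\./|%c0%af|%c1%1c) [NC,OR]
    RewriteCond %{THE_REQUEST} \.(ida|idq|htr|printer)(\?|\s|$) [NC]
    RewriteRule .* - [F,L]

    # Everything that survives the checks is relayed to the IIS host.
    ProxyPass        / http://10.0.0.5/
    ProxyPassReverse / http://10.0.0.5/

    CustomLog /var/log/apache2/proxy-filter.log combined
</VirtualHost>
```

One caveat a practitioner should keep in mind: this stock Apache only sees the request line, headers and body size. Inspecting POST bodies "for content", as the post claims to do, needs a body-inspection module such as mod_security; without it the proxy reduces the attack surface (methods, size, URL patterns, no direct exposure of IIS) but does not filter what the ASP apps receive in form fields.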
At this point you should start wondering if maybe he's having some fun at your expense, and thinking about just what his subtle joke might be.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
My IP address is 2130706433.
Decode that, and you're the ultimate 31337 H4X0R dude!
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
IMHO, the only secure IIS server is one that's not running.
Naaa...he means this FUD for Thought:
Bug Triad Whacks Microsoft Browser
Researchers discover that three "low risk" bugs can combine to send a Windows system up in flames.
By Brian McWilliams, Sep 4 2002 9:25AM
To prove that no security bug is truly harmless, a security group has stitched together two minor flaws in Microsoft's Internet Explorer 6.0 browser with a small glitch in Windows Media Player to create one seriously powerful attack.
By coaxing IE users to view a Web page containing the special code, an attacker can silently force Windows 98, Windows 2000, or Windows XP users to run a malicious program of the attacker's choice.
The security group, Malware.com, has created a harmless demonstration micro shit of the flaw which downloads and runs an executable program that fills the victim's computer screen with flames.
A Malware.com member who uses the nickname "Http-equiv" says he named the vulnerability "Stench" to dramatize why it's dangerous for Microsoft to downplay and delay patching security bugs that it considers minor.
"Their patching tiny pinprick holes and not the overall problems, their mitigating factors, their ignoring small demonstrated flaws, all add up into a monster problem, which basically stinks," said Http-equiv in an e-mail interview Tuesday.
Internet Explorer currently contains at least 18 security bugs, many of them low-risk annoyances. Because it allows an attacker to run code on a victim's machine, Stench is the most serious security issue currently facing IE, according to Thor Larholm, a researcher with Pivx Solutions who tracks IE vulnerabilities.
Larholm said the information provided in the Malware.com advisory could easily be used to create a harmful exploit.
"Follow the steps and you're done. I could let my 12-year-old cousin do this," said Larholm, who added that because all three bugs have been known to Microsoft for many months, Malware.com's release of the information was "by the book" and does not constitute what Microsoft calls "irresponsible disclosure."
A Microsoft representative said the company was currently studying the report and would take appropriate action.
Company Patchwork Faulted
According to Http-equiv, the exploit depends in part on a known quirk in how Microsoft's media player handles self-extracting Windows Media Download (WMD) files.
"If we can place our 'goodies' inside the
Using a year-old IE bug known as the "codebase local path" vulnerability -- a bug that was only partially fixed by Microsoft last March -- the Stench exploit is able to unpack and execute the malicious code without triggering IE's security settings, he said.
According to Larholm, a major update to Internet Explorer known as IE6 Service Pack One could include fixes for numerous bugs, including those exploited by Stench. Microsoft quietly released SP1 to its download servers in late August but removed the upgrade shortly afterwards without explanation.
On August 22, Microsoft issued a cumulative patch for IE that addressed several severe bugs but did not include complete fixes for the codebase localpath and numerous other vulnerabilities, Larholm said.
Malware.com's Stench advisory, posted to security mailing lists on August 21, concluded with the following statement: "Instead of sitting around trying to think up ways that all these things cannot work, simply fix it the first time round. There is no such thing as 'mitigating factors' and 'hurdles'. This is a lie. Pure fantasy. Fiction. Fix it when you can! For every way you think it cannot be done, there are 10 ways it actually can!"
Emphasis was on getting the job done as quickly as possible
Probably true, but in the case of COM I think you're actually being a little too kind. COM was talked about for years before it emerged, and I believe its designers were more or less aware of the existence of NCS/DCE, CORBA, Sun RPC etc., but this didn't stop them making an astonishing number of misjudgements. Apartment threading, 'interface' references and UUIDs were just the tip of an iceberg, and ultimately they were only able to dig themselves out of this hole by copying Java.
At the time I put it down to having a balance tilted towards very young staff who had little experience of enterprise-level computing. TP, EAI, name resolution, security, concurrency etc. are not issues you can address straight from training.
Looking back I'm not so sure - lack of technical strategy was certainly part of the problem, but really the process was broken in that basic requirements like security, resilience, manageability etc. weren't factored into developments from the outset.
It would be nice to think that Linux's collaborative model protects it against equally shortsighted hacking, but it would help a lot if there was a truly common framework equivalent to J2EE or Dotnet to leverage.
Why are you bothering giving advice that might fix a problem that shouldn't exist in the first place?
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
...I just generated a message to people and potential clients regarding these issues.
The gist of it is that there are security problems that cannot ever be fixed by Microsoft with their products. If they wish to stay with Microsoft, they have to remain vulnerable until such time they release their new products which address the concern and in most cases, pay a lot of money to get them.
Meanwhile, free solutions exist to replace the problem products and while they aren't trouble-free themselves, they do tend to get fixed much more quickly and there is no additional cost for those fixes in most cases.
When addressing security concerns of today, NOW is the time -- not waiting for the next generation OS and then waiting for it to be stabilized.
One of my targets for the message was "Resident Data" (http://www.residentdata.com) which is a company that functions by serving up the results of background checks to its subscribers. (It shares sensitive and private information about individuals for money to clients.) They are PROUDLY a "...Microsoft Only..." shop.
Frankly, that attitude scares the $#!+ out of me. It's all well and good to favor one product over another due to familiarity and comfort, etc. But it's utterly irresponsible to attempt to call "secure" their data when it's housed in a "...Microsoft Only..." environment.
If the company I cite as an example is any indication of what is actually going on out there in practice, I'm genuinely frightened at how our public and private records are being managed.
To me this is a major privacy concern and there should be an initiative that demands that SECURE STORAGE and SECURE METHODS be deployed to secure the information. If there are significant threats discovered, it should be their legal responsibility and requirement to either secure the data properly or shut down the operation until such a time that it can be certified as secure. This is not "Anti-Microsoft" sentiment speaking -- this is Privacy/Security sentiment.
The problem is much larger than just the products -- it's how and where they are used.
Security Focus has some good recommendations for securing IIS.
Make no mistake, this phony confession is nothing but a strategic move to begin grooming the world to the idea that Palladium is the only hope for "Trustworthy Computing".
It's groundwork for a bald-faced pack of lies, Micro$oft FUD in its purest form.
It's also further proof that Micro$oft's upper level minions are utterly without any moral compunctions whatsoever, always willing to pimp themselves again and again for the good of the Motherland.
Micro$oft uber Alles!
Seig heil!
t_t_b
I'm on PJ's "enemies" list! Are you?
My athlon xp 1800 system boots winXP in 25 seconds and I have several user accounts.
My friend's top of the line g4 system with 384mb ram takes about 2 or 3 minutes to boot OS X, so you are obviously lying.
GoatPigSheep, the 3 most important food groups
So they say, "Our products aren't secure... but our NEW stuff will be! For real! Honest!" And then Palladium comes out. And wonder of wonders, it won't be secure. And they'll say, "Oh, well, yeah, this isn't perfectly secure, but our *NEXT* generation will be! For real! Honest!" And then the next generation will come out, and it will have holes, too.
I'm fairly well convinced at this point that Microsoft's history of poor security technologies and practices is, if not entirely deliberate, at least unconsciously encouraged. An evolutionary defense, perhaps. If products are touted as secure, but aren't really secure, and if the next generation is claimed to be the fix to all the current problems... then the average person/company will probably eat it up. Why?
Because eternal vigilance is the price of freedom, and most people don't want to believe that. There is no magic bullet for safety or security. The only way to have anything resembling good security, is to keep working at it. The more you work at it, the better it will be. There's a point of diminishing returns, of course, and if you spend all your time on safety, you'll never get to spend any of your time doing the things that you're protecting... but if you spend no time on security, you have no right to complain when it fails. This goes for computer software, physical security, national security, whatever.
But a lot of people don't understand that. They hear about "new, *really* secure" things, and they think, "Well, once we have that, then we'll be secure, and won't need to think about security any more!" But it doesn't work that way. It never has, and it seems unlikely that it ever will. People need to be made to understand, whether they like it or not, that the only way you can have security, is if you keep working at it. And a lot of people don't want to have to think about failures of security, and what they have to do to prevent them.
The worst part is, no matter what you do, there's always ways around it. Before a year ago, how many people would have thought it absurd that terrorists could simultaneously hijack four airplanes and use them to entirely demolish the World Trade Center towers and severely scar the Pentagon? Surely our security was better than that?
This is not a call to action for our country, or Linux advocacy, or whatever. I'm just trying to analyze why it is that Microsoft can keep getting away with this. I think the main reason is that when Microsoft says things, people believe them, even when what Microsoft says is the same known lies they've been saying for years. Why do they believe? Because human denial is an immensely powerful force. And Microsoft knows it.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Can this statement from mr vice president be used as a statement of guilt stating that systems are not C2 compliant? Does this mean another slap on the wrist for MS or will some meaningful result actually come out of this.
Also will other businesses be able to press for some sort of compensation or can we all be expected to buy a new version of "windows secure" in the future? This, as they pare down their support in security just because Microsoft has admitted they cannot write secure code for an operational product.
When I was your age we didn't have music file sharing utilities. We had to go out to a store and shoplift the CD.
Here is the best way to secure IIS. Go here and dowload the win32 version of apache. Edit the config files and reboot. Problem solved.
http://saveie6.com/
In other news, Linus Torvalds remarks that Linux is just not engineered to be easy to use by the average home user.
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
If you've been compromised even once, you frankly don't know what you're doing.
Or maybe he's getting hit by this which MS hasn't figured out yet either. Regardless, an IDS is a must.
the no
8. Make a list of all persons we had harmed, and become willing to make amends to them all.
Wu-Tang Name: Half-Cut Skeleton Get your own Wu-Na
well if it is as grim as the picture you paint, how is linux the answer? if laws come down that it has to be used, how does CHOOSING linux help?
M$ Marketing droid 2: I know, let's admit that Win2K is full of security holes we don't have a clue how to fix! That will force everybody to upgrade!
Can I possibly be the only person to have noticed that Microsoft only admits to a problem in their software when they are try to sell you an upgrade to a newer release of that software?
"Freedom means freedom for everybody" -- Dick Cheney
You mean its not a feature?
Just as long as it's not one of your *other* machines that has been compromised, and someone is using it to compromise your windows box from a system internal to your network.
Better get a network sniffer up and running, and see what's connecting locally to the box too - just in case.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Actually, I wasn't talking about boot time, but rather the time between hitting enter after typing in the requisite login information, and getting something other than a blue screen, and being able to actually use the computer.
:-)
I've actually tried this with the other login, so I doubt it's a user account specific problem.
I have noticed that these machines boot quite quickly. My iMac boots rather slowly, but when it almost never gets shut off, that becomes something of a moot point.
Come to think of it, maybe it's a good thing Windows boots fast.
Xant, here is a link to a summary of documents released by the US congressional committee on Commerce. I believe it is as close to a smoking gun as I am going to get tonight.
Unfortunately, the links don't seem to be up tonight.
"Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said"
WOW, what a revolutionary idea... a debugger!!!!
What will those amazing M$ R&D guys come up with next?
my question was not answered. the guy originally posted "CHOOSE linux and you will avoid palladium" basically. It gets really old when you look at slashdot and see people saying "CHOOSE linux" whenever there is a flaw with what they are currently using. And when someone talks about palladium, someone always says "CHOOSE linux". well, why? if palladium is at the hardware level how will linux help me avoid it? won't the law force it upon linux? "CHOOSE not to upgrade to the latest hardware" you say? well i could do that and stick with a non palladium version of windows too. what's the difference? I don't use software because of the philosophy behind it, I use windows because it is extremely easy to pirate the software for it. Sure, everything in linuxland is free anyway, but most of it just doesn't work for me. And I have tried to make it work, on and off for the past 4 years I have tried to be a linux desktop user. It just isn't happening. No photoshop? deal killer right there (don't even mention that toy GIMP). BTW I am a linux admin at work, so I do not have anything against using linux where it belongs. I would never CHOOSE to run a microsoft machine in our server room!
Anyway my point is that I am an educated person, I know a little bit about how things work, but I don't see how "CHOOSING linux" will get me away from palladium, when the warez crackers will help me avoid it without having to switch to an inferior desktop platform.
Now if microsoft could just work out that security thing... they have the programming tools down, contrary to popular belief, I feel that they have the interface design thing down, they've got the stability thing down, windows xp runs great for me, only hiccup was some bad RAM. Seriously folks, I don't think I am gonna convert anyone with this diatribe, but maybe all the "CHOOSE linux" people will read it and stop wondering why people are satisfied to "CHOOSE microsoft" even when they are an "evil corporation".
Disclaimer: I bought a mac 2 months ago and really haven't touched my windows xp/debian machine since.
LOCK
THE
DOOR!
The cracker's probably sitting right next to you, chiming in with everybody else: "How did they get through our firewall??!!"
Democracy. Whiskey. Sexy. Pick any two.
How many remote exploits have there been in Apache over the past 3 years? Now how many in IIS?
Now how many remote exploits have there been in OpenBSD? How many in Windows 2000 Server?
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
"Every operating system out there is about equal in the number of vulnerabilities reported"
There are a lot more diseases reported now than there were in the middle ages. We must be a lot sicker now than then according to that logic.
Google search on "Hate Microsoft": "Results 1 - 10 of about 303,000. Search took 0.14 seconds."
Isn't it ironic that this guy, complaining about how stupid someone else is, completely fails to consider that the original sig is clearly meant as a joke?
Anyone who so badly needs to assert their superiority is more than likely just insecure. Want people to think you're smart? Say smart things. Don't completely miss the joke.
You are in a maze of twisty little passages, all alike.
While it may be the right thing to do, I, among many other people, do not wish to inconvenience ourselves in order to perpetuate the morals. I am running ximian gnome on my xp/debian box, and while it is nice, it's still a bit rough on the edges. Things need to be a bit more comfortable to windows users (the users that should switch to something that is not pro-palladium). Copy/paste and resolution switching are 2 complaints I see a lot on slashdot, and they have become standard wintroll arguments, but there is some validity to them. Copy and paste do not work consistently among all applications. In some applications all that needs to be done to copy is to select the text, and then click the middle mouse button to paste it somewhere else, but then there are times that I get a URL in my email, copy the text, fire up mozilla, select the text in the URL box, and all of a sudden my text copied from the email is gone from the clipboard, and now I have the URL copied from mozilla's URL box. Quite annoying, that. And then when I want to switch resolution, it's easy to do with a keyboard shortcut, but when I do that it just changes the displayed resolution, not the desktop dimensions, so you get that "slip sliding desktop" effect that is not too intuitive. Also a consistent gui would help ease the transition (redhat's new beta is making great strides in that area). I also fell in love with UNIX and for quite a while I just ignored the inconveniences of xfree86 (cuz that's all I am really saying is wrong with linux on the desktop anyway), however I do not have the programming skills, or motivation, to go and correct these issues myself. I really did try to give desktop linux a chance, and I may try it out again after it has matured a few more years, and maybe someday it will match OS X in usability.
We are in agreement on almost all points brought up in your posts except that xfree86 is not really ready for prime time, and I think more realistically about the average person's will to inconvenience themselves with xfree86's shortcomings just to keep their computer palladium-free. Most people don't even know what palladium is, and with the spin microsoft has put on it, it looks almost good for the users. And the users that think it looks good are not the type to read about it here, or anywhere else. They are your mom, or my niece, or my brother in law that just want to use their computers for light web surfing and music downloading. And these kinds of people will be affected the most, but care the least, and if every knowledgeable geek converted over to linux despite its desktop ineptness, the real world won't even notice.
Sorry for the repost. I really need to change the default formatting away from "HTML Formatted".
While it may be the right thing to do, I, among many other people, do not wish to inconvenience ourselves in order to perpetuate the morals.
I am running ximian gnome on my xp/debian box, and while it is nice, it's still a bit rough on the edges. Things need to be a bit more comfortable to windows users (the users that should switch to something that is not pro-palladium). Copy/paste and resolution switching are 2 complaints I see a lot on slashdot, and they have become standard wintroll arguments, but there is some validity to them. Copy and paste do not work consistently among all applications. In some applications all that needs to be done to copy is to select the text, and then click the middle mouse button to paste it somewhere else, but then there are times that I get a URL in my email, copy the text, fire up mozilla, select the text in the URL box to delete it, and all of a sudden my text copied from the email is gone from the clipboard, and now I have the URL copied from mozilla's URL box. Quite annoying, that. While I know what's going on and how to get around it, the normal user will give up after a few tries and ask his geek brother in law to put windows back on his computer because "this leenooks thing doesn't work right". And then when I want to switch resolution, it's easy to do with a keyboard shortcut, but when I do that it just changes the displayed resolution, not the desktop dimensions, so you get that "slip sliding desktop" effect that is not too intuitive. Also a consistent gui would help ease the transition (redhat's new beta is making great strides in that area).
I also fell in love with UNIX and for quite a while I just ignored the inconveniences of xfree86 (cuz that's all I am really saying is wrong with linux on the desktop anyway), however I do not have the programming skills, or motivation, to go and correct these issues myself. I really did try to give desktop linux a chance, and I may try it out again after it has matured a few more years, and maybe someday it will match OS X in usability.
We are in agreement on almost all points brought up in your posts except that xfree86 is not really ready for prime time, and I think more realistically about the average person's will to inconvenience themselves with xfree86's shortcomings just to keep their computer palladium-free. Most people don't even know what palladium is, and with the spin microsoft has put on it, it looks almost good for the users. And the users that think it looks good are not the type to read about it here, or anywhere else. They are your mom, or my niece, or my brother in law that just want to use their computers for light web surfing and music downloading. And these kinds of people will be affected the most, but care the least, and if every knowledgeable geek converted over to linux despite its desktop ineptness, the real world won't even notice.
to thread and distribute workloads seamlessly
Sounds like sucker-bait to me.
With PCs getting faster and more reliable, consider *why* IBM is selling more mainframes than ever.
Thank you for taking the time to write to us.
The article also mentions that "While Microsoft has confirmed that the flaw does exist, it's important to note that actually exploiting it would be difficult, for several reasons... etc."

The security of your personal and financial information is of the utmost importance to us. Your access to Internet banking is secured through the use of firewalls, cryptographic techniques and stringent internal access procedures. In addition, we have regular and independent audits on our computer banking systems to ensure that security meets or exceeds banking standards.

As you may already know, we use secure 128-bit encryption - one of the highest forms of encryption technology available today. Encryption scrambles all information between your personal computer and our computers and guarantees one of the highest levels of security, privacy and confidentiality. There are literally thousands of millions of possible "passwords", or combinations of 128 bits. In order to unscramble the information, someone would need to find a digital "key", or a very large password. This requires months, or even years of calculations using sophisticated computers. It took the Swedes the equivalent of 70 years of computer time to decipher 10 increasingly difficult codes set by author Simon Singh in his international bestseller "The Code Book." Since the key changes with every connection (*session* encryption), the calculations would have to be performed all over again when unscrambling additional information.

As you know, the Internet banking service does not provide access to cash withdrawals. In the case of an account discrepancy, however, we would trace the details of the transaction using our complete audit trails. If your Internet Banking password does not work and requires a password reset in order to access the secure site, we must follow a stringent verification process to validate your identity. Once the password is reset, you are required to follow the registration process before gaining entry.

We welcome comments and suggestions about the content of future upgrades to our on-line services. Your remarks have been noted for review with the PC and Internet Banking team.
I realized that the best way to learn a task was to ask myself "if I had designed this system, how would I implement it?" - and all of a sudden, everything became easy.
That's exactly how I found the learning curve with Linux. (except that I was just learning comp. sci. when I started with Linux, so as well as being used to Atari ST, my problem was that I didn't know enough at first to be able to think of how to implement things.) People don't usually mention that strategy for understanding things when using Linux, but I find it very useful. I find it interesting that I'm not the only person who's come to that realization.
happy hacking,
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,