Microsoft Plans An Overhaul For Patch System
sckienle writes "ZD-Net has an article about Microsoft's plans to overhaul their patch system. 'Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued' says Scott Charney, chief trustworthy computing strategist at Microsoft. Basically, Scott is promoting the idea that Microsoft can do a better job, in many ways, so people will trust and be able to install patches quickly. Microsoft has a transcript of Scott Charney's talk on their site."
As reader sweeney37 summarizes, "Microsoft's plan is to reduce the patch installers from eight to two, they want to have one patch installer specifically for the OS side and one specifically for the applications." Sweeney37 points out this InformationWeek article on the planned change.
"We are now doing security audits on all our products as part of development."
No comment necessary =)
Vonal Declosion
What about the recent patch that "broke" people's net connections... I don't want something like that automatically applied.
If you are running WinXP, you can set up Windows Update to download the latest patches anytime you are connected to the web. This will get you the latest updates just about every time you use your computer.
If you turn off this feature, it's really your own fault that you get hacked. If it is true that most attacks occur *after* the patch has been issued, there is no one to blame but the user.
But I'm sure we can twist this into an anti-MS thread anyway.
I have been pwned because my
In the commercial world, because of restrictions on software distribution, there is no single place to go for patches. There is no debian or RedHat that distributes 100s or 1000s of applications and will provide you patches for ALL of them promptly and consistently.
Maybe with this overhaul they'll come out with better microtine patches and I'll be able to look my friends and family in the eyes, once again.
Bill Gates' book was 'Business @ the Speed of Thought'
The whore/troll's link doesn't even make sense.
I'm not Seth.
It's so difficult for Administrators to manage all these patches.
We take a risk by delaying patches, we take an even bigger risk by patching without decent amounts of testing.
The last thing we want is to have tested the patch and find out we rolled it out incorrectly. MS appears to be going some way to help us good guys out.
... I sincerely doubt that their reputation for releasing patches that break as much as they fix will be affected very much by this move. I think most business users will see it as an attempt to appear as though they're trying to address the issues instead of actually doing anything.
It's kind of like a balding man with a really bad comb-over. It looks okay from a distance, but it doesn't really fool anyone.
Yo Bill! Here is my "patch".
PATCH THIS
Users who do not patch their default Linux installs are the ones to blame when they get hacked, but Windows users who turn off automatic updates are off the hook because Microsoft didn't roll out a patch correctly?
Double standard, anyone?
Quoting from the interview ...
>when I came to Microsoft on April 1st, 2002, yes it was
>really April 1st -- it was an April Fools joke, but I just
>stayed on. But when I came on, what customers said to
>me first and foremost is that patch management was their
>biggest concern.
It took them until 2002 to realize this? I've always thought the whole hotfix/patch/service pack mess was MS's biggest albatross around their neck, but I'd assumed there was at least a semblance of order behind the scenes that we never saw.
Of course, being Microsoft, they'll probably mess up the implementation for the first two revisions, and then hail the third version as the greatest thing since MS Bob.
Give me Apple's "Software Update" and apt-get/rpm any day.
As I read this little blurb, I was thinking to myself that this probably won't help me any, since I have a pirated copy of XP (as do a nontrivial number of other users, I would imagine). My first thought was that Microsoft would require you to have an "activated" and properly registered copy of Windows and/or the MS applications you were running in order to receive the updates.
But as I thought about it, I realized that not letting the pirates patch their installs of Windows might not be in MS's best interests either. If some worm gets loose, and 98% of registered Windows users are patched, but none of the cracked copies are, the worm will replicate to the 2% of unpatched registered users much faster than if you'd allowed the pirates to receive patches instead of trying to screw them with an insecure version of the OS. That would increase the ultimate number of infected machines and influence whether or not the worm becomes a PR problem.
I'm not sure what I would do in this situation; I'd probably end up allowing pirated copies to update anyway and just try to capture their IP addresses on the sly in case I could use them later.
After I just went through hell with M$'s last patch to fix a security problem... connection problems. That thing took 5 hours to remove and still I see side effects of it (like AIM won't connect and stay connected for long). But hey, that's how they make their killing: tech support. Sadly I'm not (dumb|smart) enough to (write|call) them on this one. Maybe it's time for a patch system that simply removes the files they overwrote and stores the old ones somewhere.... that'd be really nice..
That brings me to another point: Isn't it relatively easy to hack a machine that has insecure services running on any port - such as telnet? In theory, it should be easy to get a cleartext of a password sent in through telnet or FTP.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
It embiggens the smallest open source advocate.
If anything will topple Microsoft's dominance of the operating system market, it's an ascii middle finger.
Bravo, good sir, you have done us all a service.
Please attribute any typos in this post to the numerous tasty Newcastles I have consumed.
Wait, that's a comb-over? I could have sworn it was real!
OMG. Quick, someone patent "one-click" software updates before Microsoft does and then sues everyone!
Seriously, they had to go out and hire someone two _years_ after Win 2000 to come up with the revelation that maybe their crappy software might be more secure/stable if customers could trust a centralized and organized patch management system?
Ye gods.
Hi. A good idea to improve the speed of patch adoption would be not to use patches to sneak in system "enhancements". I use XP for some tasks at home, and once I applied one "cumulative security patch for Internet Explorer" I found out Windows was keeping me from watching my region 1 DVDs (I live in Spain). Of course I re-installed Windows, I stopped installing whatever patch, and I am trying to move all my desktop needs to Linux; anyway, I believe this behavior is shameful if not criminal. I have since advised all my clients to plan an exit strategy from Microsoft products. The belief from Microsoft that they can restrict a product's feature set after you already bought it makes it dangerous to "bet" your business on their good faith, as they do not have any
How about writing secure code that is secure right out of the box?
Oh, but wait... this is M$. Sure they do not have resources for that. Nevermind.
Come on, that's hardly reasonable.
How is a user supposed to trust a patch being issued by a company that is known to release vulnerable software in the first place?
Yes, it's not a reasonable standpoint for a user to have, but it's still valid!
Take this example: My system works. Apple releases Quicktime 6.3, iMovie 3.0.3, iSync 1.1, and Bluetooth 1.2.1 today. You expect me to update all of them?
Why? Just because? Because there are new features? Because they fix bugs? Because they improve performance? Just because Apple decided to release them?
But the difference is that I do trust Apple. Having used their OS and system for 2 years, now, I have found that Apple updates don't introduce more problems, do increase functionality, performance, and reliability, so I *will* update just because.
However, there *are* pieces of software I haven't updated. I haven't updated my base station software, yet, because it works and I don't want to restart it. I haven't updated my iPod software, again for the same. I haven't updated my IE because I don't use it, and have deleted it.
But I *don't* trust Microsoft. I've been using them for 10 years, and I won't update until there's feedback on whether there are new instabilities, problems, crashes, etc.
That... and did I mention I don't trust Microsoft?
GPL Deconstructed
If Microsoft sold you a box of 20 fish sticks, you'd open it up, and there'd be 7 sticks. 2 would be fish, but not the kind of fish the box said, and they would be broken in several places. 4 would be unknown material; the other would be a promise for another fish stick at a later date. And they promise that other fish stick will be really good when you get it.
And there'll be a license in that box that says it's illegal to discuss the contents of the box with anybody, and that the sticks (patent pending) are not warranted to be fit for any particular purpose except that of their existence as sticks.
Not only do they need to standardize the patch installers more, they also need to put into patches the ability to slipstream them with new installations, like you can do with a service pack. The number of critical updates we have to install after every new installation of XP is ridiculous when they could just provide us with an easy method of integrating the changes into the source files.
Because writing all new code from scratch is the best way to avoid security problems!
Get a hint. Code clarity and maintainability first!
This is a GooD Thing(TM) -- since MS will be rolling all updates into a single update without exposing the flaw itself. Well, at least not until a later date.
This may provide temporary security, but it is by no means an excuse for a lazyassed system admin/IT professional, or whatever.
If you find a bug, let us know beforehand; that way we can save fac....err... issue a patch behind the script kiddies' backs. Thanks, Microsloth
-William
So now I can depend on Windows Update to have one more reason to fail installing critical updates.
I agree with this. And do not forget that most users of a pirated Windows version often have a registered copy at work. And Microsoft recently changed most licences so it's now legal to have a copy installed at home too. So even if they use a pirated version, it might still be a legal copy.
Sorry, Charney, it's not the patch installation software that's the problem. Sure the changes you suggest will make things a lot easier, but their absence isn't why people don't install your patches. The problem is the patches themselves.
Yes, the patches themselves. People don't install them because they break critical production software which must not be broken. And in some cases those patches can't be backed out without a complete wipe and reinstall of the system, witness the recent VPN protocol "fix". As long as this is the case, people will still not install the patches no matter how easy the installation process is.
If MS wants to improve their patch process, they need to do a few things:
Microsoft never fails to surprise me with their futile attempts to try to gain the trust of the IT world. Here we have another story of a billion dollar company run by a 10 cent brain, i.e. Bill Gates, et al.
I don't think this patch problem is all about number play, i.e. reducing from 8 to 2. They should be more focused on producing a good product in the first place, not just creating a quick podge-job and then bombarding their customers with patches (which are usually also full of bugs).
They claim to be "Secure by Design" and yet they probably have one of the worst track records when it comes to security related issues. This is just Microsoft spreading propaganda to make it look like they're doing their job.
So they can automagically patch my system so that the "world" doesn't hear about it until almost everyone has the patch.. and right about that time (let's say 48 hours later) I find out that all my e-mails have been going to someone else, or my firewall settings are broken because of the patch.. and I spent two days working like a dog trying to find out why it suddenly stopped working.
My wish of MS would be to improve their OS and application design philosophy BEFORE they make it, so these patches aren't so damned regular in requirements or DIRE in consequences.
Mongrels.
>:-|
Any time something wrong with Linux is pointed out, you are then reminded that somehow, this is a good thing. Linux is always perfect.
Not so with MS. They can do no good ever. According to Slashdot, MS has NEVER come out with anything decent. They could compile an exact duplicate of Linus' personal kernel, and somehow, the Zealots would find something wrong.
It's amazing how MS is slagged as not having an ounce of innovation; what about Linux itself? This is not an OS that was developed independently, with no legacy ties. In fact, it was written to be a substitute for Unix, a copy, a clone. Linux could not exist without Unix.
This is the thinking of the supplicants who recently touted "Feet of Fury" as innovative.
Of course, this will be modded down. Contrarian opinions are not tolerated here (the supposed bastion of free thinking). You think Bill is the Borg? You haven't met a Zealot.
So I decided to look at the patch counts of some other OSes just to make things look silly in comparison.
First up, my favorite... OpenBSD! On average for all releases excluding the current ones (3.3 and 3.2), the average patch count is... (note that for 2.2 to 2.6 I doubled the count because at that time they were only supported for 6 months, not 1 year like post-2.6 releases were, thus the patch counts rose; this isn't really all that fair, but as you'll see it doesn't REALLY matter):
32 patches per release. Which is about fair when compared to Red Hat since they also only patch for a year (yes yes yes, you aren't getting patches for all this other software that you'd use out of ports, but hey, Microsoft isn't providing many patches for other people's products, if at all).
Now let's do VMS (this is scary...)...
A look through Bugtraq archives starting at 1997: the average count over the past 6 years has been 4 patches per year. But hey, when you've been around the same evolving codebase for 20 years you're bound to hit that point of diminishing returns. Of course, if you're not throwing out your codebase due to limitations and problems in the original design *cough* ...
Okay, so given their history I'm sure a large number of you (and a big part of me) could see how Microsoft might be making these changes to force patches and upgrades on people to enforce all sorts of bad stuff like DRM and all that. Or even if the people at Microsoft who studied the current patch system are sincerely looking for a better alternative, Microsoft will surely use it for something evil...
But still... is the borg icon absolutely necessary even when there aren't really any aspects of evilness in the story? Especially since if the same exact story came out for another OS everyone would be fine with it.
Just because passwords are being sent in the clear, doesn't mean you can necessarily intercept them. You need to be able to intercept the packets containing the username/password combination from the remote user. You could do this at one of three locations: the remote machine, the server, or in transit. If you own the remote machine, you could just trojan *any* client used, so telnet isn't any worse off than a more secure protocol. If you control the server, the point is already moot.
So let's look at the "intercept the packets in transit" approach. You could try to sniff the packets by compromising one of the routers, or listening in on a wireless LAN if that's what the client was using, or installing a physical wiretap. None of these would work against a secure protocol.
Anyway, let's assume the attacker has intercepted a username/password combination for a particular machine. He could then do anything that user could. However, that doesn't get the attacker full control over the system. For that, the attacker could then use a local root exploit.
Additionally, many of the daemons that provide services like FTP or telnet have had many remote root holes in them.
So, whilst telnet and non-anonymous FTP have their security issues, and you probably shouldn't be running them and certainly shouldn't be exposing them to the world, exploiting their weaknesses isn't quite as easy as you might think.
I see this as Microsoft taking a much needed step towards addressing the #1 security problem plaguing the Internet: Joe User.
Joe User doesn't even know what Windows Update is, so never installs any patches for the operating system. Joe User clicks on any E-mail he gets that says "L@@K NEW WINDOWS SECURITY PATCH!" or "ANNA KOURNIKOVA NAKED!!1" As a result, Joe User is running several different trojans, and his system is being used as a DDoS attack drone whenever it is online.
As much as we might decry a perceived invasion of our right to run our own systems, forcing Joe User to keep his system up to date with the latest patches is a good thing for all of us. Fewer packet floods, fewer lamers on compromised hosts, and possibly less spam. It's likely that Joe User doesn't even CARE that Microsoft is installing whatever it wants, whenever it wants, on his box. In the end, as long as those of us who know what we're doing can disable this feature (and those of us who don't CAN'T), I can only see this being a good thing for everyone concerned.
Wow, now they're patching the patch system. Talk about innovation!
So, uh... what's changed, exactly?
They should target overhauling their entire OS. Obviously their security is not scaling too well; it will only take so much before it completely breaks down.
First, you didn't write it. Secondly, Tom Christiansen thought he was oh-so-fucking-CLEVAR 4 years ago, but Vidomi tried to do the same "trick" 2 years ago to steal VirtualDub and GOT BURNT. This linking trick is just as stupid as saying "delete these romz after 24 hours if you don't own the original". You know you're trying to use GPLed code without adhering to the license. So does everyone else. It'd never stand up in court.
Good 'ol Bob.
I won't add anything about patching, but I do wish to say that I am interested in one point: MS states that it will define a patch system for the OS and one for the apps. :-)
I will be very interested in finding out what MS defines as OS and what it defines as application in its new patch system.
Oh, and of course, I look forward to being very entertained by all the new patches coming out in the OS system to correct bugs implemented by patches for applications.
Yes, the patches themselves. People don't install them because they break critical production software which must not be broken.
That critical production software NEEDS a patch, e.g. it has a security hole, or runs on top of an OS that has a security hole. Therefore it IS already broken and thus needs patching. There is NO excuse for not patching your software, like there is also no excuse for having security holes in your software.
"A small piece of material affixed to another, larger piece to conceal, reinforce, or repair a worn area, hole, or tear. "
- or -
"Computer Science. A piece of code added to software in order to fix a bug, especially as a temporary correction between two releases. "
Temporary correction... Microsoft, I'm afraid, took this literally.
I have always wondered why each patch is distributed as a standalone executable. Why is there no standard program on the Windows system that installs a patch that is distributed in a file that contains only the update?
When I patch my Linux system, I retrieve a .RPM and it is installed using the rpm program already on the system. Windows even has that "MSI" stuff, so why is a Microsoft patch not distributed as a .MSI file?
- the guy who wrote Cuckoo's Egg isn't Cliff Stowe or Cliff Stole - actually his name is Stoll .. and btw - we won't trust your employer ..
[Apparently MS's FUD group managed to 'clean up' the transcript before it got out. Here's how part of the _real_ interview went.]
... customers ... when our patches break working programs. A Patch Testing working group is being formed and is anticipated to be in place for Windows Server 2003's release in late 2004.
"And we'll not be stopping there. Their second biggest concern after patch management was patch suitability and correctness. And that's when I realized that the patches themselves were broken!
We had this engineering group making patches for this and that public relations group announcing patches for that vulnerability and management saying 'why don't you patch the hardware so the bandwidth will be smaller.' And what ended up happening is that no one was actually checking to see if the patches fixed anything." (Nervous Laughter)
So one of the next things I will be doing is to create a Patch Verification working group. Get all the people together to agree on a common nomenclature. What's a "bug" anyway? And how does it differ from a "feature?" No seriously. Can anyone define those terms for us?
Anyway, another thing that seems to bother our hostages. I mean customers. Yes, customers. That's it. It seems to bother our
We are furthermore developing 'New Technologies' within Microsoft including one we're calling 'debugging,' that I'm very excited about. We think it'll vastly improve the quality of our "MacOS Jagger OS" 'Longhorn' release in 2010. From there we'll be setting our sights on matching Linus Redtop 7's innovation and code quality. [I'm pretty sure he means "Jaguar" and "Redhat 7" -ed]
By then of course, our "Trustworthy Computing" initiative will be in place. Microsoft Big Brother (TM) will implement Software Update Services to push 'Code we Trust' on enterprises so we can prosecute those who try to back out patches from any of our 25 installer applications, 13 hotfix downloaders or 7 service pack updaters."
[At this point some Microsoft Thugs (TM) confiscated my recorder, though I managed to switch out the tape first -ed]
Patche's Patch
While a patch system overhaul is long overdue given the number of affected legacy systems, Microsoft should see this as an opportunity to save themselves some serious money (and, as a side effect, do some actual good). If they can learn from this experience, and use this as a learning experience on the importance of writing good code, this could be a great opportunity for them.
Instead of having the large full time support staff they do, as well as the crews of people scanning the web for new exploits, how much time, effort, and money could they save by hiring a couple of full time people to check _all_ buffers on all code after it's been committed to SourceSafe? Also, it would reduce data loss due to crashes and other problems. Wow, Microsoft increasing their bottom line in a way that actually helps consumers. What a thought.
tough one. I'd go for the CoyboyKneel option.
Coy Coy, v. t. imp. & p. p. Coyed (koid); p. pr. & vb. n.
Coying.
1. To allure; to entice; to decoy. Obs.
2. To caress with the hand; to stroke.
Boy Boy, n.
In various countries, a male servant, laborer, or slave of a native or inferior race; also, any man of such a race.
Kneel Kneel v. i. imp. & p. p. Kneltor Kneeled (?); p.
pr. & vb. n. Kneeling. OE. knelen, cneolien; akin to D.
knielen, Dan. knaele. See Knee.
To bend the knee; to fall or rest on the knees; -- sometimes
with down.
Good luck bringing this down to 2.
at least trying..
very trying...
I think they should put the effort into finishing the development before they release the product instead so that the patches were less relevant.
Reading some of the concerns posted here about MS automatically downloading patches to your machine reminded me of the Windows Update feature added to Win9X and its automated feature.
It seemed like a horribly bad idea then and it seems like an even worse one now if only because MS still, in the intervening years, hasn't managed to figure out how to write secure software.
Or even good software, but that's another issue.
And one also wonders how you are going to apply patches to the new patching system?
Qui custodiet ipsos custodes?
Well, critical updates are *mostly* distributed by the ever-popular windowsupdate service. I recently created a slip-streamed, unattended CD-R for XP Pro that has SP1a && corp activation (via corp $erial) && M$ft JVM && every critical update & patch. And, if you want, you can download WinINSTALLER to create .MSI files from any/all your programs and automagikally install those too. It's basically what the Dell "repair" disks are. See this, this, this, this, and this
It's not the # of patches. It's the number of bugs that make Microsoft products unsafe and unusable.
The EULA gives me the right to define what usable means.
if you'd allowed the pirates to receive patches instead of trying to screw them with an insecure version of the OS
;-)
Good one, you steal their software, and then accuse them of screwing you?
I'd rather deal with software that is open, so you can instantly, and in great detail if need be, tell if something breaks what you need. I'd also rather deal with updating individual software packages rather than everything at once, like you say (the OS is a "software package"; the apps it runs are not). Using emerge, apt, and even RPM lets the admin figure out what needs to be installed. If the printing subsystem has an issue, that's a patch. If one of the file managers has problems, that's another. If the built-in firewalling needs updating, then you have yet another patch. They're all separate.
You just never know what you will get with a "service pack" even though MS tells you what's in it.
But I'm preaching to the pope...
-b
I update/patch my system daily; usually nothing serious happens (and if it does, then there is nobody to blame but me because I use the developer version of my OS). So why can't M$ come up with an update/patch system which works as reliably as apt-get?
There is this patch tool which rolls software de-protector utilities into the ISO which becomes part of the install.
FYI
I was once infatuated with "free software" and the GPL, but the more time I spent with that crowd, the more I came to realize that their underlying philosophy was fundamentally anti-corporate, socialist and had typical characteristics of a cult.
It's either their way, all the way, or the highway. Rational discussion is made impossible by hysterical groupthink resembling that of a communist totalitarian state, egocentric reasoning ("closed software is eeevil because it doesn't let us steal the code!"), fondness for the Appeal to Authority logic ("closed software is eeevil because RMS said so!") and cults of personality of Linus, RMS and ESR.
As far as I can see, this attitude stems fundamentally from your run-of-the-mill blue-collar envy of those who are financially successful and who have actually had the courage to risk their reputation and fortune in business.
BOO! TERRO
Hmm, they're separating out patches for the OS and its applications? Interesting, considering their recent move to make the latest version of IE the last 'standalone' one... How will they differentiate OS and applications if they keep doing this? (Real question, not sarcastic/rhetorical)
...and reliable.
one line, fixes the lot, every time a coconut.
No fuss, no bother, just do it regularly.
I'm glad to see that some people at least realize the problem with GPL.
GPL advocates like to boast how free software is about freedom. But what kind of freedom is that when you effectively cannot use the code freely or even be sure that the license you yourself chose is valid anymore?
The infectious nature of GPL is designed to force people into a certain way of thinking. "You don't like our license? Well, too bad. See/touch/smell GPLd code and your code is going to be GPLd as well! Why? Because we are RIGHT and you are WRONG! We are GOOD and you are EVIL!"
So go fuck your GNUs and stuff your "free" code where the sun doesn't shine. We'll use truly free licenses such as public domain or BSD license if we want to release our code for the common good.
From reading this story closely, it appears that Microsoft has once again run into a problem which the open source community has successfully solved: how to effectively deliver patches and security updates to a wide audience across the internet. Existing mechanisms for distributing updated software for Microsoft's operating systems and applications are currently only semi-effective and are in urgent need of overhaul. They certainly do not represent a best-of-breed, enterprise-level approach.
At this point, I would like to put forward a suggestion to both the readers of Slashdot, and to the management of Microsoft which may address the aforementioned shortcomings: win-apt-get. As Debian users across the planet know only too well, apt-get is a robust, convenient, scalable and enterprise-ready solution for managing not only Debian packages, but also the rapid dissemination of updates and patches when they become available. Apt-get is in fact listed as the number one reason for choosing the Debian GNU/Linux distribution above other competing distributions by respondents in a recent LinuxWorld survey. Given such tremendous community support and technical advantages, why is it not worth considering a version of apt-get tailored specifically for Windows...a win-apt-get, if you will.
Please...I hear you reaching for your 'Troll' and 'Offtopic' moderator buttons. Certainly many high-ranking Debian luminaries exhibited similar responses when I approached them with this idea at this year's Open Source Expo. However, upon listening to my plans, they were all convinced. Bruce Perens was particularly enthused, as I had offered to buy him lunch at the cafeteria if he listened to my pitch, an offer which he accepted vigorously, let me tell you!
But enough anecdotes of rubbing shoulders with the 'Debian doyens'. What I need are volunteers to help with the porting of apt-get to the Windows platform. This is in fact part of a much larger initiative, which unfortunately has been met with much hostility by the overwhelming Gentoo community on Slashdot. This initiative is the production of a new version of Debian, one which uses a new underlying operating system: Debian GNU/Windows XP.
Let it sink in. I will be back shortly to tell you more. I'm excited!
Best regards,
Debian Troll
It's nice to know that Microsoft are listening, but until they stop releasing patches that break their end-users' applications and even their own OS, no one will trust them.
I run a couple of production servers on NT4, and am exceedingly wary about patching unless I have a snapshot on our SAN for quick DR.
The last time Microsoft broke my server, I only had a tape backup, and was very embarrassed to have to admit to 3 hours downtime.
oh brave new world, that has such people in it!
Stipulative Definitions:
"Bug" - a serious flaw or unforeseen condition that results in unexpected or unintended consequences or actions.
"Exploit" - a creative use of a "bug" to utilize a program for uses not intended by its user and/or developer.
Premises:
(1) If we assume that every networkable and sizable program is not perfect; meaning, it contains one or more bugs.
(2) That bugs are the basis of most exploits.
Conclusion:
Every networkable, sizable program is likely to contain one or more bugs, resulting in a possible exploit.
The sad truth is that OSes that use unsentry'ed stacks for method invocation are inherently susceptible to stack overflow xploits. Btw, everyone STOP USING strcmp() && gets() in your programs!!!!!!! use strncmp() && fgets() damnit !!!!! Buffers (fixed & malloc()ed) must NEVER be exceedable from command-line or other user actions!!! In fact, there should be no way to exceed a buffer, though u ALWAYS have the first byte available AFTER the end of an array as a safe place. Write defensive code!!! Code as you would drive in Oakland, CA. assert() never hurt anyone (just never put any code w/ side-effects inside asserts()). I've run sec audits on so much source, there's always some little util around somewhere that checks argv's with these suckers. Instant buffer-overflow exploit, no water necessary! There are modified linux kernels that check the stack pointers and the integrity of the stack w/ so-called "canaries", random magic bytes on either side of the stack frame to check for stack overflows. For buffer overflows, it's a little harder, since u need something that checks array indices and malloc(). Even then, there are some exploits that write to valid portions of a user-space app to gain some privileges. My solution: use a language w/ tons of security already in it -- Java.
;) No stack or buffer-overflows there... and u can SetSecurityManager's all over the place, and java applets are sandbox'ed anyhow (except microsoft's JVM is an insecure PoS.) I'm wondering if a POSIX && a Secure UNIX && a Trusted OS would be any better. I hear they use the "root-isnt-root" trick, everything is encryptable (mem, process name even), and memory has ACLs everywhere.
"You can take that to the bank!" -- I dont know.
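The comment above tells people to replace gets() with fgets() and to never let a fixed buffer be exceeded by command-line input. The following is an added example, not code from the commenter or from any project in the thread, showing what that defensive pattern looks like in C: every copy and read is limited by the destination size, an over-long argument is rejected rather than truncated, and an over-long line is reported (and the rest of it discarded) instead of being written past the buffer. The buffer sizes, the sample input and the helper names are constructed for the example; fmemopen() is POSIX, used here only to feed constructed text through a FILE stream.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() and fmemopen() */
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 16   /* constructed size of the example argument buffer */

/* Copy an untrusted string (e.g. an argv[] element) into dst[dstsz].
 * Returns 0 on success, -1 if it would not fit. strnlen() never scans more
 * than dstsz bytes, so even an unterminated source cannot cause an over-read,
 * and on failure nothing is copied at all: the unsafe strcpy()-into-fixed-
 * buffer pattern the comment warns about would instead keep writing past dst. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return -1;
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz) return -1;          /* no room for the terminating NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Wrapper used by the demo: copies into a local ARG_MAX_LEN buffer and
 * reports 1 if the argument was accepted, 0 if it was rejected. */
int arg_fits(const char *src) {
    char buf[ARG_MAX_LEN];
    return copy_arg_checked(buf, sizeof buf, src) == 0;
}

/* Read one line into buf[bufsz] with fgets(), the bounded replacement for
 * gets(). Returns 1 for a complete line, 0 at end of input, and -1 when the
 * line was longer than the buffer; in that case the remainder of the line is
 * consumed so it cannot be mistaken for the next line by the caller. */
int read_line_bounded(FILE *in, char *buf, size_t bufsz) {
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL) return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';              /* strip the newline, line is complete */
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF) return 1;               /* final line without a newline */
    while (c != '\n' && c != EOF) c = fgetc(in);   /* discard the overflow */
    return -1;
}

/* Demo over constructed input: counts the lines that exceeded an 8-byte
 * buffer. The middle line is deliberately longer than the buffer. */
int count_overlong_lines(void) {
    char data[] = "short\nthis line is much longer than eight bytes\nlast";
    FILE *in = fmemopen(data, sizeof data - 1, "r");
    if (in == NULL) return -1;
    char buf[8];
    int overlong = 0, rc;
    while ((rc = read_line_bounded(in, buf, sizeof buf)) != 0)
        if (rc < 0) overlong++;
    fclose(in);
    return overlong;
}

int main(void) {
    printf("argument \"hello\" fits: %d\n", arg_fits("hello"));
    printf("16-char argument fits in 16-byte buffer: %d\n", arg_fits("0123456789abcdef"));
    printf("over-long lines in sample input: %d\n", count_overlong_lines());
    return 0;
}
```

The two return conventions are deliberate: a rejected argument is a hard error the caller must handle, while a truncated line is reported separately from end-of-input so that a loop cannot silently treat the tail of a long line as a fresh line.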
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
And they will be able to reduce the number of attacks to 5% from the current level!
Funny, I always thought the key to software security was to write good code in the first place. Automating a patch system to improve software security is like building automatic bandaid dispensers into children's clothing to make playgrounds safer. It's an extension of security-through-obscurity, at the expense of user freedom.
The majority of hack attacks happen immediately after a patch is announced, implying that announcing the patch announces the vulnerability. So MS is saying the problem isn't the vulnerabilities themselves, it's that hackers respond more quickly to the announcements than ordinary users do. Microsoft's solution is to speed up the response. So what if the users have to give up control of their computers? They're going to have to turn over the keys anyway when Palladium gets shoved down their throats, right?
Casting users as the weak link is ultimately a lame defense for the fix-it-later commercial software development philosophy. Rushing software out the door because the marketing dept has promised it to retailers who want to sell it before Xmas is not the only possible way to do development.
The free software world may not be perfect but it doesn't suffer from that particular disadvantage. One way to make your system more secure might be to run code that was released when the developers decided it was actually ready.
..or is it that Ninety-five percent of known attacks happen after they've decided to let everyone know about the "known" software vulnerability so they have a vulnerability to attribute the attacks to?
Perhaps the 5% before hand is more like 30% but only 1/6th of that 30% are able to figure out what the vulnerability was due to?
Shoot Pixels, Not People!
could be released at a special time. all the clients could be notified of the release time before hand and if you miss out its your problem.
Why does he bring up and emphasize April Fool's Day?
Is he trying to imply that every day that you have to apply a Microsoft patch is pretty much like April Fool's Day?!?!?
There are definitely a few screws loose at Microsoft!!!
I take this as proof that even $50 billion can't cure Asperger's!
This is simply another example of Microsoft's ongoing strategy to sell products:
1. Release lots of marketing hoopla about initiatives to improve security, each of which is followed by an embarrassing new security breach.
2. Spread FUD about other products that are gaining ground against their products because of an established record of security they just can't seem to produce (see 1 above).
3. Rush patch after patch after patch out the door without proper testing, creating more problems than they fix.
4. Blame the user for each new embarrassing security breach.
5. Do anything EXCEPT address the underlying design and implementation philosophies that created all of this mess in the first place!
I no longer patch my Windows systems. I don't have to. I have to run Windows for some of the software that is only available on Windows, but I don't have to expose them to the 'net. My Windows systems hide behind a firewall. Outlook and IIS are banned from my systems. I don't send out Word or Excel files and any that come in are screened and cleaned before I open them.
My Windows systems are sealed in jails with only tight little windows (every pun intended) through which to look out at the Wide Wide World (get it?). Attempts to communicate with the family in Redmond are blocked; contraband coming in from the outside world are routinely scanned for and removed.
And who is the jailer? Right now, Linux. Linux runs on the firewall. My server is Linux. Mail is routed and cleaned through Linux software, incoming and outgoing.
Get a clue, Microsoft. This is the way of the future. This is my Microsoft strategy. Increasingly, it is also the strategy of people I consult for: if not now, soon after the next virus attack or server hack. Microsoft software simply cannot be trusted to work in the Wide Wide World.
If Microsoft is serious about wanting people to install their patches, they should institute a policy against making 'retroactive' changes to product EULAs in the patches. If they want me to patch this stuff on a weekly basis, having to parse through a few pages of EULA-ese in order to do so is a substantial 'barrier to entry'.
This is just naive. Can you name any software released in the past 5 years that hasn't required any patches at all?
"It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
Here's something to think about. Microsoft's patch system authenticates you before it will give you patches (not you specifically, but the Activation Code you're using, I believe).. with the last service pack they made a whole lot of pirated corporate editions not able to use Windows Update.
:)
This doesn't mean all the pirates are going to say "gee, guess I'll go legit and buy a copy", it more likely means they'll stay unpatched.
It would be interesting to know how many systems that are participating in DDoS attacks are not patched because they can't patch because they're illegal copies of Windows...
(Yes, patches are available in other ways than Windows Update, but Microsoft is doing all their work to make Windows Update easy - maybe what we need is a "rogue Windows Update" for the pirates
- Steve
I have not had, during my time using Windows, a security exploit personally affect me, nor have I had any real stability issues (save 95 and Me, which BSD'd a lot). What irritates me the most about Windows is the weak CLI, and the way 2000 and XP, to a greater degree, decide what is good for you and don't let you override that decision. Windows System File Protection, for example: I have not found a way to disable it (even the reg hacks I found will not work). I have had XP refuse to install a different driver for a device because it feels the one that is installed is the best option. And my most recent bitch is that XP seems to decide to find the weakest 802.11b signal and connect to that, despite what I have in my preferred networks list.
Having the OS make decisions for me isn't always bad, but I want the option to override that decision.
"Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurrott
You want to see his ass in the slammer? You're there as well? ;)
Change your number and forget to tell eBay! How dare you.
At least in theory you should own the domain name for the length of your fee.
I never said I didn't trust anything... I meant, if you don't initially trust the patches a company makes (for whatever reason), will you trust the unsolicited and unverified comments on a system *run* by the selfsame company?
I trust the comments on Slashdot, slightly, because it isn't outright owned by Microsoft.
I trust the comments on Ars Technica more, because it isn't run by Microsoft and because the people on there have proven themselves technically adept over the course of multiple years.
But if there was a site actually run by Microsoft, I am at least going to be skeptical of astroturfing, censorship, and bad moderation; to be perfectly fair, I also have to be skeptical of anti-Microsoft folk who might try to skew the data the other way, too.
GPL Deconstructed
I've got nothing to bitch about, really, I haven't used Microsoft in two years now.
Are you trying to tell me that Microsoft, in the past two years, has become a more reliable, trustworthy, and capable software provider?
GPL Deconstructed
The thing that drives me nuts about most Windows patching isn't that its hard, but that most of the time the patching process relies too much on computers that are online to a fairly high speed connection and involves too many individual patch files.
I updated a Win2K machine from SP2 (fsck'n help desk too lazy/braindead to upgrade the image) yesterday and it took nearly 200MB of patches to get it updated and three reboots to get it to a current state.
What'd I'd like to see is:
1) Post-service pack patches consolidated into a single patch executable, available for download and offline installation.
2) A tool that would allow someone to build their own current SP file from both past Service Packs and available individual patches; essentially a patch linker that downloads the patch files and merges them together into a single executable. This would allow a machine running at any patch state to be updated to current in a single step.
#1 would be useful for most people, and #2 would be useful to people who want to eliminate specific patches for stability/manageability concerns.
... I accepted 2 automated updates from MS last saturday ... didn't pay much attention and did an automatic reboot ... the system wouldn't come up ... the OS was missing ... after 2 calls to MS, they said we have to do a clean install.
> That thing took 5 hours to remove and still i see side effects of it
And it would have taken you 2-3 hours to reinstall your computer and configure all your apps, right? And it would have been working perfectly when you were done? I can't imagine a technically literate Windows user not just reloading Windows when things like this happen. It would probably save time and you'd have a fresh install when you're done.
I usually reload my Windows machine about once a month, and I don't have any performance problems. Granted, I shouldn't have to do this, but it's a lot easier to reload Windows and throw in my "reload CD" (which contains my unique drivers, favorite misc apps, and some important patches and codecs) and be done with it. The process usually takes 2 hours to get it exactly how I like it, which is a small price to pay for a machine running lean (especially with the stuff I throw at my machines).
And if that isn't simple enough for you, ever hear of Ghost?
This is yet another way to get .NET on the Windows machines.
-BeDammit
BeOS is dead quite yet.
Just did a windows update and it's installed the wrong eth drivers, so I now have no network connectivity on it and have to locate manually working drivers. Lucky I have another PC on which to locate the drivers.
----
Out of curiosity, if you're so much smarter than Mr. Gates, why haven't you started your own billion dollar company?
..... [ad infinitum].
Sounds like to me you're a person who defines "intelligence" solely financially. I guess Einstein wasn't intelligent either by your definition, since I don't remember him being a billionaire. Nor Stephen Hawking. Nor Carl Sagan. Nor
Don't give me crap about how I feel jealous over one man's incredible success, because I certainly don't. 99.9% of the time, when someone criticizes Bill Gates, the first thing that sparks into the person's brain is "you're just jealous" without even trying to think about what the other person is trying to say. The Bill Gates of today is NOT the same Bill Gates that used to be an avid hacker and created traffic-control software at the age of 14. The Bill Gates of today is NOT the same Bill Gates that scored a perfect 800 in his math ASA. The Bill Gates of today IS nothing more than a monopolistic dictator. He is a person that sells overpriced, crappy software that gets half the job done that it's designed to. He is also a person that exploits 3rd world resources (not just him, many others) and gives away "donations" for the sake of spreading his software widely. The fact that I criticize all this AND, by mere coincidence, Gates happens to be a billionaire: it appalls me how you jump to the conclusion that I am jealous of his "success".
Why haven't I started my own billion-dollar company? The same reason why you haven't: I want to actually enjoy a quality of life that far extends the barriers of financial success. This is not the place to be talking about the personal life of anyone, but for your sake, I question the social success of Mr. Gates.
There were no spelling mistakes in my previous post. So quit the schmoozing and try to think about what someone is writing before you start making false accusations about them. You may also want to read some articles at www.worldsocialism.org to see the world through my eyes.
Of course they WILL!
With ignorant TOSSERS like YOU using their products!
it's all part of the game baby..
Like it, or lump it. You know what to do.
The biggest difference is that Microsoft extorts money from people; provides no real means to implement an alternative (post-entrenchment); is a closed, proprietary system; etc., etc. You can bet that if I'm paying Microsoft for something, it damn well better work.
or, gee, how about being able to order (with proof of current ownership, of course) a CD with the software incorporating ALL the patches and updates for a clean install?
Nawww! what was I thinking?
Really? So you'd take a Win2k clean install over Win2k Sp3? What about NT4 Sp1 over Sp6a? And before you say, "I wasn't talking about service packs!" realize that service packs are not much more than a slew of updates applied at once.
It seems like this so-called "reputation" for bad patches is nothing more than a vocal minority who have an axe to grind with Microsoft. I'm sure that a few legitimate users ARE affected by mistakes in patches. But on the whole, Microsoft's patches work, are remarkably easy to apply given the complexity of the underlying software, and fix MANY TIMES more bugs than they create.
You might come up with a handful of counter-examples, but that would be the extent of your evidence. Considering the sheer number of QFE's and SP's that Microsoft ships across all their products, can you condemn all Microsoft patches based on such anecdotal evidence?
From this related article:
Nathan Hanks, managing director at Continental Airlines, said, 'All the guys hacking Windows are Linux guys.' Continental was hit hard by SQL Slammer and 'our CEO said we'd failed,' Hanks said.
and
Having one vendor throat to choke is helpful in crisis situations, and the Linux/open source alternative does not offer that, Hanks said. An IT pro can't go to the CEO and say that a server is down, 'and hopefully some guy in Amsterdam' will get to a fix when he gets back from the 'dope house,' he said.
While it is admirable that Microsoft is trying to improve their patching system, anyone with any experience whatsoever administering their products will know to wait until the first service pack patches for the new patch installer are made available. A 1.0 anything from Microsoft is an invitation to re-image the machine in question after it irrevocably locks up and thus requires a rebuild.
My direct experience has been that with every service pack comes a host of new problems. Some have devastating effects on networking, the behavior of applications, or security. It's true, many of the things are benign or simply patch things that nobody uses. However, it is also true that the network administrators and IT managers at the companies I have worked for (and I've worked for some major players) are reluctant to roll out patches released by Microsoft until they've been fully tested and their effects known.
Nope, I wouldn't take a clean Win2K install over Win2K SP3. But I'd definitely take it over SP1 and SP2. Each of those service packs screwed up networking, added new security vulnerabilities or broke system DLLs that applications I had been using at the time depended upon. It took Microsoft two tries to get it right.
As for NT 4.0, at least two of the service packs left NT networking horribly broken, and the IT managers wisely chose to skip them and wait for the next ones up before rolling out those upgrades.
It's a great idea, but the lag in production and ordering would be staggering, and your "up-to-date" install CDs would be behind constantly.
A better solution would be one or both of the following:
(1) A checkbox in the install sequence which would say "Apply user-supplied patch kit during install" which would then prompt you for a CD that had the patch kit.
(2) A way to re-burn the CD to include the patch kit on the install CD so that installs from the new CD are automatically patched to the right level. This would require MS to provide a disk image suitable for making the CDs bootable.
I vote for the latter, but the former would be usable as well.
Then DON'T USE GPL'ED CODE!
In your case, the GPL is no different than any commercial license. You can't use code from closed source software *at all*!
If you don't like the license, then write your own code! Why should developers who GPL'ed their software give away all your code for your own selfish reasons?
"But what kind of freedom is that when you effectively cannot use the code freely or even be sure that the license you yourself chose is valid anymore?"
I call it inherited freedom: all derived works "inherit" the same freedom. You cannot stop people from enjoying the same freedom of the work your work is based on.
"You don't like our license? Well, too bad. See/touch/smell GPLd code and your code is going to be GPLd as well!"
Nope. If you include GPL'ed code in your non-GPL(-compatible) software, intentionally, then:
1. You deserve to be sued for violating copyright.
2. Your code does not automatically become GPL'ed! You are just in a license violation. Either GPL your code, or remove the GPL'ed code from your codebase!
You anti-GPL zealots are acting all mighty as if you're right and everybody else is wrong. You aren't. Answer this question: Why should developers who chose to release their code under the GPL, give away all their code for your own selfish purposes?
Brag all you want about "true freedom" or whatever, but the fact is that I and many other people aren't going to help you if you keep acting selfish ("gimme your code! I won't release improvements! ME ME ME!").
You can't use code from closed source software *at all*!
Of course you can, you twit! Consider Oracle's client library. Or SGI's ImageVision Library. These are all closed-source libraries. And you can use them to your heart's content.
Of course, you have to buy a license, but that's true of everything.
Why should developers who GPL'ed their software give away all your code for your own selfish reasons?
Let me get this straight. The twits who use the GPL are trying to tell ME what to do, and somehow I'M the one who's selfish? Whatever, dude.
You would not BELIEVE the number of compromised Windows systems running DDoS and IRC flood bots I deal with on a daily basis. In many cases, a simple security patch would have prevented the installation of the trojan causing the problem.
Make no mistake, I don't like the idea of MS having control over my system. However, I dislike even more intensely the idea of millions of unpatched Windows installations just waiting to be used to attack my system. As long as it's possible to disable the automatic updating feature, I think that MS has done its duty to give users the freedom of choice.
probably looks something like this: code -> wait for someone to report a problem -> fix!
or, more commonly known as "code and fix".
Sure, most of us can get away with that, but when you are building the most used operating system in the world...
TallGreen CMS hosting
I've just gotten 3 replies about this comment, even though I used such strong, defensive words like may, might, some. Come on, guys, get a grip! We all know how old buffer overrun bugs are, of course it's MS's fault that Outlook only uses IE to render HTML, and sure Linux deals with the same hassle, but I was just pointing out, very timidly I might add, that they had one issue that Apple didn't have. Oh, yeah, and they have a knack for putting out buggy code. ;)
Sure I'm paranoid, but am I paranoid enough?
Dear Microsoft
Here's a tip: PREVENTION. Just stop releasing buggy, insecure software. It's win-win -- for you and the end-user.
the goal of this isn't to affect patch quality.
the point is that people shouldn't have to deal with 80234 ways to get their machines patched. there should be ONE patch format. Also, the bar for what qualifies as a consumable patch is wildly different - some SQL server patches require you to stop sql server, copy files to places (!!!) and then run some .SQL files after you read the code and verify that you won't cook your data (!!!)
The goal is to make all that better.
My opinions are my own, and do not necessarily represent those of my employer.
Yes, I "demoed" it, but after a week's trial I went and got me an inexpensive OEM copy, despite the fact that the King of Warez was my roommate. Even though I use it, I can honestly say there's one thing about it I wish was better. The memory management could have been better. Even then I still won't upgrade to XP yet, even if Bill himself handed me a gold disk he burned and shit on personally just to bless it. When the programs I currently use would be better served by using XP instead of Millennium, then I'll switch.
Linux? Yeah I got a disk here. I messed with it, tried to install it, then gave up on it. 3 days of my life was enough. None of the apps I use were available for it anyway, and the substitutes available, I wouldn't even use Windows versions. When Bill finally puts out MS-Linux, yeah, I'll probably put it on.
I am as cheap and niggardly as the typical FOSS Zealot with my money, but I have no problem paying for a product I will use on a regular basis.
I call it inherited freedom: all derived works "inherits" the same freedom.
You're ignoring the key problem: it's not freedom. It's restriction. I don't care if you call the process of causing those restrictions to apply to only tangentially related software "inheriting" or "infecting," it's still restriction.
As an aside, calling it "inherited" is laughable. Software that links to other software is not derived from that software. In OOP terms, it instantiates. It does not inherit.
You anti-GPL zealots are acting all mighty as if you're right and everybody else is wrong. You aren't.
Uh. Sorry, but calling restrictions freedom and infection inheritance IS wrong. And calling shenanigans on it IS right.
Brag all you want about "true freedom" or whatever, but the fact is that I and many other people aren't going to help you if you keep acting selfish
I don't recall asking. We don't care whether you release your code or not. In fact, since 99.999% of all GPL-licensed code is shit that's not worth the ferrite beads it's encoded in, we'd rather you DIDN'T release your code.
It's all your bullshit talk of "freedom" (and, in this case "inheritance") that pisses us off. Because, see, we know what freedom is, and it makes us mad to see you abusing the term so blatantly.
Man, I am rolling on the floor laughing at all of these posts about Windows Update. It makes me really appreciate everything I have gained with moving to Linux last fall. I mean, what is better than a system that only reboots when you tell it to, only shuts down when you tell it to, only patches when you tell it to, etc. ?
:)
Yes, I still have to use Windows at work ( for now ), but even just getting rid of it at home removes so many headaches that you have to try it just to appreciate it. Now, I am not going to sit here and lie that I can play all of my favorite games( all 1 of them ) on Linux, but gaming isn't the best use of my time, anyhow.
For those of you who ( like me ) are forced to use Windows at work, use the patching/security issues to at least shed doubt on the viability of Windows, and get the company IT Managers to consider other options ( like linux ). If you have to have Windows apps for your users, perhaps setting up a Windows server cluster hosting the apps and sharing them via Citrix Terminal Server, with the end users running everything in a browser on their Linux system, would be a viable solution.
Oh, as far as windows patching, I guess letting the user set the updater for "Joe User" mode or "Joe Guru" mode would be fair enough. But all patches should be listed in line-item style, with full explanations of what files they replace/add, and any other effects that they have. AND they should be removable at the user's discretion. AND they should not include/change any EULAs. Since this is obviously too much to ask, I recommend you look at other OS's for peace of mind.
Wouldn't you rather go JetSkiing than waste time trying to recover from a buggy patch? I knew you would.
I can't afford a sig!
Success? You call enslaving millions of people from third world countries to do the same job or better than American programmers do and yet paying them a fraction of what they should be earning ...
Your arguments are full of so much doggerel that I'll have to tackle them bit-by-bit.
I REALLY hate this argument. You know what--if the thousands in India and elsewhere didn't have programming jobs, or call center jobs, they probably WOULDN'T have jobs. What this "enslaving" as you melodramatically put it has done is create a middle class in India that's HUGE.
Firstly, I myself am from India (Indo-Canadian, but I like to be called a human, I don't like associating my existence with political barriers) and I have a better and clearer understanding of what's REALLY going on there, not the stuff that you hear on CNN and take for granted. You're a fool to begin with if you think there's such a thing as a "middle class". There is no such thing as what you refer to as a "middle class". There are only two classes: master and slave. The rules are simple: if you're not a master, then you're a slave and vice-versa. You claim that this "middle class" is "HUGE". If that's what you think, then you've seen nothing in India at all. More than 85% of the people live below the poverty line and the rest are enslaved to do work simply because they have no other choice.
Believe me, I've been to India, and I can't think of any reason why you would begrudge these people their educations and employment. I'm sorry, but imho, if you think he's enslaving these people, you really should travel around the world and see how things are.
Your very definition of enslavement is flawed. If you don't own your own company, then you're enslaved. Yep, it's true. That may be a mouthful for you to swallow, but let me try to shed some light. After every political campaign, does your quality of life change drastically? Probably not, and I'm not talking about a tax break or two. Do you follow your superior's orders at work? Probably so, otherwise, you know where you'll end up. This definition may seem a bit extreme, but it's a fact. Enslavement is not necessarily undesirable work that one is forced to do; it also encompasses an element of "no other choice". Every working class person (like you and I) ends up working for big businesses with a stupid salary that cannot fulfill our desires of life simply because there is no other choice (other than to find yourself work that pays more; easier said than done). Hence, when a person ends up working for a corporation, you've basically sold yourself out to them so you can earn yourself a living, but at the same time, you've given up your lifetime dreams of owning "this and that".
Tell me, would you like to own a high-end sports car? Maybe a mansion or a ranch? Or maybe something else that costs a lot. Perhaps you own these things and more, congratulations if you do. But most of us will never be able to own any of these. Because why? Because unless you're a master, i.e. owner of a company, you'll never earn enough to own any of this stuff or anything else you've always wanted.
I guess this argument just bothers me a lot more than most, because having travelled a lot I've seen what many people have to deal with. The view that hiring international programmers is enslaving them is just terribly insular.
Really? Perhaps you'll like to know that these programmers work many more hours than American programmers and STILL only get paid a fraction of the salary they deserve. I guess that's justified by thoughts like "better that than nothing". Of course, they are at least getting some
Msft has taken a lot of heat lately about patch management, so they put up a new hire from a security consulting firm? Why not a product group guy? How do you think they got where they are anyway? The product groups did their own thing. And you know this won't be open to any other vendors. I hope someone comes up with a cross vendor solution....