Gates Says Windows Reliability Is Greater
mogrinz writes "According to an interview with the New York Times, Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about". Gates summarizes the Microsoft position very succinctly: "We're doing our very best, and that's all we can do"."
Maybe his best isn't good enough...
*--- Sometimes a majority only means that all the fools are on the same side. ---*
at least tech support is...............
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
A. No. "
He should.
Well, apparently Mr. Gates, your best isn't good enough, now is it?
My journal has hot
Losers always whine about their best. Winners go home and fuck the prom queen.
Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
I like the part about "are you afraid of product liability suits". He should have answered. "no, now that we understand how to buy politicians and use lobbyists, we no longer fear the law".
photoplankton
"That's no moon.." -Obi Wan Kenobi
Bill's made it possible for any random high-school loser to destroy $14 billion of other people's hard work. He's soaked the world in gasoline and handed out a billion matches. That's an "achievement"?
If Microsloth was doing their best to fix Windoze666 they'd be broke. Instead they're doing their best to rip everybody off.
Big Brother Bush is doubleplus ungood.
for you lazy Geeks:
Link
x+50%(where x = 0)
You can alter the percentage to taste, Bill does.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
http://www.nytimes.com/2003/08/31/technology/31SMIC.html?ex=1062907200&en=97bebbbc61452055&ei=5062&partner=GOOGLE
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
They didn't even bother locking down any of these dangling ports until somebody exploited the fuck out of them. Now they are at least going to ship Windows with the Internet Connection Firewall enabled by default, which is a good thing. They are a reactive organization - it comes with the territory of having a dominant market position and being scared shitless of change, unless and until it forces itself on them, usually by inducing fear of losing the dominant market position.
Dear Bill,
Far and away your #1 bug is the infamous "buffer overrun" flaw. These usually mostly manifest themselves in string libraries. I know that you have at least 3 library solutions in-house (Safestr for C, CString in MFC, and basic_string in STL) but your developers don't use them otherwise these problems wouldn't happen.
I'd like to point you to another alternative:
http://bstring.sf.net/
Which your developers may prefer. But whatever you do, why don't you simply make it a requirement that <string.h> simply be outlawed (you could easily write a tool to enforce that couldn't you?), or take some other drastic action?
Buffer overruns are certainly the most common kind of bug that isn't caught by QA (the right answer is not to try to train QA to find them -- they would require the skill of a hacker.) If you concentrate on this one bug alone, you will probably easily remove 80% of these attacks.
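The post above names the pattern without showing it. The following is an added example (not code from the post, nor from Bstring, MFC or any Microsoft library; the names bounded_copy, checked_login and USERNAME_LEN are invented for illustration) that contrasts the unbounded strcpy() idiom, which is where these overruns come from, with a bounded copy that reports truncation so the caller can reject over-long input instead of overflowing or silently shortening it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the post or any library it mentions.
 * Copies src into dst, always leaving dst NUL-terminated and never
 * writing past dst_size bytes. Returns true if the whole string fit,
 * false if it had to be truncated (the caller then decides whether
 * to reject the input or live with the shorter value). */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;               /* nowhere to put even the NUL */
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;               /* truncated */
    }
    memcpy(dst, src, n + 1);        /* includes the terminating NUL */
    return true;
}

#define USERNAME_LEN 16             /* hypothetical fixed-size field */

/* The shape of the bug the post describes: the caller assumes strcpy()
 * stops at the end of username[], but strcpy() only stops at the end of
 * src. Longer input is written past the array into whatever the
 * compiler placed after it. Kept as a comment so it is never executed.
 *
 * static void vulnerable_login(const char *input)
 * {
 *     char username[USERNAME_LEN];
 *     strcpy(username, input);     // no bound on input length
 *     ...
 * }
 */

/* Hardened version: input that does not fit is refused outright rather
 * than truncated, because a truncated name can itself be a bug (an
 * attacker-chosen prefix becomes the stored value). Returns 1 when the
 * name is accepted, 0 when it is rejected. */
int checked_login(const char *input)
{
    char username[USERNAME_LEN];
    if (!bounded_copy(username, sizeof username, input))
        return 0;                   /* too long: refuse, never overflow */
    return username[0] != '\0';     /* accept any non-empty name */
}

int main(void)
{
    char probe[64];                 /* constructed over-long input */
    memset(probe, 'A', sizeof probe - 1);
    probe[sizeof probe - 1] = '\0';
    printf("short name accepted: %d\n", checked_login("alice"));
    printf("63-byte name accepted: %d\n", checked_login(probe));
    return 0;
}
```

The design point is that the bound comes from the destination (sizeof username), not from trusting the source, and that the truncation result is a return value the caller cannot ignore without a deliberate choice.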
I have never gotten a virus with XP. Never even had one come up in a virus scan. But, I do all the right things like use a firewall and autoupdate. I also do things no one else does like use IE security settings and turn -everything- (java, activex) for all but say 40 sites on the net. This last step is just far too much work even for expert users (esp with that stupid site may not display properly dialog for ActiveX). Further it is just beyond the typical home XP user.
Well, really, it can't exactly get any less secure can it? Even if the new version does have security holes, MS are not going to admit to it until weeks after some major organisation has had all their data stolen! I haven't used Windows XP for a while now, so I can't really comment on the number of security fixes released.
Bored? http://www.dodgybloke.co.uk
here is a copy of the article, for the lazy bastards that don't want to register ;)
August 31, 2003
Virus Aside, Gates Says Reliability Is Greater
By JOHN MARKOFF
MICROSOFT, the world's biggest software maker, is the biggest target for computer viruses like the SoBig.F worm that wreaked havoc two weeks ago. Bill Gates, Microsoft's chairman and chief software architect, talked last week about what it is doing to keep hackers at bay. Following are excerpts from the conversation.
Q. You wrote a memo last year calling on Microsoft to focus on reliable software. Now we've had this series of computer-security-related events that make it appear to outsiders that you aren't making progress. Have you in fact made progress?
A. Well, we've certainly made a lot of progress in terms of creating more reliable software, building tools so that people can stay up to date so that they don't run into these problems, creating the procedures that make sure that the recovery actions get widely communicated. We'd be the first to say that we're doing more and more on this. It was very important that we got the company focused on it, made it part of the reviews of all the different employees.
The fact that these attacks are coming out and that people's software is not up to date in a way that fully prevents an attack on them is something we feel very bad about. We want the update process to work so automatically that in the future these problems won't happen. The hackers are attacking not only our systems but other systems, and with the right kind of infrastructure and the right kind of work we can make sure they don't disrupt things.
Q. Have these events created a serious public perception problem about Microsoft on the issue of security?
A. Microsoft's reputation for doing great software research is very strong, and people are looking to us now and saying, "no other software company has solved this; you, Microsoft, need to solve it." We're rising to that challenge. The expectation they have of us is very high.
Q. The buffer overrun flaw that made the Blaster worm possible was specifically targeted in your code reviews last year. Do you understand why the flaw that led to Blaster escaped your detection?
A. Understand there have actually been fixes for all of these things before the attack took place. The challenge is that we've got to get the fixes to be automatically applied without our customers having to make a special effort.
Q. You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?
A. I'm not aware of any systematic attempt by any group. There have been a few of these things that have come along. We have to make our systems invulnerable to these things. It's within our ability to make the systems invulnerable because the speed of update is as great or greater than the speed that somebody comes up with an exploit.
Q. Blaster included a message attacking you. Do you take these things personally?
A. No.
Q. Have you considered enabling the Windows XP Firewall by default?
A. The fact is there has been a fire wall inside of Windows that would have blocked MSblast [the worm]. We're doing a better job of getting information out to people of how to turn that on and when they should turn that on. The idea that it would be on by default is something that we have to push the technology to make that work for people. It looks like we've got a solution to do that.
Q. Some people are concerned about the automatic distribution of patches because of the possibility of doing widespread damage.
A. These patches will be signed by us, and things that are put into the critical security path that we have to pass through we have to be very careful that there is no regression in those things. It's a channel that has to be used not for features, but just for very critical things. We have some other ideas such as something called behavior blocking that will obviate the need in
For Chris'sake BILL what the fuck is taking so Goddamn long.
Steal the fucking Linux Kernel slap a Windows sticker on it sue the GPL out of business and give us One OS To Bind (not BIND) Them All already.
You ripped everything else off, how about ripping off some fucking security?
This
Linux and OS X ship with zero ports open. Windows XP and even Windows Server 2003 ship with 4 open ports. What does that mean? Four places that anyone can jack your system, and even if you have a firewall (a good one at that) programs that have managed to get onto your system whether through shadow installs (see Gator) or tricky web-pages that use java to make you download something and not tell you or even e-mail attachments-- all of those will be able to access the outside world and pull in information and throw it out there too without you ever knowing because those 4 ports are open.
Windows is not secure. Instead of fixing little problems like this that are incredibly simple, they decide to invest billions of dollars into programs like Palladium which will, among other less desirable things, make the platform "more secure" both from the outside world and from yourself. Figure your shit out Redmond, please (by Redmond I mean Microsoft, not Nintendo America).
The New Root Council, kickin' ass sinc
to make money, our stock price even increased while soBig was doing the rounds so as a business we are doing pretty well
Bill.G
Windows Reliability is greater than:
1) Treading in dog muck
2) Falling off a cliff
3) Having your website compromised
4) SoBig
5) Gross karma whoring
6) CowboyNeal is the reliability king
7)...
8) PROFIT..
A friend of mine called MS years ago about a bug in one of their assemblers. It didn't understand an op code. The result is Billy Gates the Supreme coder fixed the bug. He added the op code but since he didn't add it to the opcode table, you had to enter it in upper case and only with a small subset of operands that Billy thought about or saw in other nearby code. Mike claims to not have used any MS code since 1974 and he's much less stressed than I am.
Why, because you're not trolling or flamebaiting?
I have three Debian stable installs here, all using ext3, yes, ext3 filesystems. How did I do it?
Well, I could boast about my l33tness, but I just selected the 2.4 kernel install option from the menu, and then when it asked me to choose a filesystem, I had reiserFS and ext3. W00t!
So, it's not really that hard now, is it?
David
Content analysis details: (20 hits, 5 required)
AUTHOR_JOHN_MARKOV (20 points) Article written by John Markov
I'm a big fan of linux, but I work in an environment where windows is locked in. Yea MS has some problems but so does everyone, what everyone needs to remember is that MICROSOFT RELEASED A FIX FOR BLASTER BEFORE THE BIG HIT CAME. The fact is the people who got hit by blaster didn't maintain their system, or weren't running firewalls. You wouldn't be on here growling about how debian sucked if a bunch of users didn't do apt-get update / upgrade would you? These guys have a huge market share, have a reasonably good product that most of the population is happy enough using. Many of us (myself included) like linux. Both have bugs, both get fixes... but the weakest link is if the admins / system owners update... in this case many didn't and it made MS look bad.
--------- If its possible it will happen, If its impossible it will just take longer
Microsoft software was never designed with security in mind. And it was and is not their primary goal, even now. It is quite different than non-Microsoft software.
If security were *that* important, wouldn't they take some of those many *billions* and actually make that silk purse?
Consider even just today's news posts on Slashdot. Each and every one of them about Microsoft is about money, and *not* about fantastic security advances. And yet the security problems plague us every day.
Microsoft Introduces IM Licensing
Microsoft vs. Burst.com
Hey, I am willing to beat up on Microsoft as much as the next citizen of slashdot city, but let's be fair here. A lot of the problems that are hitting people are due to people not applying the patches that are available.
I use both Mac OS X and Windows XP. On both systems, I use the software update mechanisms and religiously apply the patches that are made available. On Windows I also have a virus protection utility in place. I have never once been caught with my pants down by a worm, virus, trojan horse, etc. And to answer the question of those out there that are already preparing to ask it, I have also never had my system "broken" by a patch.
So my response is that people should "Just Apply The Damn Patches".
Jordan Dea-Mattson
Posting from China, where I am to adopt my daughter! Back to the US in a week!
ok you have obviously not read the mission statement of debian and know little about debian, so I won't bother with calling you an idiot, which you are, or any other names. I will simply say: if you don't like it or can't get it to run, leave the linux thing to people that can get it to run and who actually read and understand what they are using is about and simply keep your mouth shut about it. If you really have to say something about how you really want something done .... submit a bug report.
-=gabe2=- macbook dual 2.0
"We're doing our very best, and that's all we can do"
Concerned about the impact of viruses like Blaster and SoBig on your business? Look, here's what Bill Gates has to say on the issue. Even he's saying it's not going to get any better, so you can expect these kinds of incidents to keep recurring.
Now, let's talk about how to fix this...
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The truth is, every other mainstream OS has solved the security problem better than Microsoft. Most other OSes, especially *nix ones, have a philosophy of least privilege. But not Windows - its big "innovation" is to bundle the (insecure) web browser directly into the OS and enable all sorts of nifty auto-executing controls so that drooling little kiddies all over the world can pass the time by bringing random network-connected Windows machines to their knees.
The usual refrain from Microsoft and its apologists is that its software is attacked so much because it's so popular. No. It's attacked so much because it's so easy to do.
echo -en "HEAD / HTTP/1.0\r\n\r\n" | netcat www.microsoft.com 80
------------
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 132
Expires: Sun, 31 Aug 2003 13:29:53 GMT
Date: Sun, 31 Aug 2003 13:29:53 GMT
Connection: close
The past couple of weeks have been pretty tough on this salaried IT person. Long hours, missed deadlines, real work put aside to help deal with the worm and its after effects. I work for a larger company and know that as a result of this last worm we have lost a significant amount of money because of the worm. A whole lot of productivity was lost.
Billy, you have to do better.
I am not going to lay all of the blame at your feet but you do need to own your share of it. I also blame the virus writer(s) and to a lesser degree my own IT department. We did not have all of the patches and service packs in place. Our engineers need to certify and package them and that takes time. We have to test them against custom software to make sure that they don't break them.
Billy, you can do better than you have. How about borrowing the "sandbox" idea from Java and enhance it so the custom apps can run in their own environment? That way companies would not have to worry about certifying every patch, service pack, and driver that comes our way? How about shipping secure products that come with ports shut off or put in stealth mode?
Looking over Slashdot's home page this week I cannot help but feel this is a biased Pro-Microsoft shop. The propaganda and lies are just too much.
http://www.leadmagnet.50megs.com
Yoda: No! Best you can do very not. Fix ailing platform. Or do not. There is no "very best we will do".
Note: I dislike Star Wars references as much as the next guy. The dead horse asked to be beat.
Time to get the tin foil hats out again. Longhorn is going to affect the part of your brain that writes worms...
Microsoft and bill gates are the greatest thing since slice bread, (uhuh um bull un shit um) What up JETTA JOE :)
Dear Bill: Would you please give me one good reason why a system intended for home use needs to implement remote procedure calls at all?
Would you please point out one benefit this provides to the average home user?
"How to Do Nothing," kids activities, back in print!
Quote the article:
"Q. You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?
A. I'm not aware of any systematic attempt by any group. "
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
We should get a refund, all these billions we gave to Bill Gates, and he can't spend some of it to fix his damn OS?
He is trying his best? What a load of bullshit!!!!! Microsoft just refuses to spend their #$@! money!!!!
If you use Linux, please help development of Autopac
to uproot Microsoft from our every day lives and push them back to where they need to be.
... demanding them to shut down, go back to the drawing board, rebuild, and re-offer solutions for their crap for free.
(I use OSS, every day, for virtually every thing.)
I do my part and I tell everyone I know to use Linux. But the real question is not for me, the end, home user. Really, it is a question for our society, as a whole. What steps do we take to rid our present existence of such terribly designed, bug riddled, poor excuse for computer software that is utterly dangerous to our lives?
This is not Linux Zealotry speaking here, nor is it a troll. For far too long, we have heard of nothing but negativity and endless problems surrounding MS and their faulty products. When do we say 'enough is enough'?
Considering that most casual Windows users have no idea how to configure a firewall properly (or even what those dang "port" thingies are), it's understandable that Microsoft was reluctant to ship Windows with ICF enabled. People like that are either going to see all their IM/webconferencing/file sharing/etc software stop working once their ports are blocked (and start a massive wave of calls tying up tech support), or else default to allowing everything to go through the firewall which defeats the purpose of having it in the first place.
Your point of Windows shipping with a bunch of open ports being a Bad Thing is a good one, but a better solution would be to just have the ports closed by default -- why nail a bunch of boards over an open doorway when simply closing and locking the door would suffice? I also think Microsoft is going to have more luck with their current plan of automating updates -- as many people have already pointed out, the exploit used by MSBlast already had a patch out for over a month before the first attack, and people who downloaded it were fine. Virus software companies have known for years that the only way to get people to update regularly is to build it into the software, a la LiveUpdate for Symantec. Letting expert users who are savvy enough to get the relevant patches by themselves anyways opt out of auto update keeps everyone happy.
The bold print giveth, and the fine print taketh away
Bill's not aware of any group trying to bring Microsoft down? ...BILL, EVERYONE is trying, trust me !!!
Think linux is stable? Well you're wrong!
You're sort of right and you sort of aren't. I think that anyone who is familiar with computer basics will know that any operating system can be crashed if you do the right things. Dropping the right bomb into either a Linux or OS X terminal will drop it like third period French.
The question of whether or not an operating system is "stable" is based mostly on whether or not it crashes during *routine* and *normal* duties and tasks. If an operating system crashes when I open up a terminal and type something that's designed to create a crash, I don't consider that OS to be unstable. If an operating system crashes when I'm trying to install a video card, save a large file, change audio settings or check my mail, well... that's when I start to complain.
www.macgamer.com
This is worth a +5, Insightful.
I cannot believe it: Bill Gates publicly stating that they are unable to fix the problem!
Unfortunately most of their customers will not understand and stay with the company that cannot fix their problems.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
With all the crap they've already foisted on an unsuspecting public, why the HELL should I trust their crappy patches? Remember the NT 4 service packs?
Only if I can view the source code, will I allow their patches on my system.
MS's Best is taking 40 billion and giving free upgrades to all Windows users not using WinXP and Longhorn, even hardware upgrade rebates when necessary..
anything less is a con game!
Don't Tread on OpenSource
With $40+ billion in the bank...that's the best they can do?
That's sad.
-Pete
I mean look at the guy, he has what? 40-50 billion dollars? Then you have Microsoft with maybe 50-100 billion dollars in excess cash just sitting in the bank.
Something is wrong with this guy's brain if he can't spend a penny of his money to fix his OS even when little script kiddies are hacking it.
I mean come on, we have governments, (including ours) using this piece of shit OS, we made this piece of shit Bill Gates the richest man in the world, and he can't even spend his money?! What's his plan? To put all his money in a little room and then spend hours of every day counting it?
This is double-speak. He is trying to imply that people's failure to auto-update is somehow related to Windows' risk of virus/worm attack. But they are in no way related.
System architecture that fails to maintain security is a design flaw, not a maintenance problem. Gates and Microsoft are attempting to blame shift their responsibilities to their product's users. Pretty much anyone would recognize this in a tort law suit, although I expect very few to make this claim in court simply because of Microsoft's size and reputation.
There is no need to use a SlashDot sig for SEO...
Think linux is stable? Well you're wrong! Copy and paste (that's if X's crappy mechanism lets you) this into your nearest xterm and watch the fun!
man bash
/ulimit
ulimit [-SHacdflmnpstuv [limit]]
...
Provides control over the resources available to the shell and to processes started by it, on systems that allow such control. The value of limit can be a number in the unit specified for the resource, or the value unlimited. The -H and -S options specify that the hard or soft limit is set for the given resource. A hard limit cannot be increased once it is set; a soft limit may be increased up to the value of the hard limit. If neither -H nor -S is specified, both the soft and hard limits are set. If limit is omitted, the current value of the soft limit of the resource is printed, unless the -H option is given. When more than one resource is specified, the limit name and unit are printed before the value. Other options are interpreted as follows:
-u The maximum number of processes available to a single user
Karma: Frotzed (mostly due to the Frobozz Magic Karma Company)
You have enemies who are in a crusade to undermine Microsoft. How do you cope with that?
"We have met the enemy and he is us." Walt Kelly, Pogo comic strip
"It's not about the bugs! It's not about the bugs!" Bill Gates, previous interview
You are wrong about open ports. If you take OpenBSD, which is the most secure OS on the planet, it ships with SSH open by default. Now yes, it's secure, but it's still an open port.
Rus
heh heh heh!
Bugs are easier to fix in the lab than to fix in the field. When marketing decides when the release date is, that is the result you get.
This
After trying .Not and windoze, they are the worst language and OS in the history of computing. Companies like these should be sued for liability for selling such a crappy OS and language.
Jeffrey Lee Parson is my hero, the only problem I have with him is that I caught the virus. Jeff, next time crash BILL's pc, not everyone else's. THX JEFF (and if you're reading this Jeff, and I know you are, you know you shouldn't be using your pc, bad you)
"We're doing our very best, and that's all we can do"
In the words of George Carlin: "If this is your best, perhaps you should keep it to yourself."
When Bill Gates spends the fucking money, we won't have to patch the software every second of every day.
Yes every OS needs patches, even Linux and OSX, but on Linux and OSX, most of the bugs are in server software like Apache, not bugs in the kernel itself!
Maybe if Microsoft released a better OS itself we wouldn't have to worry about our computers being hijacked via a simple virus, perhaps if the OS didn't run as root all the time, perhaps if they checked for buffer overruns and used their damn money we wouldn't have to check their security for them by hacking their damn OS.
Too bad Bill sold us all out, but, hey, are you surprised? It's obvious that Bill Gates doesn't care about security, or software for that matter, and no, he's not a geek. He's a consummate businessman who will cheat, lie and steal to get to the top, just like most other rich people. You really can't only blame him for taking advantage of a system you allow and support.
In modern America, there is no responsibility, there is no justice, there is only exploitation and greed. We really have only ourselves to blame.
I fear for America, there are so many traitors in positions of power. Support Linux, support freedom, fight against tyranny. You have a personal responsibility not to be evil.
http://www.eweek.com/category2/0,3960,1122122,00.asp
Why should Microsoft fix anything? Windows is the most secure OS according to http://www.wininformant.com/Articles/Index.cfm?Ar
A replacement string library claiming to bring C up to the standards of "modern languages" but which doesn't even support Unicode. I'm not impressed.
...but I don't feel this is one of them. Two points.
1) No OS is perfect, and anyone who uses Windows has to admit that XP is a lot more reliable in general than 98 or earlier. So, in that respect, Microsoft has 'made a lot of progress' in reliability.
2) I run XP. I used to run 98. I've never had a virus. Never had a trojan. Ad-aware scanned my computer and all it could come up with is a few cookies. Why? I'm not an idiot. I don't run attachments from strange people. I stay away from things named "Gator" and "Xupiter". I firewall. Yes, blame needs to be placed with Microsoft for leaving these holes gaping open, but Joe Q Moron also needs to be held responsible for being uneducated enough to let his computer get infected.
ooh, that guy is my exact double, ooh look a dog with a fluffy tail, hehehehehehe.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Before everyone starts chiming in on how real system admins would have been prepared. Remember a few things:
1) After being burned by a few bad patches, some corporations now have a policy that specifically states that patches must be tested first. With the huge number of patches that are released by MS, this is a full time job.
2) Remote users (laptop users, VPN users, etc.) are like sailors coming back from overseas. Who knows what they were exposed to and what viruses they have. This is outside the control of most admins.
3) Microsoft itself was not prepared for Slammer. SQL servers that were being used in a development environment (read: outside of normal sys admin networks) were not patched. With large organizations, sometimes there are unknown, rogue installations.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Sheesh. Someone send Bill that Despair poster of the exhausted athlete with the caption "Failure. When your best just isn't good enough!", it sounds like he needs some more negative reinforcement to me. ;)
UNIX? They're not even circumcised! Savages!
Then please explain to me why I just received 300+ infected emails, and 200+ McAfee warnings due to forged headers?
Or why I have spent the last 3 weeks dealing with the same at work, and a slow WAN, and having to close ports all over the place on routers.
One could argue that it's an admin's job to protect his network, which is true.. But the idea of patching for the 'hole of the day' is insane..
Or why I have to reboot my office machine at least every other day or it gets flaky ( XP )..
Or I get users all the time that have to be reloaded as their windows self-destructs over time..
Or when a servicepack blue screens my test server..
Or a thousand other reasons...
Perhaps I'm stupid, but it sure doesn't seem reliable to me.
---- Booth was a patriot ----
just like me
I think your view is somewhat short-sighted, and makes assumptions which (in developers) lead to crashable operating systems.
It should be _HARD_ to crash the OS, even deliberately, even as root/superuser/administrator. Even things like bad device drivers should not affect the core OS, which should be capable of 'healing' itself. Mostly against hardware glitches, as it should be armored against software attacks already.
As a side note, it is almost impossible to achieve this level of hardening in a monolithic architecture.
If you're not living on the edge, you're just taking up space!
Years ago when viruses were brand new, Unix experts were critical of Microsoft for making DOS an insecure operating system.
Being fair, even in the light of that day and even more so years later, I can see why Microsoft DOS was made the way it was made.
(a CP/M-like operating system for a new generation of computers, not actually by Microsoft, during a day and age when security was maintained through ignorance.)
After the movie "War Games" security became an important topic. Microsoft published the book "Outside the inner circle"; this book would forever destroy the notion of security by obscurity. Among the topics, "The Cracker" points out that many operating systems didn't take security seriously when they were designed, offering features that made hacking in incredibly easy.
It also pointed out that "Security by obscurity" is stupid.
Many good concepts were printed in that book and I suspect that had Bill Gates not had a "Microsoft Press" to publish it himself it probably would have never been published.
On the other hand talk is cheap.
When it came time for Microsoft to make its revised DOS (called Windows) they did not take any of the criticisms into account. Microsoft didn't lift a finger with regard to security.
There are a few small issues I can think of with regard to how Microsoft could improve the overall process in keeping Windows secure.
Saying "Windows is insecure by design" is not being critical of Microsoft's efforts TODAY to repair Windows.
It's critical of Microsoft's efforts over 10 years ago when Microsoft designed Windows.
And much later when Microsoft designed NT.
And again for Win 2k, Win XP and Win '03.
(I omitted Win ME and 9x as they were not redesigned so much as improved on previous versions.
The overall OS structures didn't change so redesigning the security was not possible)
Fundamentally Microsoft needs to make changes in Windows to work securely.
Realistically it won't happen.
What they are doing is using the brute force method of securing Windows: sending teams to fix bugs as they become known.
But brute force won't fix a flawed design process, badly designed patches or an OS that isn't designed to be secure to start with.
I don't actually exist.
It's a shame that you got a 0, Redundant for your post timed the same minute as the 4, Funny above with the exact same quote. Sometimes life just ain't fair.
Put identity in the browser.
Good, it's settled now. I wish Gates would have said this sooner. Goodbye Linux.
Even Win2K had some rather dodgy things about it -- it behaves just about as well, but can be glacially slow to do so.
Win98, 98SE and ME required reboots several times daily, and I wouldn't think of trying to use Sleep Mode. With XP, we leave machines running for days with nary a reboot.
Do apps still fail? Yeah, but they don't bring the machine down. I can now run DOS-style programs much more reliably than ME could ever do (and I have to: the supplier's Win32 app for ordering is a terrible program).
And about the cost of viruses: Blaster didn't hurt me at all except during the net storms slowing everything down. But Sobig has definitely harmed our business:
So I can believe it's billions.
Design for Use, not Construction!
Like you, I find the $14B figure highly suspicious. However, I cannot help but notice how much things add up. My company's cost for the last few viruses/worms is tens of millions in helpdesk time (all metered, hence easy to count), plus lost productivity. Take a high-level engineer whose lab time, including salary, equipment, real estate and benefits, comes to $250/hour. Have him spend the morning fiddling with his Windows machine that has to be brought up to the last service pack, then rebooted 3 times, then he has to download and install three patches from saturated servers... (even if the guy actually never caught a worm and wasn't dumb enough to open an attachment titled "Free XXX Pics!", Networking won't let him reconnect before he patches his machine). And even on machines that said engineer has carefully kept patched, Networking insists that he downloads and runs an update verification program that will certify this machine is indeed patched. Oh, and the verifier is a bit buggy, so on some machines you need to tweak it before it runs correctly.
And soon your cost is a cool grand. Multiply by many, many instances all over the world for every outburst. It adds up quickly.
Meanwhile, of course, the Linux machines in the lab are perfectly happy. It's just that the engineer needs Windows to access his email because of the boneheaded all-Windows desktop strategy that the higher-up morons barfed on unsuspecting cubicle dwellers. But that's a different problem.
Don't tell me that these procedures are wasteful and inflexible. I know it. Unfortunately, that's still better than sending helpdesk technicians to each machine, which is even more costly.
So the total figure can easily come to billions because of the huge mandatory waste of time to update and run the verification program on each machine.
Right now, this weekend, in many colleges and universities, thousands of IT depts and student/faculty helpdesk techs are running around like crazy patching machines of students coming back to school. The cost for our local college alone (5000 students) is estimated at $15-30 per student. Do the math.
Conclusion: The $14B might well be optimistic after all.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Ahh, their position for everything. The RPC 026 vulnerability was discovered by a 3rd party.. not Bill's code reviews. The vulnerability was in OLD code that existed back on Win 95... carried forward to the current versions. Even for those that deployed the fix, unless you had 100% coverage, you suffered the effects (Blaster.D ping traffic). And of course you lay blame with the very people that support your defective products (it's THEIR fault the fix wasn't applied).
Great question, lame dodge.. and the 'solution' you propose will not fix the problem, but will only satisfy another agenda.
Understand this, Gates: MS products are riddled with vulnerabilities by the nature of your very development process. The peer review process is either non-existent or done by folks who wouldn't know a buffer overflow if it smacked them over the head. Your programmers can get away with writing crap, and because of the development model and your tight release schedules they are forced to use 'quick and dirty' rather than 'quality' and 'wide peer review'. Code is slapped together and tucked away in a vault never to see the light of day... and forgotten. That is the best you can do with your business model - and it is not good enough and never will be.
Give me open source any day: worldwide peer review.. garbage code is rejected and sent back, fast. A developer learns very quickly in this development model to use best practices or face rejection. Can't get away with 'quick and dirty'. And the funny thing is this cannot be bought. IBM realizes this.
Lawsuits won't fix this.. Marketing slogans won't, either. Insecure by design.
I recently bought a Dell laptop and learned something in the manual that should scare the heck out of anyone. My laptop came with WinXP Home, and there is an Administrator account with a blank password. Obviously, this is liable to become a security breach.
The thing is that Dell or Microsoft believes in security through obscurity, since you can reach the Administrator account only by booting in Safe mode. But do you think Linux or MacOS would ship with anything like this?
I think not.
A NYC lawyer blogs. http://www.chuangblog.com/
Q. Are you concerned about the possibility of product liability suits?
A. Well, we're doing our best to improve Windows and make it so our customers don't run into these problems. I think this is a critical issue for our customers, and solving this will be fulfilling the commitment we made on trustworthy computing. We're doing our very best, and that's all we can do.
Read: They want to take on our lawyers? Be my guest. Just hope the EULA doesn't stand up in court, and that you haven't opted into the Florida Class Action settlement....
1) firewall on by default or equivalent
2) Separate security updates from feature updates so that sysadmins will be less reluctant to apply them to stable reference platforms.
3) Make the system default to auto-update so that nearly all desktops will be patched.
4) "Behavior Limitation". By which I assume he means something like requiring root privileges for some operations, and not making the user root by default.
If they do all this, and it sounds like they will, then it would seem that Windows will soar past Linux in security. Because Microsoft controls the entirety of their "distro" they will be able to have a robust patching mechanism that GNU/Linux with its highly custom configs won't be able to do (robustly at least). Moreover MS is moving towards an institutionalized formal system for checking every line of code for common security errors like buffer overflows. Linux/GNU is dependent on developers checking their own code and the results will vary, and experience will not be institutionalized.
Sure they've gotten hammered, but the comment lament on Slashdot is that "boy they are dumb. if they just did a few simple things this would not happen. linux Rulez". Well apparently they are going to do a few simple things and a few more. How is the Linux desktop market (aka common user) ever going to succeed if it can't match the future Windows for security?
Can someone please explain why after these changes Linux is somehow intrinsically better than Windows has the potential to become in terms of security?
This is a legitimate question, flamers will just be proving my point.
Some drink at the fountain of knowledge. Others just gargle.
"Losers always tell me that they are doing their very best. Winners date the prom queen"
Sean Connery in "The Rock"
Baby steps, Mr. Gates. Baby steps. One day your billion-dollar software company will get there.
I have little doubt that Windows (NT/2k/XP) and Linux are pretty much on par in terms of stability and reliability. However, much of the stability of Windows gets washed away by the fact that many software installs and OS updates require you to reboot the system. With Linux, only a small handful of things require you to reboot the system.
Replacing the Linux kernel obviously requires a reboot, and rebooting is often recommended when updating some of the core libraries and programs (glibc, init). Even parts of the kernel can be changed (via kernel modules) while the system is booted. I'm sure that some of this capability actually exists in Windows, but the mantra of that OS appears to be, "If at first you don't succeed, try rebooting."
I can't expect people to drop everything every few days in order to update. I find it painful to reboot on the monthly basis that I usually do on Linux...
What a surprise. Another story featuring the words Bill Gates and Micro$oft on Slashdot. Have you rubbed your golden Bill Gates buddha statue's tummy today guys? How much publicity are we going to have for m$ here? It's no wonder the serious Linux users all laugh about /. having anything to do with Linux.
What a joke.
...than what?
...than a slug covered with salt?
...than sniveling snot?
...than [insert your wit here]?
What's the problem? Just ran that as root on my server, and nothing happens. Oh, there are some errors about being unable to fork.. *grin*
(Clue: All Linux servers worth their salt have ulimits)
There--- Used the code you told me to.
./crashlinux
...
bash-2.05b$ echo "main(){for(;;){fork();}} | gcc -o crashlinux && chmod +x crashlinux &&
>
bash-2.05b$
Seriously: 'format c: \q' should do more than that, but you had to create some smart script and hope that we added an extra '"'
I just tried it. It does not crash the system
Of course your example doesn't work (unmatched quote, gcc doesn't accept stdin, chmod is unnecessary).
I tried the program as a normal user. It creates 1000 processes, the load average goes to 1000 and the system is slow, but doesn't crash.
And I can type ^C and all processes are stopped.
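The point made above about ulimits is worth seeing in code. The following is an added example (not any poster's code, and not from the page): it lowers RLIMIT_NPROC, the per-user process limit that `ulimit -u` controls, and then forks children that block on a pipe until the parent releases them, stopping at the first refused fork or after a fixed number of attempts. The attempt cap is an assumption that keeps the demo bounded where the limit is not enforced (on Linux, root bypasses RLIMIT_NPROC), and every child is reaped before the function returns. Because the limit counts all of the user's processes, on a busy account the very first fork may already be refused, which is the limit working as intended.

```python
"""Demonstrate RLIMIT_NPROC containing runaway forking (added example)."""
import errno
import os
import resource


def fork_until_limit(soft_limit: int = 8, max_attempts: int = 32) -> dict:
    """Fork until RLIMIT_NPROC refuses (EAGAIN) or max_attempts is reached.

    Returns how many forks succeeded, the errno that stopped the loop (None if
    the attempt cap stopped it) and the soft limit that was in force.
    """
    orig_soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    if hard != resource.RLIM_INFINITY:
        soft_limit = min(soft_limit, hard)   # the soft limit may never exceed the hard one
    resource.setrlimit(resource.RLIMIT_NPROC, (soft_limit, hard))

    rfd, wfd = os.pipe()     # children block on the read end until the parent closes wfd
    children = []
    stop_errno = None
    try:
        for _ in range(max_attempts):
            try:
                pid = os.fork()
            except OSError as exc:   # EAGAIN: the process limit refused this fork
                stop_errno = exc.errno
                break
            if pid == 0:             # child: wait for EOF on the pipe, then exit quietly
                os.close(wfd)
                os.read(rfd, 1)
                os._exit(0)
            children.append(pid)
    finally:
        os.close(wfd)                # closing the last write end releases every child at once
        os.close(rfd)
        for pid in children:         # reap so no zombies outlive the demo
            os.waitpid(pid, 0)
        resource.setrlimit(resource.RLIMIT_NPROC, (orig_soft, hard))

    return {"forked": len(children), "stop_errno": stop_errno,
            "soft_limit": soft_limit, "max_attempts": max_attempts}


def limit_was_effective(result: dict) -> bool:
    """True when the loop ended because fork() was refused with EAGAIN."""
    return result["stop_errno"] == errno.EAGAIN


if __name__ == "__main__":
    r = fork_until_limit()
    print(r)
    print("limit enforced:", limit_was_effective(r))
```

On a normal unprivileged account `limit_was_effective` comes back True after a handful of forks; if it comes back False with all attempts succeeding, the process is running with a privilege that exempts it from the limit, which is exactly the configuration a server should not be running services under.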
Windows Update needs a little work. It's a pain in the ass. It pops up while you're doing something; without thinking you hit "remind me later", because you're in the middle of something and don't want to have to wait for it to install and then reboot the computer. What they need is a "remind me at next shutdown" option. I don't run Windows Update all that often because I'm always in the middle of something, but I know I wouldn't mind spending an extra five minutes before I shut down.
"Sic Semper Tyrannosaurus Rex."
I think the whole Linux vs. Microsoft thing where security and stability are concerned comes down to the dilemma of the "soft" parent vs. the "hard" parent. Microsoft is the "soft" parent and *NIX/Linux distros are the "hard" parent.
Remember when you wanted to go out somewhere with some friends of yours and your folks didn't? They did that for your own security and wellbeing. In some cases, you probably had a parent that was easier on you. For example, my dad was the "soft" parent for me. If I asked him something, he'd cautiously say that I could do X as long as I was home before my mom found out. If I asked my Mom, the answer was most positively one of the following:
1. No!
2. Only if you've done everything else you need to do to get some free time.
3. Why would you want to do that? Go do something useful.
So you can guess which parent I asked more often. I asked the parent that gave me what I WANTED, not what I NEEDED.
Microsoft is the "soft" parent. They give the average user what they want without thinking too much about what the implications are. Or they assume that the user will "do the right thing". *NIX/Linux distros are the "hard" parent since they don't (by default) allow the user to do anything they shouldn't be doing. It's a pain in the ass to have to switch over to "root" to take care of some administrative tasks in Linux. Newer distros make it a little easier, but they still throw up the password protection which would annoy an average Windows user to no end. Think of how many times a Windows user complains when they have to remember a password and they can't or they have to write it down somewhere. Windows doesn't do this kind of thing. Instead they thwart security by being the "nice guy" on the surface. I have plenty of friends who got pissed off having to deal with passwords on their boxes and logging out to become administrator. They eventually all asked me to reconfigure them so that they log in as admin by default automatically with no password. I told them what the implications were and they still wanted this. The real problem still comes down to lazy and uneducated users. The PC industry is giving them the keys to Ferraris and nukes even though they aren't qualified to handle them.
I think that eventually it will become necessary to give people what they need with no respect given to what they want. However, it doesn't have to be impossible to deal with from the end user's perspective. I think RedHat's root dialog box when trying to run an administrative command from the GUI is a perfect example of how it can be made slightly easier, but still secure.
Until the average user understands why they SHOULDN'T run as root or Administrator, we are giving them loaded weapons pointed at their heads without telling them how to use them.
Un-news
shared by all who know of a classic MS 'we are sorry'. I thought of this comic when I read "Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about"."
enjoy
You are confusing me with someone who cares.
I kind of feel sorry for Microsoft because they have a security problem which will never go away: end users.
The average home users of Windows simply don't care about security or applying fixes. They open everything they get via e-mail: spam, forwarded jokes and executable attachments. They either have no password on their system or one so simple that a novice could guess it.
MS supplies security fixes but the everyday home users are more concerned with convenience than security.
Do more!!
I've never had any problems when changing a video card under Linux. Under Windows I get all sorts of messes (98). If X Windows crashes (which it does sometimes), it's not the whole system; it is possible to restart X with a few keypresses or a couple of commands. I think I have had Linux crash maybe 3 or 4 times in the past year when I've been using it solidly, and that was because of things like popping in and out PC cards which is not supported with the firewire protocol or not installing my USB devices properly (my laptop is dodgy). I haven't had Windows crash on reading mail under 98, but on XP it did it all the time. Eudora didn't work properly under XP and crashed frequently (maybe it's a conspiracy!). That is mainly why I changed over. I'm not saying that Linux is perfect, but normally when something might not work, at least you are told, i.e. the drivers are experimental. At the moment, everything appears to be working 100%, albeit not as 'easy' as Windows to get everything working; when it is working, it doesn't just randomly give up. I wish I had kept my 'certificate of authenticity' from MS, so I could have sent the license back saying I didn't agree with it, but I'd used it by then anyway. I doubt I would get anything back from them!
Bored? http://www.dodgybloke.co.uk
Most stack buffer overrun problems (Blaster bug, etc.) are possible because the stack is executable. Other systems, such as VMS on Alpha, don't have executable stacks, making this kind of exploit very difficult to do.
At least the problem seems to have been fixed in the x86-64 hardware, but the operating systems need to take advantage of it. See here.
So when will we see M$ take advantage of good simple security features in the hardware instead of trying to invent new fantastic schemes (Palladium)? Why weren't buffer overflow attacks fixed 5-10 years ago? I'm not sure if earlier x86 chips allowed non-executable stacks, but if M$ were serious about security, they could certainly have requested that feature from Intel. It's not rocket science.
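Whether a given binary actually gets a non-executable stack is something a defender can check rather than assume. On Linux the request is recorded in the ELF file's PT_GNU_STACK program header (the GNU_STACK line in `readelf -l` output): if its flags lack the execute bit the loader maps the stack non-executable, and a binary with no such header at all gets the traditional executable stack. The following is an added example (not code from the poster or the page): a small Python parser for that header, with minimal sample ELF images constructed inline so it runs offline. The `build_elf64` helper and the file names are assumptions for the demo.

```python
"""Report whether an ELF binary asks the kernel for an executable stack (added example)."""
import struct
from typing import Optional

PT_GNU_STACK = 0x6474E551   # p_type that carries the requested stack permissions
PF_X, PF_W, PF_R = 1, 2, 4  # p_flags permission bits


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return p_flags of the PT_GNU_STACK header, or None if the image has none."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"           # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 2:                             # ELFCLASS64
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                             # p_flags follows p_type in Elf64_Phdr
    elif ei_class == 1:                           # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                            # p_flags is the 7th word in Elf32_Phdr
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + flags_off + 4 > len(data):
            raise ValueError("program header table is truncated")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, off + flags_off)[0]
    return None


def stack_is_executable(data: bytes) -> bool:
    """True when the binary requests an executable stack.

    Assumption (the traditional Linux/x86 default): a binary with no
    PT_GNU_STACK header at all is treated as wanting an executable stack.
    """
    flags = gnu_stack_flags(data)
    return True if flags is None else bool(flags & PF_X)


def build_elf64(stack_flags: Optional[int]) -> bytes:
    """Construct a minimal little-endian x86-64 ELF image for demonstration.

    It holds only the ELF header and, when stack_flags is given, one
    PT_GNU_STACK program header; it is a constructed sample, not loadable.
    """
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # 64-bit, little-endian, version 1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident,
                         2, 0x3E, 1,        # ET_EXEC, EM_X86_64, EV_CURRENT
                         0, 64, 0, 0,       # e_entry, e_phoff, e_shoff, e_flags
                         64, 56, phnum,     # e_ehsize, e_phentsize, e_phnum
                         64, 0, 0)          # e_shentsize, e_shnum, e_shstrndx
    if phnum == 0:
        return header
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


def check_file(path: str) -> str:
    """Classify a real binary on disk; handy for auditing a directory of executables."""
    with open(path, "rb") as f:
        data = f.read()
    flags = gnu_stack_flags(data)
    if flags is None:
        return "no PT_GNU_STACK header (defaults to executable stack)"
    return "executable stack" if flags & PF_X else "non-executable stack"


if __name__ == "__main__":
    # Constructed samples: a hardened binary and one that demands an executable stack.
    print("RW stack :", stack_is_executable(build_elf64(PF_R | PF_W)))
    print("RWX stack:", stack_is_executable(build_elf64(PF_R | PF_W | PF_X)))
    print("no header:", stack_is_executable(build_elf64(None)))
```

Run `check_file` over the binaries you ship and anything that reports an executable stack deserves a look at the build flags; the hardware bit the post talks about only helps when the binary does not explicitly ask the loader to turn it off.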
John Markoff is the reporter that has essentially harassed Kevin Mitnick via articles. Mitnick essentially says that Markoff bent the truth (or even outright lied) about Mitnick in order to sell more articles, etc. Having watched Operation Takedown, I'm fairly certain Mitnick is right.
I'm giving up the possibility of modding in this topic in order to respond. Hehe, I'm an example for future generations!
-- It is no measure of health to be well adjusted to a profoundly sick society.
Don't you see? Linux really isn't that much of a threat on the desktop at the moment; Microsoft can shoulder this bad press easily without losing customers. They will spin the media into making it look like a really difficult problem that only they can solve, and a problem that requires a big security overhaul - nothing like what has been done before.
Microsoft are going to have a two-pronged attack in selling Longhorn. First, it has updated DirectX (not backwards compatible), updated IE (not backwards compatible), and a 3D rendered desktop (ooh, eye candy). This captures the home market.
Second, it uses the security angle to capture corporate markets and get them to upgrade. It will be touted as "trusted computing" and a huge advertising campaign will be launched to sell it. They will tout things like being able to run programs inside of a jail, running "signed" i.e. trusted programs, having hardware support to offload cryptography calculations and to hold your machine's "private key", etc., etc.
People have such little understanding of computer technology that we will not be able to explain why moving to Longhorn is a dangerous thing. Thus, the world will flock by the millions to the new platform, the lock in will be tighter, and freedom in computing will slip further from our grip.
I like your idea about separating critical updates from feature updates, but there is another problem. Microsoft frequently puts nasty licensing changes on their click-through agreements for updates. You may ignore this, but a business can only do so at their own peril.
"Sorry, we haven't installed the blaster update because we have not yet cleared the EULA with our lawyers..."
While that update may not have something previously unseen in it, we have all seen this in security updates and in media player updates (remember that media player has some arbitrary code exploits that are exposed every now and then... to fix those you need to update media player and 'agree' to their fruity terms).
With the likes of the BSA, software licensing can cause a business a lot of pain. On the other hand, an actual virus/worm can be blamed on evil hackers, avoiding litigation.
Business will update more when it is not a legal liability to do so.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
You're mixing tenses: comparing how secure Linux is to how secure Windows might become. Of course Windows has the potential to become as secure or more secure than Linux; so does any other OS, though of course the amount of work required will vary. If the Linux hackers, GNU hackers, et al spend time improving their security while Microsoft is improving Windows', there's no reason Linux can't stay ahead.
Like applying a 200,000 volt ZAP from the mouse whenever the user clicks on an executable in email or starts to download malware from a website? That's what it would take to make some users learn. I have friends who are repeatedly infested with spyware, popup ad servers, and viruses ... but they have never seen cute cursor software or a game site that they could resist.
Funnily enough, that same tactic works on Windows. Making it worse, Windows doesn't have something like ulimit.
Heck, one copy of I.E. all by itself can make Windows unusable by eating up CPU, memory and GDI objects.
Without consideration, without pity, without shame
they have built great and high walls around me.
And now I sit here and despair.
I think of nothing else: this fate gnaws at my mind;
for I had many things to do outside.
Ah why did I not pay attention when they were building the walls.
But I never heard any noise or sound of builders.
Imperceptibly they shut me from the outside world.
Constantine P. Cavafy (1896)
How is it Bill's fault that users are stupid with regard to e-mail attachments? Is he going to come to people's doors and tell them not to run attachments?
Honestly, jamie, that was a cheap shot that had no basis. As if sendmail hasn't had its share of problems over the years. Imagine if it had the marketshare Windows has.
"Sufferin' succotash."
If this were an interview with Linus Torvalds, and Linux had the marketshare Windows does, you all would be blaming people who didn't patch their programs and fix their holes.
But it's Microsoft Windows, so absolutely everything they do is wrong by default. The bias is sickening. At least be rational and level-headed about it.
Give Linux the marketshare Windows has and we'll see how many vulnerabilities crop up.
"Sufferin' succotash."
Not good enough. You had your chance. I switched to linux.
1. The holes in the OS, even if minor, tend to have roots and fingers that stretch out and affect a good deal of the OS. Other posts in this article have more comments on that.
2. Windows Culture. Now, I hate this word, so I'm being a tad bit facetious; see, for example, that NASA needs to fix its 'culture', an amorphous idea at best, IMHO. In any case, here I would argue that it is the culture of Windows to default to automation. Outlook defaults to launching many attachments in the viewer automatically. Attach a picture, and voila! Attach something that says it's a picture but does something malicious instead: voila, opt-out worm spreading. The 'culture' doesn't opt out.
Most likely the #1 Unfunny Meta/Moderator on
Alexandre http://enkerli.wordpress.com/
If you have ever been to one of their "Tech" sessions about one of their products, they tell you "have your clients purchase our products so you can bill more time".
Microsoft where "make work" is the goal, and job security is the outcome.
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
When I built this computer and installed Windows XP (necessary for some video editing/authoring software I run), I had to bring XP up to date with patches. The total was over 40 MB! I am using a cable modem, but most people aren't. At my pre-broadband speed, a 40 MB download would have taken between 6 and 7 hours. Most people will not let their computer tie up the phone line for that length of time. So, the patches go unused. Considering the cost of XP (and the other MS OSes), shouldn't Microsoft send you a disk or, at the very least, only sell up-to-date versions? What you buy in the store is not what Microsoft considers to be up to date.
But, really, his point is that Windows has more potential for security if they go through the four steps he listed. His question was, can Linux really do likewise?
People pay for a secure, stable, easy-to-use OS; not whatever he calls "his best."
This is a legitimate question, flamers will just be proving my point.
Sorry, it doesn't work like that, chucklehead.
I have more Mac and Linux equipment then MS...
/. minded people of the world crying foul to forced updating which reduces their perceived security/privacy. Heck I think w/ XP they already download all updates to your PC as available and pop up little bubbles every 30 seconds telling you to install them!
But Bill is not a bad guy, and I think that comment in the headline (if accurate) is excellent.
The other theme I saw in this thread is that it's not MS' fault that IT depts worldwide did not install a patch that had been available for more than a month. I mean come on! As someone else said, it could easily happen to anyone. There are plenty of holes in all software, and as soon as they're patched, that's exactly when people start to work on exploiting them the hardest.
If anything they should be pushing their MSCSE folks hard on the importance of applying patches to systems within days/weeks of release rather than months.
They can't really make it any "easier" to install patches w/o the
Are you kidding Billy? Just the other day I had a system with XP professional, fully updated, and I tried to run chkdsk on one of the partitions that was having issues.
I received an "Integer attempt to divide by zero" error message; that is something I, as a programmer, would get fired for if it happened in my code! ChkDsk is supposed to be a core tool!
...except the credibility that they actually will do it, instead of talking about it.
Linux/GNU is dependent on developers checking their own code and the results will vary, and experience will not be institutionalized.
Really? In my experience, there are quite a few people that "check out" the code without actually developing it. Not to mention people testing out automatic error detection systems; I know Linux has been getting good help from research in that area.
Can someone please explain why after these changes Linux is somehow intrinsically better than Windows has the potential to become in terms of security?
You speak as if they've already happened. Of course Windows could simply copy everything Linux has done; there's no magic to it. That aside, I don't think it will. Primarily because it doesn't sell as well and because security is sometimes inconvenient. Windows has been building their market share on those new to using computers, and more are still joining. But I don't think Microsoft can hold on to being both that and the professional OS.
Around Windows 2000, I really thought they could. It was stable, clean and professional, and in general vastly superior to the Linux distros of its time. After WinXP, the "plastic" theme and setting up all the users as administrators in the *professional* version, I don't believe that at all anymore. I think you should ask the reverse: what is it Windows can do that Linux doesn't have the potential of doing better, not to mention cheaper (free) and with greater flexibility (access to source code)? I certainly haven't been impressed with the "improvements" I've seen lately...
Kjella
Live today, because you never know what tomorrow brings
I'm sure he does...but, fuck him.
eweek articles
The exploit was known and used in the black hat community for nearly half a year before it was patched. It was such an easy one to exploit, too... Oh well. There are plenty more where that came from, and it's often months to a year before the white hats learn of and report them like good little lapdogs.
Wait. So, you're saying that since Windows is the underdog for security issues, it has no choice but to come out victorious?
It's funny but quite sad at the same time.
Best quote:
Best part is they put this 6-foot-4-inch, 320-pound fellow under home detention. From what I can tell, doesn't sound like young Jeffrey Lee Parson got out much in the first place.
Help fight continental drift.
...which was Blaster's exploit.
RPCs are remote procedure calls; they're technically IPCs, but they're over a network connection to a remote machine in most cases. DCOM would be an example. DCE RPC would be another, which is associated with Exchange servers and clients. Sockets would be yet another one.
All of which are used on MS products extensively.
IPC is difficult to exploit- but not impossible.
RPC is a lot easier to exploit- after all, that is how most exploits happen, it's through an RPC or communications channel over the network to a server of some sort.
It's debatable whether or not you need RPC on a desktop machine - higher risks. Most of the time, you install an RPC system on selected machines that need it, and those machines are usually behind a firewall. Fortunately, most CORBA ORBs are designed with security in mind, so they're at less risk than most of the Microsoft product offerings. This doesn't, however, mean I'm 100% happy with the use of CORBA in GNOME, because it still presents a risk that could have otherwise been avoided by way of rolling an IPC or reusing one that was available at the time they chose CORBA.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
The Linux I run on my computers today works a lot better than any combination of wishful thinking and promissory notes about future Microsoft products.
Windows' so-called potential for improvement is so large because it's so far behind. In any race, the smart money's on the consistent leaders, not on the lame duck with "great potential".
Sure, I'd be happy to explain after those changes actually happen. Until then, I'd be trying to compare actual working software with vapour. And that would be silly.
Are you a security expert? I'm not. However, I did attend a security lecture by security experts where Unix (in general) was compared to Windows (in general) and the conclusion was that Unix (in general) was far more secure than Windows (in general). Why? The DLL model is insecure. The registry model is insecure. The user groups (Admin vs. Local) are insecure. By default, Windows still encourages the initial user to have Admin privileges, and by default Unix does not. As someone who runs Linux, my "user" account has normal privileges and I use "su" and "sudo" for those times I need admin privileges. Windows doesn't even have "su" or "sudo" capabilities. You have to log out and log back in? Most reasonable people grow tired of this in no short order and make themselves Admin. In UNIX, I find su and sudo very reasonable to work with and have never made my user the root equivalent. The list of *fundamental* differences went on and on. Never once during the lecture was a distinction between various *nix flavors and Windows flavors made. Bottom line? Unix was designed from the get-go with security in mind. Windows is patching a fundamentally insecure system.
I believe it was Dogbert who said (to Dilbert): "But you and I don't have any children, so we're borrowing it from complete strangers. We can just use it up and leave a smoldering wasteland behind."
For those who are completely ignorant of computer security and never update their systems, they are akin to someone buying a power tool, not knowing how to use it, then trying to sue when they lop off a body part. You don't blame the manufacturer for those problems, you chalk it up to natural selection.
For those who are a bit more knowledgeable, there is the issue of trust. After having used Microsoft's products for roughly 2 decades (since MS-DOS), I feel I can't trust them to do something right anymore.
I know of people who got burned by the auto-update feature and their system was rendered unusable until they either restored or went into safemode to undo whatever "fix" was applied. Granted this is better than the "good old days" when a patch might require a clean re-install. Lots of good weekends gone to waste because of MS's "fixes".
Just this past week, I installed an update and suddenly I couldn't make backups of my system because Autoupdate dinked with the drive access DLLs. Thankfully, this only required the re-installation of the backup software to restore the DLLs to a working condition, but at what cost to the other parts of the system?
I have auto-update's download feature enabled, but I review the updates before installing them. I didn't get hit by the worm since I patched my system almost immediately after the fix came out.
The problem can't be completely attributed to users or to the producer of the software. But when the design of the software is so buggy that after literally tens of thousands of fixes, it is still riddled with security holes, you have to wonder if they are truly serious about security and about delivering a quality product to the end-user or if they are trying to do just enough.
It is understandable that MS is saying that they are doing the best that they can. That is all well and fine. But there is such a thing as their best not being good enough. Especially when there is so much slack to be made up for.
There is also the issue that this "got to be secure" attitude is recent. If it hadn't been for Linux arising quickly in the server and business markets both domestically and globally, and if it hadn't been for the recent DOD government contract renewal, do you think MS would be so hot to trot to respond to problems like this?
Having watched and used MS's products for as long as I have, my personal opinion is that they've got a long way to go still and they aren't breaking even.
Winged Power Photography
> Every MS virus, worm, and whatnot does not cause BILLIONS in lost dollars. There are I am sure some cases of actual lost real money, but if they totalled billions I'd be surprised.
So be surprised.
Here are some virus costs from Wired:
Nimda -- $635 million
Code Red -- $2.62 billion
SirCam -- $1.15 billion
Love Bug -- $8.75 billion
While we're looking at statistics, here's another...
According to CERT, the number of reported security incidents grew, starting in 1988, until they hovered at just over two thousand incidents per year from 1994 to 1997.
But then in 1998, the number of incidents started to explode:
1998 -- 3,734
1999 -- 9,859
2000 -- 21,756
2001 -- 52,658
2002 -- 82,094
2003 -- 76,404 (so far)
So what happened in 1998?
Microsoft introduced embedded e-mail scripting in Outlook Express!
Even an idiot could have predicted the consequences.
But why would Microsoft do something that was so clearly incompetent and irresponsible?
The answer can be found in another event that occurred in 1998, namely, the leaked release of the Halloween document. That internal Microsoft document described a strategy for fighting Open Source, as follows:
> OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.
So there you have it. The embedded scripting in Outlook Express is just one part of a general Microsoft strategy to decommoditize (i.e. break) Internet protocols.
In other words, these viruses and worms, which are costing us $billions, are just a side effect of MICROSOFT'S EXTENDED DENIAL OF SERVICE ATTACK ON OPEN SOURCE USERS.
If Jeffrey Parson might be going to jail for his denial of service attack (modifying the DDOS Blaster worm), then why not the president of Microsoft?
Between connecting to the Internet and receiving the patches, many machines were infected. Why do even new machines ship with software that has known inadequacies?
Sure, MS has announced the idea of cooperating with 3rd-party IM companies, but what about cooperating with 3rd-party Exchange clients? What about cooperating with other network file systems like Samba?
As for leaving systems to be automatically updated, that would be good if the updates didn't break things. This isn't always the case. It is one thing if only professionals had to check out updates before applying them across the enterprise. They have the resources and spare machines. A home user doesn't, but it may still break the user's applications.
See my journal, I write things there
Thank you. That was exactly the intelligent response I was looking for to my original post. It would be nice if someone could hang some flesh on the points you raise. Why is the registry model less secure than whatever its Unix counterpart is (xinit.d?) and why is a .dll less secure than a shared library or run-time linking in Java? As for a lack of sudo, this can easily be handled as Apple does with their security framework and dialog boxes to momentarily elevate to root privileges.
Some drink at the fountain of knowledge. Others just gargle.
Any classic villain bent on world domination needs a long-haired white Persian cat, which he can then stroke whilst cackling in a manic way. The top hat is optional though.
If it's so secure, then why is it that right now, my entire team is in a panic because our (pr0n) webserver is being overrun by script kiddies sharing dvd rips and our #1 feature is going to be on national TV tomorrow for an hour-long biography and we don't even know what might happen to our box.
Well I guess that last line said it all. We're moving from Win2k to Linux because we're tired of the endless backdoors, trojans and whatnot. It doesn't matter how soon or often you patch, the bastards still find ways to break in. Game over Microsoft.
-Billco, Fnarg.com
I see your point, but one might also expect it to be moot. That is, if MS were to separate security patches from feature updates, one might expect that a defining characteristic of a "security patch" that did not add features is that it would not alter the original EULA. Whether MS could resist forcing you into a new onerous EULA to get the patch is another matter. But conceivably they should be able to not require EULAs for security updates, since the original program capability is not actually changing.
A recent Microsoft security patch caused more problems than it fixed.
So how do we distinguish the good Microsoft patches from the bad ones?
Most of the security problems in Microsoft software are caused by bad design. Plus, Microsoft's integrated approach to everything -- designed to make things difficult for Netscape, Java, RealMedia, and other competitors -- has made Microsoft's software almost unmanageable, which is why their updates so often introduce a new problem.
I finally got fed up, and chose the easy solution. I don't run any Microsoft software.
Apparently your security experts knew more about Unix than Windows.
Are Unix shared libraries insecure? Why are Windows DLLs insecure when their Unix counterpart isn't? The one issue I'm aware of regarding this is the current directory being searched before system directories; that was fixed in XP SP1 & W2k3.
Why is the registry insecure? The registry is fully ACLed, so every key can have its own set of permissions. You can specify read, write, or special permissions. And you can specify users, groups, etc. This is a much greater form of flexibility w.r.t. configuration & security than Unix offers (where every setting is either editable for a program, or not).
The user groups are insecure? I don't even know what you're talking about. Unix has groups too, but Windows in general offers much greater flexibility in permissions for users and groups because it uses ACLs, rather than just having rwx bits you can flip for 3 categories.
Windows does not encourage the user to have admin privileges by default. Windows XP asks you to create a new user account. By default this account does not have admin privileges.
Windows does have su/sudo capabilities. From the command line there is a "RUNAS" command, from the start menu you can right click for the context menu and select "Run As". Gee, was that so hard? And if that IS too hard, Windows offers fast user switching, so you don't have to logout and log back in.
I'm sure the list of fundamental differences did go on and on. Unfortunately the reality is that Windows has a much more robust security API. It supports a wide range of settings. The unfortunate fact is that people are mostly oblivious to this (as you are), and many (non-Microsoft and non-Microsoft logoed) apps don't work well without permissions. Those are all bugs in the programs. And finally, of course Windows does have bugs, just like Unix does, and those result in the occasional vulnerability. But mainly Windows has lots of stupid users who open attachments (and any recent version of Outlook has blocked attachments for years). Not to mention the number of 18-year-olds who would like to see Microsoft burn in hell who write viruses.
Finally, I'd like to address the "Unix was designed from the get-go with security in mind. Windows is patching a fundamentally insecure system." Unix passwords were originally stored in plaintext. Originally users just didn't use them. Don't believe me? Ask Bob Morris, he improved the situation.
The fact of the matter is that Unix was NOT designed with security in mind. Certainly security was added, and more recent implementations (Linux & the BSDs) were designed with that security model in mind. But Unix's security system was developed ad-hoc.
What about Windows? Windows NT was designed with security in mind. Everything I've described here are security concepts baked into the core of Windows NT. But it goes much further than that. Let me just give you one example: security attributes can be attached to a thread when you create it.
So I've just described SOME of the security features Windows has built in. And I've countered every example of poor Windows security you've cited.
So the bottom line is this: Windows has vulnerabilities. Unix has vulnerabilities. More people release viruses for Windows than Unix.
Yes, the quote is decontexted, but it just sounds so silly. "We feel very bad."
This sig no verb.
We should all sue M$ for the damages it has done making a faulty OS that has brought financial losses to our business.
You might want to tell the Security Experts that there is a sudo equivalent in Win2K/XP Windows Run As
And that's the best that Bill Gates' company can do? These are people with a multi-million dollar budget who have enough left over to fend off lawsuits from the government and they're doing their best? Give me a break! I don't want to pay to be treated like an imbecile.
I can see it now... "Yes, solve all of your virus, worm, and security problems! Just switch everything to Windows 2003 (supported for, perhaps, a couple of years, then you'll have to upgrade again, of course, for a modest fee, of course...) or, if your organization requires Unix capabilities, may we recommend SCO, at only $699 per CPU (supported for, perhaps, a couple of years, then you'll have to upgrade again, of course, for a modest fee, of course...)"
Just below Bill's quote "that's all we can do" I got a Linux.com advertising!
Got Pike?
The biggest problem with windows update is that it doesn't include any sort of "Criticality" level that indicates what should be applied, and what shouldn't. The hotfix for the blaster worm was rated just as high as an upgrade to MediaPlayer 9. Until Microsoft releases some sort of control for the sys-admins over what updates are applied, no network admin in the WORLD is going to allow windows update to run automatically. What happens if someone cracks the windows update site and manages to upload a signed trojan? Congratulations, he has now successfully 0Wnzored more boxes than anyone else on the planet.
And let's not even mention some of the "Updates" that microsoft has put out. Or the hot fixes that you have to de-install to install service packs, or any of the other muck-ups that they've managed to pull off...
As my subject line indicates, access is a different concept than ownership. Any beginning Learning Unix text will illustrate the differences and basic administrative control. If (hard to believe) you are running a unix-like system, try the following commands "man chown" "man chgrp" "man chmod" and you can research what it all means.
Think Linux is stable? Well, you're wrong! Copy and paste (that's if X's crappy mechanism lets you) this into your nearest xterm and watch the fun!
Why in hell would I deliberately crash my own machine? Why don't you connect to my machine over the internet and crash it for me?
> When auto-update stops trying to patch apps I don't use or want installed maybe I'll consider enabling it.
I know what you mean. I started avoiding Microsoft updates years ago, when an update grabbed control of my .mp3 and .html extensions away from Winamp and Netscape, and gave them back to Windows Media Player and IE.
Since I ran Netscape instead of IE and Outlook, and I didn't download Word documents from the Net, the only security updates I had to worry about were those that affected Windows itself. The other updates were just a waste of my time, and an _increased_ security risk that I didn't have to take.
And let's not forget the updates that come with new and "improved" EULAs that give Microsoft expanded rights over your system.
But it's no longer a problem for me, because I now run Debian Gnu/Linux, which respects my configuration choices when software updates are applied.
But that's not the end of the story. Just yesterday, my friend brought over his new Windows laptop so we could try playing a DVD in it. When he first got the laptop, a week earlier, we immediately installed Mozilla, and deactivated a number of Windows features (such as Instant Messaging). But when we put in the DVD, it wouldn't play -- not until we first completed the installation of Internet Explorer!
So, as part of Microsoft's ongoing war against Netscape, their DVD player requires IE (with its 22 unpatched security holes). That's just one more reason why I don't use Windows.
Can someone please explain why after these changes Linux is somehow intrinsically better than Windows has the potential to become in terms of security?
Linux services and daemons run as their own user, and as such are limited to accessing only the resources they need. Hence, if a buffer is exploited on a service, that exploit would cause very limited damage.
Also, the file system is set up so that you can specify which users and groups can read, write and execute. Permissions on the NTFS file system are not quite as thorough as ext2. If you can read an .exe file in Windows, you can run it. In Linux, you need to explicitly be given permission to run a file.
Also, an admin concerned about security can make their Linux box more secure through modifications (no ssh as root directly, not running unnecessary services, etc.).
Can someone please explain why after these changes Linux is somehow intrinsically better than Windows has the potential to become in terms of security?
Sure, the architecture is screwed. This guy says it better than I could.
www.lucernesys.com Horizon: Calendar-based personal finance
And people think the only reason Windows gets more viruses than everyone else is because it's more insecure... Slashdot amazes me.
Not the OS. Microsoft didn't "bundle the insecure browser into the OS".
The problem is that most Windows machines are set up to grant the user full admin privileges. If you turn this off, Windows Explorer is no less a threat than Netscape.
It's a decision by the people who use and install the machine. It isn't a fault in Windows.
[..] all of those will be able to access the outside world and pull in information and throw it out there too without you ever knowing because those 4 ports are open.
Figure your shit out Redmond, please (by Redmond I mean Microsoft, not Nintendo America).
Actually, Nintendo's Gamecube ships with 4 ports open, so technically, they need to get their shit together as well.
... only means there's more time for The Next Worm to get in.
This is the sense in which you're being told that the entire system (OS and all the apps -- "non-logoed", if you wish, but they are what keep the users on the platform) was built without security in mind.
Timeo idiotikOS et dona ferentes
It's very interesting that some suggest that Microsoft have done all they need to do in announcing fixes.
Have you ever tried to run Windows Update over a dial-up modem?
Just how many WindWoes users "out there" only have access to dial-up Internet?
These worms will be around for a very long time simply because not everyone has the luxury of high-speed network connections.
Perhaps some more testing is needed before releasing buggy software?
I can attest to universities having problems. I'm currently at the University of Wisconsin, @ Madison, reading /. in a public computer lab, because my dorm room ethernet connection isn't working. Why? Because the network servers are clogged up with junk. Some of them are down completely, and even in the public computer lab I'm in, net connections are iffy. The computer next to mine isn't connecting to the net at all. Estimated time to fix this? Tuesday at best. Why? Because of Labor day weekend, the techies are all gone.
If anyone has some connections with UW staff, tell them to call me so I can help. I'm a fully qualified techie guy too, just that I don't know anything about UW servers and what they run.
name one WinXP exploit that would've been cured by a Linux kernel...
the exploits are all in the other services that are built on top of the kernel.
Please mod up this post and the grandparent post that started this thread. They're the only ones that provide useful information to dispute Linux fan-boy knee-jerk responses.
What always bothers me about the MS people is that they are very vague in what their achievements are. Gates now says that they worked very hard and they do their best, but doesn't give any examples that we can use to verify his claims. That makes this interview rather useless.
-- Cheers!
Get a list of all e-mail addresses to as many individuals with MS, Symantec, and all the other computer security outfits spawned by Gates. Include these in your address book and nothing else. Run an old unpatched MS Office, IE and Outlook Express, and get everybody that is pissed at MS security to do this worldwide. Then do not run a firewall or virus scan. Now if everybody just let address-book-based garbage run wild and target the people who profit from garbage ware and security patching, Gates might get the picture. Sometimes a little revolution is a good thing!
OH THE SHAME I fell off the wagon and use sigs again!
> With those EULAS and companies/users accepting them with or without reading they have nothing to get afraid from.
This is not entirely true. Actually I, as well as a few other people, apparently, wrote to the Consumer ombudsman's office in Finland a while back (a year or more.) I just recently received a letter from said office indicating that they had sent Microsoft Finland an 'inquiry' about the EULAs in their products (presumably because they're too constrictive in the view of current laws), as well as what I understood a strong hidden message of 'you might want to reconsider this.' So there's some progress -write your consumer rights protection agency!
(If you're from the US, first write to your Congressman in order to *get* a consumer rights protection agency.)
Marxist evolution is just N generations away!
..then I'd absolutely love to see your average user and admin using Linux across the board.
I can't get viruses or hackers because I run Lie-nucks. What? Patch? No I still smoke. KerWHAT? We had popcorn yesterday...
Not all admins patch boxes. Those that do don't get hit like this, regardless of if they are running Linux / BSD / Solaris / OSX.
If everyone ran Linux then we would see a lot of malware targeted at Linux. If everyone ran OSX then we would see a lot of malware targeted at OSX.
Etc. etc. rpt ad infinitum.
According to the book "The Software Conspiracy" (available in .pdf format- a Google search will find it), the reason 20-odd soldiers were killed in that barracks from a Scud attack during the first Gulf War was that the Patriot missile battery that was supposed to defend the area had a MS Windows operating system. The OS locked up and the Patriots didn't work, and the Scud hit the barracks and killed the soldiers. Score another for Microsoft reliability.
I know a cardiologist in FL who has 4 heart-attack patients who blame their attacks on the same new car- a BMW 745 Li. But that's a great ride, you might think, recalling the BMW ads. Well, the 745 Li has 70-odd microprocessors that control most of the functionality of that car, including the engine. Guess what OS these processors run? A modified version of MS Windows CE. There have been 2 major OS software upgrades for the vehicle since its release, and the problems keep occurring.
Would you like it if your car's computer-controlled engine lost power every time you went into a turn? Might possibly be life-threatening. When is someone going to call Gates-Ballmer and company on nonsense like this?
Yeah, but doesn't the EULA forbid us from doing this??? What a situation.....
I'm a windows user. I apply all the patches as soon as they become available. I've never had a worm or virus on my system, ever.
Now if only someone could explain to Joe Sixpack what a "patch" is, and tell him to never open executables that come in the mail, script kiddies would be out of business.
If they do all this, and it sounds like they will, then it would seem that Windows will soar past Linux in security. Because Microsoft controls the entirety of their "distro" they will be able to have a robust patching mechanism that GNU/Linux with its highly custom configs won't be able to do (robustly at least). Moreover MS is moving towards an institutionalized formal system for checking every line of code for common security errors like buffer overflows. Linux/GNU is dependent on developers checking their own code and the results will vary, and experience will not be institutionalized.
I think you've got that backwards. M$ only has control over whatever comes on the CD (and maybe M$ produced apps). Running Windows Update doesn't update Realplayer, Netscape, WordPerfect etc but it often does find ways of breaking third party apps. With most Linux distros the distro maker has control over the core Linux stuff and most of the extras (Mozilla, Koffice, etc) the user is likely to use as well. When I run apt-get upgrade virtually every app. on my system is upgraded and the Debian folks have taken care to make sure the new versions all work well together.
Windows XP crashed :(
Why doesn't MS ship Windows with all services turned off and all ports blocked? If any app needs to open a port it should bring up a pop-up window where it explains what port number it's opening and how to close the port later. Seems that would take care of a lot of these problems.
I drank what? -- Socrates
If you can read an .exe file in Windows, you can run it. In Linux, you need to explicitly be given permision to run a file.
The same thing is true in linux -- it just takes more work. If you can read a file, you can make a copy of it. If you have a copy of it, you can modify the permissions. If you can modify the permissions, you can execute it.
Alternatively, you can write a script that will load in the file and execute it.
Don't confuse "hard to use" with "security."
How long before the Auto Update is exploited and chaos runs amok in yet another direction? Oh yeah, we'll lock up another 18 year old and everyone will sleep better. Never mind. Silly thought.
sig mind freed
There is a huge reason why the IT Community turns off windows update. Windows update, newer versions of software, all can cause unforeseen effects and change the 'gold disk' standard most IT depts. strive for. How do you isolate and prevent problems on untested environments?
A perfect example is PDM. PDM is a document tracking web-based enterprise app. It runs on 5.5 and 5.0 of IE, but will not run on 6. Under a lot of configs, newer software might not work with older software. If we let users automatically update IE and Win2k and all that, we could be creating new incompatibilities that would bring down a lot of resources.
What every IT dept needs is a good core of individuals who test software configurations, and a reliable delivery method once the software is confirmed compatible. I've found that SMS by Microsoft is NOT reliable. A lot of IT depts have a KLUDGE of logon scripts, SMS packages, and various other hacks. What is needed is a unified system of delivery.
Reason, free market capitalism, and individualism
Truthfully, if Microsoft really cared about security then they would have introduced a Journalling file system with ACLs and proper usable non-admin access across all of their retail OS since Windows 98 or at least 98SE.
Will MS choose the route of the car manufacturers and their record on safety or cigarette manufacturers and their record ?
So far MS is down the cigarette route of sweeping the problems under the table. NTFS is a great file system but obviously the more intelligent marketing people in MS think that it's a BUSINESS thing when in fact it's needed as a minimum for any school or retail customer who doesn't have the support people to fix their PCs from simple disk problems.
Windows 95 was a great leap forward but in the 3 years until Win98 they had a chance to help secure their OS but deliberately chose not to do this.
So Windows 98 had poor package management (think MSI), no journalling and no ACLs so simple end users still end up screwing their systems.
Windows 98SE again no packaging, No NTFS/no ACLs, Windows ME again No NTFS/No ACLs....
Now Windows XP (home) has NTFS, and packaging with rollback, but as others have commented on it basically forces you into using a superuser style account all the time. WinXP-Home is even more of a joke as you can't even set up security to manage share access for your files. So we're still like the cigarette suppliers selling "low tar" and "patches" with warnings on the box.
The reason Unix/Linux works well is the fact that a lot of useful stuff can be done as a user account without having to jump into root.
Until Microsoft train both themselves and end-users into a more Unix mentality of non-root versus root, then no matter how secure their OS is, their product will be the cause of much heartache.
Just like the car manufacturers finally did an about-face and now sell cars for their safety, Microsoft need to do this too. Many still die, but you can't always solve end-user issues. All we retail users want is an OS that has the capability to protect. Unix/Linux gives you that capability but retail Windows doesn't yet.
I sometimes set up Linux servers on Windoze networks, so have discovered a few fun things to do to really torque off WinDope sysadmins, MCSE and non-MCSE alike.
First, it is absolutely essential to disable the Linux GUI on any Linux server installed on a M$ network. Not having a GUI to work on really blows a WinDope's mind. If the sysadmin WinDope is a real tool, this could be as simple as changing permissions on startx. Make it easy on yourself if you ever need to use the GUI. If he has some smarts, make it so certain components have to be installed and configured before the GUI can be started.
Never give a WinDope an easy break. If you can kick off an essential script at startup, don't do it- leave it in whatever directory nestled deeply from root, and make the WinDope type it in (you can also neglect to tell the WinDope that he can enter the directory/script all in one string- make him cd to each directory first) to start it. This works to mind-f*ck 95% of WinDope sysadmins.
If there is an admin task the WinDope wants to do, never show him how to use Suse or Redhat's admin tools. Make him do it from the command line.
These simple little steps will really convince the WinDope that the Linux world is out to get him. It will also stop him from doing dopey things like zapping crontabs because he thinks they are "using too much memory." Just remember- if you understand how your Linux system works, you have it all over the WinDope, who usually approaches his system from the "put this number in that box and that number in this box and click okay and you're connected to the internet."
And if you want to keep those consulting fees coming in, tell him all the things that Linux can do- like sharing windows filesystems with Samba. Most WinDopes will want to set this up themselves- let'em get started by showing them how to install Samba, and they will call a day or 2 later with "questions" about config files, or maybe asking if they could take you out to lunch to discuss a few "issues". That's when you can latch on to the billable hours. Another great way to generate billable hours is fixing crashed Linux systems- ever notice how many WinDopes can't even fix their own crashed Windoze systems themselves?
That's a perfectly legitimate question. Linux will still be able to hold its own, however. iptables is a very solid foundation, considerably more mature than icf, and a lot more open from an sdk standpoint. It's not that hard for someone to build a powerful remote firewall management system using apache, cgis, freeswan, and iptables that fits the security needs of their enterprise, for example, and it's pretty hard to do it with windows. If you want to use windows security, you've got to accept it at face value.
Perhaps the area in which Microsoft will consistently be unable to come anywhere near Linux in terms of security, however, will be in response time. From acknowledgement of a problem in the first place to fast release of a patch, Microsoft has shown time and time again that it simply isn't anywhere near as fast as Linux. Linux's security problem and acknowledgement mechanism is distributed. Microsoft's isn't. A single point won't be able to beat distributed, no matter how hard it tries.
You are right. But if you want people to be able to execute it, but not copy it, you use -rwx--x--x.
If you don't want people to execute it, just don't give them read or execute permissions. Sometimes you just want people to write to a file, and not be able to read or execute it. This is useful on a web server.
Please, people, you can't blame Microsoft for SoBig.
You have to MANUALLY (no MIME exploits, no nothing) execute a file YOU HAVEN'T ASKED FOR AND YOU DON'T KNOW WHAT IT IS!!
Jeez, only fucking idiots would get hit by SoBig.
SoBig happened to target Windows systems only. But nothing would prevent me from writing a totally identical version, which would do exactly the same thing, on a Linux system. Or BSD, or Solaris.
Don't blame the operating system here. People who execute unknown files, particularly unrequested files received by mail, should be hung by the balls from the nearest telephone pole.
Obligatory Funny Yet Extremely Relevant UserFriendly Link
This quote, in response to a question about the public's perception of MS products security tells me that Gates is living on a different planet from the one I inhabit.
"A. Microsoft's reputation for doing great software research is very strong, and people are looking to us now and saying, "no other software company has solved this; you, Microsoft, need to solve it." We're rising to that challenge. The expectation they have of us is very high."
I know very few people, especially those who are forced to use MS products on a daily basis, who have high expectations for that software; unless waiting for the daily crash or other fsck-up can be called an expectation.
Just my $.02,
Ron
Impeach Barack Obama for violating the Constitutional requirement to be a "natural born" citizen to hold the office of P
...says a lot about folks with billions in the bank:)
_____ "If liberty means anything at all, it means the right to tell people what they do not want to hear." -- Orwell
when I can stop laughing my ass off.
At that point I would like to post a comment...
I look at it this way. MS spent 800 man years (not hours) looking for security flaws and fixing security flaws in Windows (source: CPU magazine 2001), so that gives them an 800 year advantage over any other single person.
Windows is built on a 25 year legacy of poorly secured code and Gates reckons it's all OK? Obviously he's talking out of the same arse as Darl McBride.
Hmmmmmm..... Deep fried and look like Squirrel.
You are right. But if you want people to be able to execute it, but not copy it, you use -rwx--x--x.
Great, but that doesn't change the fact that if you have a file that people have read access to, but not execute access, that simply copying the file and setting some permissions gives them a way to execute the file. The fact that the user has read access to a file gives them the ability to run it.
Being able to disable reading while retaining execute permissions on a file has no "security" benefit that I can see, unless security through obscurity is your goal...or your security model requires a "trusted" client app (neither of which are good security models).
If you don't want people to execute it, just don't give them read or execute permissions. Sometimes you just want people to write to a file, and not be able to read or execute it. This is useful on a web server.
Same thing can be done on WinNT. This isn't an area that Linux is superior to NT in. In fact, as far as flexibility of file permissions goes, NT wins hands down.
Unix has the concept of owner permissions, group permissions, and "anybody" permission levels. Root is granted all privileges. You are able to control execute, read, and write access. That's it (except for maybe the superuser flag, but hopefully nobody is dumb enough to use that anymore...).
The NT access model allows different access settings for the owner, multiple groups, multiple users, and "anybody". You are able to control read, write, execute, delete, permissions control, and ownership. Each of these flags can be set via "Special Access" permissions, or a selection of these attributes can be chosen from the default selection of no access, read, change, or full control. And you can have a unique set of permissions for each user in the access list. Depending on the permissions you set, an administrator may not have access to a file.
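The read-versus-execute argument above is easy to check empirically. The script below is an added example, not code posted in this thread; it assumes a Linux-like box with a compiled /bin/true or /usr/bin/true, a temp directory that is not mounted noexec, and a non-root user (root ignores the r/w bits entirely, and a file's owner can always chmod it back, so these bits only ever constrain other users). It shows that r without x stops nobody (copy, chmod, run), that --x alone keeps a native binary runnable but uncopyable, that the same trick fails for a #! script because the interpreter has to read it, and that a write-only file works as a drop box.

```shell
#!/bin/bash
# Added example, not from the thread: what the r and x bits actually enforce.
# Assumptions: Linux-like system with a compiled /bin/true or /usr/bin/true,
# a writable temp dir not mounted noexec, and a non-root user. We toggle the
# owner bits on our own files; the "other" bits behave the same way for a
# non-owner user, while root ignores r/w bits (it still needs some x bit set).
set -u

WORK=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXX")
trap 'rm -rf "$WORK"' EXIT

# Constructed sample targets: a #! script that exits 42, and a copy of a real binary.
printf '#!/bin/sh\nexit 42\n' > "$WORK/script.sh"
for c in /bin/true /usr/bin/true; do
    [ -x "$c" ] && cp "$c" "$WORK/true.bin" && break
done

# Succeeds only if "$1" really ran, i.e. exited with the status "$2" we expect.
ran_with() { "$1" >/dev/null 2>&1; [ "$?" -eq "$2" ]; }

# Tries a direct run, then copy + chmod 700 + run, and reports both outcomes
# on one line, e.g. "direct=denied copy=ran".   $1 = file, $2 = expected status
probe() {
    local direct=denied copy=denied
    ran_with "$1" "$2" && direct=ran
    if cp "$1" "$WORK/mycopy" 2>/dev/null; then
        chmod 0700 "$WORK/mycopy"
        ran_with "$WORK/mycopy" "$2" && copy=ran
    fi
    rm -f "$WORK/mycopy"
    printf 'direct=%s copy=%s\n' "$direct" "$copy"
}

# Case 1: readable, not executable. The kernel refuses to exec it, but anyone
# who can read it can make an executable copy, so r without x protects nothing.
readable_only()   { chmod 0400 "$WORK/script.sh"; probe "$WORK/script.sh" 42; }

# Case 2: execute-only native binary (the --x--x half of -rwx--x--x).
# It runs, and a non-root user cannot copy it because open() for reading needs r.
execonly_binary() { chmod 0100 "$WORK/true.bin"; probe "$WORK/true.bin" 0; }

# Case 3: execute-only #! script. The kernel happily execs /bin/sh, which then
# has to open the script to read it and fails. "Run but don't copy" therefore
# only works for native executables, never for scripts.
execonly_script() { chmod 0100 "$WORK/script.sh"; probe "$WORK/script.sh" 42; }

# Case 4: write-only drop box (the web-server use mentioned in the thread):
# appending works, reading back does not.
writeonly_dropbox() {
    local box="$WORK/dropbox" w=denied r=denied
    : > "$box"; chmod 0200 "$box"
    echo "upload" >> "$box" 2>/dev/null && w=ok
    cat "$box" >/dev/null 2>&1 && r=ok
    printf 'write=%s read=%s\n' "$w" "$r"
}

main() {
    echo "readable only (0400):      $(readable_only)"
    echo "exec-only binary (0100):   $(execonly_binary)"
    echo "exec-only script (0100):   $(execonly_script)"
    echo "write-only dropbox (0200): $(writeonly_dropbox)"
}
main
```

As a non-root user the four lines come out as direct=denied copy=ran, direct=ran copy=denied, direct=denied copy=denied, and write=ok read=denied. Run it as root and the copy and read results flip, which is the whole point of the "Depending on the permissions you set, an administrator may not have access" remark about NT: on Unix, root simply is not subject to these bits.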
Hi Darby -
As far as I can see, there isn't a "Great Firewall of China". I am staying at the "The China Hotel by Marriott" in Guangzhou. A Chinese hotel which is managed by Marriott. It has Western and Chinese guests, and the ADSL service (which is a bit less of a broadband than I would like) is provided by a local Chinese company.
I have hit a wide range of sites from Slashdot, to News.COM, to the NY Times, to WSJ, etc. I haven't tried to hit sites that I know would be no-nos, but I have yet to be blocked.
But then maybe, the Chinese government in its quest to build up Open Source systems is giving full and free access to "Slashdot". I can just see it: Slashdot, read it - just like the Chinese Government!
The adoption is going well. We head in for our physical this morning. She is a beautiful little girl. Quite intelligent and interested in the world. I think she will get along with her two older brothers just fine!
Well, I have to go and give her a bath and get her ready for our group breakfast.
This is Jordan Dea-Mattson, broadcasting from Guangzhou China! Signing off now!
Yours,
Jordan
That must be why my Community College Instructors have had no email through the campus system in over a week. That kind of security is wonderful ain't it.
Professional Politicians are not the solution, they ARE the problem.
nmos wrote:
"Running Windows Update doesn't update Realplayer, Netscape, WordPerfect etc but it often does find ways of breaking third party apps."
Or breaking its own apps. When I did security updates on a win2k office machine earlier in the month, dutifully rebooting and following all of M$'s instructions and recommendations, the control panel's Add/Remove Programs app stopped working. And that's exactly what I am going to do- remove the program called win2k from that computer. You know what, even with a frickin' MSDN membership provided by my employer, I don't download M$ crap and run it on my own personal computers. Even my employer, once a MS advocate, wants to get the hell away from M$. Won't be renewing that MSDN membership next year.
Pop Secret has released a "New and improved" version of the microwave pop corn. Other food companies have stated they will follow with changes in their own brands. Synders, Delmonte, and Kraft are all releasing products with a new and "improved" flavor covering everything from pretzels to sweetened condensed milk.
I don't see how Windows isn't secure. I've always used windows. Dual boot w/ Linux, so yes I have had experience w/ other OSes. Never once has my Windows box been hacked or compromised. I keep up with patches and system updates. Never once acquired a virus. Now, I've never had a problem with my Linux box either, but I know plenty of people who run both Windows and Linux servers and let me tell you, their Linux servers have been hacked/compromised more times than their Windows servers, which has been a grand total of 0 times. Yes, call it stupid sys-admining on their part or whatever, but still. Windows users not updating a critical patch is equivalent to someone running Apache or whatever and not updating if a major security hole has been fixed. Open ports.. big wow. I have open ports on my boxes. There still has to be an exploit in order to do anything w/ them though.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
Yes, but I would not pay people to post said drivel. There are many other things I'd do differently than Bill Gates. It has to do with morals and paranoia. When you have morals you don't need to be pre-emptively paranoid and the world is a better place.
Friends don't help friends install M$ junk.
That was Al Bundy in "Married with Children". Oh yeah, dumb fuckers get what they deserve. Bill Gates is doing his best to fuck everyone, and always been a whiner. Having to use Windows for most of and the rest of his life is punishment enough for his sins.
Friends don't help friends install M$ junk.
Just keep telling people that, then maybe they'll start to believe it. Oh wait--they already do... too bad it isn't actually true.
Furry cows moo and decompress.
I remember being told when I was younger that when you say you are doing your best it's a lie. Later on I remember hearing "Losers always cry about doing their best."
Fact: Any OS that allows permission to a directory because a user has access rights to a file in the dir (even though they have no access permissions to that dir) will never be able to tell me that they are secure.
Fact 2: Contrary to popular belief MS is not the largest software developer; IBM holds this distinction. MS is not even close last time I checked.
Fact 3: Until MS gets it through their head that total integration is the antithesis of security they will not clean up their mess.
I won't mod you down. I don't disagree on one point: There is no magic cure for user stupidity.
On the other hand, Outlook and Outlook Express shouldn't be executing code found in attachments. Never. When a user previews or opens an E-Mail, what they do with the attachment should be their choice. Part of the problem here is that OE defaults to preview E-Mail messages and most people don't know about the inherent danger that can cause.
You weren't modded down because people disagreed with what you had to say. You were modded down for being combative.
What does user stupidity with regard to e-mail attachments have to do with Windows? Absolutely nothing.
First off, I wasn't talking about Windows. That's why I said 'Microsoft software'. I was talking about Outlook and Outlook express, although the difference here is debatable because they both render through mshtml.dll which is arguably part of the Windows Operating System.
You say you want an answer, then you put the answer in my mouth. Do you even want to learn? Ask me a question, I'll answer it. I know.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
I am very impressed at how the interviewer can ask all these questions without laughing so hard. If it were me, probably I'd be on the floor screaming, "Stop! Please I can't take this anymore..." in the best case scenario or I'd require a change of pants at the worst.
Guys
One common theme I see frequently throughout this thread is the constant assertion by linux users that MS products are fundamentally flawed out of the box and lead to all kinds of security and other problems for end users. However, when they make this comparison, they invariably take the non-computer-literate windows user versus someone who has a fully tweaked linux box as their example. This to me is completely unfair on MS. The person who has the linux box is invariably far more PC aware and has done all sorts of tweaks and updates to get their box the way they want it. If that same, computer-savvy user were to apply themselves to setting up a windows box, they could achieve similar levels of reliability and security that they can on their linux box. On the other hand, if that joe bloggs, barely-knows-how-to-switch-it-on windows user was to try and install a linux distro, even one of the up to date ones, I guarantee he would have an unusable comp and be looking at a re-install within a very short space of time.
I consider myself fairly computer literate and am running xp pro on my main box at the moment and have to say it's the most stable, reliable os I have ever used, and this includes several linux distributions. The box is up 24/7/365 with only occasional reboots for patches and so on. I run it behind a NAT router, use zonealarm, have up to date AV software and am up to date on all security alerts. These precautions, coupled with that most valuable of commodities, i.e. common sense, mean I have never had a virus or security problem.
It's not that I don't like linux - I have been using it on a secondary pc which I like to dabble on - I have used RH 5.0, 5.2, COL, SUSE 6.0, MDK 8 and currently RH 9. I went through the whole linux addiction, compiling apps and kernels like nobody's business, but since getting married I don't have the time to go and search for a new version of gcc or glibc because I want some plugin for xmms and have broken dependencies. Windows lets me get things done quicker and to me is more reliable - FOR THE AVERAGE USER.
So please people lets compare apples to apples in future when slating MS.
"We're doing our very best, and that's all we can do"
Your best, losers always whine about their best
then something about winners doing something with the prom queen
-- Karma Karma Karma Karma, Karma Chameleon - Boy George
For the home user, Windows Auto-update is fine. But every once in a while, MS releases an update that is... not ready for prime time. Automatically updating an entire enterprise of Windows boxen, without testing the effects of that update, is folly.
Now everyone click your heels together three times and repeat, "There's no place like home" and we can go back to CP/M and start over.
If Billy wanted to optimize security, he'd put 80% of his resources on fixing current versions of current products. He'd stop charging customers to report bugs in his products (via support calls). He'd release *bug fix only* releases with minimal or *no* new features (except those needed to fix design flaws).
Got a great idea Bill. Instead of forcing customers to pay $35-100 per "support call", let's up the ante a bit. If it is a failing, bug, or undocumented shortcoming in your product, then you pay the user the $35-$100. If it is just a case of them not reading the manual and it's the customer being supported, the customer pays. If the fix involves no fault finding -- i.e. -- say you have them uninstall and reinstall the product, the call cost is zero, since all you've done is erase any evidence of the problem -- you didn't find out what caused the problem (amok user or amok MS program).
Seems only fair, since all the bugs I've tried to report to you that I managed to get MS to look at were duplicatable bugs in MS software. Many are fixed in the 2003 _*SERVER*_ release... (hello... does anyone think the 2003 product is a replacement for Windows XP? Where's the Windows XP: bug fix edition?)
It'd really be nice if you paid customers for all the Beta testing they do for you.
-l
no.. i'm not saying anything. i'm saying that _he_ said that windows may come out ahead because they have a more concrete and better plan of action presented, that he doesn't see as possible given the linux development and installation environment.
Gates Says Windows Reliability Is Greater ...than a 1983 Chevette!
Healthcare article at Kuro5hin