Security Affecting Microsoft's Bottom Line
kidlinux writes "The Globe and Mail has an article discussing the impact of viruses and security flaws in Windows. Apparently Microsoft has bounties out on virus writers. 'The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.' The effects of various worms and security issues are becoming visible in financial terms - having to deal with the security issues keeps Microsoft from closing new deals, and governments and businesses are starting to look at the alternatives, such as Linux. 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'"
Microsoft has such ridiculous control over the market that it would take an act of God (namely Bill Gates) to bring it down. Like discontinuing support for its OSes. Commence flaming.
The Braying and Neighing of Barnyard Animals Follows.
Time to protect the monopoly. Once in that phase, funds are diverted away from R&D and into protectionism -- the great money pit.
Is it really easier or more cost-effective to change the world (pay bounties for crackers, lobby for protectionist laws) than to change your business practices (write more secure software)?
This had better be a temporary endeavor conducted in parallel with major shifts toward better business practices, or MS is starting the downward spiral.
Security failures are beginning to hit Microsoft hard not because of the enterprise, but because of home/personal installations.
Whereas a competent MCSE or IT director will have properly secured a corporation's machines against remote exploits (a properly designed network, even if none of the machines had been patched, should've been able to stay free of worms like Blaster and Welchia, for example), home users have been thrust into the unfortunate situation of running an enterprise OS (anything from the NT family), with no experience on securing it, and often, no knowledge that it needs to be secured at all.
Windows NT-based operating systems listen on so many ports, and are designed so wide open, because they are meant to sit inside a secured corporate network. Though Microsoft's unification of the NT and personal trees of Windows starting with XP gave personal users much of the speed and stability they had been lacking for so long, it also gave them security issues they should not have been expected to deal with.
This is why, though NT-based OSes have had widely publicized security flaws for years, their flaws are now in the spotlight.
Microsoft's recent steps to finally globally disable the Windows Messenger service and enable the firewall by default are a late, but necessary, effort to help bridge this divide.
now they might actually do something about it... nah
95% of all computer errors occur between chair and keyboard (TM)
If Microsoft had put more of its bottom line in the past into the security of Windows, this wouldn't be such a concern now, would it?
And why did you staple the trout to the RAM?
Actually, MS doesn't want people talking about security holes they find in MS software:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/noarch.asp
http://www.pcworld.com/news/article/0,aid,63784,00.asp
As Steve Jobs once said, "Every security scheme that is based on secrets eventually fails."
Truth and Justice cannot be forever denied!
Seriously, now is when we find out which model of software development really is more secure. Results like these will energize Microsoft's management to try and address security even more forcefully. My money is on FOSS, but we'll actually get to see how it plays out in the real world.
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
Don't you think that if you're going to be childish, obscene, and offensive you should at least be right?
A lot of people realize that most of their new software will run on the .NET runtime virtually eliminating (probably) most of the programming vulnerabilities that exploits take advantage of (buffer overflows, unchecked casts, etc).
why run from Vincenzo?
This is what happens when you let marketing run the company :) Shiny new graphics in this version! More features you don't need! Security? nope.
If OpenBSD can produce a secure distro for FREE, why can't Microsoft with all the resources available to them? Marketing never thought that it was important. End users are finally starting to realize that it doesn't need to be this way.
At this point, it's a little late to go back and design security into a system which never had it.
Of course, there goes my job security...
I use Macs to up my productivity, so up yours Microsoft!
Instead of writing more secure code or locking down system services by default, MS is going after the people who write viri. How is this going to fix the (in)security problem? Do they think this is the last generation of assembly hackers? Bah. Every day I'm reminded of why the Voluntary Human Extinction Movement is a good idea. Just remember that one day MS will be one of the many corporations that provides sponsored funding for your child's or grandchild's school.
Speaking about the "cash bounties" campaign Microsoft is offering:
The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.
The campaign reveals just how much extra cash Microsoft has lying around and is willing to put up to make the buying public think it gives two shits about security.
Why're we taking this at all seriously?
M$oft says something to paint themselves in a good light, we slam it with, 'they must be lying, it's a bunch of FUD, they're just hiding the truth....etc'
M$oft says something bad, which casts them in a bit of a bad light, we immediately take it as gospel.
Fact: The average consumer is more aware of problems with M$oft security due to the prevalence of that information itself. (iNet, popular news media, print, etc).
Fact: The average consumer is more aware of alternatives to M$oft products, IE, Linux, MacOS, *shudder* Lindows...
Fact: The average consumer never bothers to install ANYTHING other than the OS that came preinstalled on their CompUSA/CC/BB/Wal-Mart PC.
Truthfully? I fail to see how this is costing them anything at all when you get right down to it. They've STILL got the market sewn up on preinstalled systems, the average consumer STILL thinks it's the easiest OS to use, and Symantec has those consumers who ARE a bit worried and aware of the dangers convinced that by running Norton Craptilities they can circumvent those dangers.
Crapcrapcrapcrap.
More crap.
Don't park drunk, accidents cause people.
The article says that Microsoft needs to put a priority on customer satisfaction. Is that really possible? Over the years, my experience with Microsoft is that they pride themselves on being a "take no prisoners" and "shoot the wounded" type of company, always looking forward to the next challenge, never taking time to fix and support older products. When I once asked when some severe bugs were going to be fixed in one of their current compilers, I was told that they were never going to be fixed; the programmers had already been reassigned to the next big project. From a bottom line point of view, it made sense, but it showed a total disregard for their customers.
Mea navis aericumbens anguillis abundat
Martin Brooks / Slayer99 #linux / UIN 2178117
fiftieth post for you
I see the bounties as a cheap way to fix the security bugs... microsoft offers $500,000 for someone to find the author of the bug, then M$ gets them in a contract to either fix their software or go to jail... NICE!
If Microsoft were really serious, they would pay the bounties to people who find their flaws.
IMHO, this is a Good Thing (tm). If security issues start affecting the MS bottom line, then they will start taking security seriously. Microsoft is not evil, they're just greedy. Hit them in the bank account, and they will notice. Losing a few $100 million in random lawsuits is not a big deal to MS. Losing desktop market share (especially in the home market) is a huge deal.
With the bounties, Microsoft will finally start to fix these issues by plugging criminals instead of security holes.
Doesn't anyone at all see Microsoft becoming a government-like entity, when it neatly circumvents federal antitrust laws and it now starts handing out cash payments to bring in law-breakers?
The impact on Microsoft's bottom line only reflects the impact on their customers' bottom lines. Well crafted EULAs may exempt MS from liability, but they can't exempt themselves from a deservedly bad rep created by poor security in their software.
If the wind blows right, sometimes shit does roll uphill.
What company do you work for?
0) you assume that a system admin has time to address the daily patches that were coming out at the peak.
1) patches take time to test and apply. You might be able to break a users computer (as long as it's not the company heads), but you can't break the server.
2) MS charges $$$$ for the systems which give you the ability to maintain many systems.
3) things get behind the firewall. Probably a lot less since these worms, but they do get behind the firewall.
MS is paying for bad decisions.
* Trust. Trust will work on the internet. Nobody would click ok without reading what the message says.
* Sandbox, VB don't need no stinking sandbox
* No user permission separation
If Microsoft buys Symantec, they can create a "real options" type scenario.
Microsoft creates insecure software. Microsoft-owned Symantec secures networks which runs insecure Microsoft software. End result: PROFIT!
Too bad the anti-trust laws would probably break the whole deal up.
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
Instead of placing a bounty on virus writers, why don't they take that money and give it out as a bonus to employees who find bugs and distribute important security patches? Wouldn't you work harder for a quarter million dollar bonus? Prevention is the key, and this move seems like an attempt to clean the mess up after the fact. They've said security is #1, but what internal changes in staffing and spending support this claim?
if there is no security to start with, has any security been breached?
'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'
Now, I heard about Red Hat stopping selling its consumer version OS. I haven't heard about MS dropping any products. So, how are these flaws being "translated"? A $1/2 million bounty? Big fucking deal. That's peanuts. They spend more than that on toilet paper every year.
1) Take OpenBSD
2) Slap GDI/Win32 API on top
3) ???
4) ???
(In this post, I am going to describe two or three reasons that I believe Microsoft will soon become a regular industry player, and will no longer rule at the top.)
Think that putting a bounty on virus writers is going to solve the problem? That's the trouble with you, billg, you think you can buy your way out of all your problems. Heck, if I had as much money as you, I could buy my way out of anything, too. The only trouble is that your mighty empire is slipping through your fingers, and because of what I'm about to say, you cannot fix it, no matter what you do.
Many companies have realized that using free software, and contributing to that software, both in fixes and in features, provides many advantages, such as independence from a vendor. If you think about it, suppose you get a contractor to add a room to your house and he does a crappy job. You could fire him and get someone else to do it. But when you use proprietary Microsoft programs, there is nobody but Microsoft that can fix them. While this may not have been an issue over the past 20 years or so, this is becoming a very critical issue.
Not only does the proprietary status of your software prevent others from finding and fixing its problems before they cost billions, but you continue to do everything in your power to isolate your software from anything else out there. Other companies want their software to interoperate with the competition, but you just want to embrace and extend. Why do you do that? If your software is so good, why can't you make it friendlier with your competitors' stuff? I know the answer: It's because you're insecure. You know that perhaps the biggest thing that kept people using your software was the fact that they were locked in to it and were forced to upgrade repeatedly.
By doing what I just described, you tightened your fist as much as you could on this software, but now governments, corporations, and individual users are beginning to look elsewhere in significant numbers. This is the beginning of the end of your monopoly. Soon, you will no longer rule at the top, but will be just another player in an industry. I'm sure it was fun while it lasted, though.
From the Slashdot story: "Apparently Microsoft has bounties out on virus writers."
Offering a bounty is no substitute for providing secure software. Maybe the OpenBSD team would help teach Microsoft how. Or, is someone in the U.S. government interested in having security vulnerabilities in the software everyone uses? There are just too many; is Microsoft really that sloppy?
Who was using Microsoft security vulnerabilities before they became public knowledge?
OpenBSD's motto: "Only one remote hole in the default install, in more than 7 years!"
Microsoft's motto: "Extremely serious flaws that allow an attacker complete control, every week."
Something is fishy about this. It is not that difficult to write secure software. If the extremely well-funded OpenBSD team can do it, the poor Microsoft people should be able to do it, too.
Rewards are a lot cheaper than devoting facilities to developing secure code.
AT least they don't fry CDROMS.
Newt-dog
My Doctor prescribed daily nasal saline irrigation, hehe
My name is Boba Fett. I do thy bidding....
just don't forget to let me use those damn cool carbonite freezer to chill 'em virus writers.
Mode (3) smart-aleck mode. Press * to return to main menu.
Why don't they just go ahead and have a clean reimplementation of Windows started while they work on Longhorn? By the time they have Longhorn out, a clean reimplementation could be at least ready as an Alpha or maybe a Beta.
Click here or a puppy gets stomped!
The CASH bounty only shows how afraid MS is of the flaws in its OS/Apps. And when they know that they really can't do much about it (they don't know how to fix until some1 comes fwd and shows 'em the way IN and out) .. they just behave like a dick-tator and kill (or try to scare their pants wet) every1 who points fingers at the flaws. Another Evil Corporation!
[at the same time I myself am forced to use MS s/w like an addict... and the thought of leaving the app gives me creeps!!! HELP ME GOD]
Amit Agarwal a.k.a Netahoy http://www.netahoy.org/
This might be the only culture you get all week!
MS kept going because their stock was high enough to attract people who thought mostly of making lots of money, integrity and skill be damned. They were happy to grind out feature after feature without worrying too much about how sloppy the feature itself was, or the code that implemented it. The high stock price also kept investors happy, knowing the value would go up and they could sell to the next greedy sumbitch. A nice pair of positive feedback circles.
... I did not anticipate the water temperature lowering the saturation limit. This is really interesting!
Sooner or later the stock would hit its limit, mainly because of market saturation. Then there would be no increasing revenues, investors would find it harder and harder to unload, and as the stock price stabilized, the opportunistic employees would bail, and new employees would be harder to get.
What amuses me is this new wrinkle, that crappy software has put an extra limit on their market, causing market saturation early. Like adding sugar to hot water, you can only get so much in before it saturates
In addition to investors and opportunistic employees both bailing because the stock price has stabilized, I bet there are a lot of employees who are not happy being assigned to the boring tedious job of auditing old code, hunting down security flaws, and so on. These people have gotten used to adding useless features without any concern for reality, and that was fun. Dredging the muck for security holes is not. I wonder how many employees are bailing because the work has changed.
A nice accelerator to the two feedback loopbacks. Just because feedback is reinforcingly negative does not mean the slope is uphill!
Infuriate left and right
Knuth followed this model on TeX...
It works.
(Of course it used a great dev system that resists stupi mitakes;0(
Why not put a bounty out on the poor programmers that created the holes in the first place?
Added Rob Malda: "I also have a bad taste in my mouth, but that's from sucking Hemos' cock."
I believe the original article said he was sucking Michael's cock. Please don't spread that kind of misinformation.
...as seen on The Joy of Tech...
Because that is exactly what Longhorn IS.
Please note that Windows will then be incompatible with all old Windows software...
Will it still be Windows?
I think not...
Level OS playing field at that point, or at least much smoother.
Governments and big corporations are starting to realize that the cost of using Microsoft includes:
Linux isn't free of security holes, but it has considerably fewer because the underlying design isn't nearly as permissive to start with. Further, the open source model means that security holes get fixed more quickly.
Convenience of use and a good GUI loom large to non-geeks, but even they are beginning to wonder if the price they pay for the (Windows version of) these things isn't too high.
Catherine
Give me a break!! They should see how much it's affecting everyone else's bottom line! A good size company spends in the tens of thousands every month on MS related security matters.
If MS were smart, they would run Macs internally, for their own safety, of course...
Why don't they just go ahead and have a clean, reimplementation of Windows started while they work on Longhorn?
2 reasons. First, support for legacy apps has to be included in any new OS Microsoft develops. Second, imagine how long that would take to complete. It took what, 5 or 6 years, for the NT kernel to be able to reliably run 95/98/ME apps. Imagine the press release, "Longhorn to arrive in 2009".
Starting over would render close to a decade of work worthless. That kind of suggestion is hard to justify.
----
Squirrel
What this means is: it's a great thing for them, it's a great thing for the RIAA, it's a great thing for the MPAA (sp?). It's a shit lousy thing for you. But they are going to give you a secure platform. Makes you wonder if they couldn't have planned things any better.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
What more can I say?
Jeremy D. Zawodny /
Even if you're a strict creationist you should learn Darwin's principles; it will prevent you from making mistakes like Microsoft's. So Microsoft is now offering bounties against virus writers. The death penalty doesn't stop murderers. Jail time doesn't stop criminals. What this will do is set up a fund that will be consumed by stupid people, and it will leave the more dangerous to do their damage. As long as the motivations to write viruses are in place, blunt tactics like Microsoft's will just escalate the problem. Let's not forget the fact that it was their complete and total lack of security going back to DOS that allowed the species to start in the first place. Now they are just placing evolutionary pressure on it.
... frequently found on slashdot. I'm talking about the unknown to me word "thier".
They have $50 billion in the bank, as ready cash. There are a lot of unemployed programmers, and if they wanted to outsource to India and China, there are a whole lot more even cheaper.
It might take a year or two, but they could squash future bugs if they wanted to. And yes, I know about the mythical man month and adding manpower to a late project, but this is not a single project, it is hundreds of small projects.
Microsoft is still not serious about fixing security holes. They never will be.
Perhaps this will inspire all the M$ hating virus architects to create newer and better worms, viruses and trojan horses to take M$ down. Ah, the thrill of the kill with a bounty on your head! Go gadgets go!
With the first machine, I connected to the Internet and was infected with Welchia about 24 minutes later.
With the second machine, it was FIVE MINUTES.
In neither case did I even have enough time to get the latest patches (over 25mb of standalone patches + IE SP1 + SP4) before I was infected with a virus.
It's just plain ridiculous -- What happens when Joe Average User connects his computer he just bought from a local computer store (who I doubt would have installed the patches on every machine going out the door)? How is he supposed to know what to do?
There is no such word as virii.
The computer usage of this word stems from the medical word virus and the correct pluralization is VIRUSES - Dorland's 28th ed. Medical Dictionary.
No doctor that I know uses the word virii..we all use viruses.
..........FULL STOP.
Bounties only (sometimes) help put the criminals in jail, but they NEVER stopped any crime from happening, ever.
Maybe we deserve this world ?
Wouldn't they be better off spending that $250,000 on another programmer-year or two of code audits?
This whole business with bounties for virus writers is just an attempt at misdirection: draw the public's attention to the people writing the viruses instead and away from the fundamental flaws they're exploiting.
It's important that the public realize that the security holes exploited by the virus writers are also exploited in less public and more nefarious ways.
--Bruce Fields
Do they actually have a bounty on VB script virus writers? Seriously? Don't they even see something slightly wrong with that? In fact, where do they draw the line between "it's an evil hacker exploit" and "it was obviously our fault that time"? Where do the police draw the line between "the burglar broke in through the window" and "sir, you have been burgled 300 times in the last month, and every single time you had left the door propped open with a different expensive item and gone out for 10 minutes; please just close your door"?
And what exactly is the reward? If it's $250,000 worth of Microsoft redeemable software vouchers, then I don't think they will have much luck.
This comment does not represent the views or opinions of the user.
"Where do you want to go today, apart from the PC shop to buy more virus removal software?"
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
A simple Google search will also show which is the most popular usage.
computer viruses 3,690,000 hits
computer virii 80,000 hits
3 out of 3 on line dictionaries also used viruses as the plural for computer virus..
..........FULL STOP.
One person CAN make a difference...
Their name says it all...
Geez, can't they just do a whole rewrite?
Also, it seems a company called Apple did get the mix between usability and security right.
Not everyone agrees, but most people seem to think that OS X is more secure than any windows version, especially 'out-of-the-box'.
Most people also seem to find it more 'usable'...and good looking.
Number one, there is an unlimited number of hackers out there. I.e., kill them all and some more will come.
Now the big thing is to patch the back doors. I.e., why do email servers let viruses through? Why does Outlook run scripts? Why does Windows start up with doors everywhere?
Now let's take my car: someone steals it and I have not locked it and the keys are with it. What does the insurance company tell me? Yep, get stuffed: you did not lock it and it got nicked, it is your fault.
Now it is about time Microsoft stops passing the buck; they left doors open and unlocked, and it's about time they get them shut. Now, just like the Windows XP firewall, it is useless; it would have been smarter to buy a third party's and ship it with XP. Now they have bought an antivirus company, then they talk about stopping shipping the Linux version (brain dead, some people). Give the Linux version and Windows version away for free and shut the viruses down. You control the updates, get everything under control, crush the anti-virus companies (under the flag of doing what is good for everyone) and the hackers. Then charge for it.
Basically, it is about time some people stop passing the buck: the internet is war and we are losing due to buck passing. Hackers normally rate how good something is by the effect. This is the same rule with White, Gray and Black. White: if the program they create is used and works, the more people that use it the better it is. Grey: how big of a system they can attack under controlled conditions (lot of hard work). Black: how many systems they bring to their knees.
Now we defeat the Black by reducing the effect of what they do. Let's take it: I am still receiving email from viruses over 3 months old. Let's try to get this down to a week, then a day, then an hour.
Now if the Black fail they will go away, because they will not be able to be as effective, so their stunts will not work.
Now if only they would put out some contracts on the big spammers, maybe we could all have some peace in our inboxes :) I think $1M per head (with or without the rest of the spammer!) should suffice...
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
So when will someone put up $250,000 for a judge/jury who will convict Microsoft for their irresponsibility and gross negligence in propagating non permissions-based filesystems across the entire network and creating the only software ecosystem in which viruses can exist and flourish? The rise of Microsoft is apparently concomitant with the death of personal responsibility. Not trying to flame here folks, just an opinion formed from a life lived on Unix/Linux/Irix/BSD/OSX systems and never having had to remove a virus even once. Am I alone in thinking that Microsoft is responsible for those viruses more than the virus writers are? The fact that I unwillingly support MCSEs who make virus removal a full-time job on my tax dollar while unix talent goes neglected and left useless to novel corporate agendas has nothing to do with this bitterness. Nope. It's Microsoft's own incompetence that deserves the bounty.
http://tinyurl.com/4ny52
That site is a real find. Cool!
My first rule of software design: "Anything backwards compatible with a kluge is, by definition, a kluge." A secure reimplementation of Windows would, by necessity, break most existing software. Microsoft developers are not stupid; they have many top-notch technical people. Unfortunately they are hindered by their legacy architecture, and product design driven by Marketing, not Engineering. I believe most of the security holes can be traced to product misfeatures, not programming bugs.
"Freedom means freedom for everybody" -- Dick Cheney
All you guys celebrating this release and thinking it marks the beginning of the end for Microsoft have got your heads in the clouds.
There is no way MS would publish this information unless doing so is in their interest. They could have played the same old games with accountants and auditing, etc, etc to hide this information if they had wanted to.
But no, they pretty much came right out with it and most of you have been taken hook, line and sinker. All this is not about any real pain that MS is feeling. No, it is about providing another justification for Palladium aka NGSCB "enscub" aka Next Generation Secure Computing Base.
MS can now point to how a lack of security is hurting their bottom line, so whatever bogus Palladium schemes they come up with to sell as increasing security (rather than just stealing control of your computer and divvying it up between MS, the MPAA and the RIAA) will of course really provide a better, more secure system, because MS's ass is on the line too; see, it even says so in their SEC filings!
When information is power, privacy is freedom.
Pray Tell...
How will catching virus writers improve the defects or the bottom line?
-Hackus
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
...and if you notice OpenBSD doesn't have 90% of the market share.
Ease of use.
I used to think users were lazy but after I got over myself I realized that they are simply clueless and have no idea how to install/tweak/secure an OS any more than I have any idea how to run multiphase electrical legs into my house and offset the phases manually if necessary (some shit my electrical contractor was telling me - he might as well have been telling me that my foot looked like an owl penis in swahili).
An earlier post was absolutely correct about running by default all kinds of network services and, consequently, opening all kinds of ports on the machine. The beauty of installing an OS, walking to another machine and browsing to the default web page on the fresh machine was more attractive to users than the nebulous security caveats such practices imposed. People understand (and can see) failing to hit a page, or a file share, or printer share, whereas they cannot see the glaring hole in their security profile until, of course, it is compromised - but that begets experience, and the experienced tech or power user eschews the lack of security that is often the directly proportionate consequence of ease of use.
However there are a lot more inexperienced users than there are techs/power users.
Microsoft simply assumed it would be far easier install and use their OS if security was low at first and tightened later. Windows 9x/Me/NT4 was an example of this. Win2k was a foray into the concept of balancing both in such a way as to maintain the ease of use yet improve security. It is far more secure than 9x/Me/NT4 but unfortunately still vulnerable as Blaster, SoBig and others have shown. Win2k3 may get it right - time will tell.
The key point in all this is that one of the very things that gave Microsoft 90% of the desktop was the sacrifice of security for ease of use. An interesting point is that Win2k can be made to be as secure an operating system as any other. The secret lies in proper firewalling and removing network services that are not required and (everyone seems to miss this one) oversight - watching every connect and monitoring network activity down to the byte - not necessarily with eyeballs but with event driven network monitoring tools which oversee things such as disk space, CPU usage, port connections, file activity, etc. For instance - there should be no reason for IUSR_WHATEVER to access \System32\cmd.exe - this can be audited and tracked. Had this simple rule been put in place CodeRed and Nimda would never have wreaked the havoc they did.
In the OSS community we need to be aware that there are a lot more "users" out there than "geeks". We sit on our high horse patting ourselves on the back for our default security profile but forget that the remaining 80% of the world just wants to install the OS and play with it - just like many of us "geeks" simply want to insert the key into our vehicles and drive to the store - we are not interested in consumer crash test reports, or airbag safety results.
At least we aren't interested until we get in a wreck - then we become a little more "experienced"
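The post above argues that IUSR access to cmd.exe can be audited and tracked, and that this one rule would have caught CodeRed and Nimda. As an added example (not the poster's code, and not any Microsoft tooling), the following Python reads constructed IIS W3C log lines and flags every request whose decoded URI resolves to cmd.exe or root.exe, after applying the double-decoding and overlong-UTF-8 tricks those worms used to slip past the path filter. The log lines and the small table of overlong separator encodings are assumptions made for the example.

```python
"""Flag IIS requests whose decoded URI resolves to cmd.exe or root.exe.

Added example for this thread; not code from the original posts or from
Microsoft. The log lines below are constructed to resemble the CodeRed II /
Nimda traversal probes of the time, and the overlong-UTF-8 table is an
assumption limited to the variants those worms were known to use.
"""
import posixpath
from urllib.parse import unquote

# Invalid "overlong" UTF-8 byte pairs that IIS of the era accepted as path
# separators. urllib will not decode them (they are not valid UTF-8), so
# they are mapped explicitly before percent-decoding. (Assumed table.)
OVERLONG_SEPARATORS = {
    "%c0%af": "/",
    "%c0%2f": "/",
    "%c1%9c": "\\",
    "%c1%1c": "\\",
}

# root.exe was the copy of cmd.exe that CodeRed II dropped into /scripts.
SUSPECT_BINARIES = {"cmd.exe", "root.exe"}


def decode_uri(raw: str) -> str:
    """Decode a request path the way the vulnerable server effectively did.

    Two rounds cover the double-decoding bug (%255c -> %5c -> '\\') and
    overlong separators hidden behind one layer of percent-encoding.
    """
    path = raw.lower()
    for _ in range(2):
        for enc, sep in OVERLONG_SEPARATORS.items():
            path = path.replace(enc, sep)
        path = unquote(path)
    return path.replace("\\", "/")


def resolve(raw: str) -> str:
    """Decoded path with '..' segments collapsed, as the filesystem would see it."""
    path = decode_uri(raw).split("?", 1)[0]
    return posixpath.normpath(path)


def is_cmd_probe(raw: str) -> bool:
    """True when the decoded request targets cmd.exe/root.exe by any route."""
    return posixpath.basename(resolve(raw)) in SUSPECT_BINARIES


# Constructed W3C extended log lines (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINES = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-11-06 10:12:01 192.0.2.10 GET /default.htm - 200
2003-11-06 10:12:05 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2003-11-06 10:12:09 192.0.2.77 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2003-11-06 10:12:13 192.0.2.77 GET /scripts/root.exe /c+dir 404
2003-11-06 10:12:20 192.0.2.10 GET /images/cmd.exe.gif - 200
2003-11-06 10:12:25 192.0.2.10 GET /docs/commands.htm - 200
"""


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client IP, resolved path) for every request that reaches a shell binary."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, uri_stem = fields[2], fields[4]
        if is_cmd_probe(uri_stem):
            hits.append((client_ip, resolve(uri_stem)))
    return hits


if __name__ == "__main__":
    for ip, path in scan_log(LOG_LINES):
        print(f"{ip} reached {path}")
```

The check is on the resolved basename rather than on the raw string, which is why `/images/cmd.exe.gif` is not flagged while `..%255c..` and `..%c1%1c..` traversals are: a filter that matched the literal text `cmd.exe` before decoding is exactly what those worms bypassed.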
Funny, my corporate deployed laptop, following standard practice, set ME up as admin. I understand this is standard practice for WinNT-family (mine is Win2k) deployments, in general.
With that ONE practice, the single greatest/easiest chunk of security - separation of user from admin, is gone.
From what I understand, quite a bit of Windows software actually depends on this practice, and can't run without admin privileges. So regardless of who takes the blame, Microsoft or the Windows Culture that has grown up around their products, there's an architectural-level problem here.
The living have better things to do than to continue hating the dead.
Something that has puzzled me for a very long time. Microsoft spends an amazing amount of money on R&D, even claiming that Longhorn will cost more than the entire Apollo program to develop. What do they spend their time and resources on? I don't exactly see a flood of papers and patents flying out of there.
"To those who are overly cautious, everything is impossible. "
for inciting people to hack and write virii so m$ loses money
"For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model."
.NET programmer because we all know that .NET is now integrated with MS Word because it's clearly necessary.
NO!!!! This has been the case since almost the beginning!
Some people at Microsoft got together and decided that if they make it too good to start with, people would not upgrade to the newest version! This is especially true in light of the fact that people rarely even change FONTS but once in a document when writing in Word let alone use the other billion features they added since the last version. I know to be my secretary, you also need to be a successful
No, the business model is simple: People are compelled away from bugs and flaws! And since the only alternative to old Microsoft products is NEW Microsoft products (which is mysteriously vulnerable to many of the same flaws... makes me wonder if the new products aren't actually the same as the old products) people will buy the new ones! And who can keep up?? Let's just buy a subscription!!
Woah! Wait a minute! We just screwed up their entire model! Their business model is built around the notion that there are no alternatives to Microsoft products! (Can you say Monopoly?) The moment people start to think, "Hey, there's no alternative...let's get into Open Source and participate in creating our own alternative!" the Microsoft business model begins to crumble.
Next is born the MSAA. That's right. First there's the RIAA and MPAA and now, the MSAA. I don't know what the acronym means, but if it has MS in the front, we know it means Microsoft and AA in the back means a bunch of lawyers who want to screw everyone without wearing condoms. We've altered their business model with consumer demand!
"We must CRUSH consumer demand to restore our business model!!"
...to put that same money towards quality control, thereby preventing the flaws in the first place? Instead of just paying someone to narc out his friend who finds and exploits the flaw that's still there?
The only thing this is going to do is make devious hackers more aware that they need to try harder to cover their tracks.
The famous MS instability is often a fault of the insane amount of crappy obsolete hardware that is still attached to machines. I recently heard someone bitch on how none of the P4 boards had an ISA slot for his modem and now he had to upgrade and he didn't want to. (oh and they exist)
Was he right? Well, according to MS and Linux and the makers of that board, yes. (Don't know about the BSDs.) People should be able to use old software from the DOS era and hardware that belonged in a PC two generations old (human generations). Apple would have told him to get stuffed.
Who is right?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
"The embedded market is much larger than the PDA market. Think cellphones. Think consumer electronics, connected DVD players, industrial products, etc..." all running Windows, as far as the eye can see! My god, it'll be beautiful!
With apologies to Christopher Lloyd and the makers of Who Framed Roger Rabbit?
Do not look into laser with remaining eye.
'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'
It might be more accurate to say that flaws in Microsoft's business model are translating into flaws in their software. The "bottom-up" approach of software development, that is, tackling the easy problems first, has led to the problems today as the software becomes increasingly complex. They should just stay the hell away from servers and stick with the desktop.
The Death Penalty: Killing people to show others that killing people is wrong.
So, Knuth gets the bug report, spends the time to write a check, and never sees the $50 or whatever disappear from his checking account, because some geek out there thinks....
"Dollar value of my time spent sending note to Knuth about error in book: about $10. Getting check from Knuth for finding said error: $50. Hanging said check on wall for bragging rights: priceless. ;-)"
Of course, I suppose a modern /.'er with more mercenary inclinations might see/say it differently:
1. Receive check from Knuth
2. Post ad on ebay
3. Profit
... for me, "thier" would be far more easy to understand than "there". My non-English-speaking brain can easily associate "their" and "thier" --- but to understand "there", I have to leave my normal visual-based "reading" and change to sound-based decoding.
BTW, this seems natural to English speaking dudes, probably because of pronounced (heh) differences between spoken and written language.
"The tighter you squeeze, Tarkin, the more systems will slip through your fingers!"
there wouldn't be anywhere near as many virii and worms and crap about.
The design of Windows means that it is insecure.
A really great way to make Windows more secure:
Make it so that by default, Windows is installed with an administrator (who you can't actually log in to from the login prompt without extra effort) and 1 or more "regular users".
A "regular user" basically has access to all normal stuff (i.e. anything that's not a risk to the system) but if they want to do something that's "risky" (e.g. if they or something they are running wants to add something to "load this at startup") they need to enter the Administrator password first. If they don't, the action is denied (for example, Windows returns a "can't open file for writing" error or a "can't write registry key" error or whatever as appropriate).
Some things that should be "restricted":
1. Putting any file in c:\windows\system or its sub-folders (such as c:\windows\system\drivers). Also modifying, deleting, changing etc. those same files.
2. Adding a program to the "this program starts at startup" list (this would also cover drivers, services etc.)
3. Modifying key Windows Sockets settings (for example, like how some spyware inserts itself into those places to hook Winsock)
4. Perhaps there are other key settings that could be blocked (for example, access to certain control panels or changing the display settings or whatever)
and 5. There should be a way for someone (with the administrator password) to specifically add extra things to the "block list" (e.g. someone could show settings as to how to stop spyware crap from changing the homepage of M$IE)
Some benefits:
1. Viruses, worms, Trojan horses and other crap wouldn't be able to just "silently" install themselves (since it would say "c:\documents\your settings\temp\abc123.tmp.pif wants to write to c:\windows\system\dontdeletethisorwindowswontwork.exe. If you want to allow this, type in the administrator password")
2. Spyware (e.g. Gator, New.Net etc.) wouldn't be able to install without specific authorization (for example it would say "c:\downloaded files\newnetinstaller.exe wants to modify Winsock settings and install its own custom crap. If you want to allow this, type in the administrator password")
3. On shared computers (e.g. family PCs or kids' PCs), the parents could be the only ones that know the administrator password (and therefore prevent the kids from changing the settings)
4. On computers e.g. work machines or machines in labs at schools, the sysadmin would be the only one that knows the administrator password and therefore e.g. you don't get people installing Kazaa or whatever.
That's not to say that my system would prevent installing new software, it would only prevent it if:
1. the new software wants to modify important Windows settings.
2. you don't have the administrator password.
and 3. when the install program gets the error back from Windows "can't open file" or whatever, the install will fail in a way that makes the program unusable.
Basically, this would be a benefit since:
1. if some program wants to do something behind your back (e.g. virus or spyware), you can be notified and more importantly block it.
and 2. you can be sure that the users of your machine aren't installing anything that messes with the settings or messing with them themselves.
Some might say it would cause problems but I don't believe so.
For example, if a kid brings home a new game from school (that he has "borrowed" off a mate or more likely these days gotten that mate to burn him a copy of) and wants to install it, the kid puts the disk in and runs the installer. Then, if it needs to install system things (for example, new DirectX), the box asking for the password will come up and the kid will have to wait for the parents to give the OK before it can be run.
Another benefit is that if the user has to enter the password, it's likely that (unless they are so clueless that they think that the "any" key is the
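The scheme in the comment above is, at bottom, a deny-by-default policy over a short list of protected locations plus an administrator override. The Python below is an added example that models it; it is not Windows code and not the commenter's. The protected directories and registry keys are a constructed list, the request kinds (`write_file`, `write_registry`) and the prompt text are assumptions, and the point it adds is the one a defender would want spelled out: such a check is only as good as its path canonicalisation. A `..` segment, a forward slash or a change of case must be resolved before the prefix test, and the prefix test must match whole components so that `System32extra` is not mistaken for `System32`.

```python
"""Model of the 'type in the administrator password first' policy.

Added example, not Windows code: every location, request kind and message
below is illustrative.
"""
import ntpath

# Zones a regular user must not write to without the administrator password
# (constructed list; real Windows has far more of them).
PROTECTED_DIRS = [
    r"C:\Windows\System",
    r"C:\Windows\System32",
]
PROTECTED_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",      # "starts at startup" list
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\System\CurrentControlSet\Services",                  # drivers, services, WinSock2 catalog
]


def canon_path(p):
    """Resolve '..', unify separators and case, so the check sees the same
    string whether the caller wrote C:/WINDOWS/.. or c:\\windows\\."""
    return ntpath.normcase(ntpath.normpath(p))


def canon_key(k):
    """Registry keys: unify separators, case, and long/short hive names."""
    k = k.replace("/", "\\").strip("\\").lower()
    for long_name, short in (("hkey_local_machine", "hklm"), ("hkey_current_user", "hkcu")):
        if k.startswith(long_name):
            k = short + k[len(long_name):]
    return k


def under(item, prefix):
    """Prefix match on whole components only: c:\\windows\\system32extra must
    not count as being inside c:\\windows\\system32."""
    return item == prefix or item.startswith(prefix + "\\")


class Policy:
    def __init__(self):
        self.dirs = [canon_path(d) for d in PROTECTED_DIRS]
        self.keys = [canon_key(k) for k in PROTECTED_KEYS]

    def add_block(self, kind, target):
        """Point 5 of the comment: an administrator can extend the block list."""
        if kind == "write_file":
            self.dirs.append(canon_path(target))
        elif kind == "write_registry":
            self.keys.append(canon_key(target))
        else:
            raise ValueError(f"unknown request kind {kind!r}")

    def restricted(self, kind, target):
        """Return the protected zone the target falls under, or None."""
        if kind == "write_file":
            canon, zones = canon_path(target), self.dirs
        elif kind == "write_registry":
            canon, zones = canon_key(target), self.keys
        else:
            return None
        for zone in zones:
            if under(canon, zone):
                return zone
        return None


def authorize(policy, requester, kind, target, admin_ok=False):
    """Decide one request. Returns (decision, message); the message is the
    prompt the comment imagines showing the user."""
    zone = policy.restricted(kind, target)
    if zone is None:
        return ("allow", "")  # ordinary location: no prompt, no password
    if admin_ok:
        return ("allow", f"{requester} admitted to {zone} by the administrator")
    return ("deny", f"{requester} wants to {kind.replace('_', ' ')} {target} "
                    f"(protected: {zone}). If you want to allow this, type in "
                    "the administrator password.")


def demo_policy():
    """Default policy plus the homepage-hijack block the comment mentions
    (the IE Start Page value is used as an illustrative target)."""
    p = Policy()
    p.add_block("write_registry", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
    return p


if __name__ == "__main__":
    policy = demo_policy()
    requests = [  # constructed requests, including the disguised forms
        ("abc123.tmp.pif", "write_file", r"C:/WINDOWS/system32/../SYSTEM32/drivers/abc.sys"),
        ("setup.exe", "write_file", r"C:\Program Files\Game\game.exe"),
        ("x.exe", "write_file", r"C:\Windows\System32extra\x.dll"),
        ("newnetinstaller.exe", "write_registry",
         r"HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/WinSock2/Parameters"),
        ("toolbar.exe", "write_registry", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"),
    ]
    for req in requests:
        decision, message = authorize(policy, *req)
        print(decision.upper(), message or req[2])
```

Note that the decision is made on the canonical form and the prompt still shows the path the program actually asked for, so the person holding the password can see what is really being requested.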
Microsoft knows that offering a reward to catch the "evil bad guys" won't really improve security any more than offering a reward for Bin Laden will help stop terrorism. The real reason is to draw customers' attention away from the company and their insecure software and instead focus it on "the evil hackers". Because in the end, all that matters is that the customers believe that Microsoft is at least as secure as anyone else.
While I'm normally trashing Marketing as the latest "must have feature" arrives in my bug tracker, the reality is, they interface with the customer and try to determine what they want. If it were what we developers wanted, software design would be machine centered, not human centered. The problem with this is that the purpose of a machine is for a human, so they must be human centered. I don't care if you have a bulletproof OS if no one can use it. Just as you said, it's all the features _that consumers want_ that cause many of these security holes.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
If non-computer people can corrupt the usage of hacking, then non-medical people can corrupt medical terminology to their own purposes.
Besides, you understood what was meant, so where is the problem?
And even more, I think it was Andrew Jackson, President of the US around 1820 or 1830, who said "It's a poor mind that can only think of one way to spell a word."
Infuriate left and right
I keep reading about the high 'cost of patching systems.' Ummm... in 1998 Microsoft launched Windows Update. It detects what updates you don't have yet and then you can download them. And with Windows XP you can turn on automatic updates -- it downloads the updates for you and lets you know when they are ready to be installed. When you install them you can even click no to the "restart your computer" question and they will be fully installed the next time the computer restarts. Thus not being inconvenient at all. Given, in a business situation, maybe it's only the admins that want to be patching systems, but they should still make use of Windows Update. Automatic updating can even be set to auto install updates overnight!
The patch for MSBlast came out weeks before the worm came out -- the only reason ANYONE was affected by it was because they were too "lazy" to use AUTOMATIC updating.
If people do not want to patch their systems on time, then they should at least put up a firewall. If I remember correctly, anybody with a firewall was immune to the Blaster worm.
It's been more than a year since M$ declared Security "Job #1" and had their big group meetings. Oh yeah, I remember all that Bullshit about it being just like when M$ decided it needed to take the internet seriously and all that for Windoze 95. Internet seriously for Windoze 95? Those jokers have yet to take the responsibility of hooking up to networks seriously.
People told them, and Microsoft must have known, that their single user mode nonsense was not an adequate model for a computer on a network. They did not care, it's that simple. The rise of internet destabilizing viruses is the result of more Microsoft users connecting to the internet, nothing more. Everyone knew it was coming.
They got plenty of warnings. I Love You happened years ago. It's no surprise that people don't want to buy their stuff. It's been broken for a long time and everyone knows it. It's no wonder that people are looking for something that works.
People don't hate Microsoft because they made software that sucks. People hate Microsoft because Microsoft thought so much of their sucky software that they put all sorts of stupid restrictions on user behavior and wanted to expand into everything and make competition impossible. Remember them telling people who used FrontPage that they could not say bad things about Microsoft. The whole DRM thing was the pinnacle of their lunacy. It was Bill Gates' greedy dream to control all digital content, music, movies, books and even email, then charge the customer for everything AND sell each customer advertising. XP is the sum of such efforts. It's looking like it will only work with WM files, it takes popup adverts all day long, many of them pornographic and, of course, it crashes and gets viruses. Using M$ is a miserable experience and Microsoft wants to make it impossible for you to use anything else. Longhorn promises to be worse and I predict its sales will be worse than XP's were, even worse than the currently tanking XBox.
Tank? Yep, that's the ultimate incentive. It's been coming for a long, long time. M$ has exhausted the public's credibility. Bye, bye, assholes.
Friends don't help friends install M$ junk.
I doubt it. A complete rewrite is the only way to clean up the cobbled together mess of intentionally spaghetti coded junk they have purchased and stolen. They might be able to do that in a year or so, but it would not be Windblows, it would be OSX1 or some other variant of BSD with an ugly and non-intuitive Redmond themed desktop.
They can complain all they want about it not being cost effective to fix bugs. I think they are going to find out the hard way that it's not cost effective to own crap.
This is like a *no duh* moment.
Microsoft likes to sell on the idea that if you know the desktop you can administer the server because it runs the same systems. Windows *everywhere* (even in your toaster) is the goal. That's attractive to a part-time admin, because it means they don't have to constantly switch frames of reference to administer a Novell / Unix / Linux server.
Of course, that means that a lot of the technical flaws / security holes on the desktops are also in the server product.
The virii this year have been outrageously bad, where you almost have to segregate your LAN into 2-8 computer sub-networks, with firewalls on the Windows desktops and firewalls between all the segments, if you want to slow down something like Blaster or other worms. It's bad enough losing a Windows desktop (or a dozen), but heaven help you if something jumps the gap and takes out a Windows server.
In today's poor security environment, where the Windows O/S has a huge bulls-eye painted on it, and MS still giving only lip service to security, you'd have to be nuts to consider rolling out new MS servers without doing serious consideration of the alternatives. That means that MS is going to start losing server sales, which I'm betting are a higher-margin sell than the desktop O/S. (Plus all of the server-related software like SQL Server, Exchange, etc.)
"Starting over would render close to a decade of work worthless. That kind of suggestion is hard to justify."
But by SOME people's measuring stick it WAS worthless from the beginning. Back when there was actually competition between Microsoft and other companies in both the operating system and Office suite business, people (like me) were warning that some of the new "usability" features from Redmond were going to create security issues.
They didn't HAVE to continue down that path and consequently waste those 10 years. They just did.
Blame whoever you want to for that. But the code IS worthless and will have to be replaced, even if it's one line at a time as they seem to be doing now.
Perhaps they should use BSD, and then write a GUI for it, and interfaces. Create an interpreter (like VMware) to support legacy apps. After 2-3 years, stop supporting pre-MSBSD apps.
yes, I said MSBSD. scary, huh?
well, my evil here is done.
The Kruger Dunning explains most post on
strippers, lattes!
For every microsoft platform we deploy, we need to purchase centralized anti-virus software, proxy server filtering software, auditing software, intrusion detection software....and the list goes on and on.
Granted, we have never had a hack related outage, because we keep up with patches and anti-virus updates, but the added cost of the security packages certainly does eat into our budgets.
In a k-12 school, we run many 3rd party apps that don't run on Linux, so we really can't switch to that yet (think desktop...not server). We are, however, really considering migrating slowly to OS X to avoid the added "security software tax" that comes with the Microsoft products.
-ted
But that's why you have Apple/Mac OS X, Linux, and a few others _very_ hopeful systems, so you _don't_ have to rely on Microsoft anymore. You just dump them, it's _that_ easy. The process has to start somewhere, and it can start with you, me or whoever...
You're wrong about Microsoft having top notch people. While I don't doubt they do, most of what's in there is useless hordes of programmers who can't really think on their own feet... bunch of code monkeys who come in 9-5pm, and hope for a paycheck or their options to come afloat.... You'd be a fool to think there are many people with true, genuine understanding of operating systems, OO design, etc. - all that matters today. Those are few and far between at Microsoft or anywhere else in corporate US of A.
'A lie if repeated often enough, becomes the truth.' - Goebbels
Palladium (or what ever they are currently calling it) means that they will establish a secure layer between the o/s and the hardware and in doing so, allow the o/s to enforce absolute control.
The OS already *has* complete control. So "theoretically" there are no viruses, no unregistered/unauthorized software/drivers, no cracked software, no unauthorized files.
The only reason to have a DRM system is because the OS can't be trusted (some describe it as a ring -1, where the OS is ring 0 and userspace ring 3 (rings 1 and 2 usually unused)).
What they really want to avoid is unauthorized OSs and applications to operate on their data - also for DRM, but mostly to enforce their monopoly. It's all about protecting *them* from us, not protecting the *users* from anything. Not even viruses.
Kjella
Live today, because you never know what tomorrow brings
One of the great reasons for MS to buy up Virtual PC is that they can now virtualize old environments. I am doing a little hand waving, but why do they need to maintain backwards compatibility if another piece of software can do that for them?
... and people bitched about it (still to this day even) -- even with a Classic OS layer that could be launched and ran on top of the new OS.
It takes some really big cojones to take a chance with trashing something that well established.
I'm glad they did.
...too little too late. Sorry MS, but you only have yourselves to blame.
So you're saying that MS will find out what WINE users and developers already know?
Microsoft has some major security problems going on right now, and it is MICROSOFT who caused these problems, nobody else. I can see this every time I open my snort logs or do an iptables -L on my router (I have snort and pigmeat running for an IDS plus a dynamic firewalling system) and in two days alone I get 3-5000 IPs blocked and logged with SQL worm propagation attempts etc... (a lot of Welchia and Blaster, not to mention Code Red). This is Microsoft's problem. They need to begin to think security and make security a top priority. All companies, not just M$, in general need to take up more on security and GET THE PUBLIC INVOLVED. Maybe ISPs should demand some sort of scanning system to prevent this type of garbage! /rant
I realize that we're talking about home users for the most part, but Microsoft does in fact know how to include a feature that is off by default. An initial installation of Windows Server 2003 doesn't turn much on. File/printer sharing, IIS, DNS, Active Directory, etc, all have to be explicitly enabled.
There is no word as viruses.
The medical word virus is taken from Latin, where it is comparable to pestilence (they really didn't know what a virus was 2 millennia ago, did they?). As such, the plural of virus is virus, just as we don't have pestilences.
Now, we could all agree that 20th century English usage of a borrowed Latin term is permitted to expand its use and grammar, and as such, perhaps the 20th century computer usage of a borrowed medical term could do the same, no?
...and it might not. Unfortunately, the point is irrelevant unless someone has developed a time machine. As long as they're finally doing it, good.
Well, this past spring and summer, he said he saw a drop in service calls by an amazing 85%. Those remaining calls were either hardware or the three Windows boxes he had to maintain because that customer demanded it; they owned the kiosks, he just provided service, so he was making money on the service call.
When the "Worm of the Week" started, the other guy lost at least 30 customers that switched to using our client because they were getting complaints from their ISP that their boxes were being used in DDOS attacks from the competitor's product. In last week's business journal, our client's competitor has filed for chapter 11.
Now, chances are they were having cash flow problems, the manufacturer of their product is also having problems, however I know that our client has been able to undercut his competitor by 20% in price and he is still reporting increased profits of 10% after slashing prices. That's how much his TCO has lowered on service calls in the last nine months.
I know in our consultancy that using Apples with OS X has lowered our costs and increased productivity over Windows despite their higher initial cost. Why? Most of our units are about 4 - 5 years old and are now in use by administrative staff and going strong. That, and we make about $400 a week from the company on the second and fifth floors for fixing their computers.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
You've hit on an interesting observation - but ultimately are wrong in your assessment of what it means.
First - I have to question the assertion that WinNT-based systems are designed to be behind a secured corporate network. I suspect the strategy employed by Microsoft has more to do with making a default system usable with as little configuration and actual technical knowledge as possible. There's an inverse relationship between functionality and security. When Microsoft has been faced with this in the past, they have tended to favor functionality rather strongly. This is not a surprise to most infosec types. After all, information security was not driving the market in the past.
The second point is the concept of a "properly designed network" mitigating these issues. You're absolutely wrong on this point. What we're dealing with is often linked with fundamental pieces of Windows architecture. Even if one wanted to go to the expense of trying to cordon off an enterprise's network into many, many insulated cells, the strategy would ultimately fail to prevent this exposure. Firewalls are very useful. But they're not a panacea.
So why are malware stories gaining increased public exposure? There are many reasons. Let's touch on three.
First, the public is becoming educated. They are discovering that computers should have a certain level of performance - that failures are not just something to live with. They are finding out that there are alternatives - albeit few and far between. And they're beginning to see these particular instances as "Microsoft worms" or "Microsoft viruses". And rightly so. After all, these instances of malware do prey on Windows issues.
Secondly, "security" has become news-worthy. 9/11 had that effect on the American, if not international, psyche. To many there is little difference between physical security and information security (so-called "cyber-warfare" aside). Which is not always a good thing. Unless you're selling infosec snake-oil. In any case, it causes anything with "security" in it to catch people's attention.
Finally, more people are being affected by malware outbreaks. Desktops are almost ubiquitous thanks to the killer app - the Internet (which is probably better broken down to email, web, and IM, in questionably that order). And thanks to the Internet, those desktops are reachable. Now - this may sound a lot like the parent's point. But remember - malware is affecting both corporate and consumer desktops. The possible half-point that was touched on is... the desktop. Desktops are being targeted more often these days. And there are some interesting possibilities for this.
It's a given an attacker gets something out of the attack - the question is what. Sure - there are the usual reasons of discovery, challenge, and power-trips. On rare occasion, the attacker might even be after the information on the host itself - although this is usually targeted by very hand-crafted attacks and not fast waves of malware (it's easier to scoop up
Would it run all that super-secure BSD software like Sendmail and BIND?
OK, just being paranoid, and reading your post on routers. I remembered the update that "spammed" the users. And, having read the article 8) I saw one thing that no one took the time to observe or mention.... FREE !!! The update will be FREE ! And god knows there are very few free things in M$ land.... So, just to know, MS releasing a free update to one of the most protected (and hacked) OSes in history, the famous one where you had to Call (!) (how very 20th century, isn't it ? 8p) to activate, so as to be sure you didn't steal it, or changed your video card without asking them first... So, can someone tell me what exactly is going to be in this (sure to be) HUGE (free) PATCH for XP ? As in "sniffer/bot/privacy intrusion/installed software remote checking/automatic inventory of all media files/please/be/paranoid/yourself/.../fill/blanks" .
You all speak of how much they make a noise about security, and I see MS taking a hit on the 35%(or so, depending on my mood) "bad, evil hackers" that stole their product by not registering/paying.
or something equally nice.
And that's just speaking for "basic stuff", I will not speak about the quasi universal installation of some sort of DRM somewhere. Even better, if you mix DRM, media files scanning and installed applications reporting, you could all (most of you) (ok, some of you) (well, some of us 8) have a nice meeting with a committee in front of your door (one for BSA, one for RIAA, one for Hollywood, and probably the IRS with the marshal, for so much good news cannot come alone)
Please someone consider the question and answer...
Are you gonna trust this nice, beautiful, efficient, FREE update for XP ? ...
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
It is a damn poor mind indeed which can't think of at least two ways to spell any word. ... and that's the one I had in mind.
... this is the best I could find:
Mark Twain had several quotes, none very close
I never had any large respect for good spelling. That is my feeling yet. Before the spelling-book came with its arbitrary forms, men unconsciously revealed shades of their characters and also added enlightening shades of expression to what they wrote by their spelling, and so it is possible that the spelling-book has been a doubtful benevolence to us.
Of course with a check from Bill Gates it would go
1. Receive $50 check from Bill for error reporting.
2. Add a couple of zeros and cash.
3. Profit.
I don't give a damn for a man that can only spell a word one way.
So, ha, we are both mostly right!
Who does Microsoft think they are kidding? In my opinion, the following is what is really going on. Microsoft will make a lot more money if they appear to be addressing Windows security issues ( i.e., bounties on virus writers ) than to actually fix the underlying code problems. The Windows line of programs has been designed specifically for maintaining an operating system and office application suite monopoly with the target users. For various reasons which I will not list here, this necessitates low security software for these target users. Think about it.
The most popular server software for ISPs is FreeBSD, a BSD variant. It's great software, and very capable.
One company uses NetBSD for dedicated mail servers.
We don't hear much about these uses, because the software just works. That's why it is seldom in the news.
You mean like Apple did with OSX?
"Starting over would render close to a decade of work worthless."
The decade worth of work is already worthless. Everyone already has a copy in one version or another and the foundation on which it is built is flawed. It is insecure by design.
It's like in Vegas when some casino wants to upgrade. They don't remodel, they blow the fucker up and start over.
"There is nothing to do it. But to do it." -Floyd Pepper
I know the feeling. I have Windows 95 on a laptop with only 72 Meg (maxed out) of memory. Resetting the LAN TCP/IP to use a gateway while traveling breaks dial-up. I have to delete the gateway to use the modem. I don't think they are going to fix it.
I have Windows CE 3.0 on a handheld. I wanted to use it as a very portable terminal with the serial port. The terminal program assumes a modem is connected and won't connect without giving it a phone number to dial. There is no option to not use a modem (other than ActiveSync). I could not find the correct key sequence to send out a null character. It's trapped by the OS and not sent out the port. (Same problem as the Tandy portable, the M100, has, which also cannot transmit a null from the terminal.) This is not good for the hardware I needed to operate. It's looking for a null (ASCII 0) and doesn't know what to do with ATDT5551212.
I upgraded the hardware in a Windows 98 Box. Found out the hard way Windows 98 does not like Pentium 4's even with all the latest patches and service packs.
I am very reluctant to buy the next version of the OS to find out what needs a work around or simply won't work. I no longer buy software upgrades. The upgrades wait for the hardware upgrade cycle. I buy a machine with an OS expecting to never upgrade the OS beyond the current version.
Old boxes make great Linux routers, game servers, web and office app machines, SMB servers, photo editors, media centers, etc. Just don't expect to have the OS work if you upgrade the hardware to a new generation, or upgrade the OS to a new generation without upgrading the hardware. This is especially true for MS. They even work as a dumb terminal if needed and it works properly.
The truth shall set you free!
To go with our war on drugs, war on terrorists, war on... being sensible?
...but I don't have to. This is kind of like pointing out the obvious. If Microsoft isn't feeling any financial hurt they don't do a damn thing.
Some companies today listen to their customers and make changes proactively and a lot do not...but you are sure as hell going to see change when they are not making as much money.
Vote with your wallet...its the only vote anyone listens to anymore.
======== In the future, everything will be artificial. ========
We have been using linux at work as desktop and server OS for the past 2 years. I don't think we miss windoze; our 550 users are fine running linux desktop. To us windoze is dead; it should be for you too. Open source app servers like TomCat and Joanas are our life saver for business applications. Java and Linux have saved us from evil Bill Gates.
"Among the recent steps Microsoft has taken to improve security is its announcement that it will have a free update to its flagship Windows XP desktop operating system next year. The improvements are to include disabling certain features that can allow hacker break-ins. The upgrade, or service pack, will also include an improved firewall."
They strain this one out like a concrete turd. It's obvious that they want to make everyone aware that the FIX for the FAULTY OS is FREE, this time, versus the alternative plan, which is to CHARGE YOU for the FIX for the FAULTY OS.
Does M$ really charge you for service packs and security upgrades? I mean, damn, what absolute GALL!
I checked the price of XP (which I do NOT own or use) today at Frys and it's going for $199 for the UPGRADE. That means you had to have previously spent a large chunk of cash on 95-2K in times past. You figure those prices in and you come up with $350 to $400 for a fully legal copy of XP.
And straight out of the box it's broken. Then they expect you to buy updates, patches, and other repairs to it for more money??
You really have to be absolutely dying to throw cash out the window to go with this insane plan.
I've yet to see a distro of Linux that requires you to PAY for updates, patches, etc. Unless you count in perhaps the very large, high end, mega-server packages and that's doubtful..
I was just wondering: Is a corporate network more likely to get hosed over an open port in the firewall through some exploit, or is the network more likely to get hosed because some PHB clicked on an attachment in Outlook?
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
6 years later, they came out with XP. This ran both 95 and NT apps, because by the time it came out, all apps could run on NT. (Well, not all, but I haven't had a problem personally.)
This was very foresightful of them, because it'll be incredibly easy to move to .NET and future sandboxes.
Someone else mentioned that purchasing VirtualPC was a good move. This is so true: all they have to do is port one application to their new platform (that being VirtualPC), and *poof* all their apps work on the new platform. Then they can take their time making them native.
Of course, this was the rationale behind OS/2's Windows support, and look where it got them. The difference is, this time Microsoft owns both the old and the new. They can turn off the old versions, forcing people to upgrade to the new ones. It's good for them in a business sense, but people are getting wise to it; there is no upgrade treadmill in free software.
I feel fantastic, and I'm still alive.
3 years for an entire rewrite, I think that is overly optimistic... besides, to save that much time, they would just rewrite what they already have..
joelonsoftware knows, the worst thing you can do is start from scratch.
MS should however, say to hell with users, expectations, deadlines, or compatibility. Pick a date, and get a list of everything fundamentally not good about Windows and get as many programmers as they can to fix it.
From the article,
"was that Microsoft's sales people were so busy helping corporate clients shore up their networks that they could not close new deals."
I sure was glad my Microsoft salesman could help me with that firewall ruleset.
Alex
"Dollar varlue" ?
;)
Will I get a 50$ check from you?
^_^
They strain this one out like a concrete turd. It's obvious that they want to make everyone aware that the FIX for the FAULTY OS is FREE, this time, versus the alternative plan, which is to CHARGE YOU for the FIX for the FAULTY OS.
The language says that it's free so that people know that it's free. Updates and service packs for Windows have always been free. They have never once charged for them.
The markup most retail stores put on non-game software products is ridiculous -- A non-upgrade XP Home edition can also be had for about $90 if you know where to look online.
And straight out of the box it's broken. Then they expect you to buy updates, patches, and other repairs to it for more money??
Now you're just trolling.
For an email client my wife uses Outlook Express and has a Hotmail account. She gets very little mail and almost no spam -- maybe one a month and it goes to the Junk Mail folder (my Hotmail account fills with email worm infection attempts every 2 to 3 hours, which is the price I pay for redirecting all incoming mail to "slashdot@rjamestaylor.com" to my Hotmail account). I figured if a worm went through Hotmail it would be checked for viruses. Unfortunately, that is true ONLY if you are using the Web Client to attempt to download an attachment. If you use OE, they don't bother to check the attachments.
Earlier this week my wife told me the computer is running really slow. I told her to press Ctrl-Shift-Esc to bring up the Windows Task Manager and she replied "something popped up but went away." I told her not to hit Esc twice (my assumption being that she had). She tried it again -- "nothing happened this time." Crap, I thought - we've got Klez, or some other virus that kills WTM and other attempts someone may use to discover/remove it.
Turns out she received a spam that had Klez and also used the iframe exploit -- and when the email was displayed in the Preview folder, *splat*, Agent Smith began infecting our machine's programs.
So, on my weekend I get to disinfect my home computer because I failed to install an Anti-Virus program. But really, I was let down by Microsoft 3 times:
- Windows is architected for ease of development and not security in the Internet{worked} Age
- Windows XP Home, which required a huge series of patches to be installed upon initial installation (I bought the full version for my OS-less homebuilt PC), yet did not have anything to stop Klez. (In fact, this is puzzling -- I thought a patch fixed the iFrame exploit...and my system was and is fully patched. ???)
- MSN Hotmail doesn't check attachments as they arrive, only when you request the email for download in the Web client. But OE is made to interface directly with Hotmail!
I am in the process of downloading Lycoris. Maybe Lindows. Probably WineX and Cross-over plugins, too. (Yes, I'll pay.) I'm going to test those two distributions on my wife and son. If either pass the test, that will be our OS at home on the desktop. I may try SuSE and Mandrake, but I like Lycoris/Lindows' "KISS & MAKEUP" (Keep It Simple Stupid and Make it Act Kinda Equivalent to Understood Patterns).-- @rjamestaylor on Ello
Standard operating procedure for our sysadmin, installing Debian:
- install completely disconnected from the network
- get patches from another, secure system
- install patches
- then connect to the Net
But it's true that the standard user seems defeated even before he starts. There is simply no way that new PC is not going to be infected within an hour or two.
This problem seems so severe that I think it will be the death of Microsoft. No amount of money in the bank will save a business that people stop buying from. Remember IBM at the start of the 1980's? They controlled IT, and it took only about 5 years and the rise of Compaq and Microsoft before they were humbled.
Microsoft's easiest way out is simply to move to a Linux platform. I guess this is what will happen, sooner or later.
Ceci n'est pas une signature
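The offline-patching routine described in the post above, as an added example that is not the poster's own script: a POSIX shell gate that refuses to proceed while a default route is present and verifies a transferred patch set against a SHA256SUMS manifest produced on the trusted host. The routing-table text is passed in as an argument (an assumption, so the check can be exercised without a live system), and the sample patch files and manifest are constructed inline.

```shell
#!/bin/sh
# Added example, not from the post: stage patches carried over from a
# trusted host and verify them before anything is installed.
# Assumptions: patches sit in one directory beside a SHA256SUMS manifest
# written on the trusted host ("<hash>  <filename>" per line, as sha256sum emits).

# Hex SHA-256 of one file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Given the text of `ip route` output, succeed only when no default route
# exists, i.e. the box cannot reach the Internet yet. Callers pass the
# output in so the check can be exercised without touching the real table.
is_offline() {
    ! printf '%s\n' "$1" | grep -q '^default '
}

# Check every manifest entry: the file must exist and hash to the listed
# value. Reports each problem on stderr; returns 1 if anything is wrong,
# so a missing or tampered patch blocks the install step.
verify_patches() {
    dir=$1
    manifest=$dir/SHA256SUMS
    [ -f "$manifest" ] || { echo "no manifest in $dir" >&2; return 1; }
    bad=0
    while read -r sum name; do
        [ -n "$sum" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; bad=1; continue
        fi
        if [ "$(sha256_of "$dir/$name")" != "$sum" ]; then
            echo "MISMATCH $name" >&2; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Gate: proceed to install only when offline AND the patch set verifies.
# $1 = routing table text, $2 = staging directory. The install itself is
# left as an echo so this runs anywhere.
staged_install() {
    is_offline "$1" || { echo "refusing: default route present" >&2; return 2; }
    verify_patches "$2" || return 1
    echo "ok: install from $2, then bring the network up"
}

# Constructed sample: two fake patch files plus a matching manifest.
make_sample_stage() {
    stage=$(mktemp -d)
    printf 'fake patch one\n' > "$stage/patch1.deb"
    printf 'fake patch two\n' > "$stage/patch2.deb"
    for f in patch1.deb patch2.deb; do
        printf '%s  %s\n' "$(sha256_of "$stage/$f")" "$f"
    done > "$stage/SHA256SUMS"
    echo "$stage"
}
```

Run `staged_install "$(ip route)" /path/to/stage` on the freshly installed box; any tampered or missing file, or a default route already present, stops the install.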
Absolutely crazy nonsensical bs
What do you need on Linux to consider switching?
Grossly insecure OS...
???
Profit !!!
... they paid me my overtime-on-Internet due to downloading all these virus and worm generated e-mails:
..."
"Dear Microsoft Consumer,
Here's the 's security update
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Look at Apache's popularity, yet it doesn't even come close to the security nightmare IIS is. Yes, popularity is part of the problem but it certainly isn't the main or only factor.
reliability, I finally switched my wife's computer over to iMac. Now instead of a big tower that used to crash because my son holds down several keys for a couple minutes, it doesn't crash. Not only that, I don't have to worry about windows locking up, netscape doing bizarre things or viruses through IE when my son uses it. Instead, it just works. And the spam rules in OSX are way the heck better than stupid OutLook. Screw Microsoft, they have to prove they can build secure, reliable software that a 2-4 yr old can use without crashing it before I consider switching back. Think win2K3/XP is great? Let a 2 yr old sit at the keyboard for 10 minutes and see how stable the damn thing is. 99.9% of the time, windows will behave in a bad way by locking up or crashing.
I feel that the General Public should post their own bounty on Monopolistic Tactical OS developers and their buggy ass software that keeps their sister companies in business....
What the hell was that!
The problem is not the user. Period. If you design a car that has accidents for the most innocuous of reasons you would be out of business in a snap; blaming the user would not save you. Extrapolate as you wish, a computer device should not expose a user to nastiness and it should not be possible to use it to launch attacks.
You may be affected by MS targeted virii even if you don't have Windows in your own network: thousands of owned machines scanning your firewall ports can bring your network to a halt.
Some of the virii have been so arcane and difficult to patch (even for pros sonny) that to keep arguing that MS is affected for their monopolistic position is the excuse of the gullible or the ignorant.
I will not boast about my credentials here, but the post to which you are replying is spot on. I have seen myself in the same situation in a much bigger and equally well organized company with an equivalent skill set as the one mentioned, and still it is almost impossible, in spite of best, stringent practices, not to be affected.
MS in its current form is a threat to the IT industry, the sooner people realize this the better for everybody, MS included.
IANAL but write like a drunk one.
Pity that some patches broke previous fixes for other problems and that such an avalanche of fixes has to be tested before installed in a corporate environment.
In Solaris we can do this once every quarter.
In Windows we have been patching and rebooting practically every couple of weeks for the last 6 months.
As you see, a lucky home user can't be taken as an example of how a company could be affected.
IANAL but write like a drunk one.
The poster has it backwards - flaws in its business model PRODUCE the flaws in its software. Christ, don't they teach even rudimentary logic in schools anymore?
I want to delete my account but Slashdot doesn't allow it.
There's been a lot of MS bashing in this thread; some justified and most just pure bile. A lot of people have pointed out that Linux systems are not vulnerable in the same manner that MS systems are, and that it's all due to bad code design and terrible programmers who steamrolled security in the name of features.
I think in many of the arguments here, a critical fact has been overlooked. Users of MS products generally want the features that allow for the problems we've seen in the past to crop up. The average user wants automation; they don't want to configure software, or have to understand how the system does what it does, they (here it comes) just want it to work. It's this attitude that has fueled MS' design process; they build software that the end user can turn on and have "just work." No fiddling, no .conf files, no having to know things like DNS servers or what display adapters work in X and all them "whatchamacallits."
I think that if similar products existed in a Linux environment, we'd still be seeing a lot of the same problems, simply because the level of automation required to satisfy the typical user is inherently insecure. I am willing to concede that a suite of applications built on Linux could be more secure, and that Microsoft definitely has a problem in that the flaws in their system are very deep, however: I can recall a number of occasions where I've seen articles here on Slashdot that announce "security hole in (whatever) allows root access! Come get your patches...." If Linux held sway in the desktop world, why would we expect the typical user to be any more willing or able to patch their OS than if they were using MS systems? Granted, there's fewer holes, but they're still there. If the typical user never patches their default OS install, then why shouldn't we expect mass root exploits?
Don't get me wrong; I'm not wholeheartedly defending MS. They could have done things better, but I'm not ready to jump on the "Linux is more secure" bandwagon. I firmly believe that if similar applications had been developed for Linux to meet the same demands that MS has answered, we'd still be seeing problems.
It's about the choices you make. You can't optimize for everything. Everybody has work to do.
Updates and service packs for Windows have always been free. They have never once charged for them.
cough*Windows 98SE*cough
I'm sorry to have to disagree with you, but .Net will not eliminate vulnerabilities; the result will only be that all your applications and services will share the same vulnerabilities.
You are right in your assumption, that MickeySoft has introduced .Net to rescue their monopoly. They do it in the way that used to work in the past: They see what is successful in the real world, implement it in their own incompatible way, and then use their brute force to make their (wrong) way the only way. Just one example: It starts with a slight non-standard extension to HTML, and (for now) it ends with servers tailoring their output to the browser's user agent setting.
Others already have remarked that if MickeySoft wants to retain the growth rates it has become addicted to, it will have to penetrate the server market in a big way. At least two things are required to make that happen: They must break their ties to the Intel platform, and they must have something to replace JAVA. (MickeySoft's attempts to introduce their own flavour of JAVA fortunately failed.)
.Net fits that bill quite nicely.
Of course this would be a better world if they had made the leap to re-implement all of their products in JAVA, and worked with the other players in the real world to achieve the improvements in JAVA that are needed for that re-implementation. Instead they followed their reflexes without really thinking, and try to do it their own way. I guess they must be scared.
I just hope that MickeySoft's collapse will not cause too much collateral damage... :-)
-- The best way to accelerate a computer running Windows is at 9.8 m/s^2.
See my journal, I write things there
Win98 SE was Win98 with updated hardware support, IE5 instead of IE4, and DirectX. If you already had Win98 up and running, you didn't need the updated hardware support. And you could get IE5 and DirectX as a free download.
Try again.
XP Pro is $300 retail, but you can probably find it cheaper. It works out of the box with my NetGear and Audigy cards, and I can burn DVDs, too. There are thousands of software titles for it. While I understand that $300 might be $295 more than you're willing to part with when instant ramen is not involved, please try to exercise some objectivity and not assume that the entire world shares your pathetic "principals" of cost vs. value.
And, BTW, I've noticed lately that, straight out of the box, RH7.x is also seriously broken, and I need to download 30MB of crap to secure it if I want to plug in the network card at all.
So, shut the fuck up. kthnx.
Um, excuse me but Redhat 7.x is seriously *old* and no longer supported. Current Redhat release is 9.x and that's being dumped shortly.
Get with the program before you bump your gums..
Besides, 9.x ("Shrike") also suffers from the same fate. So do Debian and SuSe. When was the last time you built a Debian box? OMFG.
Suddenly your point is not as valid as you thought, eh?
Sure. Why not?
I'm sorry to have to disagree with you, but .Net will not eliminate vulnerabilities; the result will only be that all your applications and services will share the same vulnerabilities.
The same could be said about any platform or set of libraries, whether it's Java, .NET, PERL, etc.
.NET is a nice platform, and the people at mono realize that the same way that the BSD people realized that UNIX was a good platform ten years ago and have their own implementation of that platform.
They see what it successful in the real world, implement it in their own incompatible way, and then use their brute force to make their (wrong) way the only way. Just one example: It starts with a slight non-standard extension to HTML, and (for now) it ends with servers tailoring their output to the browser's user agent setting.
That's interesting because I use ASP.NET to generate content to target Mozilla/IE and web controls (and all else associated with ASP.NET) all work without any fuss on all the browsers I've used.
they must have something to replace JAVA.
.NET hardly replaces Java on the server-side, though. Nothing scales better (and has made my life easier programming RDBMS logic) than EJBs. Love that Java too.
Of course this would be a better world if they had made the leap to re-implement all of their products in JAVA, and worked with the other players in the real world to achieve the improvements in JAVA that are needed for that re-implementation.
Well, regarding the first part of that sentence, I would not disagree, but I have reservations about agreeing for the same reason that you started your reply with: If a platform has a vulnerability, then all apps based on that platform have the same vulnerabilities. A heterogeneous mix of technology is a good thing, IMHO, to not only encourage competition (which in turn drives innovation), but to ensure that we don't all rely on some de facto standard VM, platform, framework, API or whatever.
Anyway, only time will tell.
why run from Vincenzo?
Eat your own words.
Win 95 No longer supported.
Win 95b No longer supported.
Win 95c No longer supported.
Win 98 No longer supported.
Win 98SE No longer supported.
Win ME No longer supported.
Win NT3.5 No longer supported.
Win NT4 No longer supported.
Win 2K On the way out.
Win XP Why bother??
The IT department for one of my clients remotely updated three production machines on Friday evening, after which the computers inexplicably rebooted. They never came back up. What's more, these machines were responsible for the company's entire back office data feed. Without it, they are effectively running blind. The $15K it cost them to get those machines back up, tested, and re-certified won't hurt them in the long run, but there's nothing quite like bleeding out your jugular to give you a better appreciation of just how blatantly MS leaves your assets swinging in the breeze.
-Hope
a threat to Microsoft's bottom line
Few companies in the world would consider Microsoft's bottom line to be problematic.
Microsoft's revenue stream from Windows and Office continues to be a cash cow envied and feared worldwide.
Microsoft's "problems" are very clear:
- keep a grip on a current dominant market position for computer desktops
- enter new markets since there's no growth left for them in the desktop
They've been doing the first thing tolerably well and with the bountiful cash they can afford the kinds of mis-steps that have plagued their address of the second problem.
"Provided by the management for your protection."
FreeBSD is as adequate for what it attempts to do as Windows. The Windows GUI is more sophisticated, sure, but the vulnerabilities are not in the GUI.
You may not like my explanation, but the issue is there. Microsoft apparently has tons of sloppy code, that is what causes the bugs and maintenance problems.