Microsoft's Security Report Card
Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."
Microsoft Security. What's it all about? Is it good, or is it whack?
GNAA announces plans to bomb Christmas Island
by GNAA Staff
Due to recent AUP policy changes at .cx NIC, one of the key GNAA sponsored websites, http://goatse.cx has been found "in violation of .cx AUP policies". This announcement delivered a huge blow to the GNAA organization. Without goatse.cx, we lose an important piece of GNAA.
"We will not let this happen", GNAA representative goat-see said to the press. "GNAA will begin planning a terrorist attack on the Christmas Islands."
GNAA currently operates a back-up site, also located at the .cx TLD, http://goat.cx. Users are welcome to use this website while we try to persuade .cx NIC to reinstate the goatse.cx domain.
"In the event that our peaceful negotiations will fail, Christmas islands are sure to be gone off the face of this planet", added another GNAA member, penisbird.
If you would like to show support for the goatse.cx domain, please visit the following links:
Petition to reinstate goatse.cx (currently down due to attack)
nic.cx feedback forums goatse.cx thread
Thank you!
excerpt from an irc log
@b- The domain goatse.cx has been found in violation of .cx AUP policies, http://www.nic.cx/policies/pdf/cx.AUP.pdf #5, page 7, and is therefore suspended.
@r- shit, that sucks
*** joey (joey@brodels.gngsta.com) has joined nologin
@s- yea i read, page 7 only talks about payment issues though
@s- nothing about content
@b- ya
@b- im confused too
@s- i dunno what the #5 means
@s- oh i see
@s- Communication publication or distribution of adult or obscene content
@s- or images by way of embedded links in unsolicited email, postings to
@s- news groups, internet forums, notices to instant messaging programs,
@s- where the internet user is not explicitly made aware that by clicking on
@s- the link they would be directly exposed to adult or obscene content.
@b- hah
@b- he'll have to make a splash page
@s- i already put the lawyer warning on there
@p- hah
@b- that amendment to their AUP
@b- is like 100% goatse
@s- - Over the years we have received numerous complaints of this domain's
@s- - content, but no person filed an AUP violation form against the
@s- - domain. Recently the .cx board met and revised all .cx policies (December
@s- - 2003). One of the .cx policies that has not changed is that each domain
@s- - holder is required to review the policies every thirty days and make sure
@s- - their domain is in compliance (Please read part 1, page 2 of
@s- - http://www.nic.cx/policies/pdf/cx.registration.agreement.pdf).
@s- -
@s- - We do not review web sites and cannot ensure every domain holder is in
@s- - compliance. But, if a domain is brought to our attention that fails to
@s- - comply with our policies, we reserve the right to suspend the domain.
@s- -
@s- - I am unclear if you change the content, the suspension might be
@s- - revoked. If you are considering this option, please send a note of inquiry
@s- - to info@nic.cx.
@s- -
@s- - Best Wishes,
@s- -
@s- - Elaine Pruis
Is any software really at the point where we can install it and forget about it?
Security is a job for all of us, not just Microsoft.
As long as hackers out there have the tuits to break into systems, security is everyone's business.
I have been pwned because my
Going from an F- to an F+ isn't something to get excited about.
Now look at that domain, it's been suspended
...
They pulled the plug on the goatse
It ain't workin', someone must've screwed it
Domain points to nothin' no more goatse
It ain't workin', someone must've screwed it
Lemme tell ya, this sucks big bum
Guess I'll have to troll to tubgirl
Guess my ASCII goatse will seem quite dumb
We gotta install a new domain
We want our civil liberties
We gotta have our big ol' anus
We gotta have our goatseeeeee.
See the little faggot with the big old wang
Yeah buddy that's just the giver
That little faggot got his own man sausage
That little faggot he's a goatse queer
We gotta install a new domain
We want our civil liberties
We gotta have our big ol' anus
We gotta have our goatseeeeee.
I shoulda learned to stretch my anus
I shoulda learned to stretch my bum
Look at that gaper, he got it stickin' in the camera
Man we had some fun
I want my, I want my, I want my GOATSE!
now that i'm an MCP (sucks huh?) i'll be trying to get as many people away from the Microsoft platform to something more secure at every opportunity i can get :)
:)
i'm calling myself a trojan horse
Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
I would like to see some comparisons to Red Hat version 7.2 (since O1) compared to XP (in terms of security patches, not bug fixes).
Heck Red Hat doesn't even support it anymore! 9.0 is coming up too!
Funny, it seems to imply in the news.com article that less advisories are better than more... hell, I think my ol' comp running win98 went for many months last year without a single advisory notice when I clicking into the Windows update site. Pfft. So therefore win98 is safer than Server 2003... :P
0- Eamonman Proud member of DNRC
I thought an Incomplete actually counted as an F.
I think the appropriate grade for this would be an IP (in progress).
Does anybody remember the article where old Microsoft basically said it was the end consumers responsibility to keep things secure and not the developers? I'll have to find the article, but it's only a couple months old or so. I think the "report card" should be re-evaluated knowing that Microsoft really doesn't care about security like they claim to.
That MS is actually improving security is good for all of us.
It's about time, and they still have a long way to go, but increasing security gives less room for E-mail viruses, worms and other network-hogging exploits.
Hmm... Any chance of a class-action suit from people who do NOT use Microsoft, addressing the way their lack of security has wrecked important services for non-MS users?
After all, those of us who don't use MS have never accepted their EULAs, but they've still wreaked havoc for our systems.
Could at least lead to an even further increased MS focus on security, which would help everyone...
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
And so we have a report card that wouldn't get you accepted to a state university, by the largest, most economically endowed entity in the world.
I'm sorry, Microsoft, but you have to be held to higher standards, not lower. Open source is able to do better with infinitely less.
If a bunch of hobbyists were able to colonize the moon, would we hold back any criticism of NASA?
Or maybe we've just figured out a better way of doing things. In which case, maybe the soft spot for the dinosaurs is somewhat warranted.
They're pouring billions into it, and what do we get?
24/7 CSI shows
Terrorist weather forecasting
A dog and pony show
God spoke to me
...over the loss of goatse.cx to even make fun of Microsoft. Microsoft? Their evil is nothing compared to the evil that which destroyed the almighty goatse. This is truly a sad day for the Internet. /me cries
teh fun never stops!!!1 You pore, pore bastards.
And I'll show Microsoft a bigger market!
Until then, I'll stick with BSD, Solaris and Linux.
Just trying to figure out what needs to be updated is a pain in itself, unless you figure out that you need the MBSE. Then you need to wade through the security bulletins, which sometimes contain the patch (in varying locations of the document and with no fewer than two pages to go through to get to the patch) and sometimes tell you to go to Windows Update. Not an option when you're trying to cut a disc for a client, or are dealing with an environment that doesn't allow Windows Update for security reasons.
Grabbing MBSE and every available patch from the website and applying said patches to a fresh Windows XP installation took about two and a half hours, and was incomplete (MBSE reported four patches that weren't applied). Windows Update isn't appropriate for a fresh install because of things like Blaster that will automatically infect the system upon connection to the Internet.
Then, there's all the defaults they've got to have their system phone home, such as sa.windows.com for searches, IE automated updates, WMP automated updates (including DRM), ntp.windows.com, Automated Windows Update. Locking down a Windows XP system is an exercise in frustration.
Trustworthy computing? Methinks not. Linux/BSD/OSX may have their myriad security and design flaws (except OpenBSD, which has yet to have a remote root compromise), but Windows XP holds a special place in my heart. Microsoft has admitted they've got an issue with security, which is a good thing, but now they should really address it -- they should be doing everything possible for the user to take control of his/her system, instead of heading the other way.
It's about as big an oxymoron as Microsoft Works.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
I just heard some sad news on talk radio - Internet shock site goatse.cx was found dead in its Christmas Island domain entry this morning. There weren't any more details. I'm sure we'll all miss it - even if you didn't see the gaping anus, you've probably enjoyed one of the trolls. Truly an American icon.
They have 10-30 BILLION USD in cash/cash-like assets. Why don't they spend some of that to make their products more secure?
I am not quite sure if this is off-topic, but I'm going to take a gamble here :)
:) but I'm really bothered that this "report card" doesn't include anything from the myriad of unpatched Internet Explorer holes and the way Microsoft relicenses PATCHES... I mean, really, EULAs for PATCHES? What if I DON'T agree???
:)
:)
""There is an order of magnitude--more people using Automatic Update and downloading patches," Microsoft's Kean said."
This would be the system that gave the world the "DRM or be unpatched" situation, right? how trustworthy.... changing functionality along with a "security" patch
I know that bashing microsoft is a favorite past-time here
really HOW is this "trustworthy" ??
I am REALLY impressed by the stupidity of these "reviewers" and how easily people forget these sorts of things... kudos to Microsoft PR... AGAIN
I REALLY needed to get this off my chest
Fighting for peace is like fucking for virginity
when they can read anybodies mind.
all rights elimated.
total slaves
totally secure
Why work on the Model-T, when you can build the next generation automobile. They have to be competitive to stay in the market place. If they kept patching Windows 3.1, where would we be?
This happens because of competition. If people were looking for more secure systems, then M$ would invest in it.
Regards,
S3cuRITy A wORK In PRo9r3SS fOr |\/|1cRoSoFt
l4ST M0d1FI3d: JANUary 15, 2004, 1:16 pm PS7
by roBERt 13Mo5
5TaFf wr1tER, C|\|37 neWS.c0|\/|
Two Y3ars AfTEr (HAirmaN bilL G4T35 CAL|eD ON |\/|1(rOSOft 7wO R3dOuB|E 1t's EFF0Rts T0 sECURe it'5 SOFTwArE, 7eh (OmPa|\|Y a|\/| BE91n|\|in9 twO ma|
pert5 wH0 peN|\|ED a Rep0rT w4rn1NG Th4T m1(R050f7'5 D0|\/|inanCE 1|\| t3h iT |\/|4RKe7 CArRieS A riS| of c4t4StrOPHi( FAI|URE.
7h3 risks 7oO 7he 1t i|\|FRasTRuc7uRE hav3 eVeN MiCR0sOfT'S c0mP37iT0r5 H0pi|\|G thAT 7HE (0Mp4|\|y 9ets 17 Right.
"ON t3h MaCR0 1eVel, Yo|_| \/\/aN7 E\/eRY v3ndOR Tw0 dO a beT7ER JOB 0F sEC|_|r1TY," SAiD |\/|ARy anN DAv1d50N, 7he Ch1ef SECUr17Y 0ffiC3R aT datABAse |\/|4kEr oR4(|E.
Dav1dsON 5EES m1Cr050FT'5 fOcU5 oN 5EC|_|rI7Y, pa1R3d \/\/I7h T3H f4c7 thA7 7eH cOmpa|\|Y aDm175 T0 L0SI|\|g s41ES BEcaUSE Of 5ECur1tY 1SsUe5, aS pRoof 7h4t cUst0merS c4N dEma|\|d b3t7er prOd|_|cts. "yoU HA\/e th3 |\/|ORa| LIAb1lI7y 7w0 y0|_|r CusTOm3rs--th3y B3t Th3yrE buSi|\|E55 o|\| JoOR soFTWAre," SHE 54iD. "7Hey eXp3CT 1T No7 T0o BR3a|, aNd 7HeY SH0|_|1d 9et THa7."
foR i7's pAr7, miCros0F7 is REpEAT1NG a |\/|4|\|Tra of a YE4r a9O: PaTIEnc3--5EC|_|R17y i5 4 J0URNey.
"Yo|_| C4N't T|_|r|\| arO|_|nd The iNFr45TRuCT|_|re In 24 MO|\|7HS," s4id sC0T7 cH4r|\|Ey, a mi(roSoFt 5E(|_|riTY 57R4TE9Is7 WHO ha5 r3p3A73DLY l1KeneD tH3 1NiT14TiVE to NAsa'S 10-y3AR |\/|aRcH TWo The MOOn.
"Y0u NeEd Bett3r eDuC4TI0n, J00 NeED b3773r tOo|5, B3t73R teChnO1OGY," h3 sA1D. "AR3 wE (om|\/|It7Ed tW0 pRoV1D1|\|G tho5e 7hI|\|gs? YEs. R We maK1nG pR0gresS? YE5. bUT Am W3 A|\|y\/\/her3 neAR D0N3? |\|o."
a|\|4|yS7 O'GrAdY saiD he'D G1ve mi(rO5of7 "1|\/|PR0\/3d |\/|ARkS." "bu7 Am They \/\/h3re 7H3Y |\|Eed TO be? n0, THEY IS NOt. tEh nu|\/|berS Ind1(ATe thAt tHEy am 4T Lea5t 7A|1NG I7 5ERIo|_|s|y."
cnet NEWS.c0M'S MIke riCc1|_|7I CON7R1B|_|tED 70O tHIS RePoR7.
Oh - I thought you said "at that point where we can throw it away and forget about it."
Are Web Tech News sites exempted from good English? There were so many incomplete sentences in the C/Net article that I was shocked. This is a 'News' outlet? "Customers are better off today than they were a year ago, and they will be even better off in the future," said Kevin Kean, a group manager at Microsoft's Security Response Center. Run-on sentences (look for ', and '). "The problem is, there is still a wide base of products,". Poorly quoted. There should have been a more complete quote or a '...' at the end of the quote (instead of a comma) to allow readers to complete the sentence on their own. "Security has overshadowed things at the moment," 'things'? How about 'Security has become the priority issue in software upgrades'? "Security is only one of the four pieces of the Trustworthy Computing". Drop the 'only'. "While Slammer affected a product that had been developed prior to the Trustworthy Computing push, MSBlast--also called Blaster--exploited errors missed by the Microsoft reviews." This paragraph is complete trash. It seems to be hinting at improvements, but never says it. How about: The virus 'Slammer' affected all MS products. But those deployed after the Trustworthy Initiative were least impacted and the easiest to patch.
What a well worded articulation - almost Greenspan-ish, in the sense that it looks like he is saying something, but you can never hold him up to "whatever he is saying." And I think this quote summarises the whole article well.
It is the 80:20 rule, or in Microsoft's case the 40:60 rule. In the first year you move 40 % of the distance towards the Security Goal-Post. So, "Customers are better off today than they were a year ago." In the next year you move another 40 % towards the goal. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...
Now if the security Goal Post moves and you find yourself heading in the wrong direction, as it always does in real life, you can frame your message as follows. You are now 60 % away from the old place. So, "Customers are better off today than they were a year ago." In the next year you move another 60 % away from the old place. So, "Customers are better off two years from today than they will be a year from today." And so on and on ...
So,
And how can you be wrong when you say it the way it is said. What a well worded articulation.
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
People complain that MS hasn't lived up to their promises, but was anyone really expecting all products to automagically become secure? The initiative has to be consistent from the design table to customer installation, meaning the product base has to be renewed from the bottom up before there's a chance they'll have a chance at delivering "Trustworthy Computing". Patching current products can only get you so far.
What do you mean incomplete on the report card? I thought it was incomplete everywhere.
SEMESTER 2, 2003
PRODUCTIVITY 101 3 HRS 80% C
ECONOMICS 307 3 HRS 100% A
CREATIVITY 92 3 HRS 67% D
GOV'T STUDIES 203 3 HRS 100% A
COSC 507 ADVANCED 3 HRS 78% C
MONO 302 3 HRS 100% A
BORE 405 3 HRS 100% A
THFT 305 3 HRS 100% A
LIES 205 3 HRS 100% A
SCUR 101 3 HRS 20% F
MONO 400 3 HRS 100% A
CONV 101 3 HRS 10% F
HID 205 3 HRS 70% C
OVERALL AVG. 78% C
This explains why mediocre rules the market.
I'm sorry, but after such large-scale security issues like Blaster and Klez, I don't think it's appropriate to give them any sort of improved marks. Sure, the patch might have been out.. But security is also about education.
[sig]www.masterslate.org[/sig]
Re-writing Windows from the ground up seems to me to be the best remedy. Forcibly breaking backwards compatibility should be a design goal.
Microsoft BS7799 certified?
|/________
|\A|ALYS|
It says here, Mr Gates, that you released 32 security advisories and 21 vulnerability fixes for Windoze 2000 Server in the first six months, yet for Windoze 2003 server you 14 flaw fixes and 6 critical issues...
Would this be because W2K3 server is based on Windoze XP code and that the majority of bugs had been ironed out already in the months between the releases?
hmmmm....
I've never shoed a horse, but I once told a donkey to piss off!
that they've discovered their security problem is much bigger than they thought it was.
Sure they've progressed in terms of there's more known security holes fixed now than there was 1-2 years back, but there's also far more security holes that have been identified and at (seemingly) a much faster rate than 1-2 years ago.
In other words, 2 years ago, they rated a 4/10 in terms of security. Today, I'd say they probably rate 20/50. Overall, my impression is that they've essentially stayed in place in terms of removing security holes from their products.
If you think that I'm being unfair, consider how long it's taking new security holes to get fixed now versus 2 years ago - it seems to be generally longer.
Also, consider that MS has now taken the step of bundling security updates into big bunches, to ease the pain of applying them - that they've had to resort to this is a reasonable indication (IMHO) that the quantity of security holes being *fixed* has gone up significantly.
Finally, consider the rate at which security holes are being uncovered - it would have to start dropping off dramatically if MS was being successful in fixing their problems. That certainly doesn't seem to have happened.
O'Grady, agrees that he would give Microsoft 'improved marks,'
Have to agree there. Two years ago, it would have been a solid F (us) or 6 (de). Today it's an E (us) or 5 (de).
Assorted stuff I do sometimes: Lemuria.org
There were so many incomplete sentences in the C/Net article that I was shocked. This a 'News' outlet?
Shaddup
Below expectation. Needs to try harder
Complaints from someone who hasn't mastered the paragraph?
instead of MAJOR CRAP!
At least at the institution of higher learning I attend, an Incomplete is not immediately counted into either total credits or GPA. The student must complete the course by either 1) finishing up the necessary work, or 2) retaking the course at the soonest possible semester (excluding summer semesters). The choice of the two is up to the professor. The Incomplete is replaced by the grade earned by 1) or 2).
You forgot some things for good security.
1. Don't run most programs.
2. Watch out for chat files sent to you.
3. Don't fall for email spams.
4. don't send out bank account info to web sites received by email.
5. don't go to nigeria
6. cut the network connection
7. reboot and reboot often
8. save and save often
9. don't let teens administer the family computer
WhatMeWorry!
Seems like there are three possible sentences that could have been used:
1. Customers are better off today than they were a year ago
2. Customers are no better off today than they were a year ago
3. Customers were better off a year ago
If things have improved (as the article explains), then #1 seems appropriate. Even Freud said, sometimes a banana is just a banana.
"Getting there, must try harder and must stop looking up girls skirts." Of course I don't think Microsoft does that and I finally kicked the habit last week :)
rus
Kevin Kean, a group manager at Microsoft's Security Response Center
Did Commander Keen grow up to be a Microsoftie? That would explain a few things...
Although Microsoft is known for its security problems, the individual Microsoft programmer is a good one. Microsoft doesn't make secure products because the programmers are directed by management to prefer a nice shiny GUI instead of security.
For an indication of just how seriously Microsoft is taking security: rather than quickly fixing the bug, Microsoft is advising users to manually type URLs rather than click on hyperlinks. Well, of course, only malicious hyperlinks... but because of this bug, a scammer's link appears to be to the genuine website. Of course, they offer other gems, such as a chunk of javascript you can run to tell you the URL of the website you're actually viewing, since their software can't be bothered with giving you a correct indication. Or you can launch notepad and copy a shortcut. Yeah, everyone should have to go to the trouble of doing these steps, because they couldn't manage to get a fix out quickly (within the 1 week between the disclosure and scam artists starting to use it to trick end users into disclosing sensitive info). Microsoft also suggests viewing email as text-only... effectively reading all the html source, and changing to the high security profile (turning off all the dangerous technologies they have "innovated" over the years: ActiveX, scripting, etc...) not because they will help you avoid being tricked, but because it will limit the damage.
All because they couldn't fix this simple problem quickly.
Yeah, that's taking security seriously!
PJRC: Electronic Projects, 8051 Microcontroller Tools
because really, who cares?
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I wonder if their original plan was to extend Win98 support anyway, for "positive PR".
Seems that MS is trying to undertake PR in a very SCO-like fashion lately.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I am reading a lot of MS-bashing here. But let's take a look at some facts here:
/. crowds--me included--can be an arrogant and blinded bunch. Sure, we can sit around bashing MS and fool ourselves on how insecure Windows is, but that doesn't accomplish anything. MS is catching up /fast/; that's fact. If we remain complacent, we can fall behind sooner than you think.
Consider a pretty standard setup--the OS, plus ftpd and httpd--here's the count of errata advisory between M$ Win2k Server and RedHat 9:
Microsoft: 1, for the botched FrontPage Extension patch released in November.
RedHat: 4, for the following:
1. Dec 2nd: Updated 2.4 kernel fixes privilege escalation security vulnerability RHSA-2003:392-05
2. Dec 16th: Updated lftp packages fix security vulnerability RHSA-2003:403-07
3. Dec 17th: Updated httpd packages fix Apache security vulnerabilities RHSA-2003:320-09
4. Dec 24th: Updated 2.4 kernel fixes various bugs RHBA-2003:394-08
Not to mention I will need to think about what to do when RH9 becomes EOL in April.
Interesting.
I am by no means pro-MS here. If I had my way it'd be all qmail and publicfile. In fact, I don't have the balls to put my company's Exchange server directly on the 'net; I put it behind a RedHat box running perdition, and have qmail as the MX, behind an IOS IDS/FW.
Trust needs to be earned, and MS is slowly earning mine in the security front. I don't trust MS software enough to stick them directly on the Internet yet, but they did earn my trust to let Windows Update automatically sort things out: Not a glitch in the last 18 months.
The fact of the matter is, with a little clue as an admin, Windows can be made pretty secure. Being clueless, Linux can be made into a big wad of swiss cheese.
We Linux and
Now that you have the facts... Go ahead, mod me down.
Security at MS is a marketing thing, not a cultural thing. They're putting a lot of effort into patching Windows (because they want the world's data centres to start running it and .NET so that their future is a bit safer), but they're putting very little effort into other products - for instance IE's most recent phishing bug, which prevents it displaying anything after a "%01" in the address bar (a gift for spammers after your credit card details everywhere), was picked up well over a month ago and yet no patch exists. And don't get me started on its awful SSL implementation. IE is a good example of a relatively small product that needs re-writing from the ground up and has done ever since it was first cobbled together several versions ago. MS hasn't done anything to it, and won't, because it loses money for them anyway. They might sort out Windows with Longhaul or whatever it's called, but my guess is that they won't. With a bit of luck it will be too late for them by then anyway and Penguins will rule the world.
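The two comments above (Microsoft telling users to type URLs by hand, and IE hiding everything after a "%01" in the address bar) describe a display bug, but the mismatch between what a link looks like and where it goes can be caught before it ever reaches a browser. The following is an added example, not code from the thread, from CNET or from Microsoft: a small link checker of the kind a mail gateway or link scanner runs, which reports the host a reader would assume from the start of a URL, the host the browser actually connects to, and flags userinfo ("...@") and percent-encoded control characters in the host part. The sample URLs and sample message are constructed for this example.

```python
"""Link checker for "looks like site A, connects to site B" URLs.

Added example; not code from the Slashdot thread, CNET or Microsoft.
All sample URLs and the sample message below are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Percent-encoded control characters (%00-%1F, %7F) in the authority part.
CONTROL_CHAR = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_link(url: str) -> dict:
    """Return apparent host, actual host and a list of findings for one URL."""
    authority = urlsplit(url).netloc          # text between "//" and the next "/"
    # RFC 3986: everything before the last "@" is userinfo, not the host.
    userinfo, at, hostport = authority.rpartition("@")
    actual_host = hostport.split(":")[0].lower()      # IPv6 literals not handled
    # What a reader sees first after "http://" is what they assume the site is;
    # decode it and drop non-printable characters before comparing.
    shown = userinfo if at else hostport
    apparent_host = "".join(
        ch for ch in unquote(shown.split(":")[0]) if ch.isprintable()
    ).lower()

    findings = []
    if at:
        findings.append("userinfo before '@': the text shown first is not the destination")
    if CONTROL_CHAR.search(authority):
        findings.append("percent-encoded control character in the host part")
    if at and apparent_host != actual_host:
        findings.append(f"looks like {apparent_host!r} but connects to {actual_host!r}")
    return {
        "apparent_host": apparent_host,
        "actual_host": actual_host,
        "suspicious": bool(findings),
        "findings": findings,
    }


def scan_text(text: str) -> list:
    """Return (url, findings) for each suspicious http(s) link found in text."""
    hits = []
    for url in URL_RE.findall(text):
        result = analyze_link(url)
        if result["suspicious"]:
            hits.append((url, result["findings"]))
    return hits


# Constructed sample message: one ordinary link and one disguised link.
SAMPLE_MAIL = """Dear customer,
Help pages: https://www.example.com/help
Please verify your account at http://www.example.com%01@attacker.example/verify
Regards"""


if __name__ == "__main__":
    for url, why in scan_text(SAMPLE_MAIL):
        print(url)
        for reason in why:
            print("  -", reason)
```

The same check applies to the older "user:password@host" form: any authority with userinfo is reported, whether or not a control character is present.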
An incomplete after a while becomes an F at most colleges....and since it's been going on for more than two years.
Let's get this straight: You copy and paste a few hundred lines of legitimate SCO code into notepad, compile it with Dick Stallmin's half-assed compiler, change the name, and you're a fucking hero.
Please, someone deport that communist nigger back to Scandinavia.
You can find more information about the "Trustworthy Computing" initiative on this site. Quite cool that it still exists, actually. :-)
Learn to format your /. posts and they'll learn to appease ultra-grammar-freaks like yourself.
"We invented personal computing." - Bill Gates
This is truly the saddest day in the history of the Interweb.
It's worse then 9/11. We must bring goatse.cx back, or the terrorists will have won.
BTW, in the meantime, here's a mirror.
Delaying OSS development via lawsuits and
other means (babes@personal.osdn) is likely to
increase the national security :-)
Yours In Jesus,
Bribe Doors
I was able to implement DHCP-updated DNS entries with BIND 8, several years back. It wasn't as EASY as it is with BIND9 (and possibly DJB. I don't use it) but the capability was definitely there.
The first rule of MCP club is you do not talk about MCP club.
Now go set up franchises all over the country.
>Microsoft doesn't make secure products because the programmers are directed by management to prefer a nice shiny GUI instead of security.
Apple has some good programmers
Apple management has a GUI focus
Still Apple doesn't make conceptual security flaws like requiring root privilege for any user to perform even the most basic tasks.
--
Every program has two purposes -- one for which it was written and another for which it wasn't.
cp is rock solid for me -- it just doesn't do much more than copy... As we add features and systems become more powerful, problems will come up regardless of the vendor.
The question isn't one of whether or not there are problems, the question is how they are dealt with, and *that* is where the focus should be for a report card like this.
dmiessler.com -- grep understanding knowledge
You don't see critical updates for OpenOffice, do you?
looks that way.
we haven't bought any virotic BugWear(tm) in years, but some of our customers are still hostages of the felonious kingdumb, & spend A LOT (time/money) trying to keep the infactdead softwar gangsters' bogus spyware kode working. seems like a fool's errand that never ends?
we give them a F for still FUDged.
The way I see it, the argument that programs "need not be fast" is saying that most things we do with our computers (web browsing, listening to music, writing email and word processing) aren't terribly processor intensive. The bottlenecks are usually storage speed and user response. Even the newest and greatest DDR3000 memory can't send data anywhere nearly as fast as a 500mhz PIII can execute it. Same thing with hard drives and network. It's also true that most user interaction is the slowest part of most operations. If you're typing in MS Word (or OpenOffice.org ;), your processor is sitting there going "OK, type another letter!" about 2 billion times a second.
That said, our requirements (I assume you're with me, cause you're compiling stuff...) are a little different than the average user. I manage to hit 100% CPU utilization pretty regularly due to compiling, POV-Ray, starting Mozilla, etc.
Just the fact that it doesn't have to be fast doesn't mean it can't be, but I figure the less time the developers spend making Windows 0.0000001 second faster at popping up the start menu the more time they spend fixing bugs and security holes.
Karma: Contrapositive
RedHat taking action to fix bugs in short order, while Microsoft drags their feet and doesn't even fix some holes deemed "low-risk." I'll take the OS from the company which has shown the commitment to supporting their customers over the one from the company that *says* they will.
"The best laid plans of mice and men gang oft agley..." - ROBERT BURNS
What the hell? Not far to go?!?!?!?!?!?! Who the fuck is paying the morons at C|Net to lie about this shit? MS got hit with more worms last year alone than it ever has. So, how is it now more secure???? C|Net is a bunch of MS whores!
All of that being said, no technology area is devoid of security flaws. Look at the recent attention given to H.323 standard vulnerabilities due to default ASN.1 parsing. That affects many vendors and product lines. Today I read an ISC diary entry detailing a couple of exploits that affect non-Windows environments. Apache, OpenSSH, QMail, Sendmail, etc. have all had their share of recently announced flaws.
Of course Open Source Software *should* be more secure since many eyes can review the code as it is maintained and updated. But the fact that nevertheless there are significant flaws and exploits in this area further proves my point. Microsoft is the largest software company on the planet so of course they have a target on their back. There are no doubt many third party organizations dedicated to doing nothing but trying to break Windows in order to submit security reports. Of course there are anonymous black hats doing the same but for other obvious reasons.
If the same manpower and effort was dedicated to breaking Linux and OSS applications (which currently have much less exposure and market share) I am sure that even more holes would be poked into what most folks on this board defend as being the silver bullet against corporate greed, monopolistic tyranny, and gaping security holes.
We're not going to hold a software company responsible for selling a product that risks the data on your system by leaving itself vulnerable to normal user actions? What next, advisories that you shouldn't drive north because cold weather might make the wheels fall off your car at speeds in excess of 40 mph?
If I surf to a site, or open a random attachment in a viewer, and my system dies as a result, that software is defective by design. Any company that tells me I can't do either of these things with their products is admitting that they are knowingly selling defective software.
Really, though, it's the users who shell out significant coin buying products that are known to be defective that need to change. If users won't hold a vendor accountable for their miserably defective garbage by not buying it, I guess the user community deserves all the pain that bad decisions cause. At least they could be rephrasing their complaints as "I bought a piece of crap and it exploded when I used it. I made a stupid decision." rather than "I surfed this site and my PC blew up. Bad site! Bad, bad site!"
Also, last fall a few more former security companies knuckled under and now no longer engage in disclosure. Without some semblance of public disclosure, there is no way for sysadmins to verify that their systems are/aren't vulnerable or to verify if the patch worked or not. Talk about putting one's head in the sand.
The problems from that company are as severe as before, perhaps worse. For those still stuck with that company's products, 2004 will be a hard year, especially if its customers run afoul of privacy and other regulations as a result of the product.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I think that would be an "F".
You'd think if they were truly serious M$ would root out and correct these as the #1 security priority....
But what do I know, I'm just a coward...
Well OK, I guess it's probably Red Hat. But I haven't been "scrambling" at all, and I don't think the difference really comes down to me using Debian instead (in the long run).
You can't compare total number of security advisories between Red Hat and Microsoft and get any kind of reasonable data. Microsoft sells an operating system and a few applications, several of which are integrated into said operating system. Red Hat sells an operating system and hundreds of applications. All but the most basic, core tools are installed because you decided they should be. Most of the Debian Security Advisories that hit BUGTRAQ don't apply to any of my machines. With Microsoft, nearly all of the advisories that hit BUGTRAQ apply to my machines (with the exception of IIS and SQL Server, but gee! if I want to use SUS, I'll need IIS too, because we MUST use a full Web browser/server for software updates! Oh, and that's OUR Web browser and server, thanks.)
Don't use Media Player, Outlook Express, or Internet Explorer? Sorry, but we've decided that it's really important that your machines have all of those, including your servers. I don't have to install Mozilla and MPlayer on my Linux servers. I just install what I need. MS has added support for partial "uninstallation" of some software, but it seems to get put back after certain updates, and you can't get rid of IE.
I don't need the pretty point-and-drool GUIs on my servers, and Linux gives me that choice. I choose to install less software and be more secure. Microsoft doesn't offer choice, and doesn't want choices to be offered. That's the difference, and I don't think it's going to change any time soon. All of the security initiatives in the world won't change their corporate culture.
WMBC freeform/independent online radio.
Of course Ballmer's upset, even late comers like HP are raking in sums like $2.5bn on Linux. That's not even counting the extra productivity from having a more secure design.
Even the regular employees know the gig is up and more than half have cashed in their options, even Uncle Fester himself cashed in. I'm sure the fact that the options come out of your U.S. taxes (in the form of a write off) has something to do with the accounting as well.
Parmalat, Enron, Worldcom, Microsoft.
Many of the problems have been embedded in their corporate culture from Day 1. It's gonna take a long time to train *everybody* to think first about how some new whizzy feature might work against the security of the system as a whole, especially in a place where (apparently) whizzy features are the medium of exchange, and the more you can coin the richer you are.
They liken securing their code to NASA's 10 years to get to the moon...
So that must mean it will take Open Sorcerors 20 to 30 years to make secure code because the Open Sorceror model is "ALL WRONG"...
Can I make you some sandwiches?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
As someone else already pointed out, lftp is a client. That aside, I almost never run FTP on any of my servers. SCP clients are freely available for any operating system I can imagine someone using as a desktop. Perhaps there is a need for you to run anonymous FTP, but in that case you can select a secure product like publicfile.
Also, you can't have a Microsoft server with just an HTTP and FTP server. You must have a full GUI and fully featured Web browser with a _terrible_ security history in order to get security updates. You simply can't strip out features you don't need to the degree you can in Linux.
Why is it an important feature for _servers_ to be able to be set up with "a minimum amount of clue"? Aren't there hundreds of unemployed IT folks out there? Your company should at least be able to bring in a consultant to do the initial setup and show someone how to maintain it. You don't have Bob from accounting install the real-world security system. Why are computers supposed to be different?
Yes, Microsoft is getting better. But the diagnostic tools for figuring out why something is going wrong suck (though third parties help out here as much as they can). They still have EULAs for security updates, and their service packs don't offer an option to install all the security updates without the new "features". They still want to be the ones in control of the computer, and that's not what I want. Pivx have proven via their QwikFix tool that the default settings could certainly be locked down tighter while having no effect on most people (Windows admins: check this tool out. It would have stopped Blaster even on unpatched machines.)
As for RH9 making an early trip to the gulag, I've heard that Progeny will be offering support for some Red Hat versions. This also illustrates that commercial Linux distributions are vulnerable to some of the same hazards as commercial proprietary software. The difference is that if you were REALLY inclined, you could create your own updates for Red Hat 9, which is why companies like Progeny can do it too. Or with something like Debian's apt-get source -b [package], you could keep even an unsupported version of the OS going. And yes, for the people who still need it, the 2.0 kernel is still having new releases. As it is in many other areas, the difference is the availability of choices.
I'd like to see 90% of end-users using Linux and then see how secure it actually is... Note that these 90% will do _every_ possible stupid thing which will compromise security. Similarly, all the script kiddies, virus writers etc. would know that there is this huge bunch of potentially stupid guys (who do not know anything about security) using Linux. Now that would be a good security test (remember that many of these guys would also be admins by themselves...) for Linux (actually it would simply prove that Linux could not be used by these guys...).
(Total number of infected machines) divided by (Total number of windows machines) = 0.0000000004
A pretty damn good record
I have to ask:
If you think being an MCP sucks (I'm not one, nor do I plan on being one, so I wouldn't know), why did you even bother taking the exam? Was it for employment possibilities? Job requirement? If that's the case - and I'm assuming that you would prefer to do other (perhaps Linux) systems work - why not market that instead? If you're strong in other systems, you're definitely employable.
being .compared to georgewellian fuddite corepirate nazi softwar gangster felons/execrable.
Come on, this was a bad year, though everybody seems to pretend that nothing happened.
In the span of six months, GNU was hacked twice, and GNOME, Gentoo, and Debian were all breached. And according to Linux's dirty little secret, LinuxSecurity.com, dozens of new holes in OSS software are discovered every week.
Where is the Slashdot article on that?
"Sufferin' succotash."
bignutz@linux [~/work/bin] $ locate .vim|grep syntax|wc -l
345
bignutz@linux [~/work/bin] $
exploits is the key. OSS encourages people to point out their bugs and flaws, because they care about the product they release to the world. M$ discourages people from mentioning their shortcomings. The site that listed all the unfixed IE bugs was taken down due to a request from M$. The DMCA prevents people from mentioning anything they learn from decompiling programs. (You don't think that stopped them, do you?)
So, it makes sense that M$ has had below average exploits published last year.
you look at the programs that NO ENTERPRISE WANTS TO ADOPT early. windoze 2k didn't gain wide acceptance until 2002 and 2003 server and its cohorts probably won't grab the same market share that 2k has overall, because of its massive security and compatibility issues.
"You never want a serious crisis to go to waste." - Rahm Emanuel
You thought ALL bugs in open source software would be eliminated? Sorry to sound flip, but like are you new to the world of computers and software or something? The point isn't that both Linux and Microsoft software have security problems; that will ALWAYS be the case. The point is with Linux and OSS software security problems are fixed quicker and can't be covered up and ignored like in the commercial world. Shit, they have the freaking code to OSS and even according to you the amount of critical bugs was the same as MS's? Is there any more damning evidence against closed source software? I mean if all of the holes are in the open and it isn't a 100 to 1 ratio against OSS, doesn't that say a shitload about the quality of OSS software?
Most Linux admins I know were not scrambling just as much as MS ones. In fact, talk to anybody in the industry and that is just par for the course. Linux admins as a whole enjoy better uptime and fewer security problems. If you feel differently, be assured that you are in fact in the minority.
So No, OSS security Didn't "suck" in 2003 as you Trollishly put it. It sounds like the security practices and linux experience level at your company sure does though.
If you wanna get rich, you know that payback is a bitch
I think a lot of the crap problems that happen on a Windows box stem from the fact that just about everyone using XP/2000 at home is running with admin privileges.
This is obviously not a good idea, but it's necessary. Games particularly are bad about this; half of them won't run without admin rights. I don't know who to blame for this. Microsoft should make it easy to operate as a regular user, not an admin. But software should be written to work with regular users, not just admins.
Yeah, Outlook is still shiat. But hey, people want a pink background on their email; there's no way around it. Maybe we should send PDFs back and forth. The days of plain text email are long gone, face it.
Imz.
That's not a bug, that's our business plan!
http://www.editplus.com/
It can upload/download entire projects via FTP. {You can do SFTP by tunnelling a self-hosted FTP server forward to an SSH server, until there is native support.}
It remembers files that were opened when you exit.
It supports all languages, and defining a new syntax highlighter is a piece of cake.
Syntax: C:\Program Files\EditPlus 2\perl.stx
AutoComplete: C:\Program Files\EditPlus 2\perl.acp
It can compile stuff in the output window using CTRL-1,2,3,4,5,6,7,8,9,0 (for group 1-10) [up to 100 commands possible via keyboard]
Tools->Configure User Tools...
Add Tool->Program
Menu Text: Perl 5.6 compiler
Command: c:\Perl5.6\perl.exe
Argument: $(FileName)
Init Dir: $(FileDir)
Capture Output [x]
Do the same for any other tools.
Click [OK]
[You can also configure other debug mode console tools if you want via cygwin]
Type CTRL-N, type some perl,
print "\n\nHello World\n\n";
hit CTRL-1
Have fun! =)
Dude, Windows has EASY security updates.
I use Gentoo Linux... and had my box rooted right out in front of me.
And more often the Linux security updates cause the computer not to boot!
(I updated some stuff on SuSE with their updater... and blam, my boss was pissed at me, cause he told me NOT to update the boxes, and I was being paranoid about outsiders... but the SuSE update (kernel update) caused the computer not to boot even!)
Anyway, my Gentoo was rooted, and I've had viruses on my Windows... er... DOS on my 286 from a floppy... and from letting other people use my Windows with infected floppies...
IMNSHO Linux is more difficult/mystic to keep secure... however, it is getting better, and it's free... and I don't have to keep track of stupid serial numbers or pay for it.
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
Why don't we just forget about making Windows secure? Indulge me in my imagination -
IMHO, Windows made pretty bad choices, as much as it earnestly strives to be a network OS. I think the networking layer doesn't come up till pretty late in the bootup, for one...
But anyway, if that's the case, since processors are getting more powerful, Linux is our emblem for stability and security, and emulators are becoming so available, couldn't we just have a Linux without GNOME or KDE, but just run a fullscreen emulator on top of that and serve Windows (or any OS) to the currently logged in user?
In this way, we can run "baby" SCALED DOWN (yes, not bloated...) single-user OSs for users - and users get to customise their computing experience beyond choosing their favourite WM or desktop manager.
Yes, Linux will become pretty invisible/invincible - but for most non-un*x users out there, I think they don't really care what's running below.
Ah well, but that's just my imagination. But I think it'd be cool for institutions to have such distros installed; then there wouldn't need to be "unix" labs different from "windows" labs. But I guess we need to wait for machines to be miraculously twice as powerful as software needs them to be for this to be less of an imagination.