Microsoft Sits on Security Flaw for Six Months
pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over six months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
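The story names only the component (the ASN.1 library) and the paths that reach it (Kerberos, NTLMv2, SSL certificates), and gives no detail of the flaw itself, so nothing below describes the Microsoft bug. As an added example, not code from this page, from Microsoft or from eEye, here is a defensive BER tag/length decoder in C of the kind any ASN.1 parser that takes certificates or Kerberos tickets off the wire needs: every attacker-supplied length is checked against the bytes actually present before it is used for indexing. The function and type names are mine, and the sample inputs are constructed for the example rather than taken from any real certificate or ticket.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding one BER tag/length header from untrusted bytes. */
typedef enum {
    BER_OK = 0,
    BER_ERR_TRUNCATED,        /* header or declared value runs past the buffer */
    BER_ERR_INDEFINITE,       /* 0x80 indefinite length: not allowed in DER */
    BER_ERR_LENGTH_TOO_BIG,   /* more length octets than size_t can hold */
    BER_ERR_NONMINIMAL,       /* DER requires the shortest length encoding */
    BER_ERR_UNSUPPORTED_TAG   /* multi-byte (high-tag-number) tags not handled here */
} ber_status;

typedef struct {
    uint8_t tag;       /* identifier octet */
    size_t  hdr_len;   /* octets consumed by tag + length */
    size_t  value_len; /* declared value length, already checked against the buffer */
} ber_tlv;

/* Decode the tag and length of the TLV at buf[0..len). The declared length is
 * not trusted until it has been compared with the bytes actually present, so
 * a caller may then index buf[hdr_len .. hdr_len + value_len) safely. */
ber_status ber_read_header(const uint8_t *buf, size_t len, ber_tlv *out)
{
    size_t pos = 0, value_len = 0;
    if (len < 2) return BER_ERR_TRUNCATED;                 /* need tag + first length octet */
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return BER_ERR_UNSUPPORTED_TAG;
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        value_len = first;                                 /* short form: 0..127 */
    } else if (first == 0x80) {
        return BER_ERR_INDEFINITE;
    } else {
        size_t nbytes = first & 0x7f;                      /* long form: number of length octets */
        if (nbytes > sizeof(size_t)) return BER_ERR_LENGTH_TOO_BIG; /* would not fit, never shift it in */
        if (nbytes > len - pos) return BER_ERR_TRUNCATED;           /* length octets themselves missing */
        if (buf[pos] == 0x00) return BER_ERR_NONMINIMAL;            /* leading zero octet */
        for (size_t i = 0; i < nbytes; i++)
            value_len = (value_len << 8) | buf[pos + i];            /* safe: nbytes <= sizeof(size_t) */
        if (value_len < 0x80) return BER_ERR_NONMINIMAL;            /* short form was available */
        pos += nbytes;
    }
    if (value_len > len - pos) return BER_ERR_TRUNCATED;            /* value would run off the end */
    out->tag = tag;
    out->hdr_len = pos;
    out->value_len = value_len;
    return BER_OK;
}

/* Convenience wrapper returning only the status of the outermost header. */
ber_status ber_probe(const uint8_t *buf, size_t len)
{
    ber_tlv t;
    return ber_read_header(buf, len, &t);
}

/* Walk SEQUENCE { INTEGER } and return the small non-negative integer, or -1
 * if any header is malformed. The inner parse is bounded by the checked
 * seq.value_len, not by the caller's len, so nested lengths cannot escape. */
long ber_seq_first_int(const uint8_t *buf, size_t len)
{
    ber_tlv seq, num;
    if (ber_read_header(buf, len, &seq) != BER_OK || seq.tag != 0x30) return -1;
    const uint8_t *inner = buf + seq.hdr_len;
    if (ber_read_header(inner, seq.value_len, &num) != BER_OK || num.tag != 0x02) return -1;
    if (num.value_len == 0 || num.value_len > sizeof(long) - 1) return -1;
    long v = 0;
    for (size_t i = 0; i < num.value_len; i++)
        v = (v << 8) | inner[num.hdr_len + i];
    return v;
}

/* Constructed sample inputs for this example (not real certificate or ticket data). */
const uint8_t sample_good[]   = {0x30, 0x03, 0x02, 0x01, 0x05};                         /* SEQUENCE { INTEGER 5 } */
const uint8_t sample_huge[]   = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff};                   /* claims ~4 GiB, supplies 0 bytes */
const uint8_t sample_nonmin[] = {0x02, 0x81, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05};       /* length 5 written in long form */
const uint8_t sample_indef[]  = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00};             /* indefinite-length SEQUENCE */
const uint8_t sample_toobig[] = {0x30, 0x89, 0x01, 0, 0, 0, 0, 0, 0, 0, 0};              /* nine length octets */

int main(void)
{
    printf("good   -> %ld\n", ber_seq_first_int(sample_good, sizeof sample_good));
    printf("huge   -> status %d\n", ber_probe(sample_huge, sizeof sample_huge));
    printf("nonmin -> status %d\n", ber_probe(sample_nonmin, sizeof sample_nonmin));
    printf("indef  -> status %d\n", ber_probe(sample_indef, sizeof sample_indef));
    printf("toobig -> status %d\n", ber_probe(sample_toobig, sizeof sample_toobig));
    return 0;
}
```

The point of the ordering inside `ber_read_header` is that the length octets are counted and bounded before any of them is shifted into `value_len`, and `value_len` is compared with `len - pos` (never `pos + value_len` against `len`, which can wrap) before anyone allocates or copies on its basis. A decoder that does those two comparisons in the wrong order, or trusts the declared length for a `malloc` or `memcpy` first, is the usual way a length field turns into memory corruption.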
I guess it's time to start coding, isn't it?
People don't exist to serve systems, systems exist to serve people.
Really? Then they've gotten better than the last time I've checked.
News would be Microsoft releasing a product without any bugs or security flaws!
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
It is unfortunate that an otherwise healthy piece of software has been found to have a problem of this scale. However I do have good news for software users everywhere: in two years, there will not be any more buffer overflows.
To understand why buffer overflows are going away, it is important to understand current trends in the software industry. Much has been read and published about what Americans call "outsourcing", which is the practice of hiring more competitively priced labor.
Where I work in Tirupathi India there are approximately 100 paid programmers, including myself. In addition to us, there are approximately 250 unpaid programmers working on the lower floors. They have "read-only" access to our source code, and may browse the source code repository at will. Because of the abundance of Computer Science graduates here and the scarcity of jobs, only the best are able to move from unpaid to paid labor. As each of the paid programmers checks in code, the unpaid programmers review it, probing for weaknesses and security flaws. If a buffer overflow is found, it is reported to a head programming manager. The programmer who found the security flaw is promoted, often from unpaid to paid. The programmer who made the error is demoted. In the case of buffer overflows, which we are told at the beginning are the worst, worst, worst thing, the offending programmer is removed. This, actually, is how I moved from unpaid to paid. And I spend at least half of each of my days (about six hours) at work inspecting my own code to ensure that I cannot be removed. I do not make security mistakes ever. To put it in simple language, I have a family to feed.
There is also the cold room, where the programmers who make buffer overflows go before they are removed. I have not seen it. But I know that they make sure not to leave marks. They put you in a metal room, and there is cold water and a hose. It is motivating. I will not go there.
-Srividya.
Hey, why not more?
http://sourceforge.net/projects/pound/
http://sourceforge.net/projects/yabause/
http://sourceforge.net/projects/jxmas/
http://sourceforge.net/projects/modp-driver/
http://sourceforge.net/projects/cdctl/
2002? 2000?! Shut your trap. All software everywhere has bugs and problems that may go ignored. Linux is not some sort of fucking holy grail of operating systems, immune to all bugs.
Linux zealot mods, the drop-down by this post should read "Underrated" or "Interesting" but instead reads "Troll" or "Flamebait".
*sigh*... I have two comps, one runs Slack, the other runs FreeBSD. Seems I just can't win....
Hey man,
Do you like, have bets on which OS will die first? 8)
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"