Microsoft Drops Next-Generation Security Project [updated]
grooveFX points to this CRN article which starts "After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said..." grooveFX writes "Glad to see they actually listen to the gripes from the media and users." Update: 05/05 19:13 GMT by T : phil reed writes "Oops. According to this article on Microsoft Watch, Microsoft really isn't giving up on NGSCB (aka 'Palladium') after all. Microsoft spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology."
If this goes well, they plan to cancel all security projects.
I thought that's what patches and hotfixes are for in M$ land.
Palladium was too ambitious. It's nice that they're at least going with memory page protection.
------- "From bored to fanboy in 3.8 asian girls" ----------
So, what does this mean for 'Trusted Computing'?
Isn't NGSCB Palladium?
Surely this is pretty good news and indicates that MS might not be so able to force these kinds of security measures on their customers.
Although I imagine, knowing Microsoft, the problems were at least as much technical as political, and they just gave up considering it to be "too hard and we can't be arsed", just like WinFS.
This sig has been deprecated.
I've got three suggestions for Microsoft on the issue of security:
Like the airlines think Saftey, Saftey, Saftey - Microsoft need to adopt the slogan.. Security Security Security
Simon
just without all of the "security" it was supposed to bring us. Bwahahah!
All you need to do to get a secure Windows OS is... upgrade. Big surprise.
They have cancelled security? What next? Will Microsoft stop supporting Linux? Oh no!
Don't blame Durga. I voted for Centauri.
Their Next Generation security project was doomed from the start once Lore kidnapped Data and took his place in the landing party.
I watched C-beams glitter in the dark near the Tannhauser gate.
..that the "revised security plan" will make heavy use of the recent advances in obscurity technology.
pi = 3.141592653589793helpimtrappedinauniversefactory7
Microsoft has security projects?
Of course I have to question this release when on the same day I read about hotmail and msn whitelists.
Perhaps there will be a "whitelist" for longhorn? "Pay up and we'll give you a list of users and a bonus clue to a security hole!".
~~Guildencrantz
Penguin Trivia #46: Animals who are not penguins can only wish they were. -- Chicago Reader 10/15/82
This is Palladium, and it has not been "dropped", only shelved because it was too ambitious. They say they've invested too much on this not to take advantage of it.
I'm out of my mind right now, but feel free to leave a message.....
Trusted computing, therefore, facilitates reduction of competition.
Microsoft also lowered the hardware requirements for Longhorn from 2x4GHz procs to a single 1GHz proc, citing the decrease in complexity of DRM, which will free up much of the needed processing power.
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
...bypass virus scanning for malware authors who pay Microsoft?
What makes you think they are listening? They are presumably publicly "killing the project named NGSCB", quietly inventing a new name and happily keeping working on that, less publicly this time. Now that they have used the publicity of Palladium/NGSCB to make initial "front door" contacts in the entertainment industry, they know who to expect at the "back door".
The ol' "keep renaming the thing so people don't have a steady label for what they are fighting". The British Sellafield->Windscale->THORP nuclear shenanigans, the last Palladium->NGSCB name change, TIA->something-or-other. All the same propaganda trick.
The solution for opponents is to either keep using the old name so that the public latches onto it (everyone still calls it "Sellafield" and, to an extent, "TIA"), or invent your own name and get it to penetrate the public consciousness (much harder; the only example I can think of is "Infidel").
What we need is "No Executive" security technology. Even the greatest security tools can be hogswaddled by the pointy hair types.
[/obligatory upper-management jab]
This one gang kept wanting me to join cause I'm pretty good with a bo staff.
Anyone?? Bueller??? ...
Free Mac Mini Yeah, it's
Glad to see they actually listen to the gripes from the media and users.
Microsoft doesn't listen to the media and the users, they listen to their shareholders and their finance guys. And they are saying that Windows looks like crap when it comes to security, undermining the credibility of the product, in turn threatening the sales and therefore their dividends.
Microsoft listen to users? Bah... If they did, they'd have jumped on the internet bandwagon much earlier. They're going about the whole security thing just like they dealt with TCP/IP and the web: they're thrashing to catch up. And the sad thing is, they probably will sooner than you think...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Microsoft never lets projects really die. They may kill off other companies' projects, but never their own.
What they are doing, as they have done in the past with such flops as Bob, is slowly merge the improvements and features that they planned on delivering in a single project into their whole lineup across the board. As the article says, Longhorn is planned to incorporate this security technology.
While this is by no means a cure-all for the problems that Windows faces, it is a step forward in computing. Whereas legacy systems such as Unix are finding it harder to support newer hardware features such as the NX codes in the latest AMD and Intel chips, the deep corporate partnerships that Microsoft has with these companies allow them to bring such technologies to the public at a faster rate than otherwise possible.
That said, Windows sucks, has sucked, and will continue to suck. Linux shows it up every single time. Not to mention that Linux's security structure is already designed to thwart the exact problems that Microsoft is attempting to stop.
I have been pwned because my
Longhorn's Visual Basic code base is going to be its downfall. Managed code is all very well on paper, but Microsoft have taken it too far. They are letting the compiler do all the work - but that's like putting all your eggs in one basket. Once someone decrypts MSIL then all hell will break loose!
First they cancel WinFS, now the NextGen Security stuff, they just delayed it to 2006 and they just announced the hardware specs that are totally way off. Next thing they cancel is Avalon and they will delay it to december 2006. In the end it will be a minor upgrade such as WinXP was to 2k with some boring new stuff and an ugly new GUI-theme. We've seen this before. This won't stop them from calling it the biggest step since Windows 95. well, nothing to see here. Move along...
;-)
Actually, it's good for the Linux Community that Microsoft keeps making the same mistakes again and again. Ahh..old faithful!
Maybe Miguel will now rethink his very stupid "I'm scared, I'm very scared" quote he made a few days ago...
...and that would be?
Can we please get this modded past all the responses that seem to think that NGSCB has something to do with security. NGSCB aka Palladium is/was Microsoft's locked down "trusted" computer project, meant to facilitate DRM. It never had anything to with security save for in name and spin.
This is a good thing of course, but I seriously doubt it means that that Microsoft won't find other ways of sneaking locked down computer on us in the future...
We are getting to the stage where a fair chunk of PCs connected to the Internet are destined to die. It's reasonable to assume that MS has performed a kind of triage:
- Home PCs are beyond the reach of any help. Whatever is done is already too late. Home PC users will have to migrate to Linux within 6-12 months or face working without the Internet.
- SMEs can be protected with additional work. SMEs need better firewall security and better patching methods.
- Most enterprise computing is safe as is. Many data centers will switch away from Windows for cost and reliability issues but the ones that can't will remain faithful Windows clients.
So Microsoft has to concentrate on helping the people who can still be saved, namely SMEs that have several PCs behind a shared internet connection. Having seen three of my friends' PCs dead today from Sasser (MSIE rebooting without end, and no way to do anything else on the system), I'm rather sceptical that home computing can be saved.
Sig for sale or rent. One previous user. Inquire within.
Why apologize? Instead we will gloat that this outrageous bad idea was shot down, and we hope that at least in small part this was due to the outcry from the tech community.
Please stop making the mistake of thinking that NGSCB was ever a security project. It is simply the newer name for "Palladium", Microsoft's total lockdown and DRM system to create a "trusted" (by the music industry, not by you) computer.
Microsoft dropping this is good in every way, except that its ghost will return in other forms for sure...
the witch is dead!
As time goes on, hopefully MS will get more and more tied up in antitrust limitations, and everyone will get bored of DRM schemes that get cracked. At the current interval between MS releases, that'll happen before the thing after Longhorn.
In soviet russia stale jokes recycle you!
Sounds well and good, but I can think of at least two questions: has anyone in the linux community looked into making use of this and, if not, why not?
The witch is dead, but will likely by replaced by an ogre or a kraken.
Of course not. Since when do zealots ever apologise?
Most buffer overflows go away.
In a recent interview with WinEvil.com, Gates confirmed, "Yeah, it [the NGSCB] just wasn't eeeevil enough for us. We've got a history of setting the evilbar pretty high, and our current efforts were "extremely irritating" at best... We're looking for true unadulterated mindbending evil, and we know our customers won't settle for anything less. Give us a chance -- you won't be disappointed."
Gates then proceeded to use a Windows XP CDRom as a prism to magnify his own inner evil until it was focused enough to melt a cute puppy, drawing appreciative applause from the crowd of evildoers. The crowd then had a huge WindowsXP InstallFest and cut off their own testicles in preparation for the comet Zurg's arrival to take them away.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
It takes an MMORPG or a simple PC game 3+ years to make, MS seems to throw out OSes every couple of years, what's wrong with this picture? There is no need for Windows 2003, they should have secured 2000 and waited to build a solid secured OS, say in like 2006. MS needs to buck up, get with the program and stop wasting people's time. Just my 2 cents.
- WinFS wasn't cancelled. It was scaled back so they could deliver what worked in a reasonable timeframe.
- Microsoft hasn't announced hardware specs. What you're referring to is what a bunch of watchdog folks are GUESSING will be the hardware specs.
- WinXP is much more stable than 2k. If you consider stability a "boring" enhancement, well, I bet you're in the minority.
They'll just insert a coupon with Longhorn saying that users will get the Free Security upgrade when Half Life 2 ships, or when someone believes the "free beer - tomorrow" sign, whichever comes first.
Like they ever had a security project in the first place
Expect the DRM lockdown initiative to be back with a new name, probably not long after some virus or worm scare that captures vast attention.
1. use new-style page tables (Pentium Pro and up)
2. for mmap, if(!(prot&MAP_EXEC)) set the NX bit
3. set the NX bit on the stack
There's a minor extra snag in supporting old binaries. Many old binaries expect to get execute permission for free. If you want these buggy old apps to run correctly, you'll need to ensure that the NX bit is only set for new apps. You could have new compilers add a flag to the executable to request NX usage. Alternately, you could just let the old apps fail. There could be a sysctl for an admin to disable NX usage if really needed.
Some basic thoughts:
-Most people bristle at the restrictions that most security measures impose on them for any system. (Remember passwords, PINs, where the keys are...)
-Others are troubled by the privacy issues involved. Centralized control of authentication by a single designated authority, whether it be government or corporate.
-Understanding of the whys and hows of security still eludes most users.
-Corporate interest in controlling the development of their systems without any intervention from third parties, mostly driven by profit motive. This is wide open to abuse in the centralized authentication model, whether it is abuse by cost or abuse by invasion of privacy.
The bottom line: Crackers find ways to exploit these areas.
How to prevent this from happening:
-Shift the responsibility of the problem to the user. They must keep their PCs secured and up to date.
-Require yearly testing of the user's knowledge by state governments. If someone can't maintain a PC properly, they shouldn't be on the net. You wouldn't let someone on the road with no driving lessons or who regularly has accidents now would you?
-Government should regulate PCs, but there needs to be oversight that is done by citizens like you and me. The government should be accountable to us.
-Vote NO on George W. Bush and don't buy software from Microsoft because they are all evildoers
Thank You for the Opportunity to Edify all of your minds.
(In MS Meeting Room 30 feet below Earth's surface)
PHG (pointy hair guy): Right. We killed the old plan.
MSGurus: Hooray!
PHG: Everyone gets a bonus.
MSGurus: Hooray!
PHG: We have a better plan.
MSGurus: Hooray... we think.
PHG: Because we spent so much time and money on the old plan...
MSGurus: Booooo!
PHG: We have to implement the new plan in a fraction of the time. Bill thinks six weeks is plenty. Meeting adjourned.
IANAL, but I've seen actors play them on TV
Probably some user called MS support, and wrote something down on a piece of paper. Then he wanted to fix that paper on another one, and thought aloud: "Where are the paper clips? I should have some in the office!". The man at the support heard that and noted: "Customer wants paper clip in Office." He passed it on to the programmers, and Clippy was created.
The Tao of math: The numbers you can count are not the real numbers.
Home PCs are beyond the reach of any help. Whatever is done is already too late. Home PC users will have to migrate to Linux within 6-12 months or face working without the Internet.
So, you are saying that these people who click these e-mail viruses, run without virus scanning software and run their network wide open to the internet should migrate to Linux.
Just what we need is a bunch of Linux users with a root password of "password" that never get updated or patched. As most people know, an exploited Linux machine is a lot more powerful than an exploited windows machine.
I understand your point of view, but I don't think Linux currently offers any advantages for these people.
Yes. I've been trying to get the C++ committee to tighten up that language for years, with little success. It's time to get more serious about this, and apply pressure via ANSI (which is supposed to ensure that standards are safe) and the Department of Homeland Security's National Cyber Security Division. Like it or not, we need to go to full subscript checking for anything that could possibly be exploited. The resulting 10-20% performance hit is minor compared to the costs of dealing with these attacks.
I've sent this to the C++ committee:
The Sasser worm exploits a buffer overflow in Microsoft's LSASS service, which is, apparently, written in C++.
Perhaps more weight should be given by the Standards Committee to tightening up C++ and making it a safer language. The Committee has consistently rejected most suggestions which tighten up the language, usually on the grounds that they would impact existing code or prevent some dangerous but valid code from being used.
It is now appropriate to ask ANSI, and the Department of Homeland Security's National Cyber Security Division, to reevaluate the C++ committee's priorities in the light of the documented and substantial damage caused by weak safety features of the language. Whether the committee should be permitted to promulgate unsafe technologies with ANSI approval must be seriously questioned at this point.
That will probably be ineffective. The appropriate forum will probably be Congressional hearings on computer security, which were threatened last year after the SOBIG virus, and are likely to happen this year.
Interestingly, at the same time as this article pops up in feedreader, I get this link from e-week that refutes the claim. Net: microsoft says palladium is still very much alive.
So what happens to the palladium bioses that the bios companies were building? Are they also going to be shelved?
Although I imagine, knowing Microsoft, the problems were at least as much technical as political, and they just gave up considering it to be "too hard and we can't be arsed", just like WinFS.
This is why people complain about Slashdot's misreporting and falsehoods.
They never "gave up" on WinFS. WinFS is alive and well. All the MS blogs were making fun of the reporting on this--all that changed with WinFS was that some network things were taken out of it, extraneous features not required for it to work but will probably be added as additional downloads through Windows Update anyway.
I love how reality is revised around here when people base their reality on Slashdot headlines. WinFS is alive and well.
If you count servers, upgrades are far more frequent than every few years. But then, if you count servers, your entire analogy breaks down because most MMO servers get upgraded on the order of about once a month.
Windows 2003 is a server OS, not consumer - Longhorn is the next consumer one, and (surprise!) it's not coming out till 2006.
I guess the moderated rating says it all.
Microsoft presented something, customers and partners rejected it, so Microsoft listened and shelved it.
Is Microsoft still going to be considered the "evil" company who "forces" things on people whether they want it or not?
Where can I get the latest version of BOB or MSDOS?
Bob - Clippy. Or download the Agent SDK and build your own Bob.
MSDOS - cmd.exe in its latest incarnation as a UI. Win32 as a programming interface.
Xenix - As you would know if you had a clue as to what you were talking about, Xenix was never available to end users as Xenix. Talk to your vendor if you feel you need to upgrade.
After Avalon is out of the picture, I guess that Longhorn will only be a sorta good looking sidebar clock upgrade. Mind you, a $300 sidebar clock, but they really have thought this one out.
Problem is, people (particularly Windows users) buy features before they buy security.
IMHO that's because Windows users have given up on getting security. B-)
With a choice of an insecure platform with fewer features or an insecure platform with more, of course they'll pick the one with more. Just think: They might actually be able to get something done between crashes, infections, and reinstalls.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Like the airlines think Saftey, Saftey, Saftey - Microsoft need to adopt the slogan.. Security Security Security
----------
They already have one... "Developers, Developers, Developers.... DEVELOPERS... DEVELOPERS... DEVELOPERS!!!"
"Decrypts MSIL?"
Ahahahaha...have you not heard of the Common Language Specification, which publicly explains to compilers how to produce the intermediate code? We could have Python.NET if we wanted (and it's being worked on).
This isn't exactly some sort of black secret. They published them as open standards. How do you think Mono exists? Any compiler can look at the specs and produce the code.
Sigh...Slashdot sucks these days. The endless Microsoft articles are boring and uninformed. Remember when it was cool tech news?
How, if it all, could this be related to Janus?
Are MS simply giving up trying to make bits uncopyable on a PC, and instead move to implementing secure tunnels to and from trusted embedded devices?
What's the odds that Microsoft will continue to seek a way to push their concept of trusted computing onto the consumer -- by giving it another new name? Palladium got too much bad PR, so they changed the name. Enough people caught on, so now they are abandoning that name (not the project, for sure).
I was taking one day at a time, but then several days got together and ambushed me. (from a Rhymes with Orange comic)
The fact is that the only way to implement this sort of DRM is through tamper-proof hardware, and even then it's not as if someone with a camera phone or even a good old small film camera couldn't get a copy of that 'private' email (which is mostly what they are touting its use for). As for music and videos there's the if-I-can-see-it-I-can-copy-it which just can't be stopped; people will tolerate surprisingly low quality. And this isn't rocket science either, most people will be able to defeat these systems, software or hardware. It's not in Microsoft's interest to pursue this unless they want to piss people off or look very stupid when their "virus proof" OS gets hit one week after launch. It was a stupid idea before and it always will be a stupid and hated idea. I'm glad they dropped it.
This comment does not represent the views or opinions of the user.
Every postpone worked out to be worse than expected in terms of human rights... I lost any trust in MS long ago, whenever you hear the name Microsoft some shit hits the fan...
Again, this is why people think Slashdot is a fucking joke when it comes to reporting "tech news." Slashdotters spread these incorrect truths around and they just become true because it's anti-"M$."
:)
WinFS was NOT cancelled. It wasn't even scaled back. They just removed some extraneous network features not required (which will probably be free downloadable updates anyway). But, all the sites like Slashdot completely SPUN it and misreported it. Slashdot is owned by VA Linux, so the agenda is obvious.
All the MSDN blogs were laughing about the reporting on this. And the Slashdot hivemind--that means all you people out there who build your computing mindset based entirely out of Slashdot articles--proves itself ignorant and foolish-looking once again. The rational among us know better.
WinFS is alive and well. MSDN just put a technology showcase video out about it a couple of weeks ago! All they did was decide not to implement some network-specific features in order to focus on getting the core technology done.
This is the second time I've seen WinFS supposedly "cancelled" in this article discussion.
That's "Microsoft needs". It is a single entity: the plural does not apply. However, since you cannot even spell safety, I doubt you know this.
they plan to provide DRM kits to script kiddies so all viruses are signed, and thus acceptable to Windows.
if this is supposed to be a new economy, how come they still want my old fashioned money?
It's also to allow 5 different languages (more if you count Mono) to have one way of doing things.
BTW, there are some non-x86 systems that have similar ability.
Bear in mind that Bill Gates owns a large percentage of a waste management company. So every day is Be Nice To Microsoft Day. If you know what's good for you.
--
E_NOSIG
Didn't you know that:
WinFS was "cancelled?"
The iPod Mini is a complete and utter failure?
Microsoft violates human rights in China?
Longhorn apparently already has hardware requirements, even though they were merely predictions by watchdogs who attended the WinHEC?
Nobody likes Windows XP, and everybody is hearing about Linux, even though Google Zeitgeist shows Linux at 1% usage?
The Lone Gunmen die? Oh, wait...
Yes, kids, you need to try getting your news outside of Slashdot once in a while--you'll see that the computing world is sometimes a completely different place than what you see reported here...
No Execute can be selectively disabled for a particular application," Brunner said.
As long as they don't put the option into Outlook Express attachments, this may just work.
The percentage of desktop Linux usage is going to overtake the Mac!
Forgot that one.
The reason why the WEB BROWSER is part of the OS is because MS saw the browser, specifically Netscape, as an application delivery platform and being so a threat to MS core business. So, they integrated the browser so deep into the OS they effectively eliminated choice of browser.
I think they there was a lawsuit covering this issue. *lol*
Nick Powers
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
It also would have opened up new markets. It's interesting to note that all of the great innovative periods in human history have been carried on the backs of breakthroughs in travel, commerce and communications. Even the lowly canoe can be credited for the rapid westward push in Canada and the US. (Shame about the beaver however). The invention of "coin of the realm" and accounting practices allowed goods to be passed over huge distances; even the Marco Polo trail carried "mail-order" goods.
At present we don't have ways in place for people to watch digital movies and other protected content in ways that the owners are willing to produce or share their content for. Let's not get into an RIAA riff here. The point is that lots of people do want to "rent" content and watch it, and without a secure communication channel they can't.
Likewise things like internet voting and commerce transactions are held back by the lack of ubiquitous secure channels.
Thus while I disliked the implications of NGSCB for having control over my machine, I would have liked to have had one in my house. I'd have two computers: one for my own uses and one for the cases where security outweighed the other issues.
Some drink at the fountain of knowledge. Others just gargle.
Implementing Palladium hard will do one thing overnight. Many tech savvy Windows users would switch away in a heartbeat. Most if not all of my friends who use Windows rarely pay for any application they use. They consider it their God-given right to download anything they please. Any hindrance to that would make them switch in no time since they are very reluctant to actually start forking over the dough for the applications they use. Bring in all the movies and music they download and they would gladly suffer hell on a command line to avoid having to pay for the things they use.
Come to think about it, harder and more vigilant enforcement on commercial software is only going to drive these people to open source no matter how they do it. Enforce and people migrate; don't and people don't pay. They are in a tough spot, BSA and ppl.
HTTP/1.1 400
"We're evaluating how these NGSCB capabilities should be integrated into Longhorn, but we don't know exactly how it'll be manifested. A lot of decisions have yet to be made," said Mario Juarez, product manager in Microsoft's Security and Technology Business Unit. "We're going to come out later this year with a complete story."
I have been writing code for Windows systems for the past 10 years. We have had good times (Win2000, WinXP), we have had bad times (Access, Security, VB, Me, ....).
But today I realised that 'dare I say it' Linux is
finally (on my knees, face to the sky, tears in eyes) coming together. It may not be tomorrow, maybe not even Friday. But the day will soon be here when I can look at what I am coding around in a production environment. I can ask questions about what will happen in the next OS release, and not get any marketing blurbs.
Microsoft realised that the Palladium idea would tighten their noose of control. But that this would also be showdown time. Would the business world spend a fortune buying into this "secure world" where 2GB RAM is required? Where code is so 'tight' that a 6GHz dual core PX could open Notepad just as fast as it did on my P1 233 Win98?
Linux does not represent a huge corporation requiring $$$$ to keep going. Microsoft has to be a money making empire and empires don't last forever - what happens when Bill & co start dying?
I will still be around in 20 years 'falls on ground - so can't be struck down - waiting to be struck' but will they?
Linux gets faster with each release. It gets bigger and stronger; remember that an OS is just that. It is not some magical thing that will make magical things just magically happen as they keep promising us. They need some reason to milk the 'herd' for as long as they can. This is not going to be with an OS for much longer. Maybe they can finish DNFE (but I am sure it won't live up to the hype :)
Linux is made to be perfect. Windows is made to be Perfect(tm).
Besides Linux/Wine runs Winamp ...... Winex runs windows games ..... XoverOffice runs Photoshop ....
Remember "build it and they will come".
Don't make your problems my problems!
..... Make something where nobody can claim PRIOR ART.
Patent...
Patent...
Patent...
Patent...
-- forget
There always was choice. In fact for quite a while many machines came shipped with Netscape icons on the desktop. However, what happened was that Microsoft improved MSIE while Netscape made their newer versions much slower and more crash prone. There was a choice, the users chose the faster browser that crashed less.
This had nothing to do with "application delivery platform". Browsers have never been that.
Didja notice that there were no comments on the story on the actual page, but that there is a whole bunch of threads going here. Looks like Slashdot has become the message board of choice. Either that or no one actually looked at the story before commenting here, naaa no one ever does that.
Was Xander played by Val Kilmer? It has been so long since I have seen that lame George Lucas movie.
I'm intrigued by your opinions and would like to subscribe to your newsletter.
Seriously, stop posting so many offtopic points along with your valid ones. Stop posting A/C so you can't get to -1 with a single mod. Do this, and you might be surprised how many people agree with you. There *ARE* free-thinkers on slashdot too...we're not all creepy anarchists who listen to j-pop.
Hey freaks: now you're ju
Yes, and the recent failure of the entire coast guard for the UK is a great example of how well they listen to gripes from the media. Slashdot is a form of media, why don't they listen to our gripes, the people that actually know what they are talking about?
If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
Is there even one moderator who has heard of "j pop" at all?
The developers put their collective foot down, and forced the PR department to STFU. Word has it the developers are having a "Make fun of Star Trek: Enterprise" party to celebrate the lightened load.
Marking data memory "no execute" doesn't fix things. It just makes it a bit harder to exploit.
Currently a typical buffer overflow exploit consists of a long record with executable code which also overwrites the return address in the subroutine which read the record so that it jumps into the code upon return. Making the stack no-execute means this approach results in a trap when the return is made. This kills the process that was attacked, rather than subverting it.
There are several reasons that this is not a "fix".
First: The basic problem is the buffer overflow. And an overflowed buffer will STILL break things, by damaging the state of other variables of the subroutine (as well as breaking the return address and possibly overwriting stack variables of several layers of calling routines as well).
Second: The exploit doesn't have to wait for the victim subroutine's return. It overwrote other variables than the return location, and the subroutine obviously read the record in order to do some processing on it. So by judiciously manipulating the stack the exploit has lots of opportunities to subvert the routines that read it to do work it specifies.
Third: The exploit doesn't have to specify a return location within itself. It can rewrite the return location to be any spot in any code for which the address is known - and rewrite the variables on the stack to provide the desired environment for the target code. (A simple exploit would be to hit something that's about to call "exec", with arguments on the stack that look like a shell script. Unix starts the user tasks with a hand-crafted "exec init". A virus can start its exploit tasks the same way.)
The real problem is that the buffer overflow is there in the first place, and the real fix is to eliminate those.
But that's no reason NOT to raise the bar on exploits by activating the no execute feature.
A reason you might NOT want to raise the bar that way is that some tasks NEED to execute code they generate in their data space. Examples are language interpreters using incremental compilation, or other systems that accelerate some processing by generating and executing data-dependent tweaked instruction sequences. Turning it on breaks them. Making it controllable but on by default ALSO breaks them (though it lets you upgrade them to work again) and just gives the exploit something extra to do at the top of its faked-up stack.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
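The "Second" point above (the overflow does not need to run any injected code; it only has to overwrite state that the reading routine trusts) is easy to show in C. The following is an added example, not code from the original post: the struct layout, the field names and the record bytes are assumptions made for the demo. The vulnerable reader bounds its copy by the size of the whole record instead of the size of the name field, so four extra bytes land in the privilege flag that follows it. Nothing on the stack is ever executed, which is exactly why a no-execute stack does not help here, and the fixed reader rejects the same input.

```c
/* Added example (not from the original post): a record parser whose length
 * check is against the wrong bound, so an over-long record overwrites the
 * state that sits after the buffer. No injected code runs; the subverted
 * variable is enough, which is why NX alone does not fix this. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A "session" as filled in from a record read off the wire: a fixed name
 * field followed by a privilege flag that only the parser is supposed to
 * set. Struct members are laid out in declaration order, so name[] is
 * immediately followed by is_admin (hypothetical layout for the demo). */
struct session {
    char     name[16];
    uint32_t is_admin;   /* cleared by the parser, never taken from the record */
};

/* Vulnerable reader: the bound it checks is the size of the whole session,
 * not the size of the name field, so up to 4 extra bytes land in is_admin. */
int parse_session_vuln(struct session *s, const unsigned char *rec, size_t len)
{
    if (len > sizeof *s)            /* wrong bound: sizeof(struct), not sizeof(name) */
        return -1;
    memset(s, 0, sizeof *s);        /* is_admin = 0 */
    memcpy(s, rec, len);            /* copies past name[] into is_admin */
    return 0;
}

/* Fixed reader: bound the copy by the field actually being filled and
 * reject anything longer instead of truncating silently. */
int parse_session_fixed(struct session *s, const unsigned char *rec, size_t len)
{
    if (len >= sizeof s->name)      /* leave room for the terminator */
        return -1;
    memset(s, 0, sizeof *s);
    memcpy(s->name, rec, len);
    return 0;
}

/* Constructed malicious record: 16 bytes of name followed by a little-endian
 * 1 that lands on is_admin. There are no instructions anywhere in it. */
static const unsigned char evil_record[20] = {
    'a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a',
    0x01, 0x00, 0x00, 0x00
};

/* is_admin after the vulnerable parser consumes the record: nonzero (1 on a
 * little-endian machine), privilege gained with nothing executed from the stack. */
uint32_t admin_after_vuln(void)
{
    struct session s;
    if (parse_session_vuln(&s, evil_record, sizeof evil_record) != 0)
        return 0;
    return s.is_admin;
}

/* 1 if the fixed parser rejects the same record (it should). */
int fixed_rejects(void)
{
    struct session s;
    return parse_session_fixed(&s, evil_record, sizeof evil_record) == -1;
}

/* 1 if the fixed parser still accepts a well-formed short record and leaves
 * is_admin at its parser-controlled value of 0. */
int fixed_accepts_short(void)
{
    static const unsigned char ok_record[5] = { 'a','l','i','c','e' };   /* constructed */
    struct session s;
    if (parse_session_fixed(&s, ok_record, sizeof ok_record) != 0)
        return 0;
    return s.is_admin == 0 && strcmp(s.name, "alice") == 0;
}

int main(void)
{
    printf("vulnerable parser: is_admin = %u\n", (unsigned)admin_after_vuln());
    printf("fixed parser rejects evil record: %s\n", fixed_rejects() ? "yes" : "no");
    printf("fixed parser accepts short record: %s\n", fixed_accepts_short() ? "yes" : "no");
    return 0;
}
```

Compiling this with or without a non-executable stack makes no difference to the result: the damage is done by the memcpy, before any return instruction runs. The only fix that removes the problem is the bound check in parse_session_fixed.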
Next MSFT security project will be interrogating Linux advocates at Abu Ghraib to get them to confess to putting SCO code in Linux.
I have a friend who once called me up talking about discovering all this free software in Juarez sites. It took me a few questions to find out that he wasn't connecting to Mexico. It was the way he thought "warez" was pronounced.
Don't blame Durga. I voted for Centauri.
An eWeek article located here:
http://www.eweek.com/article2/0,1759,1585363,00.asp
says MS is denying this is true.
Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
Longhorn and future OSes are moving towards a two-tier OS model, where a small C++ based kernel, driver, and .Net CLR form the basis for the rest of the OS, which will be implemented in C#/.Net.
>Even if you write with a language that supposedly does not have Buffer Overflows, you still rely on other modules that were written in a language that does allow them ot happen.
You are technically right (on x86) for heap overflows, but you miss the point. There is no reason that the whole OS should be implemented in a dangerous language that uses dangerous functions by default. If 90% of the OS is implemented in a "safe" language, like Java or C#, then you get two benefits:
1) Basic programming snafus like overflows are limited to a smaller amount of code, that is more likely to be written by security aware developers and is easier to audit.
2) You have a security model that can be applied to 3rd party components in an understandable manner.
It's all Greek to me...
I can't afford a sig!
"Oh no! He's responding intelligently to a guy who's insulting our little imagined anarchic slashdot paradise! Quick, mod him offtopic!"
Fuck you guys, man. Just for that, I'm posting this one *WITH* my karma bonus. Wasting your mod points if you like, but remember: if it's offtopic, people just won't read it.
Hey freaks: now you're ju
Whatever Microsoft needs to get onto everybodys desktop for no additional cost is what's in the OS. I'm pretty sure that if Everquest was a free download, Asheron's Call would be part of the OS. "No, your honor, we can't take that out, Windows won't work without it".
--
E_NOSIG
Exactly like the frivolous McDonald's coffee lawsuit, where the company that sold the woman the nice hot coffee she wanted was "to blame", and she was exonerated for burning herself by dumping it into her own crotch. Topsy-turvy!
Breakfast served all day!
I used to be afraid of what Palladium could do for the computing industry. Many tried to convince me that there was nothing to fear because there was no way in heck Microsoft could ever get anything done right and on time. It appears they were correct. Now it's being pushed back to Longhorn, which is being pushed back to oblivion. Now I'm left wondering what all the fuss was about.
Heck, Microsoft cannot even secure its own "proprietary" gaming console, why did we ever fear that they'd lock down all of our computers?!
If someone says he and his monkey have nothing to hide, they almost certainly do.
When dealing with an entity made up of individuals and referring to the members of the group (as I believe he is referring to the individuals), it is indeed correct to use the plural. See http://www.learnenglish.org.uk/grammar/archive/collective_nouns.html
Tigerdirect is selling what they claim to be "The Next Level of Computer Security for Your Home or Office". I think their definition of computer security may be a bit different than yours or mine however, as one of the major selling points is a "-110 decibel siren to sound alarm and scare off intruders". Imagine that bad boy going off every time the machine is violated by the Windows worm de jour! ;)
Then he should specify those individuals: "Microsoft employees are" is correct. "Microsoft are" is incorrect. The American usage is more consistent and makes more sense (much like the Americans having removed the extraneous U from words like 'neighbor'). You don't hear the English saying "Poland are a country east of Germany", even though Poland, like Microsoft, is a group of individuals.
That team being rolled into the Virtual Machines group. As you can imagine, a low level hypervisor with bottom-line control over the hardware would conflict with a virtualization tool that is supposed to emulate new hardware, also executing directly above the true hardware.
fyi
Oh in that case fuck the little buggers. Now we crack for humanity!
This comment does not represent the views or opinions of the user.
Earlier today so-n-so published an article detailing Microsoft's plans to stop using dirty, monopolistic tactics! *waits for an update* - Kevin
Obese plumber bends over. Report laments "Oh the humanity!"
If you don't want modded offtopic, try posting on topic, it might just help.
If you want to try to talk to antislash trolls, do it in your journal.
You can be sure that he's gone off to copy and paste some goatse links, and probably will never read your post.
"We're not going to say when it will be delivered, or what it will be. But it's going to be very, very important"
One of my favorite outcomes of the IBM antitrust trial was that IBM was forbidden from engaging in vaporware.
I don't care about its effects on competition, I just want Microsoft to shut up until they actually have something to show.
I call bullshit.
*How* can NGSCB and Palladium be used to enforce the GPL?
Oh, by tying the source code to a key, which makes it impossible to change the source code and use the same key... but the verification is against the key. By tying the binary to a key, and making it impossible to modify the binary? So, rebuild the binary, and key use is lost.
In other words, these measures *can't* be used to enforce GPL. So much for this tool.
Now, is Palladium a security project? Well, yes, but not for the end user. Indeed, the end user can run the same old trojans, etc. as before. Palladium *will* prevent the trojan from accessing data that has been "protected", by kicking out the unsuitable software.
It was NEVER meant to secure YOUR stuff -- if you want that, go use GPG, etc. I assume that even MS Outlook must have some integration with GPG! (all of my emails are digitally signed).
Ratboy.
Just another "Cubible(sic) Joe" 2 17 3061
They have axed it - or at the very least scaled it right back. Forcing hardware changes on such a scale as demanded by Microsoft does not make economic sense for hardware makers, and Microsoft realised that the impact on legacy systems would be catastrophic. Imagine not being able to connect to your thirty-year old mainframe because Windows does not see it as a trusted system. Bye, bye Windows!
However, that doesn't mean that Microsoft still isn't keen on conclusively trying to lock everyone, and open source software, from communicating with Windows.
If you don't believe my security statement, just wander on over to securitytracker.com - there are more discovered flaws in the recent past with Linux than with Windows.
a) Despite the increased amount of bundling Microsoft's done over the years, a "Linux distribution flaw" is still awfully different from a "Windows security flaw". A Linux distribution is composed of many, many more lines of code and pieces of software than Windows. If you want to include security problems with Open Office, it's only reasonable to include security problems with MS Office.
b) Local exploits attract attention on Linux. A lot of "exploits" in Linux are local attacks. Local security on a Windows box is pretty much a lost cause.
c) When Microsoft discovers a security problem and fixes it internally, they don't say "fixes a security hole in...". They just bundle it with some other set of fixes and stay quiet. You won't hear about it.
d) MS has a PR department that spins bugs as "issues" and tries to dampen criticism of security. In the open source world, people generally call "bugs" "bugs" (and frequently wishlist items "bugs", which would drive companies with marketers bananas).
e) Many previous Microsoft security holes just wouldn't happen in the *IX world because of the more security-oriented culture (note that I suspect that Microsoft is improving here). MSIE and Outlook grant a lot of power to remote websites to cause execution, to modify bookmark lists, and the like. Windows NT infamously shipped with a blank Administrator password (and no prompt to set one during the install process), all drives shared by default *invisibly* (they were administrative shares, and the only security in place was the fact that Microsoft clients didn't display administrative shares remotely), and automatically reshared drives upon reboot if sharing was turned off on a drive.
f) Microsoft has been known to blame sysadmins for security problems ("Well, yeah, your network was compromised and your data destroyed by the latest virus, but you didn't firewall our systems, and we released a patch a week ago which you should have deployed."). *IX boxes were designed to sit on a network and be fully accessible, and "firewalling to fix implementation flaws" is not an interesting approach to most *IX admins. Plus, most open source contributors *are* sysadmins to some extent.
Want to do some *real* security criticisms of Linux? How about the following:
* Red Hat was trying to set a new golden security standard for Linux by adding SELinux *by default* starting in Fedora Core 2. This would have allowed giving limited access to things to processes (a sore Linux lack), helped make software SELinux-compatible, and paved the road for other distro vendors. Red Hat, after two test releases, finally just backed down on including SELinux enabled by default in FC2, saying that it just caused too many problems at the moment. This represents a loss of a year at least in moving to a much more powerful and secure security system.
* Stack overflow protection mechanisms are still not standard in the Linux world. The only distro vendor that I know of that definitely includes such a patch enabled by default currently is Red Hat with exec-shield. In contrast, *Microsoft* just added stack execution blocking to Windows.
* Filesystem ACL support in Linux today sucks. A lot. A software author cannot rely on filesystem ACLs being present (since they are not by default on most Linux boxes) -- just old-style *IX permissions. One can improvise to get *some* of the ACL functionality by cleverly nesting directories and adding users to extra groups for each directory in question, but most Linux boxes *still* have a 32 group-per-user limit. The *IX permission scheme is simple, fast, and easy-to-audit. However, it is lacking for many users -- there are a lot of sysadmins out there who'd like to be able to say "Anyone in Development can read or write this directory, Mary and all of the Marketing gro
May we never see th
No, "the technology" itself is not evil. It never is. Microsoft, however, is evil and will use every tool available to screw their users. The activities that M$ allows on "their" operating system have never been much and the list is shrinking. Palladium is just another tool M$ is making for the same old goals: enforce a lack of competition on their platform and maximize their revenues. Fortunately, other people understood just how evil commercial software could be and devised alternatives we all use everyday.
Friends don't help friends install M$ junk.
The nexus was to be the kernel of an isolated software stack that was designed to run inside the standard Windows environment.
I believe they will be using Kernel version 2.6.14 for maximum security.
The parent is NOT a goddamn troll just because they're making you think about things you normally post blindly. Here's the fucking text again. Mod me down, and I'll post it again at the top of the next story. I'll do that until my fucking Karma is lower than michael's IQ:
* If you expect companies to follow the copyright of the GPL, you should support the RIAA going after infringers of its copyright. If not, you're a hypocrite.
* There is absolutely nothing wrong with a company being upset that its product is being pirated freely over online networks. A recent Slashdot poll showed that the majority of Slashdotters are unemployed or are students ("academics"), which explains a lot. Try getting a real job sometime and see what it feels like when your work is everywhere, and you start worrying that your days are numbered. Does John Carmack want you to "sample" his new game via the "free advertising" happening on eMule?
* At the 2004 WinHEC, Allchin demonstrated an alpha version of Longhorn that played six high-resolution videos at the same time while playing Quake III in the background. An equivalent XP machine couldn't play more than four videos. Meanwhile, I can't even get xmms to play without skipping, and windows to drag without visual tearing! That's because KDE and GNOME are hacks to emulate a desktop on top of the crufty XFree86 architecture that people won't let die (Linux users absolutely fear change).
* VA Linux-owned Slashdot thinks its niche opinion represents the majority of the world. This is a result of people visiting every day and buying into the groupthink. Nobody outside of Slashdot knows or cares about "Linux," "RIAA", "M$," or anything else Slashdotters think is such a huge issue in today's society. Go to a mall or coffee shop sometime and see what people actually talk about.
* Speaking of VA Linux--it's a Linux company...that owns a "tech news" site...that posts news stories negative toward competitors like Microsoft. If a Windows company or even Microsoft itself owned a "tech news" site and posted anti-Linux articles all the time, everyone would be up in arms. But with VA Linux, it's a-okay.
* Slashbots think people don't like the music coming out these days, which is the cause of the piracy. Never mind that if people didn't like the music they wouldn't be pirating it, most Slashbots--again, this goes back to the niche opinion thing--don't realize that most people these days love the music coming out and want to hear all of it. Probing around, you discover that Slashdot is made up of nerds and fogies who listen to things like The Who and Blind Guardian and techno--not what mainstream society enjoys.
* Any company ending in "AA" is evil. Especially if it doesn't want you distributing its works without paying for it. Somehow, this mindset is supposed to make sense.
* The inevitable result of all this is a world in which nothing can be profitable because people simply pirate free copies. Is that really what Slashbots want? OSS and free-ness in general reminds me of the hippie era of the 60s--idealistic socialism that only exists because of the surrounding capitalism around it that provides the environment for it to exist. We all know what happened to that idea.
* Linux rules the desktop, when in reality: Windows = 91%; Mac = 4%; Linux = 1%
* Slashdot editors are abusive. We all remember The Post. It's amusing the editors never mention the issue. The worst editor is michael, who will mod you down, insult you for your post count, and post unprofessional color commentary along with the article. This is the same bizarre person who cybersquatted Censorware for years--even as Slashdot posted articles negative toward cybersquatting! Michael played it off like he was some sort of stalking victim, which made it all the more bizarre.
* The moderation system is broken. If you mod someone as "Overrated," you can't be metamodded. People abuse this all the time to ga
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
When in doubt, assume Slashdot is wrong.
True, rational people don't listen to liars. Slashdot, CNN, your silly MSDN blogs only know what M$ tells them. Those who report it only look foolish to those who don't consider the ultimate source and how dishonest they have always been.
No one but M$ knows what their next release will be. Looking back, we can see that we should not listen to what M$ tells us it will be. Has Microsoft provided the level of system integration KDE provides yet? Has Microsoft built a "secure" system yet? It's supposed to be their most important project, but all is the same. Microsoft does not live up to their hype because they are too busy sabotaging their "competitors". The outrageous stream of troll posts right here are just another example of dishonesty and wasted resources.
The only thing you can be sure of is that M$ will continue to suck. They will continue to drive out and co-opt profitable third party development. They will continue restricting their user's behavior and choices.
Friends don't help friends install M$ junk.
It seems clear that digital information has an increasing need for copy protection. If Palladium fails (and I hope it does), what are we left with?
Aside from proprietary software, music, books, and videos, I suppose in a future with molecular nanotechnology manufacturing, almost everything could be purchased as digital information. Just download the design file and software for that new palmtop or whatever, send it to your home nanofactory, and voila! I can see two possibilities. One is that all nano-engineering work is to be licensed with some equivalent to a GPL. Since this would presumably apply to almost all commodities we have today, this requires a new economic model beyond the free market or capitalism! Sounds cool to me, but I have no idea what it would be. The other alternative is less revolutionary, but absolutely requires an effective DRM technology.
Coal was not mined greatly until it became economical to transport it. As the poster was remarking, the existence of a transport mechanism can enable markets. You have to be able to connect willing buyers and willing sellers in ways both can trust.
And you seem so trustable too, ratboy666; would you hold my wallet for me?
http://www.microsoft-watch.com/article2/0,1995,1585354,00.asp
~~~~
SEATTLE -- Microsoft spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology.
"NGSCB is alive and kicking," said Mario Juarez, a product manager in Microsoft's security and technology business unit.
~~~~~
actually I am happy to see you, however that is in fact a banana in my pocket.
Windows are secure. They are not safe, though. Security is different than safety.
Something is not safe when its maker has made mistakes that all third parties to use it.
Something is not secure when it is not guarded, i.e. there is no one to watch over it.
Microsoft should increase the safety of its products, i.e. remove all the bugs. They are secure, already. There is no unguarded place in Microsoft Windows NT/2000/XP (unlike its baby O/S).
Palladium has nothing to do with safety or security. It only has to do with copyrights, i.e. to prevent unauthorized access to media.
I am surprised that Microsoft has not made a tool to grep the code for buffer overruns and other potential problems. With all the compiler technology they have, it would be very easy for them.
We are fully aware of this. It does not matter! The coffee was being served at the recommended serving temperature, and it was quite safe. They sold 10 billion cups and had only 700 burn incidents (resulting from someone doing something idiotic with the coffee). The same lady who filed the frivolous lawsuit had purchased and consumed many cups at the same temperature from the same McDonald's before with no problem. However, these other times she didn't dump it in her own crotch.
"The coffee makers were set extra hot because you need less coffee grounds that way."
The coffee makers were not extra hot. They were set to the recommended temperature. When the lawsuit forced McDonald's to lower the temperature, cold coffee complaints soared.
I have never posted a goatse link. I think such posts are juvenile.
I'm just a concerned individual who has issues with the massive influence Slashdot has, coupled with massive irresponsibility. Unfortunately, Taco does not listen to readers, so I feel the only way I can express my opinions are to appeal to the readership.
If you disagree, no problem--skip over my posts and read something else. I don't mind. If you take issue with the fact that it gets reposted, you must also take issue with the repeat BSOD, Clippy, Simpsons, Soviet Russia, and "you must be new around here" jokes.
Microsoft will spend tomorrow vehemently denying a report that says "Microsoft does not kill kittens."
Friday will be dedicated to denying vehemently the report that says "Microsoft has cancelled its nuclear arms development program."
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Hey look, its just a cut and paste of the latest trolls...rather than mod you down, i'll poke a few holes.
...mostly it's a function of the video card (and drivers) to do the scaling and the game rendering, while the CPU only does decoding (which can be in hardware too). Finally, you need ballsy disk bandwidth to get those bits off the disk. A new shiny OS won't do you squat.
On my several-year-old system running linux 2.4, I can fill my desktop with hi-res movies using mplayer. I'm talking upwards of 15 mpeg-2 and divx movies...on what? oh yeah, an athlon 1200. I wonder what your hot stuff Longhorn was running on - dual/quad processor xeons? Heh. Oh yeah, and I can play quake 3 in the background too - probably not at your framerate, but hey...
Look, the point is that you cut and paste some crap about linux, and are really just trolling. Every point you make is pretty much lame and it's all pre-concocted, I've seen the same crap from other trolls. Seriously...why? If you want to question the groupthink, at least write your own opinions!
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Ever stop to think you might not be the target audience of the parent post? I mean... unless you really think of yourself as a mindless Slashbot? :-)
Point is that these attitudes are all over the place here on Slashdot, whether you specifically subscribe to them or not.
Funny, you could substitute the word "bonch" for the word "twitter" and it would be every bit as true.
BTW, nice attempt at discrediting one of your foes, bonch. Uh, I mean, Overly Critical Guy.
bonch is an insightful and clueful user with nothing but constructive criticism of OSS and fair and balanced views on Microsoft.
* I know of no distros that grant a user ownership of part of the hierarchy beneath their home directory. An example of this would make /home/ltorvalds be owned by Mr. Torvalds, but rtorvalds' $HOME be /home/ltorvalds/private.
Why is this important?
Currently, if a user wants to share files with others (or expose files to a webserver or something), it's required for them to make their home directory world-listable (and the lack of standard ACLs means that they cannot even allow "just the webserver" in, which is still a breach of security). (They can then create ~/public_html). This is Very Bad from a security standpoint. Because *IX convention dictates that software shall store local config files under $HOME/.programname, this exposes to the entire world what programs a user runs. It also means that if the user stores any files or directories in their home directory, they are world-visible (I dunno if you like everyone with accounts on the machine being able to view your home directory, but I'm not a fan of the idea). Finally, if you're using a umask with any permission bits set for world (as is default on Red Hat and most Linux distros, presumably to facilitate sharing files that have been placed in public directories), it means that everyone can read your files. This is Very Bad. Some sysadmins work around this by scattering a user's files across the system -- creating /var/www/html/rtorvalds, say -- but then it's a pain to administer and add and remove users.
ACLs cannot fix this problem, only reduce the egregiousness of it by reducing the number of people that can be poking around in someone's private area.
A better solution (and obviously one that would cause friction for a bit) would be a reworking of the standard *IX directory layout. Here's my take on it:
/home/<username> shall be chmod 751. It shall be owned by the user and the user's private group, as shall all the directories I mention here unless otherwise noted.
/home/<username>/private shall be chmod 750. $HOME shall point to this directory.
/home/<username>/public shall be chmod 751. Programs that wish to create world-readable directories owned by the user shall default to a directory created in this directory. If the user wishes to create world-readable directories, they shall be created in this directory. A good example of this is public_html.
/home/<username>/dropbox shall be chmod 3777. This provides an easy mechanism to make files available to other users -- anyone can dump a file in your dropbox. Since this is sgid, not suid, it means that it will not count against uid-checking quotas, and hence cannot be used as a DoS against you.
Default umask shall be 0027, not the current (common on Linux and definitely on RH) 0022. This makes it harder to share files (users may hit permission problems by default when dumping things into public_html), and easier to not accidentally expose masses of your own files. It's also necessary for the dropbox scheme to work without people accidentally sharing masses of files that they didn't intend to.
There are a couple of disadvantages. Users have to chmod o+r files going into the /home/username/public area (at the cost of additional complexity, this can be worked around by creating an everyone group containing all users -- and naturally, having the admin tools add new users to said group -- and making the /home/username/public directory sgid and owned by that group). There is a bit more typing (though most of what the user is working with is under ~, same as before, so it isn't a huge impact). The user gains (a) a standard way to give files away to other users, which is not present, (b) a standard way to make files publicly available, (c) the ability to make files publicly available without revealing their private files.
Oh, yes, and (d) by
May we never see th