Posted by CmdrTaco, from the you-can-do-it dept.
Rantastic writes "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox."
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In case anyone is wondering about Download.Ject, check this link out. It's only a matter of time until a high-volume site gets compromised with this exploit. Scary stuff.
When will Open Source advocates realize that it's just this sort of behind-the-times technological gaffe that will keep Linux in single-digit marketshare forever?;)
-- I watched C-beams glitter in the dark near the Tannhauser gate.
Oddly, the site you linked says that SP2 users are affected, but Microsoft's page says they're not. Clearly someone must be wrong, or the page you linked is about a completely different bug (it does not mention Download.Ject in its body). What gives?
-- Quality, performance, value; you get only two, and you don't always get to pick.
In case anyone is wondering about Download.Ject, check this link out. It's only a matter of time until a high-volume site gets compromised with this exploit. Scary stuff.
I've tested this on several machines with different versions of IE, windows SP, and such. It hasn't worked on a single one. I'm going to say this is FUD.
Re:Download.Ject by Jim_Maryland · Score: 4, Informative
If I'm not mistaken, XP SP2 includes the workaround which changes a registry entry related to the exploit. XP SP2 doesn't really fix this particular problem but disables the functionality that is being exploited. In a way, users aren't at risk, but if you rely on that functionality, well, you're out of luck for now or you must run with the risk.
It's been more than a month since the first news of Download.Ject
Not that it seems to have helped much, but the patch MS claims would have prevented the IIS vulnerability has been out since MS04-011 was released on April 25, 2004. (from detecting and preventing IIS infection)
Relying on IE-only functionality (as I assume this is) is a retarded thing to do anyway, with the extreme gain in marketshare that Firefox has seen recently. People who make that mistake deserve a good slapping, or at the very least, a reality check.
Regardless of what Microsoft and their fans may think, the browser wars are all started up again. Anyone who designs their site to be IE-only nowadays is just asking for trouble. Unfortunately, it's not exactly uncommon.
-- Quality, performance, value; you get only two, and you don't always get to pick.
I completely disagree. Internet Explorer is more than a web browser... same with Mozilla. It is a platform. You can do more with it than browse the web... you can use it as a framework to build entire applications... just... like... Mozilla.
--
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Re:Download.Ject by aron_wallaker · Score: 4, Informative
I tried it on WinXP Pro (no SP2) IE 6.0.28 and it went through on the first try without even a warning from IE.
Re:Download.Ject by Jim_Maryland · Score: 3, Insightful
Unfortunately you'll find that organizations do rely on Internet Explorer as it comes with MS operating systems by default. Personally I avoid using MS IE unless absolutely necessary (a couple of my company's internal websites, namely benefits, time sheet, etc..., check for the browser and don't permit anything but IE) as I like features of the Mozilla based browsers (tabbed browsing being the first that comes to mind). As for calling it a mistake to choose IE only functionality, this all depends on the application. If developing for an internal website, then as a corporation, they do have the ability to require use of a particular application (even if the IT folks dislike it). This wouldn't be the logical choice, but the money controlling the project is theirs and they can decide what to do with it.
As for your statement about the browser wars, hopefully you're right. Ideally all browsers will approach the standards correctly and then end users will be able to choose the browser they like without worrying that some web pages will not display correctly.
Nope, sorry... I've verified this exploit on freshly installed Windows XP SP2 machines.. (more than three by the way)..
Although, if you do know of a registry key which disables this "feature".. please post it for everyone to see! 8)
How many third party toolbars, BHOs, etc do you have installed? I've found that pretty much every time someone whines about how insecure and unstable windows is, it's because they've installed something that broke it.
Re:Download.Ject by gad_zuki! · Score: 4, Informative
Just tried it on a fresh SP2 install and it works. The kicker is even after I've closed IE I still can't delete the boom.exe file from startup because it's being used by a different program. Oh well, might as well disarm it (yeah I know it's a 0kb exe but what the hey) with msconfig.
The handful of sites that don't work well with Firefox/Moz is really a small price to pay for the added security especially in regards to drive-by spyware installs.
Re:Download.Ject by Kernkraft400 · Score: 2, Informative
Try this to get round sites that check for the user agent and block non-IE browsers (it works a treat for me with Firefox 0.9.3)...
*User Agent Switcher Extension*
"The User Agent Switcher extension for Mozilla Firefox and Mozilla adds a menu to switch the user agent of the browser. It is designed to provide functionality similar to the 'Browser Identification' feature of Opera and allows configuration of the list of user agents to display in the menu."
http://www.chrispederick.com/work/firefox/useragentswitcher/
That's fine with me. At least this way we don't have to cater to all the idiots who want to have everything at their fingertips, including root access. And don't you dare make them login!
Linux doesn't have to be popular to be the best. But then neither do any of the BSDs.
Re:Download.Ject by Anonymous Coward · Score: 0
Listen smartguy, the exploit still works on a clean install of XP with just SP2 installed, so kindly remove the Microsoft cock from your mouth and think for yourself.
For complete details, please review this article (MS KB870669).
Pulled from that article...
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Microsoft has provided three ways to disable the ADODB.Stream object from Internet Explorer. You can use Microsoft Windows Update to update your computer, you can download an update file from the Microsoft Download Center, or you can disable the ADODB.Stream object manually.
These methods work by creating the following registry key:
This registry key has a GUID for the ADODB.Stream object. When Internet Explorer recognizes this registry key, Internet Explorer does not permit the component to be started in the browser.
Important notes
* If you are running the ADODB.Stream object from a server (middle tier), disabling the ADODB.Stream object on the server does not affect ADODB.Stream object functionality with Microsoft Internet Information Services (IIS).
* If you are running the ADODB.Stream object from a client by using Internet Explorer, disabling the ADODB.Stream object stops the ADODB.Stream object from being created in Internet Explorer.
Now I can't say that this necessarily fixes the problem, but this is what I found on it. Unfortunately, I don't believe the problem is limited to Internet Explorer as many MS products also rely on Internet Explorer and the various COM objects (like ADODB).
Jim
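The mechanism described in the KB text quoted above (a per-GUID registry key that stops Internet Explorer from starting a control) can be audited from a registry export. The following is an added example, not part of the original post or of Microsoft's article. It assumes the block entries live under the `ActiveX Compatibility` key with bit 0x400 of `Compatibility Flags` as the block flag; the CLSIDs in the sample export are constructed placeholders, and the real ADODB.Stream GUID must be taken from KB870669.

```python
import re

# Assumption (the page omits the key): IE's per-control block entries live under
# this key, one subkey per CLSID, and bit 0x400 of "Compatibility Flags" is the
# flag that stops the control from being created in the browser.
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
KILL_BIT = 0x400

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

# Constructed sample in `reg export` text form. The CLSIDs are placeholders,
# not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{aaaaaaaa-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000004}]
"""


def parse_compat_flags(reg_text):
    """Map each CLSID subkey (upper-cased, with braces) to its flags DWORD.

    A subkey that exists but carries no "Compatibility Flags" value maps to None.
    """
    flags = {}
    current = None
    prefix = COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1)
            current = None
            if key.lower().startswith(prefix):
                sub = key[len(prefix):]
                if "\\" not in sub:          # ignore anything nested deeper
                    current = sub.upper()
                    flags.setdefault(current, None)
            continue
        value = DWORD_RE.match(line)
        if (value and current is not None
                and value.group(1).lower() == "compatibility flags"):
            flags[current] = int(value.group(2), 16)
    return flags


def killbit_status(reg_text, clsids):
    """Report, per requested CLSID, whether the block flag is actually set."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in clsids:
        key = clsid.upper()
        if key not in flags:
            report[clsid] = "no-key"                 # mitigation never applied
        elif flags[key] is None:
            report[clsid] = "key-without-flags"      # key exists, does nothing
        elif flags[key] & KILL_BIT:
            report[clsid] = "blocked"
        else:
            report[clsid] = "flags-set-but-not-blocked"
    return report


if __name__ == "__main__":
    wanted = ["{AAAAAAAA-0000-0000-0000-00000000000%d}" % n for n in range(1, 6)]
    for clsid, state in killbit_status(SAMPLE_EXPORT, wanted).items():
        print(clsid, state)
```

The distinction between "key-without-flags", "flags-set-but-not-blocked" and "blocked" matters when checking whether the workaround really landed on a machine: the presence of the subkey alone does not show that the control is disabled.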
Re:Download.Ject by Henk Poley · Score: 2, Informative
The exploit still works under XP SP2. At least the file was dropped there into my startup menu.
I know what you mean about internal applications, but the small extra effort to make a site compliant for both at implementation would be a lot cheaper than doing it at a later stage.
Let's say that a company takes over another, and they run on Firefox. Immediately, you can bring them on stream.
To me, it's like buying a lot of pre-built PC systems. They may be cheaper, but come with some rubbish components for which there's only one driver. Upgrade your OS, and you'll be upgrading the hardware too.
Re:Download.Ject by Anonymous Coward · Score: 0
That agent switcher fixes just part of the problems because there are some sites (quite a few) that are badly designed with specific IE design workarounds and not standard HTML code. This sucks and I hope more people will use Firefox so that designers will understand that they need to create pages with standard code, not IE rubbish.
When will Open Source advocates realize that it's just this sort of behind-the-times technological gaffe that will keep Linux in single-digit marketshare forever?;)
A single digit market share that laughs at YOU from a hammock while you spend your life updating Windows with critical security patches / or getting raped by script kiddies.
They left the spinning to Slashdot. RTFA. The interviewee says:
It's not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline.
What he meant is that Microsoft is completely reworking the way their browser operates -- not just toughening a few system calls here and there. A total reconsideration of how a browser should be designed.
The Slashdot editors took that and spit out "AHAHA M$IE INSEKURE UNTIL 2011! LOL@GATES"
It is likely that this is spin. When someone has a job that depends on the future security of a product that is likely next to impossible to make secure without a complete rewrite, what can he do? He has limited budget, and unrealistic goals. So he makes a 10 year plan, saying that they will be secure in 10 years. He shows progress to his boss, and his boss is happy. He gets to keep his job.
Then, 2 years down the line, he revises his 10 year plan to expire in another 10 years - as long as the deadline is far enough away, he keeps his job, he puts food on the table, and the PR bunnies have something to hop about. This happens all the time in business, particularly publicly held companies. I would be very sceptical about any future Microsoft promises about security.
-- I submitted this story last night, and it didn't get posted.
"What he meant is that Microsoft is completely reworking the way their browser operates"
Yeah, but it was only a year or two between IE being a basic app bundled with Windows to (what they call) a part of the core operating system, inseparable from the rest of the OS. And if that wasn't "completely reworking the way their browser operates..."
Fair? You mean as unfair as declaring Linux's TCO is 10 times that of Windows (as long as it is run on hardware that costs ten times as much as a barebones x86 system)??
Wow. Microsoft declaring unfair... Here, have another bucket of black paint for your kettle. On second thought, take two buckets.
-- This is my sig. There are many like it but this one is mine.
Agreed. Slashdot, to me, seems more and more biased every day, or at least its editors do. The headline of this story is purely sensationalized. I wonder if they ever bother to read the comments nowadays, there's almost always one that is similar to the parent...
-- It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Yeah, but it was only a year or two between IE being...inseparable from the rest of the OS. And if that wasn't "completely reworking the way their browser operates..."
Actually no, it wasn't a complete rework at all. They simply arbitrarily combined a couple of IE function libraries with some existing system libraries and proclaimed that the two were, therefore, inseparable.
The functions actually remained completely separate right down to having separate (development) source trees for quite some time.
If the source to those "new" system DLLs had been subpoenaed back in the day there'd have been plenty of smoking guns to show the courts...
He knows that in 2 years his bosses are not going to be the least bit concerned about the fact that they should be 20% closer to the goal of a secure Windows platform. Neither his bosses, nor he himself expect to be in the positions they now hold.
One of three things will have happened. They will have had a promotion to a different position, with different responsibilities, and reportables. They will be working for some other company doing something completely different. They will be out of work because Microsoft will have outsourced their job to some country that we don't even think has a technological presence today.
-Rusty
-- You never know...
Interesting... by rah1420 · Score: 2, Insightful
I thought Microsofties had to eat their own dog food?
-- Mit der Dummheit kämpfen Götter selbst vergebens.
Re:Interesting... by Anonymous Coward · Score: 0
Parent is not flamebait, in fact, it is a very good point. Microsoft has stated many times before that they "eat their own dogfood" in order to convince people of their dedication to their software. Try searching Google.
Geez, if I said things like that about my product, to the extent where I wouldn't even use it because it's so insecure, I'd be shown the door in next to no time.
So, either he's incredibly brave, incredibly stupid, or that's a point for Microsoft, for allowing their employees to be candid about the state of their products.
-- I believe posters are recognized by their sig. So I made one.
Re:Firing offense? by Anonymous Coward · Score: 0
I like how MS is starting to open up. You can read honest (and not always very flattering) accounts on both MSDN Blogs and Channel 9.
Just a few years ago it would have been impossible to imagine MS ever running a wiki!
Re:Firing offense? by gregarican · Score: 3, Informative
I recall years ago working for the RAID manufacturing division of Conner (the hard drive/tape drive company, which was bought out by Seagate). The building right down the street from ours was responsible for tech support of their tape drives and backup software.
What did our facility use for backup software? Not Backup Exec! We used Legato Networker. I recall some tours the corporate big wigs were given every now and then. Their expressions were funny to see if they peeked in the server room!
The way I see it: It's nice to know someone at MS isn't a stupid drone, and is at equal or greater technical prowess of my parents (who figured out that Mozilla would be a good idea).
Re:Firing offense? by Anonymous Coward · Score: 0
No it just shows you the power of LOCK IN!
Can you imagine any other product maker saying stuff like this and still having business?
Hell, can you imagine any other product *staying on the market* with the kind of performance Microsoft has displayed?
Microsoft has something beautiful (for them).. a user base that just can't afford to switch.
Re:Firing offense? by brickbat · Score: 5, Informative
This really needs to be modded down, as it's not only not insightful, it demonstrates a total lack of comprehension of Toulouse's response.
He did not say he didn't use IE. He simply mentioned needing to install a security update of Firefox. Yes, Virginia, there are other browsers that have security flaws other than IE. That doesn't make them better or worse, it just illustrates that the problem isn't isolated to Microsoft.
And I suspect that in performing his job duties, he needs to be familiar with a wide array of browser technologies, not just IE.
So, please mod the parent down -1, Needs a Clue.
Re:Firing offense? by GeorgeMcBay · Score: 3, Informative
He doesn't say he doesn't use IE because it is insecure. What he said is he recently had to patch a Firefox installation because it (also) suffered from an exploit.
Somebody didn't read the article...
Re:Firing offense? by Anonymous Coward · Score: 0
More specifically, he said:
Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system.
What was this update? I use Firefox and noticed no such update. Is it just FUD, or did Windows-Update not tell me about it?
He doesn't say he doesn't use IE because it is insecure. What he said is he recently had to patch a Firefox installation because it (also) suffered from an exploit.
Somebody didn't read the article...
No, somebody did read the article, but filtered out anything remotely resembling (a) a slight against OSS and (b) any vindication, however slight, of Microsoft and their products. Typical Slashdot behavior. Everything bad about Microsoft must be emphasized, and anything good must be squelched. At the same time, anything good about FOSS must be emphasized, and anything bad must be buried with Jimmy Hoffa.
Where's the "-1 Michael-Moore-style selective editing" mod point when you need one, eh? That's what I love about Slashdot, the fair and balanced perspective everyone has here. Makes me so proud to be a Linux user. Not.
-- In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Re:Firing offense? by calethix · Score: 5, Insightful
That's what I'd like to know. The article summary makes it sound like he uses Firefox because he doesn't trust IE.
All I found in the article was: "Meanwhile, Firefox and Opera look awfully appealing.
Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
That sounds more to me like he's trying to point out that other browsers can have vulnerabilities as well. He doesn't say anything about exclusively using Firefox. Maybe he just installed Firefox just to see what the competition is like.
Heh, the first thing I thought to myself after reading the sidebar in Wired was, "Hmm, I wonder how many Sherlock Holmes wannabes are going to claim that this guy isn't even using his own MS products and is stupid enough to admit to it in a huge publication."
If you ask me (I know, nobody did. Piss off.), it seems like this was taken out of context (perhaps Toulouse mentioned previously how he monitors other browsers for functionality, or something similar) either due to space limitations or the sidebar author/editor specifically dropped this little tidbit in there without validation of why exactly Toulouse is concerned with patching a copy of Firebird.
Either way, those that are anxious to see Microsoft and their employees look like idiots must have felt really good about reading this small "interview".
Brickbat, well put. I was about to say something similar, but you beat me to it.
I think the point is that in the case of Firefox, the fix was out fast. The workaround for Download.Ject is nice, but it's not a fix- the underlying security issue remains. Hopefully we'll see one soon...?
He did not say he didn't use IE. He simply mentioned needing to install a security update of Firefox.
Well... I think one is entitled to read between the lines a bit here.
First of all, the guy clearly screwed up by in effect saying "I use Firefox" without any further clarification. This is not good PR. So it seems we have a moment of true candidness.
Secondly, most of us have a favorite browser. What's his? His words were I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system. Sure sounds like he uses Firefox a lot.
All he said was "I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system." e.g. he has OTHER browsers and he keeps up with security flaws in those browsers as well.
"sticking a feather up your butt does not make you a chicken" Tyler Durden, Fight Club
Precisely correct; the Slashdot article is misleading because it suggests he uses Firefox [the word "reveals" connotes that something has been disclosed which would otherwise have remained hidden]. He has nothing to hide; of course a security person working with browser design *should* run other browsers.
It may be that the author did not intend to deceive; nevertheless, the choice of words leads to a faulty conclusion. It is a deceptive statement.
Mod this parent down -1. This type of yellow journalism does no honor to Slashdot.
Re:Firing offense? by Anonymous Coward · Score: 0
God damn, buddy. Whose fucking team are you on?
Re:Firing offense? by brickbat · Score: 2, Insightful
We should also consider that Wired edited his responses to fit the allotted space (assuming that this is from the current print issue and not an online-only piece). Any journalist should know that taking quotes can lead to misinterpretations.
I am willing to give him the benefit of the doubt and assume that Firefox is but one of many browsers he runs, as would be prudent for someone working on software security. It's quite possible for even third-party browsers to expose flaws in the OS itself, so it's in Microsoft's best interests to keep tabs on how other browsers interact with its platform.
He's using Firefox 0.1 and just updated this morning.
-- This is my sig. There are many like it but this one is mine.
Re:Firing offense? by BryanR1977 · Score: 3, Informative
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
That would probably be the shell:// vulnerability, which if I recall the Mozilla devs removed the functionality because Windows handled the call in an insecure way. BTW to the best of my knowledge IE still accepts shell:// URLs.
Maybe he just installed Firefox just to see what the competition is like.
This is true. The best way to beat your competition is to see what they do better than you...and then try to outdo them. Or see what is in the works and beat them to the punch but make it look like your own. I don't mean steal from the source code here. I mean "Wow. That popup blocker in Mozilla and Firefox is really handy. Maybe IE should have one as well." And wouldn't you know it, SP2 has a popup blocker for IE. As much as I hate Microsoft without real reason, I respect the foresight they (perhaps only now) seem to have in fixing major flaws and adding shiny new functionality to make sure more people like me don't stray to alternates.
Re:Firing offense? by Anonymous Coward · Score: 0
Firefox not Firebird, but a good point nonetheless.
I'm on my team, looking out for my interests. My interests are not served when Linux users seek to make Microsoft the ogre while ignoring similar faults in our own ranks. If Microsoft does something good, it should be lauded just as much as if it had come from Linus Torvalds. If Microsoft does something bad, it should receive no more and no less criticism than if it were found in Linux. If we stoop to the level of Microsoft and produce only FUD, we're no better than Microsoft.
-- In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Re:Firing offense? by Anonymous Coward · Score: 2, Insightful
Isn't this flaw one in Windows, as opposed to the browser itself?
If so, that makes it worse - the OS is broken.
Missing: Interview by RobertB-DC · Score: 5, Insightful
What sort of "interview" only includes four loaded questions? Wired gets hold of the Microsoft "security program manager", and these are all the questions they ask? I'm no M$ fanboy (though I must admit I make a living writing programs for Windows), but surely they can do better than this obvious hatchet job:
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In other words: So, when will you stop beating your wife?
Meanwhile, Firefox and Opera look awfully appealing.
Ok, the guy really stepped in it here when he plugged Firefox (though I'm an Opera fan, myself).
What about removing capabilities from IE to beef up security?
You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?
Seems like you're fighting a losing battle.
Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."
-- Stressed? Me?
Of course not.
Stress is what a rubber band feels before it breaks, silly.
Re:Missing: Interview by savagedome · Score: 3, Funny
Re:Missing: Interview by MrMr · Score: 5, Insightful
In other words: So, when will you stop beating your wife?
Except that to make the analogy complete, you should add that in this case the question is put to somebody who is actually busy beating his wife...
Objection: counsel is badgering the witness
Overruled, Wired reporters are not counsel but more like prosecution, and this guy is not a witness but a suspect.
An aggressive interview is actually a great technique to give the interviewee a chance to provide their best stuff. It is used all of the time in the UK. At first, I thought it was extremely unfair. After a while, I realized that you can cover a lot more ground, and defend your position a lot better, if the interviewee takes on the role of the detractor.
-- My Photography - http://ian-x.com
The Deathlings (comic) - http://thedeathlings.com
Re:Missing: Interview by BrynM · Score: 2, Informative
What sort of "interview" only includes four loaded questions?
In the print version of the September issue, it's just a sidebar. Wired does this a lot. There are often little tidbits in sidebars throughout the magazine. This was one of them. Go look at a copy at your local newsstand. I don't remember what page it's on, but it was never meant to be a full blown article/interview. I'm actually impressed that they include their content in the web version so completely.
-- US Democracy:The best person for the job (among These pre-selected choices...)
Re:Missing: Interview by Tet · Score: 3, Informative
Ok, the guy really stepped in it here when he plugged Firefox
But he didn't even do that! All he said was that he needed to upgrade Firefox to fix a security problem. Not that he used it as his main browser, and certainly not that he didn't use IE every day like all good Microsoft employees. Merely that he had it installed on his machine, and patched it as appropriate. In his job, I'd expect him to have a copy of alternative browsers on his system. I'd be surprised if he doesn't have Opera installed, too.
-- "The invisible and the non-existent look very much alike." -- Delos B. McKown
Re:Missing: Interview by Anonymous Coward · Score: 0
OH come on.
Microsoft's record here is abysmal. Their arrogance astounding.
Products of Microsoft's popularity (or should I say, "widespread distribution") simply should *NOT* have the defect rate they do.
I know it's possible to write secure software. I use OpenBSD and DJB's tools and I sleep well at night. If these guys can do it, so can somebody at MS.
Since most folks can't afford to switch away from MS, we *must* hold their feet to the fire until they get a clue and make changes pronto.
We know they screwed up, they know it, let's not pretend otherwise.
Foo: So, when will you stop beating your wife? Bar: The day before I first met her. Baz: So you went back in time and beat her?
I think he means the wobble-wobble-poof thing from The Butterfly Effect. He went back in time and made sure not to marry her in the first place, so that he wouldn't beat her.
-- Stressed? Me?
Of course not.
Stress is what a rubber band feels before it breaks, silly.
It's a monthly thing they do called "Hot Seat" or something like that, where they take a controversial issue, pick a guy who should have a strong inside perspective on it, and drill him with 3 or 4 hard questions.
It's a whole lot better than an interview with four softball questions. Would you have preferred:
So what color is the carpet in your cubicle?
We know that you're trying as hard as you can to make Windows more secure, would it be easier if there were no hackers trying to break it?
A lot of people claim that OS X is much more secure than Windows, but back in April there was a trojan horse found that can cause problems on OS X, can you comment?
What's your favorite movie so far this year?
It's actually good to see the press holding Microsoft's feet to the fire for once. They especially deserve it when it comes to the topic of security (or lack thereof).
Thanks! My issue is at home in the bathroom (for reading and not TP) and I'm at work.
-- US Democracy:The best person for the job (among These pre-selected choices...)
Re:Missing: Interview by sjames · Score: 4, Insightful
In other words: So, when will you stop beating your wife?
Not really, no. The question was about a specific hole whose existence is not in dispute. It makes no unwarranted assumptions and doesn't ask him to make any new admissions in answering. Unless you mean to imply that the question might cause him to accidentally admit to doing his job?
You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?
Perhaps not, but it's a fair question. Many people are of the opinion that the feature shouldn't have been there in the first place (for security reasons). It wouldn't be the first time MS has given customers a choice between break feature X or be insecure.
Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."
Perhaps, but since MS has a history of being less than forthcoming on the witness stand (literally as well as figuratively), additional latitude in questioning may be given.
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In other words: So, when will you stop beating your wife?
Not quite the same. There was a vulnerability, e.g. the wife-beating. It was since fixed half-heartedly (that's why the question asks about a "real" fix), but the Bad Thing was actually happening - the wife was being beaten.
Meanwhile, Firefox and Opera look awfully appealing.
Ok, the guy really stepped in it here when he plugged Firefox (though I'm an Opera fan, myself).
The Microsoft dude himself uses Firefox! What's so loaded about this question? CERT recommended using anything-but-IE. That adds to their appeal, right? The Microsoft dude missed an opportunity to say something like "we're committed to providing a secure and useful platform for people to enjoy yadayada".
What about removing capabilities from IE to beef up security?
You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?
Why not? Servicepack 2 for XP "broke" a lot of applications in its default behavior. It's not unthinkable that Microsoft will take a long hard look at Internet Explorer and decide to ship the next version (or a patch) with less features turned on by default.
If they're not considering doing that, why, then this question is a golden opportunity to reassure their users that it won't happen. In fact, the answer is "we're constantly looking at trade offs".
The hack could have followed up with indignation about the lack of clarity about what functionality might be broken in the future. He didn't. He also didn't ask "why did it take so long to switch off popups by default?". He's going light on the fella here.
Seems like you're fighting a losing battle.
Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."
Oh come on. He didn't even say "aren't you?". It's perfectly OK for a journalist to make this statement, allowing the interviewee to say "no we're not".
This could have been phrased much, much more antagonistically. Like "So, you admit Internet Explorer is a piece of crap?" or "Do you realize that health professionals use Internet Explorer, and that lives are at risk?" or even "So Microsoft will continue pushing a product out the door that enables terrorists..." - preferably cutting off the interviewee when he answers, because "time is up".
The journo could have asked the question in a nicer form, like "How would you respond to those that say you're fighting a losing battle?", but that's just sucking up.
Asking a direct question actually allows the Microsoft dude to present himself more charismatically, exactly by not being offended.. "Well buddy, I wouldn't say we're losing quite yet!" rather than "How dare you question Microsoft?! You will be assimilated!".
Just because the reporter is asking "hard" questions, doesn't mean he's magically biased. It just means he didn't feel like writing a piece consisting entirely of fluff (though this is close as it is, for a lack of follow-up questions).
And it's not "badgering" it's "leading the witness" or "stating conclusions".
While I fully understand what you're trying to say, even people who understand what you meant by "Mu" get nothing out of your answer.
That's the point. Someone who asks that question doesn't deserve an answer. Duh. :)
Re:Missing: Interview
by
black+mariah
·
· Score: 2, Insightful
Yeah, I'm sick of hearing this whiny tit moronic shit. "AH-HAH! Someone at M$ uses Firefox! M$$ IS T3H DYING!!!!1" Ummm... no, retard, they just don't see software as a fucking religion. I worked for one guitar company and still was able to play other companies guitars. My hands didn't burn off due to the sacrilege. It's a fucking piece of software. Same with the dipshits that spooge their pants when someone mentions MS buying more Macs. "OMG! THEY BUY APPLES!" They own a large stake of the company, and develop software for their platform... gee, why would they want to use Macs?
Repeat after me: "I am a loser. I fill the void that social retardation has left in my personality with stupid shit that nobody else gives a flying fuck about. My opinion does not matter to anyone but me. My continued insistence on software-as-religion is fucking stupid, and I need to go out and get laid or at LEAST interact with other humans in some way."
-- 'Standards' in computing only impress those who are impressed by things like 'standards'.
What about removing capabilities from IE to beef up security?
You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?
Isn't it a legitimate request? One of the main problems people hammer on Windows and IE is that the product is too deep in the OS, making it nearly impossible to secure.
If you have a security failure that can't be fixed in a timely fashion without breaking the functionality, isn't it better to break the functionality instead of leaving the security broken?
Re:Missing: Interview
by
acebone
·
· Score: 3, Funny
> "OMG! THEY BUY APPLES!" They own a large stake of the company,
No - they sold that large stake, didn't they?
>Repeat after me: "I am a loser. I fill the void that social retardation has left in my personality with stupid shit that nobody else gives a flying fuck about. My opinion does not matter to anyone but me. My continued insistence on software-as-religion is fucking stupid, and I need to go out and get laid or at LEAST interact with other humans in some way.
Re:Missing: Interview
by
Anonymous Coward
·
· Score: 0
What wife?
Re:Missing: Interview
by
black+mariah
·
· Score: 1
No - they sold that large stake didn't they ?
AFAIK, they still own a chunk of Apple. Their ownership of part of Apple is not a prerequisite for the rest of my point (they develop for that platform) to be valid.
Eat your own dogfood man !
Hey, I've already been outside THREE TIMES today! And I TALKED TO PEOPLE while I was out there.
-- 'Standards' in computing only impress those who are impressed by things like 'standards'.
A far better answer is "I never have beaten my wife" or "I have no wife".
Or "When I get a divorce from your sister, then I'll just be beating a filthy whore." /too shitty of a mood to post ac, or without the karma bonus.
-- Pain lasts, kid. Its how you know you're alive.
Sometimes I think this growing up thing is just pain management-TheMaxx
Re:Missing: Interview
by
Anonymous Coward
·
· Score: 0
Hey, I've already been outside THREE TIMES today! And I TALKED TO PEOPLE while I was out there.
Did you talk socially to them, or yell and berate them?
You seem quite uptight and short fused.
Re:Missing: Interview
by
16K+Ram+Pack
·
· Score: 1
Yes, sounds like the security problem that was basically the shell:// problem. Which was a Windows problem.
How odd that he didn't clarify that.
I security really that important?
by
ellem
·
· Score: 2, Insightful
Windows hasn't been all that secure since, well, forever. Has the horrendous security done anything other than support thousands of jobs and spawned a massive aftermarket security industry?
-- This.sig is fake but accurate.
Re:I security really that important?
by
Anonymous Coward
·
· Score: 0
actually OP makes a good point. How bad is this insecurity?
Re:I security really that important?
by
hernyo
·
· Score: 5, Insightful
This sounds like "death is good because it makes us appreciate life"...
Non-security is a thing we don't like, so of course we want to get rid of it.
----- yeah, my englisk sucks
Re:I security really that important?
by
dodgy_knickers
·
· Score: 5, Insightful
"Has the horrendous security done anything other than support thousands of jobs and spawned a massive aftermarket security industry?"
By that logic, we should view terrorism as good for the economy since it creates jobs for the folks employed at the office of Homeland Security.
Think, real hard. What other effects came from security flaws (in either case)? Anything bad? Anything at all?
Perhaps this is just crazy talk, but I submit that there are better ways to stimulate the economy.
-kev
Re:I security really that important?
by
mrchaotica
·
· Score: 5, Insightful
Those thousands of jobs are just running on a treadmill and sucking resources from companies that do real work. If Windows was secure, all that capital and talent could be used for something better.
--
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Re:I security really that important?
by
jcr
·
· Score: 3, Funny
Broken Window Fallacy.
-jcr
-- The only title of honor that a tyrant can grant is "Enemy of the State."
Re:I security really that important?
by
Anonymous Coward
·
· Score: 0
If Windows was secure, all that capital and talent could be used for something better.
you obviously haven't worked with IT people before
Re:I security really that important?
by
Stevyn
·
· Score: 1
Well, on one side if people weren't being plumbers of windows machines, they'd be doing something more productive. Then again, someone who has the job of running ad-aware and cleaning out the junk that runs on startup, they probably can't do much better. But if they couldn't get a job as a windows plumber, then they'd be forced to get a better education. So I guess then that windows security is a drag on our economy and work force.
Re:I security really that important?
by
EinarH
·
· Score: 4, Interesting
Melius mori in libertate quam vivere in servitute.
Re:I security really that important?
by
Anonymous Coward
·
· Score: 0
This sounds like "death is good because it makes us appreciate life"...
Non-security is a thing we don't like, so of course we want to get rid of it.
Eh, sort of. It sounds more like "No government, no war."
Re:I security really that important?
by
M.C.+Hampster
·
· Score: 1
This has to be the wittiest comment I have ever seen on Slashdot. I'm guessing it was intentional.
-- Forget the whales - save the babies.
Re:I security really that important?
by
Anonymous Coward
·
· Score: 0
my englisk sucks
Maybe, but your English is not so good too...
Re:I security really that important?
by
upsidedown_duck
·
· Score: 1
Over the course of Windows history, it was a largely non-networked OS. Only fairly recently has every person and their mother-in-law connected their home PC directly to the Internet.
Your analogy is analogous to: cars haven't been all that bulletproof since, well, forever, so why is the latest trend of everyone driving through crime-infested neighborhoods at 3am resulting in so many shootings? (the Internet is the crime-infested neighborhood of the computing world)
-- -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
Re:I security really that important?
by
jcr
·
· Score: 2, Insightful
Yeah, but dang it: I meant to say "Broken Windows Fallacy".
-- The only title of honor that a tyrant can grant is "Enemy of the State."
Re:I security really that important?
by
ellem
·
· Score: 1
You know, actually you make a pretty good point in a way.
Cars used to be built much better. If the level of quality had remained as high and the current level of safety had been attained cars would be fantastic.
So if the quality of old OSes had been enhanced by a level of safety we'd have a pretty good OS to work on... like OS X or something... ;)
-- This.sig is fake but accurate.
Re:I security really that important?
by
upsidedown_duck
·
· Score: 1
Cars used to be built much better.
Agreed, as long as we exclude most of the 1970s and the 1980s in the US, when US automakers made genius decisions like putting 100HP engines in 4000lb trucks and making sure every emissions control would break repeatedly causing absolutely terrible emissions and very expensive repairs. Jumping straight from the 60s to 2004...actually, we're getting back to muscle cars but with modern safety and fuel economy, so a fantastic car to your liking just might be at a local dealer this year.
-- -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
Re:I security really that important?
by
Ikester8
·
· Score: 1
Sounds like a classic "broken Windows" fallacy.
-- That's the last time I run code posted in somebody's sig...
Re:I security really that important?
by
ellem
·
· Score: 1
Actually I immediately thought about cars from the 40s & 50s as "good cars"
Let us never speak of the Matador again...
-- This.sig is fake but accurate.
Re:I security really that important?
by
conteXXt
·
· Score: 1
Tell that to Peter Norton, Symantec and all the other AV companies.
Windows has been berry berry good to them.
-- The truth about Led Zep should never be told on /. (Karma suicide ensues)
Sounds like an acknowledgment of the extended timeline for something like Palladium/Trusted Computing. I've been curious to hear more about when and where that's actually going to show up.
He runs Firefox, duh!?
by
garcia
·
· Score: 4, Insightful
He also reveals that he runs Firefox.
If you were working in the X division of a company wouldn't YOU be using a competitor's program so that you could know what they were doing to make their side better? I know I would.
In fact, I would be completely disappointed if he DIDN'T run Firefox.
Re:He runs Firefox, duh!?
by
jbeaupre
·
· Score: 1
On the other hand, he's running it on his own system. Not a test machine, his own system. And he's using it enough to be concerned about updating it.
If he were only just doing a little testing, he could browse internal sites (oh, wait, he probably can't since they might not be compliant) or check out a few sites he knows are secure. And would that take more than a few minutes?
Or I could be all wrong. Maybe his system means his workgroup and there are a number of people using firefox. A little reverse engineering?
-- The world is made by those who show up for the job.
Eh?! MySQL has to be one of the simplest pieces of software to install (on Linux at least). Just create a user/group called mysql (in the unlikely event that you don't already have them) ungzip it somewhere, and make sure ALL the directories/sub directories are owned by mysql and group mysql (this trips people up). Change to the directory created when you ungzipped it. Type ./configure and it'll sort itself out and start up. Then change the password for root etc... For subsequent boots, add an init script to start it automatically, or change to the mysql directory, type "bin/safe_mysqld &" and you're running.
Yes, we're familiar with the works of Robin Williams.
-- I'd rather be lucky than good.
Re:Longhorn
by
Blackknight
·
· Score: 0, Redundant
apt-get install mysql-server.
Re:Longhorn
by
Anonymous Coward
·
· Score: 0, Interesting
MySQL has to be one of the simplest pieces of software to install (on Linux at least)
Just create a user/group called mysql (in the unlikely event that you don't already have them) ungzip it somewhere, and make sure ALL the directories/sub directories are owned by mysql and group mysql (this trips people up). Change to the directory created when you ungzipped it. Type ./configure and it'll sort itself out and start up. Then change the password for root etc... For subsequent boots, add an init script to start it automatically, or change to the mysql directory, type "bin/safe_mysqld &" and you're running.
Oh, well if *that's* all there is...
That that paragraph of procedure is considered "simple" (on linux) is more a testament to the horrible install procedures of linux programs in general as opposed to the simplicity of MySQL.
That's such a fucked up point of view. I don't mind things being complicated, but I do mind people fooling themselves that they're simple when they're not. Unless you are using some definition of the word 'simple' that I was previously unaware of?
For anyone who isn't a Unix-head, installing packages like mySQL and then configuring all of the environment variables to get your PHP-driven website working on a remote server is *extremely* difficult.
You think it's easy because you've done it many times and you're familiar with the gestalt: well, guess what? I think using a large format camera is pretty easy, but I wouldn't be arrogant enough to call it simple, or patronise someone who'd never used one by telling them 'Now, dear, you better stick to snapshots, hadn't you?'
The lack of good install scripts or instructions for many packages is a sign of a failure on the part of the developers, not the users.
--
I'm not wrong. You haven't thought about it hard enough.
This is from Robin Williams's old standup material. It's also on his "A Night at the Met" album. He quotes someone who says that "there is no devil; there is only God when he's been drinking" (or something similar). Williams offers that if God drinks, it's logical that he probably smokes up sometimes too. He offers the platypus as proof that the Almighty sometimes gets high. Which seemed to be the same joke that you were making, so I thought you might be drawing from Williams. Apparently just a coincidence. More proof that platypuses really are weird, I guess.
Re:Longhorn
by
Epidemical
·
· Score: 3, Insightful
I don't really see the conflict here.
A large format camera is easy to use for someone with experience using it. MySQL is easy to install for someone with experience doing it.
If you don't know how to do it, learn how before attempting to either use a large format camera or installing/configuring MySQL. Where exactly is the problem?
I agree that some Linux applications need to be easier to install for ordinary users, but something as complex as a database installed with Next->Next->Next->Finished can only create problems.
Which of the steps you described was not scriptable?
If it was not scriptable, how come you glossed over that in your explanation?
If it WAS scriptable, how come an install script would 'create problems?'
--
I'm not wrong. You haven't thought about it hard enough.
Re:Longhorn
by
Anonymous Coward
·
· Score: 0
For anyone who isn't a Unix-head, installing packages like mySQL and then configuring all of the environment variables to get your PHP-driven website working on a remote server is *extremely* difficult.
I had a hell of a time with the binary package for Mac OS X; it installs to /usr/local/mysql, which is great, but then you have to make symlinks for things like: /usr/local/bin/mysql /usr/local/include/mysql /usr/local/lib/mysql
Oh, and /usr/local/bin isn't in $PATH by default; I had to add that. Of course I could have put it in /usr/bin instead, but /usr/local/bin is really a more appropriate place IMHO.
I didn't bother dealing with the man pages, so of course "man mysql" doesn't find anything.
I'm thinking there was something else I had to do; I don't remember. On the plus side, the "mysql" user and group were already there, so I didn't have to worry about that.
Your instructions for compiling from source, as I recall, result in a similar mess, because it just puts everything in /usr/local/mysql too. Configuring with --prefix=/usr or something might work, but I'd prefer not to have files strewn all over my system that aren't put there by a package manager, or by myself directly. Yeah, you can start the server without creating all the symlinks, but try getting Perl's DBD::mysql to work properly.
-- $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$]; $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
No, that was the "hardest" install - but it will work for ANY Linux distro. I was illustrating a point. The easiest way (for Linux) is installing from RPM, or emerging, or apt-getting etc, depending upon your distro of choice.
I don't mind things being complicated, but I do mind people fooling themselves that they're simple when they're not...
If you have problems following that short sequence of instructions that have been "spoon fed" you, then you really shouldn't be attempting to install and configure a database server anyway. If you install almost ANY version of Linux, you CAN install MySQL with a single command or mouse click, or as an option during installation. If you pay for a root server, or shared hosting, MySQL will already be there, configured for you.
If you're too bone idle to read a *very simple* guide to install something, it's really not for you.
Read the fricken post before you start patronising me, you git.
The only thing I have a problem with is the description of that multi-step process as 'simple' in a context where single-step installers are available.
--
I'm not wrong. You haven't thought about it hard enough.
I'm surprised
by
Anonymous Coward
·
· Score: 0, Funny
I thought having a CTO/CEO declare security as high priority would get the soldiers all in line and squash all those bugs in millions of lines of code. After all, MS is better at writing software than any other corporate entity right?
Re:I'm surprised
by
Anonymous Coward
·
· Score: 1, Insightful
No, the effect of a CEO publicly announcing this is to get the _PR_ and _Marketing_ team 100% behind the security story.
Microsoft's greatest strength is and always has been that it recognised that time-to-market is more important than bugs or security. Engineers will still continue on the incredibly successful strategy they used before.
Reading between the lines
by
El
·
· Score: 5, Funny
"it's more of a 10-year timeline... but my stock options will be fully vested in 5 years, so I'll be long gone before the shit hits the fan on security still not being fixed!"
--
"Freedom means freedom for everybody" -- Dick Cheney
I dont know if he really *uses* firefox...
by
angst7
·
· Score: 4, Interesting
The context made it seem more like he saw an opportunity to mention a flaw in the competing product.
Re:I dont know if he really *uses* firefox...
by
Aneurysm9
·
· Score: 4, Insightful
Exactly. When was this interview done that he had just installed the shell exploit fix that morning? Besides, that's a fix for a *Windows* problem and he should be more concerned with fixing it than making hay about someone else's patch for their problem.
-- There was Cowboy Neal at the wheel of a bus to never-ever land.
Re:I dont know if he really *uses* firefox...
by
Aneurysm9
·
· Score: 1
One, how do you know I'm not a Windows user? Two, where did I try to sweep any Linux problems under the rug? I didn't. I simply pointed out that the problem he was referring to was a Windows problem and not a Firefox problem. It was a nifty attempt at poking holes in the competitor's mindshare though.
-- There was Cowboy Neal at the wheel of a bus to never-ever land.
Re:I dont know if he really *uses* firefox...
by
hobo2k
·
· Score: 1
It was a nifty attempt at poking holes in the competitor's
And, with me, the attempt worked very well. Until now I haven't worried about updates for firefox, but reading that I started worrying, "Ack! did I miss one? What update happened this morning?".
Regarding the shell:// update. Happening only on Windows does not a Windows problem this bug make.
Programs which take input from unknown sources must validate that input in a 'default deny' fashion. I don't mean that FireFox sucks because of one error, but denying culpability for the error leads to the dark side.
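The "default deny" validation this comment calls for, as an added example that is not part of the original thread: a link dispatcher that blocks one known-bad prefix is compared with one that passes only explicitly approved schemes. All function names, scheme lists and sample URLs are hypothetical and constructed for illustration, and inputs are assumed to be absolute URLs.

```javascript
// Added illustration (not from the thread): default-deny URL scheme dispatch.
// Every function and constant name here is hypothetical.

// Schemes the program renders itself.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp"]);
// Schemes explicitly approved for hand-off to an OS-registered handler.
const EXTERNAL_ALLOWLIST = new Set(["mailto"]);

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;

// Normalise the way lenient URL parsers do before reading the scheme:
// trim leading/trailing control characters and spaces, drop embedded
// tab/CR/LF, and lower-case the scheme. Returns null when none is found.
function extractScheme(rawUrl) {
  if (typeof rawUrl !== "string") return null;
  const cleaned = rawUrl
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const match = SCHEME_RE.exec(cleaned);
  return match ? match[1].toLowerCase() : null;
}

// Default allow: refuse what is known to be bad, pass everything else on.
// The check runs on the raw string, so any spelling the list's author did
// not anticipate reaches the OS handler.
function dispatchDefaultAllow(rawUrl) {
  if (typeof rawUrl !== "string") return "deny";
  const BLOCKED_PREFIXES = ["shell:"];
  if (BLOCKED_PREFIXES.some((prefix) => rawUrl.startsWith(prefix))) {
    return "deny";
  }
  const scheme = extractScheme(rawUrl);
  if (scheme !== null && INTERNAL_SCHEMES.has(scheme)) return "internal";
  return "external";
}

// Default deny: decide on the normalised scheme and hand off only what is
// explicitly listed. Unknown, malformed or missing schemes are refused.
function dispatchDefaultDeny(rawUrl) {
  const scheme = extractScheme(rawUrl);
  if (scheme === null) return "deny";
  if (INTERNAL_SCHEMES.has(scheme)) return "internal";
  if (EXTERNAL_ALLOWLIST.has(scheme)) return "external";
  return "deny";
}

// Constructed sample inputs (not taken from any real exploit).
const SAMPLES = [
  "http://example.com/",
  "HTTPS://example.com/",
  "mailto:user@example.com",
  "shell:example",
  "SHELL:example",
  "  shell:example",
  "sh\tell:example",
  "unlisted-scheme:example",
];

// Run both policies over the same inputs.
function compare(samples) {
  return samples.map((url) => ({
    url,
    defaultAllow: dispatchDefaultAllow(url),
    defaultDeny: dispatchDefaultDeny(url),
  }));
}

// Inputs the blocklist hands to the OS that the allowlist refuses.
function blocklistGaps(samples) {
  return compare(samples)
    .filter((r) => r.defaultAllow === "external" && r.defaultDeny === "deny")
    .map((r) => r.url);
}

for (const row of compare(SAMPLES)) {
  console.log(JSON.stringify(row.url), row.defaultAllow, row.defaultDeny);
}
```

Adding a new entry to the blocklist closes one gap at a time, while the allowlist version needs no change when a new scheme handler is registered on the system.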
Re:I dont know if he really *uses* firefox...
by
ugauaauag
·
· Score: 1
"Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
You hit the nail on the head. He used it as an opportunity to passively attack another browser.
Re:I dont know if he really *uses* firefox...
by
anti-trojan
·
· Score: 1
Didn't the latest update (0.9.3) also include the fix for libPNG exploit? It is hardly a Windows problem (not that it is a Mozilla problem, either).
Re:I dont know if he really *uses* firefox...
by
black+mariah
·
· Score: 1
My statement is completely unrelated to what you personally use, and actually it's COMPLETELY unrelated to you. I'm referring to the people that see it as no big deal when an exploit is found in Mozilla because "Oh, it'll be patched soon." but still blame MS when a worm they had a patch for MONTHS AGO goes nuclear and takes out half the web.
-- 'Standards' in computing only impress those who are impressed by things like 'standards'.
Re:I dont know if he really *uses* firefox...
by
Anonymous Coward
·
· Score: 0
My statement is completely unrelated to what you personally use, and actually it's COMPLETELY unrelated to you.
If your statement is completely unrelated to him, why did you (a) make it in a reply to his comment, and (b) follow it by telling him to STFU? Sure looks to me like you thought it had something to do with him when you wrote it...
Re:I dont know if he really *uses* firefox...
by
Anonymous Coward
·
· Score: 0
"Regarding the shell:// update. Happening only on Windows does not a Windows problem this bug make."
The exact bug was present in IE6 until a patch. It was present in Word and MSN Messenger until SP2. It most definitely was a Windows problem.
Four Questions
by
AKAImBatman
·
· Score: 3, Insightful
Only four questions? Yikes! That's not much of an article!
Re:Four Questions
by
spidereyes
·
· Score: 1, Interesting
Not only is it a very short article, but it seems to deal mainly with the browser. It would have been nice to see some details about the rationale behind the 10 year wait to a secure operating system.
And if it does take Microsoft 10 years to secure its operating system, one could only imagine the leaps Linux will take :-).
--
I say we just grow up, be adults and die.
Re:Four Questions
by
Anonymous Coward
·
· Score: 0
You know, someone should really explain to the mods that you have to check timestamps before modding redundant.
Re:Download.Ject -- CORRECTION
by
romper
·
· Score: 5, Informative
Sorry to reply to my own post, but figured I should before the flamethrowers start in.
Download.Ject information is actually here. The exploit referred to above is actually the "what a drag" exploit. Still pretty scary if you ask me.
Anyway, the editor (me) regrets this error. =)
-- Right is wrong when left is right.
in related news
by
Anonymous Coward
·
· Score: 0, Funny
slashdot reveals it will not fix the IT color scheme for 10 more years...
... So please refrain from computing for the next 7 years. Just go about your lives. Pay no attention to the penguin and cute little red daemon over there. Hey look! Over here! Have this complimentary Plush Clippy!
Re:7 Years To Go?
by
Anonymous Coward
·
· Score: 0
LOL an article about Microsoft and someone mentions clippy holyshit you're a comeeeedian! You should have mentioned BOB too and you'd have split my sides you one funny guy!!!!
Re:7 Years To Go?
by
Anonymous Coward
·
· Score: 0
Pay no attention to the penguin and cute little red daemon over there.
That's funny 'cause my mom's a baptist and she'd freak if I had a daemon on my computer. Penguins work, but wallscrolls of Kosuke Fujishima's goddess are not allowed.
Re:7 Years To Go?
by
Anonymous Coward
·
· Score: 0
I'll have one. /me buys plush Clippy and heads home DIE EVIL BASTARD! /uses voodoo tricks on clippy
BANG (the sound of millions of Windows machines crashing from an important piece of software disappearing from existence).
-- Good programmers drink beer to relieve job stress.
Great programmers drink hard liquor and work best hungover.
Well XP is the most secure windows ever! Haven't you read the blurb during installation? it also starts much faster than any previous version of windows... Let's forget about 3.1, which on any machine capable of running XP loads almost instantly and doesn't even support tcp/ip by default, so no chance of getting owned on the internet.
Geez, if I said things like that about my product, to the extent where I wouldn't even use it because it's so insecure, I'd be shown the door in next to no time.
Yeah, who wants to bet that Stephen Toulouse gets a pink slip? It wasn't long after Salon suggested people switch to Firefox or Mozilla until IE was patched, before we learned that MS was selling the magazine.
-- The dangers of knowledge trigger emotional distress in human beings.
Re:Totally
by
Duke+Machesne
·
· Score: 2, Informative
Stop saying bad things about us, or we'll kill another person that you don't know or have any relation to, aside from the fact that they share the same profession.
I mean it!!!
Re:Totally
by
Anonymous Coward
·
· Score: 0
I once spent fifteen minutes arguing that Elvis Costello was in Styx.
-- "Evil will always triumph because good is dumb." -- Dark Helmet
Re:Fat lot of good it will do...
by
MooseByte
·
· Score: 4, Funny
"According to the Mayan Calendar We'll only get a year to enjoy it!"
We won't even get there. I hesitate to instigate a panic, but... MY calendar runs out on Dec 31 of THIS YEAR! AAAIEEEEEE!
Re:Fat lot of good it will do...
by
dtfinch
·
· Score: 1
p.s. someone help me, please
Well, they want my email address and clicking the "privacy policy" or "terms and conditions" links do nothing but generate javascript errors in Mozilla because they put their script tags in a very peculiar place.
The company is Gratis Internet, aka FreeDVDs.com. They have several aliases: www.FreeFlatScreens.com www.FreeCDs.com www.FreeCondoms.com www.FreeGiftPlanet.com www.FreeVideoGames.com...
From the Better Business Bureau: "Complaints against this business concern advertising issues, credit or billing disputes, delivery issues, refund practices, selling practices and service issues.... The company provides contact information to its advertisers... As in all transactions, consumers should read any terms and conditions about transactions and offers and restrictions before signing up to participate."
Sounds like your typical internet marketing company. I wish you good luck in trying to get an ipod out of them because succeed or fail you'll definitely get a lot of email and physical mail out of it.
No Time Toulouse
by
Otis2222222
·
· Score: 5, Funny
The first thing I thought of when I saw the guy's name. Still cracks me up every time I see it. Am I the only one that thought of this sketch?
You may think that it's funny that firefox doesn't support Download.Ject technology, but for the rest of us in the real world, how can we offer it as an alternative to explorer? My PHB will just say "Ignignot, I like this FireFox thing you have working on my computer. But I've read in the Wall Street Journal that it doesn't support Download.Ject. I'm afraid we simply can't afford to make this switch."
We need this feature fixed now if not sooner, otherwise we're all going to be stuck using this insecure MS offering!
When will there ever be a feature complete open source internet explorer??
-- I submitted this story last night, and it didn't get posted.
My PHB will just say "Ignignot, I like this FireFox thing..."
Dude that's cool that you have a job. I'm stuck living in this damned basement. The interviews usually go well too, just until I introduce myself as "0x12d3". --Maybe it would be more personable of me to suggest "623370" for short.
PS: if that is your real name I am **so** sorry and meant no offense.
PSS: I'm also very very sorry that your name is Ignignot and wish you all the best of luck ;)
Re:It's a JOKE
by
Anonymous Coward
·
· Score: 0
The interviews usually go well too, just until I introduce myself as "0x12d3"
Don't sweat it Ignignot things could be worse
--AC
Move the timeline out indefinately...
by
Anonymous Coward
·
· Score: 4, Funny
If everyone is spreading viruses, it ceases to be a stigma, and becomes the accepted norm. Think of it this way:
If everyone had AIDS, you wouldn't have to be all that concerned about STDs now, would you?
New Apple ad: iMac, it's like a computer with a condom!
Re:Move the timeline out indefinately...
by
Anonymous Coward
·
· Score: 0
iMac, it's like a computer with a condom!
Too bad that without a condom it is such a better experience.
Re:Move the timeline out indefinately...
by
Excelsior
·
· Score: 1
If everyone had AIDS, you wouldn't have to be all that concerned about STDs now, would you?
I know what you mean. I read about such an STD. It results in 9 months of increasing deformity capped off by up to 48 hours of excruciating pain. Afterward there are stretch marks, decreased sexual desire, and extreme sleep deprivation. It is then followed by 18 years of agony, a change in lifestyle, complete loss of social life, and expenses in the tens of thousands of dollars.
Because this horrific STD affects nearly 50% of the population, it is often considered "normal".
Re:Move the timeline out indefinately...
by
doodlelogic
·
· Score: 1
If everyone had AIDS, you wouldn't have to be all that concerned about STDs now, would you?
I know, I know, it's a joke, but there are many different strains of HIV and just because two partners (or in your example, all possible partners) are infected, does not mean they should disregard safe sex between themselves.
Further, the secondary infections that HIV infected people/AIDS sufferers are more liable include several STDs, some of which would not be as dangerous in the general population.
Also, are Apple computers really more secure than Windows? Surely the control settings (and firewall installs) that the user sets on a domestic PC are the main defence against exploits.
Security Update
by
MikeMacK
·
· Score: 5, Insightful
Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system.
But that's just it, at least he had an update to install, MS doesn't release security updates as quickly as it needs to, as the first question mentioned.
Actually, the exploit only worked on Windows Machines. Firefox for Linux, MacOS etc was not affected. It had more to do with native Windows security than it had to do with Firefox.
-- Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
IIRC, this particular hole dates back to over a year ago, when IE had the same exact hole. They fixed it, but it only looks like they fixed it part way. They prevented IE from exploiting the hole, but they left the hole there, potentially allowing programs in the future to exploit it.
So they could point at firefox and say "look! it's just as insecure as IE" The fact that the firefox developers had to work around a security hole because microsoft wouldn't fix it properly is totally unacceptable tho.
Buy a car from my company now!
by
tie_guy_matt
·
· Score: 3, Interesting
Yes buy a car from me today. Look at all the great features! The controls are so easy to use! Any idiot can drive one!
Of course we won't perfect the brakes or the air bags for another 10 years or so, but hey the seat belts work most of the time. So buy my car version "XP" now so you can get a taste of what a safe car of the future will be like
Man, that's a long time for Mr. Bush to lose sleep. Should not the States just occupy Microsoft, to prevent an obvious, known threat to Homeland Security?
Re:Homeland Security Implications
by
Anonymous Coward
·
· Score: 0
MS is installed at 98% of businesses, huge number of government organizations in the USA and all the Western countries.
Someone really thinks that security flaws in that infrastructure have really no security implications?
Story comes with ad for Microsoft "security"
by
Animats
·
· Score: 3, Funny
This Slashdot page is being served with a Microsoft ad boasting about their security. Really.
Re:Story comes with ad for Microsoft "security"
by
SeaFox
·
· Score: 1
What? You can see the ads?
Well, we know who isn't using Firefox!
Re:Story comes with ad for Microsoft "security"
by
Anonymous Coward
·
· Score: 0
Really. When I read the parent post, my first thought was "Slashdot has ads?" I've been using Firefox with the Adblock plugin for so long, I can't remember the last time I saw an ad on /.
Everyone bashes Microsoft because of their fallible software.
Let's think about this for a moment: ALL SOFTWARE IS INSECURE. Microsoft is just the biggest player, so they are targeted the most often. There have been 'proof-of-concept' viruses written for Linux, Macintosh, even cellphones via BlueTooth.
Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.
If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?
No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'
Microsoft is partly to blame, but they're the biggest fish in the sea. Every 'fisherman' is out to get them. When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet.
(I fully expect to be modded down a bajillion points for making a case for Microsoft here. Go ahead, then)
-- Check out the best P2P sharing website: MEDIACHEST.COM
Re:Bash away...
by
BenjiPenguin
·
· Score: 5, Insightful
"Microsoft is partly to blame, but they're the biggest fish in the sea. Every 'fisherman' is out to get them. When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet."
Linux is already one of the biggest players in the server department, and that's where a majority of viruses and exploits are aimed at... I still don't see announcements for all these businesses running Linux servers being compromised.... The fact is, Linux is theoretically and in actual practice more stable and secure. Windows isn't.. A virus won't JUST affect your user account files in Windows... I think they're mostly to blame...
"No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'"
People aren't that smart.
Re:Bash away...
by
josh3736
·
· Score: 2, Insightful
I wish I had the points to mod you up. You make very valid points that the zealots just don't want to hear.
I hear about Linux exploits just as often as Windows exploits. There's kernel exploits that can get a remote user root. But it always gets brushed off as not a big deal, because hey, there's gonna be a patch out in a few days, right?
Sure, but the serious Windows exploits usually have a patch out in a few days too. It's just a matter of the responsible persons getting it installed.
Linux or Windows, if you don't take steps to be secure, you're gonna get 0wn3d. And that's the problem-- most Windows users don't even understand the fundamental problem, much less why they should install these updates. This is why I think SP2 is a move in the right direction with Windows Update automatically downloading and updating by default. I just fear the day someone cracks Windows Update and has it distribute their new l33t worm...
Re:Bash away...
by
Peaker
·
· Score: 2, Interesting
There have been 'proof-of-concept' viruses written for Linux, Macintosh, even cellphones via BlueTooth.
And how many of them actually succeeded in infecting millions of machines?
Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.
That analogy is useless. In computing, the OS can have near infinite control of all the computer's resources, including all of its outgoing connections/etc, while a car only has control of itself. Thus, in computing, if done right, an OS can use its power to limit unwanted use of its resources much more powerfully than a car can limit another from racing into it.
When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure..
Your statements sum up to:
A. Windows is more targeted by attackers than other operating systems
B. Other operating systems are just as insecure
And you attempt to make B sound as the logical continuation of A. Well, it isn't, and B is only your personal opinion.
even cellphones via BlueTooth.
Uh, those cellphones wouldn't by any chance happen to be running Windows CE, would they? (Actually, the problem is that the OBEX protocol allows anyone to send a business card to your PDA/cellphone without asking your permission first. How those business cards then become executables or alter existing files is beyond me.)
--
"Freedom means freedom for everybody" -- Dick Cheney
Microsoft is partly to blame, but they're the biggest fish in the sea.
I'd say that MS is mostly to blame. Here's another analogy.
It's one thing for me to leave the door of my house unlocked or invite in a criminal. But it's not my fault when the builder leaves a gaping hole on the side of my house.
If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?
Yes we should blame the manufacturer, if the vehicle is configured by default to drive 100mph in reverse with the lights off, and it actually requires a more sophisticated user to reconfigure it to go forward more slowly with the lights on...
A more appropriate analogy would be if a car manufacturer made a car with a big, shiny hood ornament, but when anybody pressed on it, it would pop the hood open. Sure, it makes it easier for mechanics to access the engine... but it also makes it easier for miscreants to steal your battery!
--
"Freedom means freedom for everybody" -- Dick Cheney
Re:Bash away...
by
Anonymous Coward
·
· Score: 0
You have some mistakes in your post.
Linux is a key player in the "WEB SERVER" department, not in overall servers where Linux holds a small overall marketshare.
In computing, the OS can have near infinite control of all the computer's resources, including all of its outgoing connections/etc, while a car only has control of itself.
You make some good points, but I don't like this one. The OS cannot possibly control everything the user does. That would be considered AI, n'est-ce pas? I don't use Linux much, so I can't be sure, but I'd bet $1 that someone here could send me an executable to my Linux machine's mailbox, and I could run that program, and it could wreak havoc/delete all my data/impregnate my pet dog.
From my post, B is the logical continuation of A, and yes "B" is my opinion. You can't prove me wrong, either, due to Windows owning 80% (statistic made up on the spot) of the desktop market share. When someone else owns the computer market like that, only then will we see the true 'security' of other O/S's.
-- Check out the best P2P sharing website: MEDIACHEST.COM
Re:Bash away...
by
MikeMacK
·
· Score: 2, Insightful
Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.
I think a big difference here is that car manufacturers REDESIGNED cars to add those things, we don't have airbags in our Model-T's. MS has not done a good job of redesigning Windows, so the insecurities remain.
When there is something majorly wrong with a car, they perform recalls. Microsoft performs patches, same idea.
And we don't expect car manufacturers to make our old cars safer and new... I have an old beater that doesn't have air bags, or even seatbelts. No crumple zones. It's got a straight shaft steering column that will pierce my chest and probably kill me if I ever crash that car.
So I don't drive 100mph like an idiot and practice safe driving.
Because there are so many idiotic computer users now, we expect the manufacturer of the OS to make them all safe and happy out there on the world wide web.
So, we should soon expect carmakers to put breathalyzers on all ignition systems, put biometrics on the steering wheel/shift sticks to make sure the right driver is operating the vehicle. And all cars will be linked up to GPS (already happening)... and some sort of inter-car networking/radar should be developed so crashes never occur anymore...
-- Check out the best P2P sharing website: MEDIACHEST.COM
Re:Bash away...
by
Kent+Recal
·
· Score: 5, Insightful
Linux remote-root exploits just happen rarely and kernel exploits even more so.
But what excuse does the biggest software company in the world have to not fix the gaping security holes in their two most used and probably most sensitive applications, explorer and outlook? We are watching this weekly windows exploit drama not for months but for years now. It's getting really old and it's not funny at all anymore.
The worms we have seen were pretty harmless in my book, I'm still waiting for the one that carries some more serious payload. Like wiping out all accessible drives (network volumes), saturating all network cards with malicious packets, stuff like that. MS probably needs that kind of wake up call but are they really that bone-headed to not see it coming?
Actually, the kernel exploits have all been local, you can't exploit them without an existing non root account on the system. As for remote exploits, all these are distribution specific and recently haven't been found in the most common daemons, only in a few less commonly used ones. Not to mention the fact that these are exploits in third party applications/daemons, most of which are also capable of running on windows via cygwin.. Only the kernel exploits can really be considered to be linux exploits, everything else is a vulnerability in a specific app and 99% of the time is exploitable on any os running that app, unlike exploits in inbuilt windows functionality like rpc or ie. As for not taking steps to be secure, many linux distributions are remotely-secure by default nowadays, you don't need to do anything extra, you actually have to go out of your way (turn off the firewall, turn on remote services, add remote users etc) to render yourself exploitable.
Everyone bashes Microsoft because of their fallible software.
Let's think about this for a moment: ALL SOFTWARE IS INSECURE. Microsoft is just the biggest player, so they are targeted the most often. There have been 'proof-of-concept' viruses written for Linux, Macintosh, even cellphones via BlueTooth.
Yes, there are proof of concepts. But... Microsoft is the company who made it the norm that either applications or the entire computer crashed.
Think about it that way: Before the golden age of MS Windows and MS Office people complained about infrequent crashes and buggy software and they were bloody right doing so.
Since Microsoft, everyone is chanting the mantra "it's all about software complexity".
Before Microsoft people joked about so-called banana-ware, meaning a product which ripened at the customer.
Since Microsoft this is the norm with almost all vendors. And who can blame them? A single "yeah, we are thinking about coming up with something similar" from Microsoft will effectively kill the market for any smaller competitor.
Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.
Make fair comparisons. Microsoft wasn't among the first companies to enter the market of multi-tasking capable graphical user interfaces. In fact, almost any other major player of those times had something faster, better, and less crash prone out.
To pick up your car example: When other companies were already selling something like a Chevy Corvette, Microsoft entered the market with a Ford Model T, even worse, a faulty one -- and special glasses which made it look like a Corvette and plenty of promises.
Remember Windows 95? It took them at least until W2K to come up with a product which lived up to the promises they made for Win95. Besides, they didn't earn themselves a reputation for being ultra fast with bug fixes, even mission critical ones.
"Let's think about this for a moment: ALL SOFTWARE IS INSECURE. Microsoft is just the biggest player, so they are targeted the most often."
Let's test that theory with logic. I guess one way would be to examine the competition and the aftermarket players, say, the Symantecs, the IBMs, the AutoDesks, Apple - even the open source players. If we look at security complaints against all of them, proportionally speaking, your argument is just munchkin chatter.
I hear about Linux exploits just as often as Windows exploits. There's kernel exploits that can get a remote user root. But it always gets brushed off as not a big deal, because hey, there's gonna be a patch out in a few days, right?
Bad example. The kernel exploits you're talking about are privilege escalation vulnerabilities, not remote root. The Windows user privilege model is (a) broken and (b) rarely used for anything important, so no one cares about or reports that type of vulnerability (and there most certainly are a lot more of them than Linux has.)
When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet.
In order for the Linux community to get there (become a primary player), they need to bash Windows and spread FUD about Microsoft everyday, just like every other player in the business world. So Microsoft will be faulted for everything and ridiculed at every opportunity as long as the Linux dream goes on.
Re:Bash away...
by
argent
·
· Score: 2, Insightful
I hear about Linux exploits just as often as Windows exploits
Funny, I don't. I wouldn't be horribly upset if I did, I don't care for Linux all that much and I use other systems more often myself. But I don't.
I hear about exploits in third party applications that run on both Windows and Linux get called "Linux Exploits". I hear about exploits in interfaces that both Windows and Linux used called "Linux Exploits". I hear about exploits in some proprietary package Red Hat added called "Linux Exploits". I don't hear about exploits in Mozilla or Opera called "Windows Exploits". I don't hear about flaws in encryption algorithms called "Windows Exploits". And I definitely don't hear bugs in software HP or DEC added to their laptop installs called "Windows Exploits".
the serious Windows exploits usually have a patch out in a few days too
Microsoft has refused to fix a fundamental security flaw in IE for seven years now, and even fought a lawsuit that could have forced them to fix it or be split into multiple companies if they lost, and it's still there.
Linux or Windows, if you don't take steps to be secure, you're gonna get 0wn3d
Windows is the only one where, by default, every user is root on their own machine, all the time, so EVERY remote exploit is a root exploit.
Windows is the only one where, by default, all the exploitable services are turned on after you've installed it.
Windows is the only one where you can get exploited just opening an email message. That one still boggles me... back before Melissa, the idea of a mail virus or worm that could do that was a JOKE. You at least had to explicitly run something before you could get attacked, so the "Good Times" virus hoax was hilarious. Nobody would ever build a mail program that would do that, or if they did they'd fix it for good, right away, by removing the ability to run software from a text window...
That Microsoft not only did it, but has refused to back out of the design that *still* allows it to happen whenever someone comes up with a new combination of file names and types to trick it into running something in the wrong zone, is just incomprehensible...
"No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'"
People aren't that smart.
No, people aren't that educated. They don't know that things that were pretty safe to do a few years ago no longer are. And the information as to what exactly the dangers are, as well as how to avoid and fix them, is still pretty much distributed via word-of-mouth. Which means they're going to get different opinions from all sorts of sources, who may not be willing to admit they don't have all the answers.
I don't necessarily blame the average Windows user for being confused. I do blame Microsoft for not being forthcoming about the problems they helped create and for not doing their damndest to fix them as quickly as possible. A big list of warnings should be the first thing you see when you go to Microsoft.com.
Really though, is Linux actually anyone's target? While Linux fascists are always on the prowl for a way to exploit or beat up Windows/Microsoft, I've never heard of anyone giving a rat's ass about Linux. I doubt Linux is really as secure as the fans would have one believe. It's just that no one really cares enough to actively pursue attacking it. It's unlikely that we'll ever see an anti-Linux movement with any of the specific kind of passionate negativity that so drives the anti-Microsoft hordes.
Like Microsoft or not, they do know a thing or two about business in general. They're only one of the most successful companies in the world.
Business sense (and government sense too, apparently) would say that security is a hot topic right about now. I would wager that Microsoft is all over security. Not because it will make their product better, but because it will make the product sell more. More buzzwords to impress account managers etc.
Concerning the OS market share wars, expect to see security continue to be a hot topic well after we're all tired of it. Much like the current presidential election. FUD sells.
If Microsoft ignores the issue long enough for worms to become malicious enough to do "real" damage, it won't be due to bone-headedness. It'll be to lobby for more trusted computing and to sell additional security products. Much like current election.
Either way, I would wager a dollar that says in 3-4 years we'll be complaining about too much security in windows. There will be articles in your rights online crying foul on Microsoft for locking everything down too much.
So... just what IS the right amount of security (aside from user common sense)?
Well at least you have proven that there are zealots on both sides of this debate. There is no logical connection between the popularity of Windows and the security of Linux.
I don't claim that Linux doesn't have security issues, but there is absolutely no evidence that they are on the same scale as in windows. Apache hosts many more sites than IIS, but has nowhere near the security history that IE does. There are many quantifiable reasons why Linux is more secure for most applications.
For one, it is much easier to isolate components by running them as different users, or in root jails. Windows doesn't even come close to doing that right. Just try to use a Windows box without full admin rights. Many apps break, and some just won't run. With Linux such problems are easy to correct, in Windows it is almost impossible.
Linux mail clients will not automatically detach an executable file and run it for you. The reason for this is that the developers had security in mind from the start. MS developed its existing product line with only market-share in mind. How else could you explain the wide open holes in Office macros?
In order to gain market share MS threw in every feature they could think of, without any concern for security. This played well with joe six-pack and joe ceo, while the competent techies looked on thinking "WTF are they doing?" Now MS wants to whine that they are being picked on because they are so big.
Another problem with Windows is that the monolithic design will always result in more flaws, and that exploits will have more of an impact when discovered. In a single vendor world this will always be the case. It is too tempting to take shortcuts when you control the kernel, the windowing system, the office suite, and most of the other applications. FOSS on the other hand has clean interfaces between components because the nature of distributed development demands it. This results in less complex code/data paths, which results in better security.
Yes, it is true that complex software will probably always have bugs. (At least until we have a major shift in development languages and tools.) But MS ignored security for too long. The issues in Windows go way beyond any particular buffer overflow. The design itself breeds flaws and allows those flaws to have much deeper impact than they should.
BTW: My understanding is that the firefox vulnerability from the article was an extension of a flaw in Windows, and that IE had the same problem. People running Firefox on Linux had no issue.
-- XML is the best data format; unless your data needs to be read or written by a human or a computer.
Re:Bash away...
by
Anonymous Coward
·
· Score: 0
> The worms we have seen were pretty harmless in my book, I'm still waiting for the one that carries some more serious payload. Like wiping out all accessible drives (network volumes), saturating all network cards with malicious packets, stuff like that. MS probably needs that kind of wake up call but are they really that bone-headed to not see it coming?
No one who writes viruses/worms wants to write such a juvenile, useless piece of junk. FAR better to write the ongoing hijack-this-PC-so-I-can-resell-it-as-a-spam-source virus.
Keep the host alive, compromise tens of thousands - now THAT's useful. And harmful.
Well, admittedly yes. But a smarter worm could probably hook into fopen() and friends like realtime virus scanners do and trigger the payload when an attempt to remove the worm (launch/install of antivirus software?) is noticed. There could be a remote trigger so the worm writer can flip the switch as soon as patches/removal tools become available. And finally there might be worm writers whose malicious intent outweighs the fiscal one. Those would be more interested in creating a big headline than in assembling zombies for whatever job. Heck, some annoyed spam-fighter might go for a clean sweep to wipe out all the damned spam drones - if only for a week... The possibilities are endless as long as MS is providing the playground.
I am sure that the number of serious flaws at one time will never equal the number of serious flaws with say windows 95 or windows 3.1 or windows 98 for that matter. All software has bugs...The biggest difference is that the open source community is just that...open. Thus many more bugs are discovered and then fixed as quickly as needed.
I would never claim that OSS is immune to bugs and virus writers and such...only that OSS is by nature more robust.
When they started, they were unsafe. So they added a 'fix' like seatbelts.
No, that's not how it happened. A company came along and made the Packard car which promised a whole variety of things like roll cage, seat belts, 3 headlights to see better around curves, etc. The company ended up being attacked by the big auto makers, and it went bankrupt. The whole seat belt thing came about only after the government stepped in when there was a large outcry over I believe the death of James Dean.
Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.
Now, most of these also were requirements of government; most are also graded to tell consumers just how unsafe cars are. Only the rear-sensor thing seems to be a new, non-requirement option and it's really an extra not a standard feature.
If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?
No, but the problem is that even when driving as safely as one can, odds are bad that if you're hit by another driver head-on that you'll survive. It took a lot of government regulation to even *have* odds that you'd survive.
So, do you want the government to step in and do a lot of regulation to make sure MS software is safe? Or do you think that Packard/Linux will raise enough awareness that MS will finally have to get off its ass and truly design a secure OS? It seems for the time that Linux is doing the job for now; I only hope that it continues to be true, but until that time I'll continue to use Linux where there might also be security problems but the design normally doesn't offer egregious n-part automated attacks.
-- Eurohacker European paranoia, gun rights, and h
What makes you think a Linux server is more stable and secure than a NT server ? Is it because of the UGO "security" model? Or because there is no bug or exploit with OSS ?
I am a computer consultant and I do install and support Linux and OSS. And you know what ? I'm really tired of all the time I must spend patching security holes.
From a security point of view, Windows is a joke, but so is Linux. A few years ago I thought SELinux was a step in the right direction. But the fact is, nobody really cares about security. It seems the only thing people care about is speed (and, of course, patting themselves on the back).
I fully expect to be modded down a bajillion points for making a case for Microsoft here.
Your "case" seems no more than simply wrong "more users -> more bugs" and attempting to shift the blame for bugs to user errors.
Apache runs 67% of all public websites. But somehow that "other" webserver running 20-some percent of sites has fallen victim to numerous remote exploits... including a very nasty one recently that infected a certain popular browser which would in turn infect more of those servers.
Linux is already one of the biggest players in the server department, and that's where a majority of viruses and exploits are aimed at...
No, they're not. Most viruses and exploits these days target end user machines.
Why would you target a virus or exploit at a server ? It's more likely to be detected and more likely to be fixed. It's not like a decade ago when only servers had gobs of disk space, fast processors and fast internet connections.
I still don't see announcements for all these business running Linux servers being compromised....
Hardly surprising. Seeing announcements for any servers being compromised is relatively rare.
The fact is, Linux is theoretically and in actual practice more stable and secure.
Please explain this theory and how it leads to the practice.
A virus won't JUST affect your user account files in Windows
It will if you're not running as a privileged user.
And yet the number of worms targeting IIS (code red, nimda, others?) massively outnumbers the amount of worms targeting Apache regardless of platform, despite Apache having over 60% market share.
They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there.
That is, I think, the whole point in security and the problem with Microsoft. IF there is a security breach, fix it. FAST! If you found it, somebody else will have found it as well.
Yes, there are security bugs in Linux. Fact is that they are repaired quickly. I think the average is about 2 days.
If you only look at the time between bugs and fixes between Linux and Windows, Linux is more secure BECAUSE of the relative smallness and the open source attributes.
You thought you were making a point for Microsoft, you actually made a point for F/OSS.
-- Don't fight for your country,
if your country does not fight for you.
Re:Bash away...
by
Anonymous Coward
·
· Score: 0
So, sites running IIS have 1000 times the amount of money, 25 times as many admins, and they still can't secure IIS as good as some college-student running Apache...
The point the last 20 or so posts failed to mention is sooo out of your reach. You guys are just speculating -- thinking your limited involvement with protecting yourself from crime suddenly makes you experts. Taking part in these crime organizations or DIRECTLY fighting them is necessary to understand this situation.
Developers focused on securing their products don't count either as you're just interested in coding technically-armored snippets into your latest project. Noble, but it doesn't give you a strong insight into why there are more viruses on Windows than Linux.
Not surprisingly, it's all about the fame and money.
Why would one create a program that obsessively sends itself out to other computers??
Fame, Fame, Fame, Fame, Fame. Or ego, however you want to think about it. Fame involves an actual audience while ego is the performer and the audience.
With intelligence comes agenda, with agenda comes a desire to see it fulfilled. This sums up the fame category.
Non-Politically-Correct Example: Boo is intelligent. Boo has an agenda. Boo hates all gays. Boo writes a virus targeting gay porn scavengers (connoisseurs?). Computer owners of the homosexual persuasion suddenly have virus-infected machines. Agenda fulfilled, but not on Linux as that means less gays being harmed.
Money is also a good reason as I'm sure many spammers can attest to.
Obviously since most of the public currently uses Windows, most people are going to create viruses attacking these machines for above reasons.
-More virus infected machines mean more fame or more money either way you look at it.-
Also, comparing server-attacking viruses to desktop-attacking viruses is silly in the current state of both markets.
Let me explain: One can only assume a would-be virus creator's first attempt at creating these malicious programs would target a Windows Desktop as that's normally what they're going to be running (yay, graduated from public victim to public attacker!) So, with their skills polished on the Windows Desktop system what is the next logical progression you ask? Not almost the EXACT THING, just with web server support *gasp* *shock* *puke* NO NO NO, let's completely reverse directions and start learning how to attack Apache web servers!!
Does it happen? Sure. Often? Hell, no. Thousands of virus writers out there and most of them start with Windows so of course that's what they learn to attack first. It takes forever for them to get to the point where they have interest in Linux in the first place and then even longer to learn it. Most stop caring before they ever progress that far.
IMO Microsoft could do a whole lot more to improve their products.
Firstly, take out the vulnerabilities that are down to user running program.exe. That's just dumb.
However, when you buy certain goods (like a food processor), there is an expectation of reasonable protection for the user. My electric coffee grinder has a switch inside that requires the lid to be on to prevent accidents.
Some ideas....
More security by default. When you switch on your Windows XP machine, it should have the option to have everything locked down except for a connection to Windows Update. All the latest patches come down and then the machine unlocks itself. That way, people won't get owned machines before they even get a chance to patch.
User and admin accounts by default. Accidentally double clicking a dialler program should by default need a password inputting.
Much more sandboxing. Your screensaver example is a good one. It should run in nothing more than its directory. If it attempts to go outside, it crashes and tells the user.
I'm not saying that these behaviours shouldn't be amendable, just that the default should be a more resilient and protecting machine.
Regarding errors and "fishermen" out to get them, that's an unacceptable excuse. Have a look at the known vulnerabilities in IE vs those in Firefox. Firefox ones get fixed very quickly. Considering it is open source, people should be able to find vulnerabilities much easier.
But there is little that can be done about crime on a home, except putting security guards, barbed wire, dogs etc - the cost per home would be ludicrous.
Some homes in very good areas are targeted by professionals and generally people don't get through because of security measures.
The analogy doesn't work because hiring a security guard for every home is impossible. Security guards don't have a near-zero duplication cost. Software does though.
I remember working in a mainframe department when our first NT server came in. It typically crashed about once a week where we had last had a crash about 2 years earlier.
If the mainframe went down, or even if one of our applications went offline, all hell broke loose and users went mad. They expected very high uptime.
Now, I notice that users don't seem to expect the same levels of uptime. They've become conditioned to software being down.
I find Microsoft's attitude to security infuriating. They seem to now be selling security as a bonus in a "look at how seriously we are taking it" when it should have been a gimme all along.
My attitude - a browser should be bullet proof. I shouldn't have a company saying "type in hyperlinks" or "be careful of the sites you visit". The browser is the window on the web and should protect the user, or it isn't doing its job. If a fault is found, it should be jumped on and fixed PDQ. The Mozilla guys can do it, so why can't a multi-billion dollar company?
If the mainframe went down, or even if one of our applications went offline, all hell broke loose and users went mad. They expected very high uptime.
Not to mention the fact that until Microsoft "servers" it was common understanding that a server just would not crash. The only reasons to shut it down was to upgrade or repair. That was especially true for big mainframes which took an awful long time to boot. With a boot process lasting 10-15 minutes you just want to have that machine up and running.
I find Microsoft's attitude to security infuriating. They seem to now be selling security as a bonus in a "look at how seriously we are taking it" when it should have been a gimme all along.
I personally hate the "It's not a bug, it's a feature." kind of attitude they even show today.
You're thinking in yesterday's terms. The viruses of old would wipe out hard drives and cause data loss.
The viruses and trojans of today deliver the more harmful payload. There is money to be made in spam (hard to believe, but nevertheless true), there is money to be made in phishing, there is money to be made in orchestrating DDoS attacks against your competition, and this is the payload being delivered in today's viruses. And by not doing anything outwardly visible to end-users other than some slow-down that they may or may not notice, it goes undetected for weeks or months which extends each infection's useful life and allows those responsible for spreading them to maximize their benefits.
Viruses of today are the tools of organized crime around the world. The days of the "innocent" wipe out your hard drive virus are gone.
Trust in technology, computers and the internet are slowly being lost because of all the scams going around, all the exploits, all the spy-ware, and all the viruses that make them possible. With this loss of trust, comes the demise of the technology economy that has made Microsoft the incredibly successful business that they are today. This is the crux of the reason that Microsoft is having to focus on security in their products.
We typically brought down some services at 5am to recycle journals (IIRC could be done another way, but 5am was never an issue anyway) and occasionally had to take down some services to get an upgrade put in.
In fact, I never remember the machine actually crashing in a decade. The nearest thing we had was a disc head crash and that took out some data which we fixed that night.
Re:Bash away...
by
Anonymous Coward
·
· Score: 0
"I'm still waiting for the one that carries some more serious payload. Like wiping out all accessible drives (network volumes), saturating all network cards with malicious packets, stuff like that." I wonder how many people read this post and got a really, really good idea.
What?? 100% known secure isn't possible.
by
DunbarTheInept
·
· Score: 4, Insightful
What in the blazes does it mean for something to finally be "secure"?? It's not as if it's actually an achievable goal, and it's not as if you'd have a way to detect when you'd achieved it even if it was achievable.
The 100% secure line is an asymptote. You can get fractionally closer to it, but never ever actually achieve it.
--
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
To be fair...
by
artemis67
·
· Score: 5, Insightful
he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.
I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.
he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.
I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.
What made this quote so striking isn't that he uses a competitor's product (he *should* be using their product). The point is that he *must* use a competing product because IE isn't secure in this case. To underline the matter both browsers were exposed to this vulnerability but Mozilla/Firefox had a patch out the same day the vuln was reported to them. We're all still waiting for a patch from MS closing in on two months later to fix this security hole. Surely, that is at least a little embarrassing considering all the noise out of Redmond lately about security being their top priority.
I do give Toulouse big points for mentioning that he had to use Firefox in this case. Honesty like that is refreshing! The software industry could do with a bit more candor like this.
-- G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
I just about spit my soda all over the page when I read his comment about installing the Firefox fix. He forgot to add the Firefox security fix was a work-around to a Microsoft vulnerability not a Firefox bug itself.
Glad to see he is running firefox. Seems these days, everyone is switching over to it because running IE means that you can expect to have your computer taken over every other day.
Firefox hopefully will put those anti-spyware programs at least partially out of business. And if MS is running firefox, I imagine the next version of IE will look familiar to those of us who have already switched away..
>... because running IE means that you can expect to have your computer taken over every other day. Actually, running Windows would put you at risk of having your computer taken over every other day. Get smart, get rid of Windows. There are much better OS's all over the place.
In case you're wondering... why?
by
Penguinoflight
·
· Score: 4, Insightful
First, someone posted above, the analogy between windows security fix, and Slashdot's terrible "IT" theme.
Second, the idea that an MS head is using firefox is hardly surprising, it's much more at issue that he's willing to admit it to Wired, and doesn't even seem to mind that open source is a better alternative.
Microsoft has had a history of using open source projects, most famously with qmail+unix on their hotmail, but even branching to the MSN gaming zone, etc. It's really not too surprising, considering a lot of the unix foundation implemented in their NT-XP series.
--
"And we have seen and do testify that the Father sent the Son to be the Savior of the World" 1 John 4:14
Re:In case you're wondering... why?
by
4of12
·
· Score: 3, Interesting
the idea that an MS head is using firefox
and that he projects such a long time for security to happen gives him greater credibility among IT people that have a clue.
MS has lost so much credibility in so many ways in the past that they have nowhere to go but up. Why pretend anymore?
-- "Provided by the management for your protection."
Re:In case you're wondering... why?
by
burns210
·
· Score: 3, Informative
"qmail+unix on their hotmail"
That was from the original creators of hotmail. MS bought out hotmail... It took several years, but Hotmail was finally moved over to an NT base, which it now runs on.
Among other browsers, I'm sure!
by
addie
·
· Score: 5, Insightful
He also reveals that he runs Firefox
Indeed, parent post is correct. Besides, the article doesn't say that he uses FireFox exclusively by any means. In fact he only mentions FireFox to prove that all browsers are susceptible to attacks.. Here's hoping he also uses NS, Opera, Safari, and whatever browser he can to do testing and research.
Yet more spin by /. zealots who don't take the article at face value.
Re:Among other browsers, I'm sure!
by
grcumb
·
· Score: 1
"Yet more spin by /. zealots who don't take the article at face value."
Er, don't get me wrong, but I don't take anything anyone says at face value. Not even my mother.
... Okay, especially my mother, but let's not go there.
-- Crumb's Corollary: Never bring a knife to a bun fight.
Re:Among other browsers, I'm sure!
by
16K+Ram+Pack
·
· Score: 1
Which update is he talking about? If it's that recent, it sounds like the one that allowed execution by shell://. The one that arguably is a Windows problem, and that Firefox is simply patching Windows.
What kind of pathetic headline is that? When did MS say "MS not expected secure until 2011"?!?! This is called sensationalist GARBAGE, people! Stop putting this swill up as headline material.
Having someone say "it's more of a 10-year timeline" does not equate to "MS not expected secure until 2011"...much less "MS says" 2011. The phrase "more of a..." connotes a generality. The headline is pure, conjured specificity.
Crap like this makes me become seriously disenchanted with Slashdot.
What kind of pathetic headline is that? When did MS say "MS not expected secure until 2011"?!?! This is called sensationalist GARBAGE, people! Stop putting this swill up as headline material.
MS has been preaching this security initiative for 2 or 3 years, that brings us back to around 2001. Now they say it's a 10 year plan. 2001 + 10 = 2011.
Based on MS's past performance, we can extrapolate a timeline from their behavior and make a decision to purchase or not from that.
Microsoft never said "it's a 10 year plan". Sure, I'm picking nits here...but the crux of the quote is that there is no quick fix in, say, 2 to 3 years..."it's more of a 10-year timeline". In other words, less than a sprint and more like a marathon. Is that a 5 year marathon? Ten years? Fifteen years? Who knows? Microsoft might know for certain, but they're only throwing out generalizations here.
But this quote does NOT read "it's a 10 year plan". Read into it what you will; embrace self-delusion.
Yeah it's just as sensational as the Windows XP Install Marketing Windows that pop up while you're waiting for 100% to install.
"WINBLOWS XP THE MOST SECURE OS!!"
M$ ARE a MARKETING machine. Read "BULLSHIT" machine.
So what.. the headline's a bit sensationalistic - at least it didn't give me 101 different holes with my browser that lead to files being dumped or retrieved from my PC - who cares about firewalls when you can attack IE.
It *doesn't* say "WINDOWS XP THE MOST SECURE OS." It just says, XP will make your computer more secure and reliable than previous versions of Windows. Which is arguably true.
Nice strawman.
Even XP SP2 is easy to tamper with
by
mslinux
·
· Score: 5, Informative
Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin;)
Also, here's a Python script that will automatically kill the new "Windows Firewall" in XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.
These are just two examples of what MS does to "secure" their systems. God help us all.
Re:Even XP SP2 is easy to tamper with
by
qwerty75
·
· Score: 1
"Did I mention that by default all XP users are admin;)"
Not if they are in a Domain. If they are not in a domain, then any user created after the primary account also is not an Admin unless specified as so by the account creator.
"Click a URL and bam... the firewall goes down" If they are using the MS firewall as their sole line of defense then there are other issues to worry about.
Re:Even XP SP2 is easy to tamper with
by
mslinux
·
· Score: 1
XP home users (all 50 - 60 million of them) are not in a domain nor can they be. And by default, the OS creates users who have full admin rights on the machine. It's like giving a 5 year-old a loaded gun and telling him to go outside and play... something bad is going to happen.
Re:Even XP SP2 is easy to tamper with
by
dJCL
·
· Score: 0, Troll
Have you tried Win2K3's tools for joining the domain? It asks you which of the current users should be set up as a local system admin (usually to allow installing software). This is how it is designed to work! Usually we only have one user on each machine, and so they get the admin rights locally on it. This basically means that a script like the ones mentioned would work fine, even on a domain.
Anyway...
-- On Arrakis: early worm gets the bird.
Magister mundi sum!
Re:Even XP SP2 is easy to tamper with
by
Anonymous Coward
·
· Score: 0
Disabling Linux's firewall is as easy as '/etc/init.d/iptables stop', or permanently (for RedHat) chkconfig iptables off, or even 'rm /etc/init.d/iptables' or 'rm /sbin/iptables'.
Re:Even XP SP2 is easy to tamper with
by
Anonymous Coward
·
· Score: 0
Oh come on. That's like saying "writing 10,000 x's on one line in /etc/passwd causes iptables-based firewalls to stop functioning". If I can write 10,000 x's to /etc/passwd, you have a hell of a lot more to worry about than the state of your iptables firewall.
Re:Even XP SP2 is easy to tamper with
by
JKR
·
· Score: 2, Insightful
It asks you which of the current users should be setup as a local system admin
This is not how you should set up a domain, by the way. There shouldn't BE any local users other than the local administrator. Domain user accounts are managed from the domain controller.
Usually we only have one user on each machine, and so they get the admin rights locally on it.
And why are you expecting this to be secure? Do you give everyone root on their own linux boxes as well? Any domain admin with a clue sets things up so that the domain users are "User" or "Power User" at best, and a lot of places lock things down even further using group policy. You can reduce XP to kiosk mode if necessary. I've actually deployed SP2 in a domain and the XP firewall can be configured using domain policy such that local admin can't mess with it.
Jon.
Re:Even XP SP2 is easy to tamper with
by
dJCL
·
· Score: 0, Redundant
I don't make the rules, I just follow them... (And I have recommended we change this, and why). But I do understand the reason this situation exists: We usually go into a client that has grown from a small business into a medium business and their old peer to peer network just cannot cut it any more. Install a SBS2003 server as a domain controller and mail/file server and join everyone to the domain with their old computer. By using the tools built into SBS2003, this is insanely easy to do, and it will import the user's profile to the domain controller. The default in this situation is for the user that is being imported to be set as local admin.
Anyway...
-- On Arrakis: early worm gets the bird.
Magister mundi sum!
What is unfair here?
by
revscat
·
· Score: 4, Informative
A) A Microsoft representative said that it will take an estimated 11 years to fully secure Windows
B) Slashdot reports this
What spinning or unfair editing took place here? Your pullquote doesn't seem to show anything unfair. Yes, they are reworking key system components. But that still doesn't change the fact that Windows is so insecure that it will, by their own admission, take over 10 years to fix it. That's pretty important.
Re:What is unfair here?
by
danheskett
·
· Score: 5, Insightful
What spinning or unfair editing took place here?
No, the Microsoft guy said that the security goals set forth are not short-term goals, but rather, long-term goals, aka 10 years.
The headline of the Slashdot article makes it seems like he said flat out that Windows will be insecure for 10 years. Which isn't true, and which isn't what he said.
At some point people on Slashdot are going to have to come to grips with the fact that there are levels of security. MS is in the middle of a big push to change how they themselves and more importantly their customers think about security.
It's a non-trivial thing. Windows developers haven't been thinking about security until recently. It's been a non-issue until the world and MS made it one.
Getting the core of Microsoft software, applications, services and servers up to date, as well as creating tools that forcefully prod developers into coding effectively and securely is the real big goal of Microsoft's security plan.
Now look at this very short interview. The original question was:
We asked Stephen Toulouse, Microsoft's security program manager, if Redmond is fighting a war it can't win.
That's clearly the question he is responding to in the final "question": "Seems like you're fighting a losing battle.".
Rethink it in light of that question. Security isn't a start at X, arrive at Y, and you are done thing. Any developer knows that.
MS has done the basic things they never did before: disable services by default, enforce passwords, use least privilege practices, and the like. That's step 1. They've gone ahead and prodded developers to be more conscious of security problems - that's step 2. They've updated their own software to be much more resilient to attack. This isn't about just buffer overruns and whatnot. It's about cross-site scripting, phishing, and the like. It's about redesigning things to be secure by default.
Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.
When the question "Seems like you're fighting a losing battle" was posed the MS guy responded by saying "It's not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline."
Finally, as an FYI. The rate of security flaws in Windows itself isn't terribly bad. Windows XP is a decent product, and it's not terribly hard to harden. Take a Windows XP box, turn on auto-updates, run FireFox, and be done with it.
Re:What is unfair here?
by
malfunct
·
· Score: 2, Interesting
I agree with you, 11 years to as near perfect as they understand how to do. SP2 was a huge way toward basic security and did many good things.
What I want to know is whether Linux has even admitted that it has a security problem to work on? I know they try to be secure but it seems a great many people think that Linux is already secure.
When the question "Seems like you're fighting a losing battle" was posed the MS guy responded by saying "It's not a switch that can be flipped. Software written by humans will always contain errors. We're fundamentally changing the way things operate, to help to make software more resistant to attacks. We're two and a half years down a much longer road; it's more of a 10-year timeline."
Ok, I can agree with your assessment of that. Point taken.
"The headline of the Slashdot article makes it seems like he said flat out that Windows will be insecure for 10 years. Which isn't true, and which isn't what he said."
"It's been a non-issue until the world and MS made it one."
I hope you geeks are proud of yourselves now! Nooo you couldn't leave well enough alone, you had to write virii and trojans and exploits and what not! For shame For shame
Re:What is unfair here?
by
Anonymous Coward
·
· Score: 1, Informative
Just FYI, the plural of virus is actually viruses. Someone pointed it out to me just the other day:).
Take a Windows XP box, turn on auto-updates, run FireFox, and be done with it.
I wish to god it were that simple. But FireFox, "whom I love more than a woman", has a distinct tendency to blow up at least 5 times a day, given enough installed plug-ins and opened tabs. I get this both at home and at my job. When more than 10 plugins are installed and many tabs are open, with different sorts of media types viewed in those tabs, FireFox crashes like a mofo. Now go figure what caused the crash.. I can't even report a bug since it's difficult to say which module is responsible.
It's getting embarrassing for me, as the company's sole mozilla advocate.
-- The power of Christ compiles you!
Re:What is unfair here?
by
Anonymous Coward
·
· Score: 0
What I want to know is whether Linux has even admitted that it has a security problem to work on
Ok ok, I'm a little insecure, what more do you want from me baby? You want to parade my insecurities around in front of everyone? Don't be a bitch, and I won't panic every time you touch me.
Love,
Linux
Re:What is unfair here?
by
Anonymous Coward
·
· Score: 0
"MS is in the middle of a big push to change how they themselves and more importantly their customers think about security."
MS only deals with marketing though, so their marketing department will take a serious look at how they can turn around this crappy security situation and say that "Windows got more secure" due to X, Y and Z.
It doesn't mean anything will be fixed, or that code produced in the future will have learnt and benefited from these past mistakes. I sincerely don't believe that any other department apart from Microsoft Marketing is bothered about security.
Re:What is unfair here?
by
Anonymous Coward
·
· Score: 0
No, it isn't. You see, 'virus' is not an English word. Thus, the English plural of 'virus' is 'viruses', the (somewhat more correct) Latin plural is 'virii'.
10 years? what are they doing in Seattle?
by
Anonymous Coward
·
· Score: 0
Take them 10 long years? what are those Microsoft folks doing? smoking a halibut or something? I think Microsoft should start hiring decent programmers and test engineers to test their product before they release.
Re:10 years? what are they doing in Seattle?
by
Anonymous Coward
·
· Score: 0
No can do. They would have to install some intelligence into the company first. And, according to their history, they don't know how to do that.
In other news from MSFT
by
YankeeInExile
·
· Score: 1
The Benevolent Software Source is pleased to report that in the last quarter, the seventh three-year-plan for software patches has been overfulfilled by 98%
-- How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Meaningless
by
Lord_Dweomer
·
· Score: 2, Insightful
In that much time, there will be new vulnerabilities discovered in new software that is created. There will ALWAYS be a way, and there is no way they can guarantee this. Will computers be a little more secure? Sure, in many ways. But they will also be a lot more insecure in others. Remember, we're dealing with the same idiots who install Bonzi Buddy because he seems friendly, or Weatherbug because it sounds so convenient that they don't care about the EULA.
Great. Linux should be ready for the desktop by then!
-- Are you...Are you some kind of genius?
No, ma'am, I'm just a regular Slashdot reader.
takes a long time to turn a big slow boat
by
methuselah
·
· Score: 1
Guess it's official Microsoft has reached bureaucratic status. That sounds an awful lot like a government timeline. Oh well, the masses are content. So whatever happened to innovate? hmmmm... Oh they are a monopoly they don't have to do silly things like compete anymore. Too bad there isn't someone out there that created a secure solution already. It's not like Microsoft would steal it and drive them into bankruptcy. Hey, that's a great idea I am sure that some entrepreneur will get right on that....
Firefox has bugs
by
qwerty75
·
· Score: 2, Informative
Not certain what the big deal is about him running firefox. It seems to me the only statement he made was that he has to download patches for that program too not that he exclusively used Firefox as his browser because of security problems with IE.
The only secure computer is one that is turned off and encased in six cubic feet of concrete surrounded by a faraday cage.
1. Read the C2 security certification guide from the NSA. http://nsa2.www.conxion.com/
2. Remove the network card from your computer.
3. Install Windows 2000 Workstation.
4. Install all service packs and security hotfixes from Microsoft from CD.
5. Turn off all unnecessary services, including server, messenger, networking, etc...
6. Get 2000lite and nuke internet explorer off your computer. http://www.litepc.com/
7. Lock down a restricted user for general machine use.
8. Install OpenOffice.org for office applications.
9. Remove floppy and cdrom drives and lock case.
10. Epoxy shut the USB ports to discourage thumbdrive use.
All done! I dare anyone to hack into this machine:)
-- My Other Computer Is A Data General Nova III.
Re:How to make Windows secure:
by
Aggrajag
·
· Score: 1
No firewall and no anti-virus? I seriously doubt the security of your system unless you forgot them from your list.
Re:How to make Windows secure:
by
dgagley
·
· Score: 1
1.) Turn off the computer
2.) Go play with your pet dinosaur
-- I can't use my sig - my computer can't read my handwriting.
Re:How to make Windows secure:
by
spidereyes
·
· Score: 0
1. Format
2. Install Linux
It scares me to think how much we rely on an operating system that won't be secure till 2011.
--
I say we just grow up, be adults and die.
Re:How to make Windows secure:
by
DaHat
·
· Score: 1, Troll
The previous year Lucifer appears in the sky, and in the following Windows will be secure... Coincidence or Prophecy... You decide ^^
Funny though, I figured it would take MS more than one year to gather all the souls it would need to sell in order to make it secure... either that or I need to read my EULA more carefully..
-- meep!
What the...?
by
Jugalator
·
· Score: 4, Insightful
Since when did security become a goal you can achieve after a certain amount of time?
It's something you always need to keep an eye open for, and combat exploits whenever necessary. How can Microsoft say "it's more of a 10-year timeline". That statement alone makes me wonder how sane Microsoft's security program manager is. So Microsoft are going to dismantle their security team in 2011?
What would the Linux community think if Linus went out claiming that "we expect the Linux kernel to be secure in version 3.0"??
Anyone who takes software security seriously should understand that you can never expect a product to be secure after some period of time.
"Secure" is also relative and not at all an absolute term.
-- Beware: In C++, your friends can see your privates!
Maybe what they've got is a seven year track of projects designed to address some of the chronic security problems through abandonment or rewrite of legacy code. For example, getting rid of the old crufty C/C++ apis and replacing them with managed dotnet could be a boost to security, especially as dotnet matures.
Re:What the...?
by
Anonymous Coward
·
· Score: 0
It means that they've currently got a list of work and projects that spans 10 years.
I've always felt that MS isn't inherently an evil company, it's just that any company that size is going to screw up. The fact of the matter is that no one else can pull off what MS has done - it takes a huge amount of resources to make some of their products and innovate like they do. Yes, Linux, Firefox, and a host of other free software has pretty much identical functionality, but that functionality wouldn't have ever been thought of without MS. This interview indicates to me that MS is not trying to hide anything, but is instead genuinely trying to improve their products. They know that apps that size are going to have products, and they apologize - it's too bad when they are accused of being a horrible company because of bugs. Applications these days are just too complicated to be completely secure. In recent months MS has actually been very forthcoming with what their plans for the future are. As much as you might like open source, MS's influence has been integral to the development of those technologies. I'm not exactly sure what my point is, but articles like this really make me like MS more - maybe even feel sorry for them as they fight a losing battle against people who want to cause damage to their customers and to the company itself.
Re:MS != evil
by
Anonymous Coward
·
· Score: 0
Troll.
The fact of the matter is that no one else can pull off what MS has done
That thing you call a fact is more properly a conjecture. Microsoft has certainly done some unique things, in the area of anticompetitive practices for example, but while these may be noteworthy, the reason that you offer is simply that Microsoft has a lot of money. In other words, according to your reasoning, any other organization with similar resources would be equally capable of committing similar acts.
Whether they would choose to do so or not is, of course, dependent on the organization. But we do know that there are other very large organizations which have not developed a reputation as Microsoft has for despicable acts. Therefore, your argument that any company [of] that size will do so is demonstrably false.
that functionality wouldn't have ever been thought of without MS
Another conjecture, this one quite a bit more speculative. You've presented no evidence in support of it, and most of us here are aware of much evidence against it.
While you are correct in that I didn't provide any evidence, I certainly didn't mean this as a troll. Trust me, I don't have the time to sit here and make up opinions. While I would say this particular opinion is not the status quo on /., this was by no means flamebait or a troll. Ass.
Re:Bash away...Thanks I will
by
Anonymous Coward
·
· Score: 0
If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?
No, but if Ford releases the new Explorer, that hits a curb, sign, or barrier on average within 15 minutes of getting on the highway for the average driver, and the only way a professional driver can safely go 60 in it is to buy a Honda brand mini-car to drive in front of it and tow it safely out of the way of accidents. When all large companies have company cars, but they require their employees to drive on their special corporate backroads and be hauled in a car carrier truck when on the highway. Maybe, just maybe, we would consider putting some of the blame on Ford/MS.
Love is when the desire to be desired takes you so badly that you feel you could die of it.
By the looks of it Mr. Currently-Owned-by-Microsoft Toulouse does not desire to be desired by Microsoft enough to feel he could die, but that's just what might happen if he keeps working on this mission impossible project.
Ah, you have nothing Toulouse^Wto lose, but your job at Microsoft.
That's it. He's fired
by
freedom_india
·
· Score: 0, Redundant
He confessed "He also reveals that he runs Firefox."
That does it. He's fired.
-- "Doing what i can, with what i have." ~ Burt Gummer
The thrust of Rantastic's initial post is off the mark. As others have already pointed out here, it's natural and good business practice that Toulouse would run Firefox and any number of competitors.
The key to focus on, however, is that Toulouse has access to fast, easily applied patches for Firefox, while an MSIE flaw is fought with Russian law enforcement. When will the MSIE software be patched? "We're still working on that."
That's the gist of it.
--
"Even for Slashdot, that was a very obscure reference!" - Anonymous Coward
It will certainly take that long...
by
Vexler
·
· Score: 1
...to run all those hotfixes.
If slashdot continues like this
by
Anonymous Coward
·
· Score: 0
it won't be taken seriously at all.
2011?
by
Anonymous Coward
·
· Score: 1, Funny
So Jupiter will collapse into a sun and Europa will support life before Windows is secure?
New Apple add:
iMac, its like a computer with a condom!
New add for Linux:
Linux: you can't get infected unless you get laid.
New ad for Ritalin:
Medicate your kids, or else they'll even misspell jokes.
-- You know what?... A little club soda *did* get that out!
Firefox? You're Fired!
by
KB1GHC
·
· Score: 0, Interesting
Didn't a Microsoft Executive get fired for recommending FireFox because of an IE security hole?
Everyone so far has missed the point
by
slashname3
·
· Score: 2, Interesting
Everyone so far has missed the point about him saying their security plan was a 10 year plan. Microsoft looked long and hard at the trends and figured out that in 10 years Windows would be displaced as the leading client OS by Linux (or some other system).
Case in point, they are paying out a huge dividend this year. Why? So they can all pocket a boat load of money before everyone finds out that Longhorn won't be delivered on time or with all features (see other recent story on /. about this).
So now that they have drawn down that huge cache of money and paid it to all those that hold stock they can cruise control for a few years as they start figuring out ways to sell off portions of the company to turn it into money to put in their pockets.
I believe they have seen the writing on the wall and have started the process of shutting things down. Only problem is that you don't shut down a colossus like Microsoft overnight. Very similar to AT&T, they have been in a downward spiral for many years. In AT&T's case they have at most another 5 years before someone picks up the carcass and finishes stripping it. Microsoft will take another 20 years before they finally have squeezed every last nickel out of the user population.
In other news Longhorn's arrival was postponed until 2012 so it can ship secure.
Innovate?
by
Anonymous Coward
·
· Score: 0
Give one example of something Microsoft innovated and didn't steal from another OS/Company. If you actually do the research, which no one does, you can always find where Microsoft stole their ideas and concepts from.
Yes, they do deserve credit for making computing mainstream, but this was inevitable. Now they (and other companies like them) are holding society back. Give them credit for what they deserve credit for. Not for being innovative.
Name one thing Apple innovated and didn't steal from another OS/Company?
Such a retarded litmus test.
MS and Apple sell consumer level products. Companies geared towards mass audiences rarely "innovate" or "invent" in the computer world. You want to see "innovation", look at some of the shit defense or aerospace contractors come up with. Brand new devices to act as solutions to recently discovered problems.
The mass market doesn't want an "innovative" PC, they want a faster one with a bigger HDD and better graphics.
--
I don't need no instructions to know how to rock!!!!
The parent post was talking about Microsoft's ingenuity and innovation. Granted they took several concepts from other places and made them popular as well as taking several ideas and bundling them in ways never thought of before (Active Directory authentication for example).
While I agree with you in that the defense and aerospace industry does the bulk of the innovation, most marketing campaigns sell on their innovations. Innovation was one key point to selling upgrades for both operating systems as well as new computers. Look at DDR memory versus SDR memory, differing ATA specifications for drives or logical block addressing versus the standard CHS, ISA buses vs. PCI or AGP and now PCI Express. Innovation sells more, granted it appears to be more of a hardware driven innovation but software is in line also. Windows XP bills itself as innovative compared to Windows 98 which until very recently (Doom III era) did more than what most consumers would ever need. Innovations in Office XP caused some people to upgrade from Office 2000.
Innovation, whether they "stole the ideas or not" is a key to selling new systems and the consumers must have some interest in it. To what degree I guess could be debated.
Re:Download.Ject -- CORRECTION
by
Davak
·
· Score: 3, Informative
I couldn't open the sample exploit listed in the parent, but I could open the one in the link I provided. The proof is safe and scary.
If they are not going to fix these errors, Microsoft should at least give us a naming system! It's hard to discuss the exploits when we don't know how to name them correctly. :)
Why am I not surprised?
by
Anonymous Coward
·
· Score: 0, Flamebait
> "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline."
Why am I not surprised. I doubt they'll get it right in 2011 either. Here's a hint... don't use Microsoft Windows. They just admitted that it isn't secure and won't be for years.
> He also reveals that he runs Firefox.
So, Microsoft employees don't even run Microsoft software. This should be a huge hint to people who are dumb enough to run Windows.
After pissing away thirty billion in R&D money for a one-time stock prop scheme?
And their head of security uses Firefox?
This is like discovering Bush prays to Allah!
BWAHAHAHAHAHA!!!
Hey, how about this theory?! Gates is secretly a hacker like the guy in the Sandra Bullock movie and really wants everybody to be insecure so he can take over the world!
BWAHAHAHAHAHAHA!!!
Mod this troll, mod this flamebait! Is that all you got, huh? Are you nuts? Come at me!
-- Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Re:BWAHAHAHAHAHA!!!
by
Quill_28
·
· Score: 3, Informative
> This is like discovering Bush prays to Allah!
He does.
The Jews, Christians, and Muslims pray to the same God, the God of Abraham.
The Jews come from the line of Isaac (Abram's son with Sarah), the Muslims from Ishmael (Abram's son with Hagar).
The Jews are still waiting for the Messiah, while the Christians believe the Messiah has come (Jesus Christ).
The Pentateuch (first 5 books of the Old Testament) is the same for all 3 major religions. It is afterwards that is different.
Though, one mistake you made is the Koran does not specify WHICH son. It's been known that Jews and Christians accepted Isaac, so Islam chose Ishmael instead.
The most interesting part of history between Ishmael and Isaac is in the Jew's bible. Both of the brothers have feuded since they knew each other. But once Abraham died, they met back together, realising that their petty war of who was "the one" was meaningless.
--
Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37
The most interesting part of history between Ishmael and Isaac is in the Jew's bible. Both of the brothers have feuded since they knew each other. But once Abraham died, they met back together, realising that their petty war of who was "the one" was meaningless.
Hmm, if only the radical fundamentalists of the jews/christians/muslims would read this...but of course, the rest of the believers won't try and help them out...
-- When you look at the state of the world, how can you not become a radical, liberal anarchist?
Re:BWAHAHAHAHAHA!!!
by
Anonymous Coward
·
· Score: 0
Mod this troll, mod this flamebait! Is that all you got, huh? Are you nuts? Come at me!
just mod him as "drunk donkey"... and prepare some mineral water for the next morning
Re:BWAHAHAHAHAHA!!!
by
Anonymous Coward
·
· Score: 0
Ummm, I think you'll find Pres Bush preys to the god of money, just like his daddy told him to.
In other words "Windows Expected Insecure Until At Least 2011, Says MS".
--
--
make install -not war
BSD ad...
by
Anonymous Coward
·
· Score: 0
Screwing the devil is like screwing Saddam!
first few posts are disappointing...
by
buzban
·
· Score: 1
what, no 2011...if that soon! or sounds optimistic... or anything like that? :P more humor! please!
Re:What?? 100% known secure isn't possible.
by
bearl
·
· Score: 1, Funny
I think he meant it would take until 2011 before they had completed fixes for 100% of the currently known security problems.
So what's he's saying is technically possible.
That's a joke folks; start laughing.
Poor guy is really having to struggle...
by
argent
·
· Score: 4, Informative
Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.
On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.
I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect the only hope is that other browser developers will suddenly agree with Microsoft that security zones based on the current location of a file is a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.
article from the future?
by
whizkid042
·
· Score: 1
Did anyone else note that the article appears to be from the future (Sept. 2004)? In my time zone, it's still Aug. 30, 2004.
Perhaps Wired has invented a time machine too?
Taht's not a FIX... That's a FUX
by
Foofoobar
·
· Score: 4, Funny
That's not a fix, that's a FUX. It looks like a fix but if you perceive a FUX to be a FIX, you're bound to get FUXED.
Seriously though, they can't fix it without removing IE from the system. You can easily get around their FUX by using a shell call... which makes this bug even scarier.
-- This is my sig. There are many like it but this one is mine.
The sweet-heart deal?
by
Anonymous Coward
·
· Score: 0
So the sweet-heart deal with Symantec is a 15 year thing. Windows has been a security nightmare ever since they cloned Norton utilities and got their ass sued off. Windows could have been air tight. The MS Swiss Cheese approach to security can only be deliberate.
Re:The sweet-heart deal?
by
Anonymous Coward
·
· Score: 0
Of course it's deliberate. How else could they lock their users into years and years of worthless upgrades, AND create millions of jobs, AND keep the anti-virus software companies in business at the same time? It's a scam that stupid people will fall for every time.
or even "death is good because it creates jobs". Think of the morticians, gravediggers, floral industry, casket industry etc.
-- I'm sorry, the number you have dialed is an imaginary number. Please rotate your phone 90 degrees and dial again.
IE share down 2% according to WSJ
by
pileated
·
· Score: 2, Interesting
Oddly enough I happened to read both the WSJ article and the Toulouse mini-article during my lunch a few minutes ago and came back to find this on slashdot.
I also have to commend the graphic that accompanies the WSJ article. The article says that for the first time ever IE share dropped, presumably because of the virus threat. Also a few words about the Mozilla developers.
Not always when they know what's in it...
by
bADlOGIN
·
· Score: 1
For example, they don't use Visual Source Safe. Of course, you don't have to know what's in VSS not to trust it: just try and use it for a project once :)
-- ***
Sigs are a stupid waste of bandwidth.
Re:Not always when they know what's in it...
by
Anonymous Coward
·
· Score: 0
what do they use?
Re:Not always when they know what's in it...
by
bADlOGIN
·
· Score: 1
Home grown system that's been in place for years (according to a co-worker of mine who spent a few years there). Don't recall the name of it.
-- ***
Sigs are a stupid waste of bandwidth.
Microsoft person using firefox???
by
jskline
·
· Score: 1
whoa...
I bet after the "you know what" hits the fan here, this guy is toast... fired.... gabye.... out the door... history.
You don't make that kind of revelation while working for Redmond!..
-- All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
It's the fundamental APIs
by
msobkow
·
· Score: 4, Interesting
The heavy use of anonymous pointers, multi-function entry points, and DLL initialization/release interactions create an absolute nightmare to maintain.
Even for a relatively small project, you have to spend a fair amount of time just getting code separated into mainline and DLL. Then you get the joy of dealing with the weirdities of the Windows variation on process interaction with DLLs.
I can't imagine any way of securing that spaghetti except to scrap the Win32 API and make the .Net framework the Windows programming layer. Then you can get rid of those holdover APIs from DOS-thunker days and replace the kernel with one that was designed for multi-user security.
You can be grateful Microsoft is finally taking security seriously if you like. I look back on 10-15 years of pager calls, system recoveries, and late projects because of bugs, many of which have never been fixed. My patience with their problems and excuses ended a long, long time ago.
Don't forget Microsoft has been around almost exactly as long as GNU.org. Linux is a pup compared to Windows, yet look how much faster that team addresses problems than the much larger team at Microsoft.
If Microsoft's market share begins hurting because of their security issues, they've no one else to blame but themselves. If the industry demands POSIX server APIs and Windows can't deliver, Microsoft has no one to blame but themselves -- the Cygwin team seems to have managed the task.
Microsoft and a lot of other companies need to get back to re-verifying their core business and refocus on producing marketable products and services. Times change, and last decade's sure winner is last year's end-of-life product. A little less focus on the stock market, and a little more on realistic business models and long-term viability.
-- I do not fail; I succeed at finding out what does not work.
Re:It's the fundamental APIs
by
Anonymous Coward
·
· Score: 0
Actually, Microsoft freely distributes POSIX server APIs for Windows called Services for Unix - Unlike Cygwin, it's compiled directly into the NT kernel, so it's a bit faster and is covered under Microsoft's Enterprise Server Support.
As of right now, the plans are to ship SFU on all installations of Longhorn including an XServer optimized for the Windows environment.
Re:It's the fundamental APIs
by
IvyKing
·
· Score: 2, Informative
Don't forget Microsoft has been around almost exactly as long as GNU.org.
Don't you mean that Microsoft Windows has been around almost exactly as long as GNU.org???
Microsoft started ca 1976, MS-Windows 1.0 announced late 1983, GNU manifesto published in Dr Dobbs in 1984.
Re:It's the fundamental APIs
by
msobkow
·
· Score: 1
Windows 1.0 had virtually no market share.
As with most 1.0 products, the intent is to determine if there is enough early adopter interest to continue the development of the planned features and functionality. It's also an opportunity to verify that your target issues and solution are indeed fitting the needs of your market.
1.1 is typically a first cut at addressing the most important functionality features for early adopters to begin generating a decent ROI from the product or service.
The 2.x series usually fleshes out the key components and features that define the long-term vision. Additional releases are primarily to implement that long term vision, keep software up to date with third-party components, and improve security, stability, performance, and scalability over time.
Some products like MQ series have spent their decades of existing fulfilling that vision of a cross-platform reliable messaging backbone. Others like OpenLDAP are pretty simple and take much less time to become relatively stable solutions for specific needs.
Stable core services still leaves plenty of room for adaptation. Consider the accounting industry. Most of their software is implementing the core regulatory requirements for them to achieve and maintain market acceptance. That is a "backbone" requirement for their industry. On top of that they layer their own user interface styles, which some users love and others hate. The same goes for reporting, import/export, connections to online banking facilities, etc. Most core services have thousands of potential applications to explore once you have a reliable processing infrastructure to build on.
-- I do not fail; I succeed at finding out what does not work.
Software written by humans will always contain errors.
Should read:
Software written by Microsoft will always contain errors.
I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app. It seems to me that Microsoft has no idea what constitutes professionalism:
Bug-free code isn't hard to write if you use good design principles. I do, and I don't see why Microsoft can't. My job depends on writing bug-free code; I don't have the option of simply letting it go - I either fix it, or I'm fired.
Even if you can't write bug-free code, a well-designed, modularized project won't take long to debug. Given that most MS software is written in languages which encourage good design principles such as encapsulation, modularization, and well-defined interfaces, I'm at a loss as to explain how their software quality is so much lower than normal. The typical enterprise data system works more reliably than the most reliable Microsoft software.
There is no excuse for not properly testing an application. You don't have to walk through every possible execution path to test well - rather, you can construct data and test sequences which will likely trigger the most common forms of bugs (like opening a document larger than the available memory, for example...).
Even if you can neither design well nor write perfect code, a professional has an obligation to at least debug his code before release. People are going to spend billions of dollars on your software, and probably tens of billions of dollars cleaning up the security holes and bugs; these bugs are not mere inconveniences, and the software maker has a moral obligation to fix them before release.
I understand why the majority of the world runs windows. Most people don't want to complicate things any more than necessary. But the inability of users to grasp technical details does not justify releasing a product, which in any other industry, would be a prime lawsuit candidate under fraud and lemon laws.
-- The society for a thought-free internet welcomes you.
Re:Correction:
by
Anonymous Coward
·
· Score: 0
You, sir, make some very good points. Unfortunately, Microsoft won't learn as they do not have the capacity. Microsoft is a company of idiots, for idiots, by idiots. At least, this is how they portray themselves through their products.
Re:Correction:
by
Macrobat
·
· Score: 4, Insightful
I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app.
I find this hard to believe. Are you saying that you write software that is as complex as the usual MS app, and that it contains no errors whatsoever and has never had to be debugged? It seems like everyone from Knuth on down has written bugs in software when working on an application of non-trivial complexity, so I'm a little skeptical if that's your claim.
And the amount of data that an app processes is not the only measure of a program's complexity: does your program interoperate with a dozen others in a standard cut-and-paste manner; does it hide the complexity of operation from the end user so he or she can point and click and get things done; does it use an API so that software writers outside of your company can write apps that interact with it; does your software run on multiple different hardware platforms; do you add new features to it when marketing surveys show people want it?
I'm not saying that all of those criteria are necessarily the best or most desirable (e.g., sometimes you want software that's only usable by industry professionals), but those are the constraints that Microsoft operates within, and they all increase the complexity of even the simplest-seeming of applications.
-- "Hardly used" will not fetch you a better price for your brain.
Re:Correction:
by
Anonymous Coward
·
· Score: 0
Bug-free code isn't hard to write if you use good design principles.
Yes, it is.
Even if you can't write bug-free code, a well-designed, modularized project won't take long to debug.
Ever dealt with a well-designed, modularised, 400+ Megabyte, 4000+ file C program?
The typical enterprise data system works more reliably than the most reliable Microsoft software.
MS software is not designed to the same requirements as enterprise data systems, so the comparison is pointless.
There is no excuse for not properly testing an application.
Yes there is: If it takes ten days to run all your tests, and marketing have announced that it will ship to customers in nine days, that's what you do. Followed 11 days later with SP1 if necessary.
You don't have to walk through every possible execution path to test well
You should if you want to be able to say you've tested everything; there are some good code coverage tools around to help you do just that - 100% branch coverage is a good target.
bugs are not mere inconveniences, and the software maker has a moral obligation to fix them before release.
If every software company waited until they were certain there were no bugs in the product before releasing it, we would have no software at all.
Phil
Wow, you must really lack some real-world experience to make such a cocky declaration.
1. You are right, it isn't hard to write bug-free code, it is nearly impossible for all but the simplest of projects. It is possible to achieve an at least apparently bug-free state, but only in relatively simple applications dealing with a relatively well controlled data set.
2. Point taken that well architected code lends itself well to problem isolation and debug. Most MS software is written in C/C++ still, and those languages can be used well or poorly with respect to modularity. The price to pay for flexibility is that developers can bypass the mechanisms that encourage modular design. Regardless of language a developer can always fail to modularize a design properly, particularly if the application encounters new functional requirements in the middle of a development cycle.
3. Testing an application can be very very hard for even not so complex software. You can of course test a good representative sample of normal operation and likely problematic circumstances, but there are many many variations and those corner cases which they can't know in advance (if so, secure software would be easy...) are where >98% of field problems customers see come out of.
4. Basically the same exact point as 3, of course they do, but, as you say, not all branches of execution are realistically testable, and it is even worse for a commercial entity with limited resource, the problem space is simply too large.
-- XML is like violence. If it doesn't solve the problem, use more.
does your program interoperate with a dozen others in a standard cut-and-paste manner;
does it hide the complexity of operation from the end user so he or she can point and click and get things done;
does it use an API so that software writers outside of your company can write apps that interact with it;
does your software run on multiple different hardware platforms;
do you add new features to it when marketing surveys show people want it?
1, 2, and 5: Yes. 3 and 4: No.
But, I'm not the only programmer; I work on a team. I'm responsible for very small pieces of a very large project, and because our software was well architected, it's easier for me to write bug-free code.
Are you saying that you write software that is as complex as the usual MS app, and that it contains no errors whatsoever and has never had to be debugged?
Yes, it is more complex, and it did start off with errors - but I made certain it was debugged before it went into production. And it isn't hard to write bug-free code when you've got a well-written specification and a well designed interface. And when you've got another programmer reviewing your code, you tend to be a little bit more careful. Even if I happen to miss something, the likelihood that a programmer senior to me will miss the same bug is pretty small.
Think about how difficult it would be to write a flawless Hello World program.
But, no, no one could write bug free code, right?
The idea of good design is that you reduce the complexity of the individual components to the point where even a secretary couldn't screw it up. And it does work - the systems I work with contain ten thousand modules; our project would have failed had we used the "Microsoft approach". (Code first, debug later, lament the lack of design in blog somewhere...)
Writing bug free code is more a matter of one's character than ability. You make a conscious decision to compromise quality for deadlines; you make a conscious decision to forego good design for the sake of expediency. But if you find yourself in this business for long, you realize that good software always lasts longer than the original coders ever envisioned (Y2K, anyone?). What it really comes down to is whether or not a person has the professionalism to insist on reasonable time schedules and self-discipline to prove their design before beginning coding. Good software comes not from fast coders, but good designers.
-- The society for a thought-free internet welcomes you.
You are the best programmer in the world. No, I'm serious you should run the NSA or something. Man, I wish I was you.
Re:Correction:
by
Anonymous Coward
·
· Score: 0
only in relatively simple applications dealing with a relatively well controlled data set.
IOW, the UNIX design philosophy: Do one thing, and do it well...
it is nearly impossible for all but the simplest of projects
And if you've done your design correctly, you'll be left with a collection of simple, easily debugged, objects. Converting these to code shouldn't be too difficult, should it?
The people who can't believe I write bug free code probably believe such because they've never taken the time to actually do good design; instead of defining the problem, they dive into coding the solution, only to find that their original assumptions weren't quite correct, and they end up with software which doesn't work quite right, and requires a behemoth effort to debug. So they give up, saying that writing bug-free software is impossible.
It isn't. It just requires the discipline to spend a little time away from the keyboard.
Wow you are either an amazing programmer or full of crap. I guess the latter.
I read of a great example of bug free code. A simple 40 line program was published in a book. Several people examined this code with the intent of looking for bugs and found one. It was then certified as bug free. 2 years later someone else examined it and found another bug & certified it as bug free. 3 years on, the same thing happened. The people involved were respected programmers & writers. I can't provide the reference for this right now (the book is at home somewhere), but I'm happy to dig it up if you are that interested.
The point is bugs in software are a fact of life. Good design principles, testing, code review are all just methods to *minimise*, not eliminate bugs. Any attempt to suggest otherwise is nothing more than dreaming.
I admit that the number of bugs in Microsoft products points to failures in their development processes, however to suggest that bug free software is achievable tells me you are on crack.
Believe me, it is not that hard to believe. Take a look at the architecture of typical Microsoft application. It's not the question of what are the requirements for data processing capabilities or cut-paste functionality - a properly designed application will not see a difference between 1x or 1'000'000x amount of data (except for processing power required). It is the design they use and where they choose (or are forced to) connect any particular functionality that makes their applications so damn hard to maintain.
Any application can be easily made customizable and maintainable. Unfortunately for Microsoft this would mean a total rewrite of most of their applications to remove uncountable legacy layers or obsolete software architecture decisions.
Re:Correction:
by
Anonymous Coward
·
· Score: 0
Amen, brother!
My coding mistakes very rarely leave the factory, too. I got my early training in factory automation where mistakes can kill people. What it takes is a commitment to: 1. design first, code later. 2. test; test at the module level, test integration with other modules and then test at the product level. 3. Did I mention test?
Do it the Portage way!
by
Anonymous Coward
·
· Score: 0
I've never had to make sure mysql was owned by mysql.
Automatically start: # rc-update add mysql default
(Whatever you do, don't get me started on ALSA...)
Stupid criticism
by
Anonymous Coward
·
· Score: 2, Insightful
Granted that "it's more of a ten year focus" is a stupid answer, but /.'s criticism is equally stupid. What would the correct answer be? It's not "Yep, we've been at it for two years and we're done. All our software is secure now." Rather, the correct answer is, "We will continue to focus on security for the foreseeable future."
To a software engineer, the much-publicised "Microsoft focus on security" seems actually to have been more of an internal awareness drive. Microsoft just wanted to educate all its programmers so they stopped writing buffer overflows and absurd permissions holes. At the same time, I imagine some existing code was reviewed with an eye toward identifying security holes. All commendable stuff (although it's mindboggling that this sort of thing should even be necessary).
But even with that part supposedly accomplished, security is never "done". Once you start paying attention to it, you're now doing the right thing. You don't stop. The focus on security education may be over. The focus on security as an important part of software engineering should continue as long as, and to the degree that, consumers need secure software.
Why don't they just have their code audited and catch potential problems early on? As many programmers as they have, I don't see why it would take until 2011.
Instead of making the code more complicated and potentially more insecure, include a 32-bit emulation subsystem comparable to the existing 16-bit emulation subsystem in NT/2000/XP.
Re:Why so long?
by
Anonymous Coward
·
· Score: 0
How many times do we have to say this?
Microsoft isn't smart enough to make everything work correctly!!!!!
AFAIK, the WinNT Kernel is well designed...
by
emil
·
· Score: 1
While I have little kernel development experience, the NT kernel design was led by Dave Cutler, who had previously led development for the RSX-11 and VMS operating systems (VMS has an incredible reputation for security). Here is an interview with Cutler.
Security was an original objective with NT, and I imagine that, from the kernel code, this objective was met.
Where NT security has obviously failed is the userland, where Microsoft rushed to destroy Netscape (et al), and in doing so sacrificed security.
If only Microsoft had maintained a high standard in NT development, perhaps Cutler's claim that UNIX was "a junk OS designed by a committee of Ph.D.s" might have held water.
Software written by humans...
by
.+visplek+.
·
· Score: 1
It's not a switch that can be flipped. Software written by humans will always contain errors.
- Lucas Graves
I like to believe that software can be perfect. I might be wrong at least it keeps me busy.:)
-- - Save a tree, eat more woodpeckers
Doubledge sword
by
superpulpsicle
·
· Score: 5, Insightful
Linux will always be 1 step ahead in security.
MS will always be 1 step ahead in features.
Guess what, features sell. Maybe in the year 3000 things might be different.
Re:Doubledge sword
by
BasilBrush
·
· Score: 4, Insightful
How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?
MS is one step ahead in having off the shelf applications written for it. That's the reason why most people stick with it. The applications that they already have, and the applications that they foresee themselves wanting to run run on Windows. It's not because of features.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 4, Interesting
How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X?
They aren't.
The only thing I can think of that you might be referring to is Avalon. And that is considerably more advanced than Quartz Extreme. Quartz Extreme is like the current Windows rendering engine on steroids - it does more in hardware, it does more fancy stuff, but at heart it's still 2D bitmap-based software rendering with some fancy anti-aliasing, alpha compositing, and Expose bolted on top. Avalon is fully vector-based and done entirely in hardware. You simply can't compare the two directly.
Re:Doubledge sword
by
Tanktalus
·
· Score: 4, Insightful
How can MS be 1 step ahead in features when they are struggling to put into Windows by 2006 what is already in OS X? How can MS be 1 step ahead in features when I.E. does less than Firefox?
Us OS/2 guys always said the same thing about Windows - why wait for Windows95 when OS/2 had all its features, and stability as well? Obviously MS doesn't even need features to continue selling.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
OS/2 was the last desktop OS to ship with networking in the box, so it didn't exactly have ALL the features.
Re:Doubledge sword
by
rspress
·
· Score: 2, Informative
While it may be bitmap based Quartz itself is based on the Adobe PDF engine, which renders both vector and bitmap via the computer's 3D card.
While it is all just eye candy the new imageunits or coregraphic and corevideo are the really exciting things in Tiger and which has no equal on the Windows side. I am looking forward to Tiger for these features which should make any other platform for video look slow and clumsy. Catch the keynote video at the Apple QuickTime site. This is truly amazing stuff. I expect a Windows knock-off around 2007-2008.
Ah, so that is why most people buy the unsecure flying automobile instead of the much more safe plain road version.
Point: Not all features sell, and certainly not at any pricepoint.
-- --- Hindsight is 20/20, but walking backwards is not the answer.
Re:Doubledge sword
by
mnmn
·
· Score: 4, Insightful
I just can't bear NOT to reply to this.
Linux has more functionality than Windows. No question about it.
Answer these:
how many ports (cpu architectures) does windows run on?
is windows tcpip more featureful and flexible than windows?
which version of windows has more GUI features than the latest KDE or GNOME?
does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)
how many different ways can you install windows?
is windows' threads implementation the best in the market?
is windows memory management the best in the market?
show me the most secure windows, I'll show you 10 more oses more secure than that.
by a WIDE margin.
-- "Give orange me give eat orange me eat orange give me eat orange give me you."
-Nim Chimpsky
Re:Doubledge sword
by
rspress
·
· Score: 2, Interesting
I have actually heard about this but it was not what I was talking about. Coreimage and corevideo let you use real time effects on videos and still images or a mix of both and text layers all in real time. All effects are floating point and you can drag the effect or transition around the screen in real time with the video playing underneath. Transitions can be stopped half way through and dragged around the screen in real time. These are not in preview windows but the full screen, full data rate video. You really have to see it to appreciate it.
Actually I went retro on my PC and erased the drives and installed Windows 2000 pro. I am actually glad to be rid of XP Pro. Since most of my school work will center around 2000 pro that does not hurt either;-)
Re:Doubledge sword
by
Smurf
·
· Score: 2, Informative
lies in your post:
1) into Windows by 2006 what is already in OS X 2) I.E. does less than Firefox
No, no, he's actually correct. Check the features in Panther (and Jaguar) from the Apple site (ignore Tiger, since we are talking about the present). Admittedly, Longhorn will feature some things not currently in OS X, but that's if they don't shave them off also.
Then go to the Mozilla site and download Firefox. It's free! You have an excuse for not trying OS X, but there is no excuse for not trying Firefox. (And yet, I still prefer Safari.)
You will be surprised by how much the herd mentality that ties you to MS's products is making you miss. Now. Not in two years.
Aqua Dock seems great. If I had a permanent PC I would try it. Half of the users on download.com didn't like it, though (and some say that it's hard to un-install).
On the other hand, the Dock substitutes for Windows that I have seen so far (as well as the Exposé knock-off) have been quite pitiful. They give me the impression that people who use them haven't really spent enough time on a Mac.
The Mac experience is not just about looks. Those can be easily copied. It's about integration and consistency. But you only realize that after working on a Mac for several days.
Not true. OS/2 3.0 was on shelves well before Windows 95. When it shipped windows 3.11 users were still getting floppies with trumpet winsock to get connected.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
Well, I have to pay $250.00 per month on my daughter's XP Dell box, but I, myself am getting along on this setup: 1. IBM 350-P90 with 128 MB RAM, and a 200 MMX upgrade processor. 2. SuSE Linux 6.3, running on slave hdd, a sorry Caviar 22000 that won't run Windows if its life depended on it. In fact, I rescued the HDD from the trash. 3. Opera 6.03. All of this costs me very little, I got SuSE at the bookstore. I did put a new 250 Watt power supply in the computer today, cost $20.00. Yes, it's new, from an old unused 386 long outdated. 4. I use dial-up, and connect using WvDial at 52000 bps. Having to pay for a Microsoft box hurts, that money could have gone to other Yankee Banks, to pay off debt. They'll just have to fight over my bones, the mailman takes the $250.00 each month to be divided between rich Yankees, I suppose. Damn the Schools for wanting our kids to have Micro$oft machines!
Re:Doubledge sword
by
cot
·
· Score: 2, Interesting
"MS is one step ahead in having off the shelf applications written for it."
More like 9 steps, but yeah, that's the big deal.
--
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
maybe you should send her to a better school?
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 1, Insightful
Think about this, Open Source crowd.
MS is ahead in features (according to the great unwashed) with their OS from 2002 - and plan to stay that way with it until 2006.
Our Linux from like last week is STILL less user friendly than a few year old version of Windows.
Re:Doubledge sword
by
PocketPick
·
· Score: 5, Interesting
Those are all nice features for some, but not features that will sell an operating system to Joe User. When a user boots up their computer, they want three things:
-To Read Email
-To Use Office (or other word processing/spreadsheet/presentation application)
-To Surf the internet.
That's all. My grandmother doesn't care if KDE provides quick access to the console terminal, nice configuration of profiles or quick ways to make system level modifications. And she definitely wouldn't care about ports or tcp-ip (even if she had a vague idea of what they were). In short, she would have no intention of touching these features in the first place even if they were present in Windows.
Your case of installation is another excellent example. Windows install methods are kept basic for the simple reason that even your most average user has to be able to perform it (and Microsoft knows it). Having a variety of installation methods and added complexity tends to scare people away from any product in general. Whether it's simply choosing 1 application from hundreds that you want to install or telling someone to setup partitions and swap space, they'll be terrified if you put too much in their face.
Linux Distribution companies realize this, and are working hard to simplify their installation methods. Based on what I've seen when I picked up SuSE 9.0 a while back, this is certainly true.
In time, people will come to become more computer literate, and perhaps these features will have some meaning. Till then though, it's not going to be all the fancy under-the-hood features that sell a product. It's going to be simplicity.
Though I'm not going to comment on your 'interesting' way of stating your point, I will say that much of your remarks aren't true.
From the perspective of SDKs, DirectX (up till the most recent versions) was long inferior to other alternatives such as OpenGL (which Microsoft has worked hard to mimic in terms of simplicity). The reasons for DirectX support had less to do with the fact that it was superior to other methods but more to do with the MCD and Fahrenheit debacles, Microsoft's influence and as of late, the fact that OpenGL's 'By-Committee' approach has slowed down advancements in the API.
From the perspective of game development itself, Microsoft has lagged also. Most of Microsoft's games were not incredible, and their entry into the console market did not occur till just in the last 3 years (in what has been a money losing venture).
The fact that Linux does not have games has less to do with the fact that Linux cannot SUPPORT games, but more to do with the fact that Microsoft used (and still continues to use) questionable tactics to undercut their competitors.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
- Did you hear why they use Windows 3000 as a prison guard? - No, why? - Cause it always locks up.
From the cartoon Futurama
Re:Doubledge sword
by
BasilBrush
·
· Score: 1, Informative
You don't know what you are talking about. Quartz Extreme bears no relation to the current Windows rendering system. Windows XP is based on the old technique of having a list of redraw areas on the screen, and whenever you move a window, an application is requested to redraw the area underneath it. Quartz Extreme doesn't work like that. It composites the desktop from individual windows who have an off screen bitmap. This is also how Avalon will work. This gives things like flicker free display, true translucency through an arbitrary number of levels, power to do arbitrary transformations etc.
Quartz Extreme is Vector based, and 3D as well as 2D - PDF and OpenGL.
Avalon is very much playing catchup to Quartz Extreme. But a year or so before Avalon is released, Apple will have already raised the bar again with Core Image, which does far more.
OS X will also have Spotlight a full year before Microsoft fails to get WinFS into Longhorn.
Microsoft are not catching up, because OS X not only started in 2000 ahead of where XP was in 2002, but is progressing faster than Windows.
Re:Doubledge sword
by
Foolhardy
·
· Score: 2, Insightful
While it may be bitmap based Quartz itself is based on the Adobe PDF engine, which renders both vector and bitmap via the computer's 3D card.
Everything that PDF can do for rendering, so can a Windows Metafile. Yes, this includes complex vector graphics, text, bitmaps and transformations (scaling, rotation, shearing). Notice that it has been supported since NT 3.1. As for video acceleration, GDI can use a video driver to offload many functions onto hardware, including:
Alpha blending
Filling paths
Fill gradients
Draw lines
Move, set the mouse cursor
Scale bitmaps
Render text
Render transparencies
Stretch with raster op
Set arbitrary surface transformations including translation, scaling, rotation and shearing
Outline a path
Note that all the linked functions are implemented by the video driver, not GDI. If a video driver doesn't support a feature, GDI breaks it down in software into the most complex format supported. What can Quartz Extreme do that Windows NT couldn't since 3.1? There are a few small things but nothing major.
Besides, who really cares about MS's marketshare, Linux (and BSD, etc) is a better product, and if most people don't realise that it's their loss.
Besides, tech support people probably don't want to handle the call
"I rm -rf /'d my file system... what do I do?"
heh.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
HAHA you just answered the question as to why most users use windows. 95% of users would have no idea about ANY of the stuff you just mentioned and what it means. they just want a familiar face that does what they want.
linux simply fails to deliver to them. yes, it may be better in a multitude of ways, but knowing how something is 'technically' better does not deliver to joe user. linux users are generally very technically adept, and this is their biggest problem in achieving the mainstream.
Re:Doubledge sword
by
Joe+U
·
· Score: 5, Insightful
And now I'll answer as the average Joe User.
how many ports (cpu architectures) does windows run on?
One, the system I own. I don't care about the others. I have no need to, this is not a hobby, this is my computer.
is windows tcpip more featureful and flexible than windows?
It works with everything I have.
which version of windows has more GUI features than the latest KDE or GNOME?
Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4
does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)
Your hardware is broken, you should fix it.
how many different ways can you install windows?
One, the way it installs on my system.
is windows' threads implementation the best in the market?
As far as I'm concerned it is.
is windows memory management the best in the market?
As far as I'm concerned it is.
show me the most secure windows, I'll show you 10 more oses more secure than that.
I wouldn't call either an absolute. There are a lot of Linux features not native to Windows that I have come to depend on. And Windows can easily be set up to be very secure, or Linux very insecure.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
how many of the things you listed matter at all to joe sixpack?
is windows tcpip more featureful and flexible than windows?
I think I can answer that with an unqualified "no".
show me the most secure windows, I'll show you 10 more oses more secure than that.
Windows Unplugged(tm). For extra security, Windows in a Concrete Box at the Bottom of the Ocean(tm). This exciting new OS, to be released after Longhorn, is in the process of getting its A1 security rating.
-- This post expresses my opinion, not that of my employer. And yes, IAAL.
You are right. Linux DOES have more features. What windows does pretty well is hide the non-layman features pretty well from the end-user, which results in a more user-friendly experience:
I get to see the network connection icon right out of the box (not anymore though)
I don't have to remount ("what's that" - my father asks) drives after every reboot (some distros)
windows doesn't ask me for my monitor vertical and horizontal refresh rates (and those numbers being the most difficult to find out)
it actually loads up faster than suse or fedora (first few weeks anyway:) )
The screen refresh is so much more responsive in windows, and that makes my dad think it works faster.
etc
Apart from this I don't understand why linux is trying to copy the real bad functions of windows too. In windows when I want to see the little data calendar by double clicking on the time, as a guest or non-power user it thinks I will change the date and does not let me view the calendar. Dumb design. KDE stupidly goes ahead and copies that (can we not have a read-only view of the calendar? I am sure we can but I mean it should be intuitive to access too)
Similarly, most people do like to see the time in the system tray, but the same number also like to see the date (rather than double clicking each time). windows shows only time, no date. KDE thinks that's the best way to do it and does that too (by default).
disclaimer - I have used fedora, suse and slackware and what i say is from just limited experience from these distros.
And it eats many more MBs of memory because all the windows have to be double buffered.
Re:Doubledge sword
by
Sj0
·
· Score: 2, Insightful
Ignorance is a stupid argument. Especially when the original argument has nothing to do with the fact that you're ignorant. It's features which are being spoken of, remember?
Schools that teach how to use the software people actually use ARE the better schools. Those who eschew mainstream methods for more idealistically sound methods are useless and inferior.
But all those "uncool" features are exactly the stuff that made computers and the internet possible in the first place!
The cool ones managed to convert the computers into dumb toys.
>>which version of windows has more GUI features than the latest KDE or GNOME?
>Without editing files and getting complicated?
Yeah. The problem here is that once average Joe User gains enough experience to help out and address those complaints, it's no longer a problem to him. Nowadays you can usually get pretty far without editing text config files though, as distributions try harder to attract average users. I just learned that I can scale my desktop icons individually to any size, and some of them are pretty high resolution with alpha transparency.
>Your hardware is broken, you should fix it.
Certainly he should.
>>is windows' threads implementation the best in the market?
>As far as I'm concerned it is.
Windows isn't too bad at that. Linux threads had to be implemented using forks until recently if I'm not mistaken. Windows on the other hand threads well but doesn't fork well. Linux can now scale well to more concurrent threads than you'll ever need though, and can spawn new processes very quickly. And windows seems to have some priority issues, as a higher priority thread doesn't get higher priority access to IO resources, so a disk intensive app at the lowest priority can bring higher priority processes to a screeching halt.
>> is windows memory management the best in the market?
>As far as I'm concerned it is.
My own observations suggest that Windows is still far behind in this particular area. But I've only run enough benchmarks to satisfy my own curiosity.
>>show me the most secure windows, I'll show you 10 more oses more secure than that.
>Strange, they all have BSD in their name.
The security argument can go on forever. Unix-like operating systems were designed to be used by many people at once, many of whom might need to compile and run programs from a remote terminal, but without enabling them to exceed their privileges. Windows, on the other hand, is a bit constrained by its single-user origins and needs for backwards compatibility. But in its defense, I've read that buffer exploits often take less work to pull off on Linux than on Windows. You can build a secure or insecure system either way, but keep in mind which had security in mind from the beginning.
MS will always be 1 step ahead in features. Guess what, features sell.
If they did, we'd all be running Opera by now. Microsoft hasn't come up with anything new for IE since... 2001? Ages ago, anyway. Opera is the innovator these days, Mozilla/Firefox is picking up a lot of ideas from Opera too. (Tabbed browsing e.g.)
--
The knuckles, the horrible knuckles!
(I'm a girl, you know)
"which version of windows has more GUI features than the latest KDE or GNOME?"
Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4
Pray tell: what features are there in KDE that require "editing files"? And how exactly is using those features "complicated"? KDE (or Gnome for that matter) provide all the features Windows-UI has, and A LOT more. And I don't have to "edit files" to use them, nor is their usage "complicated".
You seem to assume that using any of the more advanced features in KDE (or Gnome) is inherently "complicated", whereas using features in Windows is simple, and therefore Windows wins by default.
How would I use virtual desktop in Windows? I don't. Unless I installed a separate app that gives me primitive implementation of virtual desktops. Why is that "simple" whereas using the built-in feature in KDE would be "complicated"?
Or how about encoding mp3's. In KDE I do that by dragging files around. In Windows I need some third-party app to do the same thing (although it would still be more difficult). Why is it (according to you) "complicated" in KDE, whereas it would be "simple" in Windows?
If I wanted to have even the fraction of the features I have in KDE at my disposal in Windows, I would have to install a lot of third-party apps. How exactly is installing and using those third-party apps "simple", whereas using the easy-to-use and built-in features of KDE "complicated"?
-- Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
I just installed Debian on my next door neighbour's computer along with giving her my old RAM and 6 gig harddrive. She is retired and cannot afford a new computer so she was running an old Pentium II that had a 600 megabyte hard drive and only 16 meg of RAM that her son had given her.
All she needs is a computer that will be used:
-To Read Email
-To Use Office (or other word processing/spreadsheet/presentation application)
-To Surf the internet.
-To play solitaire and mahjong!
She does not care if it is Windows or KDE as long as she can do the above.
There are a lot of elderly and poor people who cannot afford the hardware to run WindowsXP.
Linux does the job for them. As for security for the average home user running the Bastille script will lock them down better than any Windows computer.
The computer she had was running Windows 98.
When I told her security support for Windows 98 was to be discontinued in 2006 and explained that she would never have to buy software again she was easily sold on the idea.
Plus running as an ordinary user she doesn't break things. I spend less time fixing her computer!
With Windows you need to be constantly upgrading hardware and software. With linux you can tailor it to your hardware and needs.
And try and convince me that somebody will NOT find a way to port Doom3 to linux!
-- "Flags are bits of colored cloth that governments use first to
shrink-wrap people's brains..."
Re:Doubledge sword
by
znode
·
· Score: 2, Insightful
It's features which are being spoken of, remember?
No, it's the features that the CUSTOMERS CARE ABOUT which are being spoken of, and grandparent has done a good job of listing them. This is because CUSTOMERS choose what set of features to care about, remember?
guys you mistakenly think that people buy software.
People buy computers: OEM's buy software. M$ commercial might will always be able to convince OEM's that offering Dual boot linux systems is not proper.
So, it is not features, or security. MS hasn't had an original idea blockbuster in AGES, it's always something someone else had done first (which is precisely why MS stock is stuck: the collective mind of the stock market is wiser than the sum of the participating minds).
-- "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
Re:Doubledge sword
by
unclethursday
·
· Score: 2, Informative
lies in your post:
1) into Windows by 2006 what is already in OS X
So where's Expose in Windows? This alone is one feature of Panther (and future OS X and above releases) that makes OS X worth having. Having one button press to either make all open windows scale down and show on the desktop so you can get what you want, or another button press to bring all open windows of one application to the front, scaled down (and tab between apps) so you can choose the window you want, or yet another button to make every window get off the desktop to get to something on the desktop; and hit corresponding button again to go back to how you were, is simply wonderful. I don't recall this feature in any current version of Windows. I expect something similar to be copied^H^H^H^H^H^Hinnovated into Longhorn.
What about the advanced graphics engine of OS X that allows you to scale windows without losing much quality when going bigger, or keeping the same quality when going smaller?
What about a scalable tool bar (dock in OS X) that can be modified to make icons scale up when moved over so you know what you are over if the tool bar is very full? Oh, wait, that goes with the advanced graphics engine.
What about incredibly fast user switching without logging off another user to accomplish? Well, this may be in Windows, but I haven't really used any Windows beyond 98 SE.
2) I.E. does less than Firefox
Tabbed browsing? It is in Firefox, not IE.
IE finally got a built in popup blocker, but only if you have Windows XP with Service Pack 2, and there's still a ton of people running Windows 98-2000 and not XP.
CSS support? It's much better and standards compliant in Firefox than in IE.
Fully W3C HTML standard compliant? Firefox, not IE.
KDE comes with KOffice (not the sharpest tool in the box but ok). Windows comes with notepad and wordpad.
KDE comes with Konqueror, and all kinds of network access directly supported by every kde application (that bothers to) via kio.
Windows comes with IE, ftp (from command line), telnet and hyperterminal.
KDE comes with KMail, PGP support for those emails you must sign (tax returns), and a whole host of other PIM goodies.
Windows comes with Outlook Express, and as many viruses and trojans as you want.
KDE comes with a ton of games, maybe not Doom3, but better than... minesweeper, solitaire, Freecell and maybe not pinball.
Does your grandmother really play pinball so much that she needs windows? if so, it will probably run under wine.
I was seriously thinking about putting together a joe public live CD, possibly with some of the more 'fancy under-the-hood features' farmed off to a powertools sub menu.
The distro would come with Wine, and if it finds windows installed on the pc then it will pull as many settings from the registry as possible, and could even try to match the start menu order.
Yes, and graphics screen modes use more memory than character screens, and colour screens use more memory than mono. It's all part of the evolution of the way graphics are done that we use more memory for it. But that's OK because Moore's law hath provided the abundance that we need. When GUIs first started coming into common use, computer memory size was measured in KB, now it's measured in MB. Both for the system memory and for the graphics card memory.
The OS X GUI is done by desktop compositing. Longhorn will be done by desktop compositing.
One day Linux will be done this way too.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
You missed one: MS also has a large list of applications that are depended on by businesses and that run only on Windows.
And, no, I am not talking about Office. A real good example is Adobe Photoshop. Don't flame me, but I have used Gimp and I use Photoshop and Photoshop is better. Photoshop alone will keep Windows on desktops for quite a while.
Microsoft always eats their young, however. Over the past 10-15 years, they have identified successful applications running on Windows and bought, stolen or developed competing products to drive others out of the business. They have set their sights on Adobe products in a number of ways: Publisher was designed to compete with PageMaker and InDesign; Xdocs are seen as a threat to Adobe PDF's. Regardless of the relative merit of the applications as they exist now, Microsoft's drive to add features and the use of their monopoly to drive competing products off of Windows just about guarantees what the end result will be for anyone who writes applications for Windows. Vulture capitalists have realized this for some time now; they don't want to put up money for new software development on Windows.
You can see it happening right now; WinFS is an attempt to build database capability into the OS. Big database guys realize this and are banking on the move to Linux.
Now, the trends that I sketched out above and the increased security of Linux may make things different in 3000!
Which one runs Half-Life 2? Or practically any high-profile games (I know there are exceptions to this)?
Which one runs Adobe Photoshop (and no, Crossover doesn't count--it'll ruin my argument :P)?
Face it, Linux may be TECHNOLOGICALLY superior, but look what happened to Betamax.
Sometimes it's not which is technically "the best", it's which one does what consumers want. I realize that "crash for no readily apparent reason" isn't what consumers want it to do, but being able to run all those "friendly" Windows-only applications is.
That said, I'm jumping ship the moment someone writes a DirectX->OpenGL wrapper for Linux.
-- We're geeks... We're the sorcerers of the modern-day world. --
Linux will always be 1 step ahead in security.
Guess what, security is free ;)
MS will always be 1 step ahead in features.
Guess what, features are free ;)
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
> MS will always be 1 step ahead in features.
I run KDE at home. I come to work where I run windows and get discombobulated because I can't alt-drag to move and resize windows. I still can't drag files out of FTP to my desktop, let alone links to files on web pages. Konqueror has the sort of integration and extensibility MS dreamed of with IE and explorer, but it actually pulls it off.
Windows supports more hardware, out of the box, its remote system management is better (believe it or not -- WMI is pretty good). Far as ease of use goes, I now think it's a tie. Windows is losing everywhere else in terms of features. That hardware support will keep it going for a while, but that's it.
Reiser4 will be stable by the time WinFS arrives. I have SVG icons now, and libCairo is here now. Front-ending that with a XML parser is NOT HARD, it's sure been done to death for java guis.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
> is windows tcpip more featureful and flexible than windows?
You betcha. Wonderfully modular stack, protocol selection, so on. 'course FreeBSD's netgraph spanks BOTH of them.
> does windows or dos support more different hardware than linux? (I have one pentium3 sitting right here that crashes on the HLT instruction. I can only run Linux on it, and quite well.)
You can't be serious. My Pentium 3 does fine with the HLT instruction on any OS. God what a joke that item was.
> how many different ways can you install windows?
CD's, network with boot floppies, PXE. Oh yes, you can also push it with SMS. With wake-on-lan you can push it onto machines that are TURNED OFF.
> is windows' threads implementation the best in the market?
They're quite adequate. Async I/O that actually works decently means you don't always have to use threads.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
Betamax tapes had more moving parts that broke down, and couldn't hold an entire movie on one tape. They had a superficial superiority and an early lead that was soon matched in commodity hardware that became widely available through multiple channels.
But Linux gives you the flexibility that is needed by a user if he knows what he wants; e.g. Debian is not easy for a new user, but for a power user, once it is installed, everything works perfectly.
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
The simple answer:
I use windows, KDE doesn't work quite like windows. It doesn't have the features I use in Windows where the Windows features are located.
Therefore Windows is better than KDE.
Of course, if instead of expecting KDE == Windows and these individuals would learn about KDE as a desktop in and of itself, they would find very useful, productive features, NOT FOUND IN WINDOWS.. such as simple things like "keep on top" for windows, window shading, virtual desktops, much more advanced file management, kioslaves, customizable open/save dialogs, overall interface customizations, etc..etc..
Of course, by being constrained by Windows, the brain mold has set and unfortunately there is still a huge lack of marketing/fluff that promotes these advanced features of the KDE desktop.
Eventually people will understand.. you know, when Windows starts to have these features and you can say "yes, I had those on KDE for half a decade.."
A bit of OS/2 history - Warp Connect seems to have beat Win95 out by a few months. Which seems to coincide closely with when I bought it - I recall buying Warp Connect early in 1996, and I remember that I had waited and agonised over the decision for a long time - many months. Had to buy a CDROM at the same time.
Regardless, MS has obviously won that battle with OS/2 support being withdrawn in 2006. MacOSX having more features than Longhorn is not a guarantor of success for MacOSX either. MS consistently wins on fewer features.
I am ONLY saying Linux has more features than Windows. I never said it was easier to use for Joe Public. Even though some of your points are wrong, like I can give you 10 OSes without BSD in their names, Solaris, AIX, IRIX, BeOS, Unixware, OpenVMS, Nextstep, minix, MacOS 9, Novell Netware. Hey that doesn't even include Linux.
And that Windows has more GUI features than KDE.
I firmly believe Linux is not quite ready for Joe User, never rooted for it. In fact I believe the X system needs an overhaul with better integration with modern video cards and the kernel, like BeOS was, and some simplification of the graphic system, and much more simplification of the packaging system. In addition everything should be standardized and used by redhat, suse and ibm to begin with, that's when users can even start using Linux without knowing how to use tar xvfz;./configure;make;make install.
But I'm only saying Linux has more features than Windows.
-- "Give orange me give eat orange me eat orange give me eat orange give me you."
-Nim Chimpsky
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
I'm only saying Linux has more features than Windows.
And this is the same reason your car doesn't come standard with a muffin warmer.
Useless "features" are not features, they are extras.
Feature: as defined by Websters.
3. a prominent part or characteristic
4. a special attraction
Useless additions can not be features as they are neither prominent nor special.
How many of the 'features' in the linux kernel are useless?
Find a few, google for it and meet the thousands of people using it and wanting more.
Linux meets the needs of all the fringe users who can't do away with windows. That's because it has all the features.
-- "Give orange me give eat orange me eat orange give me eat orange give me you."
-Nim Chimpsky
Re:Doubledge sword
by
Anonymous Coward
·
· Score: 0
You're putting words in my mouth. Nobody is saying customers have already decided what features they want and set it immutable, I said features come out and customers decide. Period. It's a changing state.
But they still decide - therefore, most of them will not care about anything far beyond their understanding. Thus they will not care about platform ports, non-mainstream hardware, thread implementation, or memory management beyond how cool it sounds.
And those aren't reasons anybody I know uses firefox. The reasons, like immunity from spyware, native popup blocking, skins support, tabs, and other tangible features, mean that memory management, non-mainstream hardware, thread implementation, and platform ports are largely irrelevant in terms of a browser which has many demonstrable reasons to switch, including a scathing denouncement of IE by the US government.
Considering that Firefox ISN'T an alternative TCP/IP stack or a specially compiled kernel with a different scheduler whose performance has subtly superior characteristics, your argument ends up sounding exactly the way I make it sound, because there ARE tangible reasons to use it, and only user ignorance can be to blame for not knowing about them.
Us OS/2 guys always said the same thing about Windows - why wait for Windows95 when OS/2 had all its features, and stability as well?
Probably because the Windows 3.11 / DOS users wanted their programs to continue working, didn't feel like buying a new printer, and didn't want to learn yet another radically different UI.
Backwards compatibility wins big. Pity Linux can't even manage to stay backwards compatible with itself.
I had all my Win 3.11/DOS apps working and my printer working just fine at the time. In fact, the primary reason I went to OS/2 was to run my DOS-based BBS and my Win 3.1-based compiler (Borland C++ v4) simultaneously. About all I can grant here is games. It wasn't until much later that things like WinModems and the like appeared which really killed OS/2's driver capabilities.
This detracts from my analogy with Mac... how? All these points apply to the Mac, and, as evidenced from my experience in point 1, it applies to the Mac more than to OS/2.
Re:What?? 100% known secure isn't possible.
by
failedlogic
·
· Score: 1
I have to agree with you.
Further, to what end will end-user friendliness be compromised for security? Personally, if I were running a business from my computer, or had sensitive information, I would simply unplug the computer from any network and use another computer for web surfing. Still not 100% secure, but my tinfoil hat protects me too.
Just another example...
by
rd_syringe
·
· Score: 0, Flamebait
...of the now obsessive Microsoft article rate on Slashdot. What is this, four Longhorn articles a day now? Even the Microsoft mouse article had a pointless bash of Microsoft Bob for no reason!
SURELY there is something interesting going on with GNOME, or something on the kernel mailing list? Where is the OSS news?
Re:Just another example...
by
SlightOverdose
·
· Score: 3, Funny
Don't worry. The instant someone commits another change to the Linux Kernel cvs repository or someone uses a GPL program that happens to be less free than another GPL program because GNU/RMS said so we'll know about it.
And of course we'll hear all about the Bowolf cluster in Soviet Russia that set us up and bomb and all your hot grits are belong to Natalie Portman. which will result in a four page flamewar over the correct spelling of Beowulf.
Re:Just another example...
by
Anonymous Coward
·
· Score: 0
Even the Microsoft mouse article had a pointless bash of Microsoft Bob for no reason!
There's always a good reason to bash MS Bob.
Re:Just another example...
by
Anonymous Coward
·
· Score: 0
I'd say this is just another example of how obsessed you are with /.'s coverage of MS. For cryin' out loud, you need to get out more, get a fucking life!
Re:Just another example...
by
maxwell demon
·
· Score: 1
And of course we'll hear all about the Bowolf cluster in Soviet Russia that set us up and bomb and all your hot grits are belong to Natalie Portman. which will result in a four page flamewar over the correct spelling of Beowulf.
... in Japan.
-- The Tao of math: The numbers you can count are not the real numbers.
I've been curious to hear more about when and where that's actually going to show up.
I thought that M$ was already working with BIOS makers on this and that it was already here. This could be an admission that trusted computing is not secure computing.
--
Friends don't help friends install M$ junk.
Proven wrong again and again.
by
Chris Burke
·
· Score: 2, Interesting
There is some truth to Windows being targeted because it is the most popular. However, the example of Apache vs IIS demonstrates that it isn't necessarily the most popular target that is targeted, but the easiest target. That Windows/IE/Outlook are both popular and insecure just makes them even more attractive.
"ALL SOFTWARE IS INSECURE" is just a cheap way of avoiding the fact that some software is less secure than others, that some architectural decisions lead to less secure designs than others, that some corporate environments are more conducive to insecure software than others, etc. The maxim "all sufficiently complicated software contains bugs" is absolutely not an excuse in any way for exceptionally buggy software.
I don't want to abuse your car analogy too much, but if one of the major auto manufacturers was lagging in safety technology by forty years would you still use the excuse that such things are incremental and no car is 100% safe? Did "all cars are capable of crashing" save the Corsair or the Pinto, or were these in fact crap designs?
I couldn't prove that Linux/Mozilla/whatever have fewer vulnerabilities. Nevertheless, your belief that they would be the same, based on the assumption that known vulnerabilities scale with popularity and nothing else, including the design of the software in question I find highly suspect.
Define "secure"
by
gone.fishing
·
· Score: 2, Interesting
At first I wanted to make some wry but funny comment about Microsoft's ability to make anything secure but as I was trying to come up with something I realized that "secure" is the sort of term that is hard to define.
What is "secure" anyhow? Is "As secure as a nuclear weapons facility" really secure? Not if we believe 60 Minutes last night. How about "As secure as Ft. Knox" - there was something a few months ago that said that Ft. Knox was susceptible to attack (especially air attack if I remember right).
So, nothing is really secure. Secure is really an analog thing. The keys to your car make your car reasonably secure (and if you want more security, add an alarm). But is your car really secure? No, many a locked and alarmed car have been ripped off.
Banks are secure right? If so, why are they robbed?
Windows will never be secure, because nothing can ever be 100 percent B.S.-free "secure" Not Linux, not Windows, not Ft Knox.
Will Windows be reasonably secure in ten years? Probably by many people's standards, yes. But there will still be need for added security when it is called for. Just like a typical bank has more security than a typical house.
Re:Define "secure"
by
Anonymous Coward
·
· Score: 0
You have a point. However, Microsoft Corp. really needs to pull its head out of its ass and start working to provide bug-free code - it isn't impossible.
There will have to be some major changes in MS Windows before I will even think about running it on our 2,600+ computers.
I don't think MS will ever have 100% of the user market.
Actually, it's nothing more than yet another completely exaggerated headline on Slashdot. Microsoft didn't say Windows wouldn't be secure until 2011. A security guy there, talking about the browser timeline, mentioned 10 years as a timeline for clamping down software.
He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such.
What really happened is some L00nux d00d fanboy caught wind of this Wired sidebar "interview," drew conclusions that had nothing to do with the content of it, wrote up a Slashdot summary with a completely biased headline with the knowledge that Slashdot's editors would jump on it, then just kicked back and waited. Voila, instant typical Microsoft Slashdot article.
I don't like Microsoft's tactics any more than the next guy, but honestly this website has degenerated into complete biased silliness with regards to its Microsoft coverage. No Microsoft-owned "tech news" site would be able to get away with this if they did this to Linux, but when an OSTG-owned "tech news" site does it, it's all right...interesting, seeing as how OSTG sells and makes money off of OSS products and all.
He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such.
This whimsical exaggeration actually obscures a more subtle point--yeah, he said in the article that he updated Firefox, which implies that he uses it--but to say "he uses Firefox" suggests that he uses it as his primary browser, when in reality he's probably just checking on what the competition is doing. But, even if you were trolling as others accuse you of, you were right about the 10 year time line--"secure" is a term somewhat relative to your competition--chances are, Windows, Linux, and Mac will still have security problems 10 years from now, though perhaps fewer of them.
I'm a huge Firefox and Mozilla fan, but I agree the blurb submitted to slashdot was somewhat of a misrepresentation, though in its defense it may have been intended as a joke.
Hrm... That 2011 date is awfully close to the Mayan end time scenario of 2012.
So what really causes the singularity and the end of time is a secure version of Windows on a Quantum computer? Since both being a paradox of existence, it tears the fabric of space-time and bringing about Armageddon?
Or at least a good day to think about patching reality v1.
Re:What?? 100% known secure isn't possible.
by
falsifian
·
· Score: 1
...it's not as if you'd have a way to detect when you'd achieved it even if it was achievable.
What about correctness proofs?
If "100% secure" has any meaning at all, I'd say it means the software does what it's expected to. Although it's probably not practical at the moment, it's not impossible to write a provably correct OS and software.
Of course, that doesn't prove that the CPU and other hardware running the software doesn't have flaws that make the computer insecure, but that doesn't mean the OS itself can't be called completely secure. It's like running a completely provably secure web browser on a mere mortal operating system: the browser can still be called secure even if it isn't in that context.
I suppose one could also say that the specifications themselves could have bugs in them, especially since they might have similar complexity to the software... but it's still something to think about.
Anyway, in general, I agree with you. Although a quick google search for "provably correct operating system" returned at least one interesting result, I doubt if anything as powerful as Linux or Windows will be made this way in a long long time.
I just don't like it when people assume that computer science cannot be anything other than empirical.
-- Each language has its purpose, however humble. -- The Tao of Programming
Your argument is old, well known, and well refuted
by
argent
·
· Score: 2, Interesting
When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure...
The historical record does not support your assertion.
Microsoft was not always the dominant player, and it is not the dominant player in all markets. In markets where they are not the dominant player it is still common to find exploits for Microsoft applications outnumbering non-Microsoft applications.
A technical examination of the exploits fails to support your conclusion.
There are entire classes of security holes, like "cross zone" exploits, that only exist because Microsoft's software is using fundamentally unsound designs. There are classes of exploits that nobody even bothers to seriously track on Windows because Windows is missing the security boundary that such an exploit would attack: there can't be a "break chroot" exploit in Windows because Windows doesn't have "chroot", and the equivalent of a "local root" exploit on Windows is uninteresting because enough Windows users run as Administrator all the time... because that's how Microsoft sets the default user up... that it's irrelevant.
Microsoft's design is such that they only have to fail in one place, and at that point the game is over, the attacker has won. On other platforms the attacker has to first get their exploit into an environment where it might be executed, then (because automatically executing untrusted content is a Microsoft innovation) they have to trick the user into executing them, and then they have a fairly limited ability to cause problems until they break root. And it's possible to run your browser in a chrooted environment or jail to add a fourth hurdle that must be overcome before they can change any system or executable files. On BSD a fifth layer of security, the immutable flag, would mean they'd then have to wait for a reboot before they could have a hope of compromising the system.
Why does UNIX have all these layers of security? Because it was developed in a hostile multiuser environment from early days. Particularly BSD: you have professors and students working on the same computers, with the only thing keeping the students away from their professor's files (next week's test, their grades) was the local security. This isn't all that unusual, most operating systems developed during the '70s and early '80s were subject to the same evolutionary pressure... and UNIX-based operating systems benefit from that historical background.
Windows was not developed for a secure environment. The assumption was that there was really only one local user and he could do anything. When NT was shoehorned underneath this, most of the security capabilities had to be bypassed because they made things just too hard for applications that had been developed for a more trusting environment. It will require a significant redesign *and* breaking many many applications (for example, every application that uses the HTML control) to fix this.
I don't see that happening. That's why I said this guy has a really tough job.
Yes, like fish in the sea and cars on the road ...
by
twitter
·
· Score: 1
Microsoft is... the biggest fish in the sea. Every 'fisherman' is out to get them.
As yes, as someone else so well put it, "Finding a vulnerability is like finding a fish. If the pond is overfished, it's harder to find them. Hackers are rather evenly split between running Linux and running Mac OSX. As much as a few professional NASCAR drivers drive Dodge Neons, a negligible amount of skilled hackers use Windows as their primary OS. Not to mention, many Win32 fish are given out for free by Microsoft when releasing patches. Here, there can be only one option. Even extremely modern versions of Windows have a TC0 much lower than older Linuxes" Why is it that the Microsoft sea never seems to run out of big, ugly fish?
--
Friends don't help friends install M$ junk.
Re:What?? 100% known secure isn't possible.
by
Terrasque
·
· Score: 0
Of course it's possible, you just don't let anyone use the machine.
Therefore, by 2011 they've created an OS that goes directly to BSOD on boot, and never even checks the keyboard and network cards.
This will of course revolutionize the way we use computers, and will finally get rid of the driver hell we currently have.
-- It's The Golden Rule: "He who has the gold makes the rules."
Matter of proportion
by
gillbates
·
· Score: 4, Insightful
The objection is not that Microsoft's software is insecure, but rather that their closest competition has at least two orders of magnitude fewer exploits and viruses than they.
If hundreds of exploits per month were discovered for Macs or Linux, your point would be valid. Problem is, the number of exploits available for all computer systems since the 50's is easily less than the number discovered in Windows in one year.
To make matters worse the rate at which exploits are being discovered is increasing, not decreasing, or even remaining stable. And this from a company making three billion dollars a month. How is it then, that a bunch of ragtag volunteers put together a more secure OS than a company which can spend a billion dollars a month on development?
Microsoft Windows, and the attendant problems it has experienced has brought shame on the entire profession. It isn't a matter of a few human errors here and there - Microsoft releases code with wanton disregard for the effects it will have on the user. You would expect more from such a successful company, but apparently, Microsoft believes the professional standards followed by the rest of the industry simply do not apply to them.
And that, is why they get bashed. They dismiss the wisdom gained by years of computer science, and when their systems run rampant with bugs and security holes, they claim that such lofty goals as security and reliability are unattainable - in spite of the fact that their peers who did heed the lessons of computer science have managed to build such systems.
-- The society for a thought-free internet welcomes you.
Re:Matter of proportion
by
Utopia
·
· Score: 0, Troll
Pray tell us who is this closest competitor who has less bugs than found in Windows.
Re:Matter of proportion
by
grunties
·
· Score: 1, Insightful
the number of exploits available for all computers systems since the 50's is easily less than the number discovered in Windows in one year.
How is this possible, when the former category is a superset of the latter?
And this from a company making three billion dollars a month. How is it then, that a bunch of ragtag volunteers put together a more secure OS than a company which can spend a billion dollars a month on development?
Is it because the old political adage about throwing money at a problem is true?
Money doesn't solve problems. Effective leadership and hard work solves problems. Indeed it would seem that many times, money poses a hurdle to effective leadership and hard work.
So you're saying that an interview with only 4 questions isn't an interview? Exactly how many questions must it have, then? Is 5 enough? 6?
I'm grateful when anybody in the media asks challenging questions. It's not like the media was harassing somebody that doesn't have anything to do with the security of their software, for pete's sake.
--
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
Misleading statement.
by
halfabee
·
· Score: 5, Informative
From the article: "Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherent in the OS, not in the Firefox browser.
True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.
Having someone say "it's more of a 10-year timeline" does not equate to "MS not expected secure until 2011"...much less "MS says" 2011. The phrase "more of a..." connotes a generality.
You are right, he did not make any promises other than to work on it.
In ten years Winblows will still be the easiest to exploit OS around. Three years ago, they promised to make security "job #1" more important than new features. Yesterday, they promised new features for a new OS that will be out two years from now, but are here saying that security may be here in 10 years. If your memory allows you to put those two statements in your head at once, you should conclude that M$ lied three years ago and that security is nothing but an empty promise for M$ three years ago, now and ten years into the future.
Microsoft, however, might not be around to worry about it.
"In ten years Winblows will still be the easiest to exploit OS around."
I'll just ignore this speculation.
"Three years ago, they promised to make security "job #1" more important than new features. Yesterday, they promised new features for a new OS that will be out two years from now, but are here saying that security may be here in 10 years."
Saying that security is more like a ten-year plan does not imply no security for ten years, nor that security will just happen at one instant in ten years. It's a gradual process of refining your design principles.
Security is not a feature. It's a design principle first and implementation principle second. Applying those principles to software that has already shipped, although a worthwhile goal, is not as viable as applying them for future products. Look at what happened to Netscape when they decided to scrap their code and rewrite the browser: they lost to IE. What would happen to Windows if it was stagnant while every line of code was scrutinized: it'll lose. It makes sense to educate developers, and do things right in the next release. (XP is not the next release after that announcement, 2003 was. Compare (honestly) the security of 2003 against XP, it's a staggering improvement and the competition should be watchful that they don't get too arrogant).
Microsoft could get this done MUCH faster
by
erroneus
·
· Score: 1
If they start now, they can build a BSD system with exclusive support for NTFS as their filesystem and their own version of WINE. This would make a whole LOT of things possible and fix a whole lot of problems.
Is it pride or are they just that stupid?
Re:Microsoft could get this done MUCH faster
by
Anonymous Coward
·
· Score: 0
> Is it pride or are they just that stupid?
It can't be pride, because no one in their right mind would take pride in a Microsoft product. So, it must be stupidity.
My computer at home is 100% secure right now.
by
Anonymous Coward
·
· Score: 1, Funny
That's because it is turned off.
Re:My computer at home is 100% secure right now.
by
Beryllium Sphere(tm)
·
· Score: 1
>That's because it is turned off.
But are you sure it doesn't have wake-on-LAN functionality?
/moo/ The correct answer to the classic trick question "Have you stopped beating your wife yet?". Assuming that you have no wife or you have never beaten your wife, the answer "yes" is wrong because it implies that you used to beat your wife and then stopped, but "no" is worse because it suggests that you have one and are still beating her. According to various Discordians and Douglas Hofstadter the correct answer is usually "mu", a Japanese word alleged to mean "Your question cannot be answered because it depends on incorrect assumptions". Hackers tend to be sensitive to logical inadequacies in language, and many have adopted this suggestion with enthusiasm. The word `mu' is actually from Chinese, meaning `nothing'; it is used in mainstream Japanese in that sense, but native speakers do not recognize the Discordian question-denying use. It almost certainly derives from overgeneralization of the answer in the following well-known Rinzai Zen koan:
A monk asked Joshu, "Does a dog have the Buddha nature?" Joshu retorted, "Mu!"
Re:spoiler
by
Anonymous Coward
·
· Score: 0
Several Rinzai Zen Buddhist monks who have heard that definition have dismissed its interpretation. They say that the answer to the Koan is not "question denying", but simply saying "nothing", i.e. that a Dog does not have the Buddha nature.
If anything, I think it is a widely believed fallacy based on a mistranslation.
The logically correct answer is "no". If you have never done it, you can not have stopped.
--
In Soviet America the banks rob you!
"Secure" is an end user decision - a balance
by
cheros
·
· Score: 3, Interesting
Although I agree with you questioning the definition, I disagree with your subsequent line of reasoning. An end user should not be expected to have to become a car mechanic to just run a car, but this is precisely what Windows is presently asking.
I've switched people (end users, not techies) to both Mac and Linux, and in both cases there was a general relief of not having to patch so much (I let them try for a month first). "So much" is the defining factor here - it's way, waaay too much for a common end user (and now well beyond the capability of an average modem to cope with, see SecurityFocus.com). To stay with car analogies, the Windows end users now run cars that need a brake fluid change every half mile. And when they ask the dealer they are told that the next car they buy will be better - out in the next couple of years or so.
Ask yourself: would you really, really like to buy another car of that make when there is a growing mountain of evidence that it can be different? Those I switched over didn't want to go back once they passed that first "It's new and scary" hump. That tells me more than marketing campaigns or "facts" give me.
Enough is enough - they had their chance. Anyone responsible for running a business should start to look at the risks they run - and insurances should start to have a good look at how much risk they insure if the business runs Windows.
-- Insert.sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
Re:"Secure" is an end user decision - a balance
by
gone.fishing
·
· Score: 1
I don't disagree with you at all. Windows must be made more secure and it should not require regular repairs by the end user (in the form of patches) very often if ever.
The only point that I was really trying to make is that the term "secure" is really unattainable. If someone wants something badly enough, has enough resources, and enough time they can get through all of the security we can put up. Secure is different from secure enough. But secure enough is different for each individual, each company, and each kind of use.
We do not need a secure operating system, we need one that is secure enough for our needs. Yet each of us have different needs. Makes it kinda hard for the target to get defined beyond a minimum set of standards don't ya think?
So, in ten years we may have "secure enough" operating systems. Perhaps they will be sold according to security level? You pay extra for more security? Or do we all pay for Ft Knox level security when what we need is more akin to a padlock?
Firefox is probably not his only browser...
by
RichM
·
· Score: 0, Redundant
He also reveals that he runs Firefox.
Yes, but that doesn't mean he doesn't run IE most of the time.
Re:Firefox is probably not his only browser...
by
RichM
·
· Score: 1
How is this redundant?
I am a pure 100% Mozilla supporter but merely pointing out that the guy probably uses IE most of the time because he's an M$ employee - nice moderation folks...
I too am getting sick of YAMBOSHS. (Yet Another Microsoft Bug Or Security Hole Story).
Windows isn't secure. It probably won't be for the foreseeable future. Get over it... There's not much point in restating the obvious. Yes, we know Windows is a toy; maybe someday, it will qualify as a real Operating System. Till then, there's not much point in talking about security or reliability in the context of Windows, because, in spite of what Redmond says, things aren't getting better.
When people mention the success of Windows, and infer that "it must be good, 'cause everybody uses it...", I ask them what they think of New Kids On The Block. The response is usually something like, "Well, they talk tough... but I can't see my grandmother being scared of them... they're kind of just posers..."
And then I say "Microsoft is New Kids On The Block":
They talk about security and reliability, but can't deliver.
Everywhere you go, you see their ad.
They seem popular, but anyone who knows anything about the business regards them as a bunch of wannabes.
It's kind of like that. The rest of the corporate world quietly computes on UNIX and Mainframes as Microsoft claims another security "victory" in a battle already won long ago by UNIX and Mainframes. They talk of reinventing computing - using ideas implemented long ago in MVS... (WinFS, anyone?)
We sit back, chuckle and grin, and think to ourselves, "You know, someday, they might just write something useful..."
But there's really little point in getting all riled up. Microsoft has had 20 years to develop a secure OS; there's no reason to believe that Longhorn will be any different from the rest...
-- The society for a thought-free internet welcomes you.
While being wrong is not a good thing, I commend Microsoft for admitting they need THAT much time, as well as him running Firefox. I actually think more highly of their security team. I respect truth, even if it's admission of wrong.
Does it really matter?
by
hollywoodb
·
· Score: 3, Insightful
I'm really starting to wonder that by the time Longhorn is released, will anyone really care? The hardcore will have read enough articles to make their eyes bleed. The linux folk will continue life as usual. Some of the better features have already been stripped. Microsoft says 2006, but I don't trust MS to keep a launch on schedule for two more years.
-- I may have to share this planet with animals, but I'm doing my damn best to eat every last one of them.
Great, so Win 3.1 will be secure in 2011...
by
Anonymous Coward
·
· Score: 0
This is great news! So the next question is, when will Windows 95 be expected to be secure? I can't wait!
Actually, you're wrong.
by
transops.net
·
· Score: 5, Informative
Your comment was:
"He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such."
To quote TFA:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
Please RTFA before posting corrections to the comments of others. Thank you.
Re:Actually, you're wrong.
by
Anonymous Coward
·
· Score: 0
YHBT. YHL. HAND.
Love,
rd_syringe (aka Overly Critical Guy aka bonch)
Re:Actually, you're wrong.
by
Anonymous Coward
·
· Score: 0
that doesn't say he uses firefox as his browser. do you think as a security dude he might actually have other browsers available to keep up with their security concerns? doesn't mean he uses them as his browser.
Re:Actually, you're wrong.
by
babybird
·
· Score: 1
I have Internet Explorer on my computer, and I keep it patched against known exploits. This does not mean that I use it.
What is revealed in the article is simply that he HAS Firefox on his computer, and being a competent security manager, he keeps his software patched against known exploits where possible. This doesn't mean that he USES Firefox as his browser, simply that he has it installed.
Probably it's not too uncommon for any company to have in their possession the products of their largest competitors. I know several companies who do this regularly. It's part of keeping up with current market demands. Microsoft personnel wouldn't be doing their job if they weren't aware of what their competition is doing, indeed their success would seem to indicate that they are KEENLY aware of what their competition is up to (Internet Explorer notwithstanding).
-- Keith D.
Firefox isn't so wonderful
by
Anonymous Coward
·
· Score: 0
I have no axe to grind either way with IE or Firefox but it tickles me no end reading all the evangelical crap here about how marvellous Firefox is. I recently switched to it as my main browser (v0.9.3) and now Slashdot only loads three times out of five. The other times I get the stuff down the left and the rest is blank. I can no longer read topics by anything except the default view, and to post this I have had to fire up IE. What a choice - a browser that is supposedly secure but cannot reliably load the site where its most fervent supporters hang out, or one that works but has more holes than swiss cheese. Sigh.
Re:Firefox isn't so wonderful
by
bmantz65
·
· Score: 1
And you just gave up? Visit any other websites? I run 0.9.3 and /. loads dandy.
Re:Firefox isn't so wonderful
by
311Stylee
·
· Score: 1
and now Slashdot only loads three times out of five.
That probably has nothing to do with your browser. Seriously. 'Get a life' as they said in the nineties.
Not Equivalent.
by
Anonymous Coward
·
· Score: 0
Linux users do not normally run as root, nor does Linux software expect a user to run as root. Products that require root privs to operate are generally designed to switch to a lesser account or drop all unneeded privs immediately after starting.
By contrast, Windows users run almost exclusively as administrator. This is in part due to the unfortunate fact that a large number of Windows-based software products will not function properly unless the user has administrator privs.
So no, these are not equivalent situations at all.
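The privilege drop described in the comment above can be checked from outside the process on Linux by reading the credential lines of `/proc/<pid>/status`. The following is an added example, not part of the thread: the function names and the four sample status texts are constructed for illustration, and it separates a full drop from a temporary one where root can still be regained.

```python
"""Audit whether a process fully dropped root, using /proc/<pid>/status fields."""
from dataclasses import dataclass

# Capability bit numbers from linux/capability.h that let a non-root
# process get root back or bypass file permissions.
RISKY_CAPS = {1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID",
              7: "CAP_SETUID", 21: "CAP_SYS_ADMIN"}


@dataclass
class Creds:
    name: str
    uids: tuple    # (real, effective, saved, filesystem)
    gids: tuple    # same order as uids
    groups: tuple  # supplementary groups
    cap_prm: int   # permitted capability mask
    cap_eff: int   # effective capability mask


def parse_status(text):
    """Parse the credential lines of a /proc/<pid>/status dump."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()

    def four_ids(key):
        if key not in fields:
            raise ValueError(f"missing {key} line")
        ids = tuple(int(part) for part in fields[key].split())
        if len(ids) != 4:
            raise ValueError(f"{key} line must carry four ids")
        return ids

    return Creds(
        name=fields.get("Name", "?"),
        uids=four_ids("Uid"),
        gids=four_ids("Gid"),
        groups=tuple(int(g) for g in fields.get("Groups", "").split()),
        cap_prm=int(fields.get("CapPrm", "0"), 16),
        cap_eff=int(fields.get("CapEff", "0"), 16),
    )


def audit(creds):
    """Return (verdict, findings); verdict is root, partial-drop or dropped."""
    ruid, euid, suid, fsuid = creds.uids
    if euid == 0:
        return "root", ["effective uid is 0: no privilege drop happened"]
    findings = []
    if 0 in (ruid, suid):
        findings.append("real or saved uid is 0: seteuid(0) would restore root")
    if fsuid == 0:
        findings.append("filesystem uid is still 0")
    if 0 in creds.gids:
        findings.append("a real, effective, saved or filesystem gid is still 0")
    if 0 in creds.groups:
        findings.append("supplementary group 0 kept (setgroups was not called)")
    held = creds.cap_prm | creds.cap_eff
    for bit, cap_name in sorted(RISKY_CAPS.items()):
        if (held >> bit) & 1:
            findings.append(f"{cap_name} retained")
    return ("partial-drop" if findings else "dropped"), findings


def audit_pid(pid):
    """Audit a live process on a Linux host."""
    with open(f"/proc/{pid}/status") as handle:
        return audit(parse_status(handle.read()))


# Constructed samples, not captured from a real system.
FULL_DROP = """Name: httpd-worker
Uid: 33 33 33 33
Gid: 33 33 33 33
Groups: 33
CapPrm: 0000000000000000
CapEff: 0000000000000000"""

# seteuid() only: real and saved uid stay 0, permitted capabilities remain.
TEMP_DROP = """Name: legacyd
Uid: 0 1001 0 1001
Gid: 0 0 0 0
Groups: 0
CapPrm: 000001ffffffffff
CapEff: 0000000000000000"""

# Unprivileged account that keeps only CAP_NET_BIND_SERVICE (bit 10).
BIND_ONLY = """Name: webd
Uid: 998 998 998 998
Gid: 998 998 998 998
Groups: 998
CapPrm: 0000000000000400
CapEff: 0000000000000400"""

STILL_ROOT = """Name: rootd
Uid: 0 0 0 0
Gid: 0 0 0 0
Groups: 0
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff"""

if __name__ == "__main__":
    for sample in (FULL_DROP, TEMP_DROP, BIND_ONLY, STILL_ROOT):
        creds = parse_status(sample)
        verdict, notes = audit(creds)
        print(f"{creds.name}: {verdict}")
        for note in notes:
            print(f"  - {note}")
```
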
5 yr plans?
by
Anonymous Coward
·
· Score: 0
10 years? Even the Soviets had 5 year plans. Who knew their bureaucracy grinds twice as slow as that of the Soviets.
They're ALREADY 10 years late, DOH!
by
Spy+der+Mann
·
· Score: 1
Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.
They're ALREADY 10 years late, DOH! Oh. Correction. NINE years. When Microsoft launched Windows 95 with Internet Explorer included, they just did that as a marketing hype. They were NOT concerned with security, the option of having various user accounts was not very clear in 9x. Well, at least it wasn't obvious. (And guess what - you need WinXP _PRO_ ($$$) to set up advanced file "sharing" under the administrative tools)
Oh, what happened with ActiveX controls? Did they care about security? No, it was just another lame way of getting rid of Netscape plugins in favor of their own implementation.
But wait, let's go back further in history. Remember the nasty MS Word viruses, even before the "web" was worldy available?
Wait, wait! It gets better! DOS. Ever seen those BIOS "virus" alerts? Well those should have been implemented by the Operating System, because the BIOS cannot REALLY know if something's a virus.
DOS should have implemented a decent secure File System. Unix already had those user thingies called "privileges" and the famous read-write-execute attributes.
Face it. When security wasn't even in Microsoft's radar screen, the *nix world was already eating, drinking and breathing security. It's been around 15 years and the Microsoft guys are _JUST_ realizing what this is about.
So, Yeah, I can really understand why Microsoft's goals are long term. To change THEIR WHOLE WAY OF DESIGNING SOFTWARE is a long term goal, DOH!
Re:They're ALREADY 10 years late, DOH!
by
SillyNickName4me
·
· Score: 1
Hmmm.....
Separation of users does not in itself make for security.
Unix grew into being a multiuser system, and that comes with many of the things you mention. Until relatively recent times, secure implementation of those was not really much of a concern.
DOS was aimed at Personal computers. Personal is capitalized there because it was intended for single user situations, and to run in a much smaller environment than any Unix at that time.
When you look at MS' supposed multiuser systems, you'd have to start at NT 3.x, which incidentally includes many of the same features (separate user accounts, filesystem with permissions etc). It is not like this is news or anything, even for Microsoft.
Security depends on a lot more than this, and so far, a system that can prevent privilege escalation from user to administrator level on a mathematically provable way still has to be implemented (and most likely invented).
As long as this is the case, there will at least always be theoretical possibilities to remotely exploit a machine and get full access through a process running with normal user privileges. (It may be difficult, or practically almost impossible, but not absolutely impossible, even OpenBSD has had the situation happen, all this requires is a LOCAL root/admin exploit)
At any rate.. security has to do with mentality, translated into procedures, supported by the right tools. If you believe just picking the right tools will make you secure, you are mistaken. If you decide to be secure, and use your tools accordingly, you may find that better tools do a better job of course.
Re:They're ALREADY 10 years late, DOH!
by
Anonymous Coward
·
· Score: 0
At any rate.. security has to do with mentality, translated into procedures, supported by the right tools. If you believe just picking the right tools will make you secure, you are mistaken. If you decide to be secure, and use your tools accordingly, you may find that better tools do a better job of course.
there's an assumption that if the world was linux then security wouldn't be a problem. i would like to see what millions of inexperienced users and a new monoculture would reveal about its security?
Re:They're ALREADY 10 years late, DOH!
by
Dirk+van+der+Broek
·
· Score: 1
Separation of users does not in itself make for security.
No, but you must admit that separating normal system user privileges from administration privileges is important for security.
Unix grew into being a multiuser system, and that comes with many of the things you mention.
All the historical facts do not corroborate your claim, Unix was designed as a multi-tasking, multiuser OS from the beginning. You are correct that security was not a great concern in the beginning, if you do some searching you will find information pertaining to back doors in login, sendmail, etc.
Re:They're ALREADY 10 years late, DOH!
by
SillyNickName4me
·
· Score: 1
> No, but you must admit that separating normal system user privileges from administration privileges is important for security.
And your point is? I guess that that is exactly why I go into an explanation of the issues regarding privilege escalation eh? of course it matters, but it does not make for a secure system like many Linux zealots here believe.
> All the historical facts do not corroborate your claim, Unix was designed as a multi-tasking, multiuser OS from the beginning
What I am saying is that that is more coincidence than anything else. The coincidence is that at that time it was the only more or less practical way to do it. Had it been a decade later, chances are that that would have been different.
It's nice that you seem to feel defensive about unix systems in general (and linux in particular I'd bet) but you'd do well to read my post better and think about what I am saying before replying again.
Re:They're ALREADY 10 years late, DOH!
by
SillyNickName4me
·
· Score: 1
> theres an assumption that if the world was linux then security wouldnt be a problem. i would like to see what millions of inexperienced users and a new monoculture would reveal about its security?
And there is an assumption that security doesn't matter for the average user, or at least they don't care.
Reading my previous statement, and adding this, I'd bet that a Linux monoculture would have its own security problems.
Those however will be a lot more a matter of user behavior than technically broken software.
It appears /. is getting more like...
by
bob670
·
· Score: 1
the Inquirer every day, taking statements out of context and making them headlines. This is the type of hit count whoring I expect out of Ziff Davis and Dvorak, not the supposed beacon of geek culture.
Re:What?? 100% known secure isn't possible.
by
jd
·
· Score: 2, Interesting
Actually, it is. It's just very difficult to achieve and very expensive to maintain.
To be 100% secure, you must demonstrate the following:
A robust specification exists or can be derived. (A robust specification is one in which it is not possible to construct an improperly handled input)
Each component of the software, in turn, can be verified against the specification -OR- can be proved by formal methods as being robust
Each component of the software that manages resources can be shown to be robust against exhausting that resource
The security model is such that a component's scope is clearly defined and enforced
None of this requires the typical "inspect 'til you collapse of old age" method of securing software. If a component is verified or proven, then it's 100% bullet-proof, or damn close. By then placing the additional constraint that it can't do anything outside of a rigidly-defined scope, you render any flaws that do remain unable to be exploited.
As great as this method is, there are problems. Specifications, of any meaningful size, are extremely difficult to write. Most Software Engineers don't bother, precisely because it is so hard to do well enough to be useful.
Proving a specification as complete and robust is relatively straight-forward, but still very time-consuming (and therefore expensive).
Mathematically proving that a program is both a complete and sufficient implementation of a specification (ie: any case that can happen to one will happen to both in exactly the same way) is absolutely horrible to do. Even a relatively simple, short function can take days to prove. Something like the Linux kernel would take decades - by which time the kernel you'd verified would be so out-of-date as to be useless.
Making a function 100% bullet-proof on the resource front isn't easy. Resources aren't so easy to handle in pure mathematics, because they are finite in size, react in finite time intervals, and otherwise behave in inconveniently Real World-ish ways. Here, you'd have to demonstrate a total mapping between the theoretical ideal and the physical reality, and the appropriate trapping/handling of errors and extreme conditions.
Finally, the security model. It is always possible to miss something, even when using very exacting, detailed models to describe the behaviour of software. It is also always possible for someone who understands the behaviour well enough to exploit what should happen, for their own purposes. By running every single component of the software through a security model that rigorously controls what can happen, you trap any missed errors and any correct but abused behaviour.
I mentioned that this was difficult, time-consuming and expensive. A company the size of Microsoft, investing every cent it had into formal software verification, could probably produce a 100% secure version of the Linux kernel within a year or so. It would then go broke, having spent nothing on making an income in all that time. The "security" would last up to the next kernel patch, after which new bugs may well have been introduced.
"But that means it's impossible!" No, not quite. If, say, the US Government invested that kind of money into Linux security, you could be looking at provably-secure "A1-compliant" full-featured Linux distributions by 2011. It's not impossible. But it's not that likely, either.
There are no "provably secure" commercial or free OS' in existence, and any military ones that exist are probably very specialised, extremely secret, and utterly impossible to maintain. (The number of people who could maintain such a beast is extremely small, and not growing any larger. With the move away from robust designs, those who even could do the work have no incentive to keep those skills honed.)
I do not expect to live to see the day where there is even mo
-- It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Re:Download.Ject -- CORRECTION
by
SlowMovingTarget
·
· Score: 3, Interesting
Hee hee hee... I find the following bit from Microsoft's instructions on how to clean the trojans funny:
Note If you have difficulty running the Download.Ject removal tool from this page, it may be due to your browser's security settings. You can also try downloading the removal tool... (emphasis added)
Basically, they're saying that you don't have IE in pants-down mode, so their ActiveX scripty-do can't run. Is that ironic, or just amusing?
No system is secure
by
Pan+T.+Hose
·
· Score: 2, Funny
Please, let us not be so unfair to Microsoft. No system is 100% secure. I am sure that by 2011 OpenBSD might have another two or maybe even three local exploits in some services not installed by default. Security is very hard and nothing is totally secure, be it Windows, OpenBSD, KeyKOS or EROS--no difference.
-- Sincerely, Pan Tarhei Hosé, PhD. "Homo sum et cogito ergo odi profanum vulgus et libido."
Windows Not Expected Secure Until 2011?!
by
Pan+T.+Hose
·
· Score: 0, Redundant
"Windows Not Expected Secure Until 2011, Says Microsoft."
Wow, what an optimism! Personally, I wouldn't expect Windows secure until the next ice age in Hell--but Microsoft? Those people have got vision, genius and determination! Meanwhile, any sane admin will continue using Debian and EROS for at least 7 more years, thank you very much.
-- Sincerely, Pan Tarhei Hosé, PhD. "Homo sum et cogito ergo odi profanum vulgus et libido."
BZZZZT, thanks for playing.
by
twitter
·
· Score: 1
[security is] a gradual process of refining your design principles.
In the case of Winblows, it should be a complete and radical rebuild. They can start with a kernel that really keeps track of memory usage, has real PIDs, users and file based permissions for user, group, world, read, write, execute and force it on applications. Lord knows, they've broken enough of their erstwhile competitor's programs to have done this already. Other nifty ideas would be not running email clients and web browsers that auto-open anything as close to root with permissions to overwrite system files. People have been telling them that their single user mode junk was not internet ready since DOS and winblows 3.1, you would think they understood by now and would implement some of the features of the OSes they copied, VMS, Unix, etc.
What would happen to Windows if it was stagnant while every line of code was scrutinized: it'll lose.
That's happening now, but I doubt every line is being "scrutinized" while they blunder along with DRM features and database filesystems. A rebuild would be quicker than such scrutiny anyway.
Compare (honestly) the security of 2003 against XP
You mean that thing that banks and others run that just got totally owned by the makers of download.ject? I don't have to honestly compare that to that other OS I don't run because others have done it for me.
Why do people listen to Microsoft anymore? Due to monumental arrogance, they never listen to anyone else. "Best Windows Ever" again? Who's going to believe that?
--
Friends don't help friends install M$ junk.
Re:BZZZZT, thanks for playing.
by
Anonymous Coward
·
· Score: 0
Windows already does everything you listed, try again zealot. Everything since NT4 has had full memory protection. Fine-grained ACLs (unquestionably better than Linux) apply to all software. If a user isn't logged in as administrator, their processes don't have admin access either - same as Linux. Your email client or browser is physically unable to run anything at a higher privilege level than you. Why don't you come up with some real arguments, you fuck?
Re:BZZZZT, thanks for playing.
by
Anonymous Coward
·
· Score: 0
Shatter Technique. NULL Sessions
Try again.. you fuck!
Re:BZZZZT, thanks for playing.
by
Anonymous Coward
·
· Score: 0
We all know it's you cock-gobbler, why don't you log in to respond to ACs?
Re:BZZZZT, thanks for playing.
by
praxis
·
· Score: 1
"They can start with a kernel that really keeps track of memory usage, has real PIDs, users and file based permissions for user, group, world, read, write, execute and force it on applications."
- keeps track of memory usage: check
- has real PIDs: check
- users: check
- file based permissions for user, group, world, read, write, execute, forced upon applications: check. Windows ACLs are a little better than what's built into the kernel. Read up on it, you'll see.
"Other nifty ideas would be not running email clients and web browsers that auto-open anything as close to root with permissions to overwrite system files."
Email clients and web browsers don't auto-open anything "as close to root with permissions to overwrite system files," they run as the user. Try running a web browser and email client on Linux as root, it's quite the same.
Care to make a zealot-less point which actually attacks a real design flaw?
Re:BZZZZT, thanks for playing.
by
twitter
·
· Score: 1
Care to make a zealot-less point which actually attacks a real design flaw?
If any of what you said was true stupid stuff like midi and wav file attachment attacks would not work. Oh yeah, that reminds me of another flaw or two. How about that stupid extension based file typing? Also, zero choice or change in system files makes for exploits that nail everyone. I assume that any winblows computer connected to a network has been rooted.
I'm not a zealot, I've simply got a memory. Windows gets a new auto root every month or so. None of your blind apologies or praise of ACLs will change that.
--
Friends don't help friends install M$ junk.
Re:BZZZZT, thanks for playing.
by
Anonymous Coward
·
· Score: 0
Hey moron, you're the one who brought up ACLs and user permissions. Everything he said was true, so you change the subject. If you worked for me, I'd fire you after sexually harassing you.
Re:BZZZZT, thanks for playing.
by
praxis
·
· Score: 1
Could you point me to an exploit where a midi attachment compromises a Windows box? I'll even run Outlook if you want. I'll even click on the attachment for you. But, I won't run as Administrator. Nor will I change my ACLs to allow world write to any system file. That's just dumb. I bet you don't run as root with world write in /etc on a Linux box, do you?
Re:Download.Ject -- CORRECTION
by
ConceptJunkie
·
· Score: 0, Flamebait
The irony, of course, is that MS admits they can't combine usability with security.
Of course, the site was probably created with that bloated monster FrontPage and running on that famous security sieve IIS.
-- You are in a maze of twisty little passages, all alike.
I see a lot of posts complaining that "it's more of a ten year timeline" got turned into 2011. But no one seems to have noticed that 2011 is 7 years away, not 10. The slashdot headline, if taking the MS rep as literally as the critics are claiming, should have said that Windows would not be secure until 2014.
The MS Marriage
by
Anonymous Coward
·
· Score: 0
If your wife had a 10-year timeline plan to finally be faithful, would you wait?
are apples the same as oranges?
by
way2trivial
·
· Score: 4, Insightful
I've got an idea, let's make a list pitting product A's strengths against Product B's weaknesses..
can your car go as fast as my bicycle?
can my sister pee farther than my uncle?
how many different programs can you burn dvd's with in linux?
how many linux computers can play doom 3?
I'm not playing favorites, just objecting to your biased list.
-- every day http://en.wikipedia.org/wiki/Special:Random
Re:are apples the same as oranges?
by
Anonymous Coward
·
· Score: 0
I've got an idea, let's make a list pitting product A's strengths against Product B's weaknesses..
can your car go as fast as my bicycle?
A bike is slower by design. So are you saying that Windows is slower, less secure, less featured, etc, by design? If so, then you're probably correct there.
can my sister pee farther than my uncle?
Just a guess, but I have to say: probably.
Re:are apples the same as oranges?
by
strider44
·
· Score: 3, Informative
how many different programs can you burn dvd's with in linux?
Just off the top of my head, four. There are also two major (and free) dvd movie authoring packages. Look them up.
Re:are apples the same as oranges?
by
Nosf3ratu
·
· Score: 1
Why are comments such as these moderated as "Insightful"? Merely because they have a dissenting opinion? Merely because they play devil's advocate and (badly) attempt to point out flaws in the parent post's truly insightful (read: OMGLINUXZEALOT) commentary?
Regardless of whether the parent post made good points or not, you cannot denounce them by making such a bullshit prefab rebuttal as "THAT'S COMPARING APPLES AND ORANGES U IDIOT LOL".
I'll type this slow and clear, for you to comprehend.
Windows:Linux -/-> Car:Bicycle. A more proper analogy would be Windows:Linux -> Ford:Mercedes. Read: They are both cars (operating systems) but they have not-so-moot architectural and design differences).
Stop modding up knee-jerk reaction posts just because someone takes the goddamn obligatory stance of devil's advocate. I'm all for dissent, but at least try to be somewhat coherent in your statements, you dumb shit.
Oh, and by the way: I've been playing Doom 3 in Linux since the first week it was released (via Cedega, and soon, natively, as someone else pointed out), and I've burned not just data DVDs but also a home movie, and a backup of a DVD I own, just to prove a point that it can be done. Simply because you run Redhat 7 on some shitty Compaq in your closet to make yourself feel "3r33t" doesn't mean Linux is not cutting-edge. Mercedes aren't cutting-edge either, if the only one you own is a 1988 that hasn't ran since Hector was a pup (oh, snap there's my GOOD analogy again).
Mod me as a troll. I LOVE IT.
-- The old Lie: Dulce et decorum est Pro patria mori
Re:are apples the same as oranges?
by
animeorb
·
· Score: 1
well what good is a car without gas and of course we can pedal the bicycle by ourselves its like the story of the tortoise and the hare
Re:are apples the same as oranges?
by
Anonymous Coward
·
· Score: 0
4... How many exist in the Wintel world?
Re:are apples the same as oranges?
by
mnmn
·
· Score: 1
You missed the point.
I'm only saying Linux is more featureful than Windows. Nowhere did I say Linux is easier to use, or better for Joe Public.
And I'll say it again.
Linux has more features than Windows.
-- "Give orange me give eat orange me eat orange give me eat orange give me you."
-Nim Chimpsky
Correct me if I'm wrong but isn't 2011 the end of the Mayan calendar. This means that the world, according to the calendar of the ancients, will end just as Microsoft gets its security act together.
Well, what the heck good is that? Some of us would like to use our PC before then.
What I mean is, sure, all the earth cracking and bismuth would add a whole new dimension to playing those antique games, but we only get a year or less of game play and then we're all snuffed cataclysmically.
That's hardly what I'd call productive software engineering.
I'm not buying windows anymore. It's time to send all that money to Burt Rutan so we can get off this rock.
I wonder what's over at http://www.happypenguin.org
Re:The Mayans were right!
by
oneandoneis2
·
· Score: 0
Correct me if I'm wrong but isn't 2011 the end of the Mayan calendar.
Nope - 2012. December. The 21st, I believe... so big savings on Xmas presents:o)
-- So.. it has come to this
Won't be secure until 2011... hmmm
by
Allnighterking
·
· Score: 2, Funny
With Longhorn (or maybe since it's had its most valuable assets removed we should call it Steerhorn) due out in 2006 and Security not reached until 2011, does that mean that Windows isn't expecting a secure product until Steerhorn's replacement?!?
Oh well maybe by the time my 4 year old graduates from college Windows will be a viable OS. They've always had potential as a desktop OS but keep falling short.
--
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
If a Christian says he prays to a different god, then he does. A scholarly analysis proves nothing, because mainstream Christian, Judaic, and Islamic beliefs are not based on scientific, scholarly debate.
To put it another way, you can't say that my imaginary friend is the same as your imaginary friend just because they're both loosely based on, say, Yoda. Neither friends are provable in the "real world", just as neither the Islamic nor the Christian god are provable. Their existence is entirely subjective and while that doesn't make them any less real (IMO), it does make them immune to this sort of logic.
Exactly. Anyone who thinks that any company is going to invest two years, ten years, or a zillion years and then have a "secure" product is missing the point.
What I hope Mr. Toulouse meant is that the current project of excising bad security decisions is a ten-year project. That's realistic for a code base whose DNA dates back to the days of friendly networks or no networks at all.
(If anybody doesn't recognize the quote in the title, it's from Bruce Schneier).
Is it a fix? Or is it a fux?
by
Pan+T.+Hose
·
· Score: 2, Funny
That's not a fix, that's a FUX. It looks like a fix but if you perceive a FUX to be a FIX, you're bound to get FUXED.
Is it a fix? Or is it a fux? No! It's a fox! Firefox!!!
-- Sincerely, Pan Tarhei Hosé, PhD. "Homo sum et cogito ergo odi profanum vulgus et libido."
Re:Is it a fix? Or is it a fux?
by
Foofoobar
·
· Score: 1
Firefox is a fix for a fux which is IE.
-- This is my sig. There are many like it but this one is mine.
cute little red daemon?!
by
Anonymous Coward
·
· Score: 0
Pay no attention to the penguin and cute little red daemon over there.
Hey! That "cute little red daemon" has a name, you insensitive clod! That's lady Ceren Ercen for you!
They should just dump Windows...
by
BalkanBoy
·
· Score: 2, Informative
And go with Mac OS X... they will have at least one cash cow, MS Office X ported as is.
Windows needs a redesign.
--
'A lie if repeated often enough, becomes the truth.' - Goebbels
flamebait?
by
Henk+Poley
·
· Score: 2, Interesting
which version of windows has more GUI features than the latest KDE or GNOME?
Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4
Pardon me, but I've used KDE for quite some time now but I never edited a single KDE config file. Since I started using Linux I've done less configuration fiddling than under Windows.
All the other answers are also simply flamebait or plain incorrect (maybe except the hardware thing). For example, BSD 'is' not the only operating system that is more secure than windows.
MOD PARENT UP
by
Anonymous Coward
·
· Score: 0
I actually found that link useful, since the color scheme here is very hard on the eyes.
Re:What?? 100% known secure isn't possible.
by
DunbarTheInept
·
· Score: 1
No. I can complain about it now, when people mistakenly believe it is even possible to calculate those percentages you post. The whole point is that you don't even *know* where the line is. So you never know what percentage you are at.
The evils of MS are too important to be using stupid logic to water down rhetoric against them. The arguments against them are stronger when they are better thought-out.
--
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Re:What?? 100% known secure isn't possible.
by
DunbarTheInept
·
· Score: 1
If a component is verified or proven, then it's 100% bullet-proof, or damn close.
By throwing in that caveat of "or damn close", you just shot down your own argument.
--
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
This is what an interview in Wired has come to? In case you didn't read the article, let me paraphrase:
Wired: IE sucks, do you release this?
M$ Guy: Well, it's not as simple as that. We're constantly analyzing IE to make it a better product.
W: Firefox or Opera kicks your ass, just say it.
M: There certainly are areas we can improve on, and we're currently redoing IE to make it more secure and feature-rich.
W: M$ SuX0rS! Admit it now!
M: We're committed to making IE an industry-leader and we appreciate user feedback.
The interview was just four questions where the interviewer just spouted nonsense. I don't blame the marketing droid responses, there weren't any questions to respond to.
Is this a quality interview from Wired?
--
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
So I guess the question is...
by
ztwilight
·
· Score: 1
If Microsoft claims that their operating system won't be insecure until 2011, why are people still using it?
-- Who moved my sig?
Re:Even XP SP2 is easy to tamper with ( Firewall)
by
zijus
·
· Score: 1
Hello,
here's a Python script that will automatically kill the new "Windows Firewall" in to XP Service Pack 2.
I probably use XP first version (no SPs). I disabled Firewall by using the tool "msconfig" ( start from the command line ). Works pretty fine : no need to play with registry, or scripts, or...
I believe it is a slightly different kind of "securing" he talks about. Let me tell you a story:
I live in Latvia and constantly use internet banking services. Every customer-oriented bank here has a web interface where we can overview our accounts, shares, investments, debts, credits, fill different forms online, request new features, etc, etc, etc. A proper virtual bank.
A colleague from USA came to work with us and company opened a local account for him as well. And now the interesting part: after working in quite high profile company in USA as a security advisor (or smth like that) he simply couldn't grasp how it comes that we, here, in exCommie state, a developing, third world with average salary of 2500 usd per year, could have so secure, efficient and usable internet banking services. From what he told me, he was used to authenticate with his card number and pin on http:// site in his american bank.
The point: Our banks started to develop their internet banking solutions (and infrastructure in general) when technology was quite mature and security implications were already well known and easy to avoid. Hell, nobody here even understands why you should use cheques, if you can quickly get in closest internet cafe, with computers usually ridden with spyware and keyloggers and totally securely, within 10 seconds, transfer any amount to whom you please.
However the pioneers took all the burden to find out the problems the hard way and now simply cannot afford to change their insecure, obsolete and dangerous web interfaces to something at least half as secure and efficient as we have here. It would be too much of an investment.
And here comes the moral: Those 10 years are the time Microsoft will require to move most of their applications and operating system to the point where any security starts to become a possibility. Or, we will see a 1995/6 year story with mac. They dumped their macOS as FUBAR and acquired NeXT to gain a necessary expertise to create a better os for their needs.
Anyway - who needs Microsoft. MacOSX is reasonably secure, easy to use and damn sexy today. And for a similar performance costs about the same as that dual cpu athlon 64 you are thinking to buy;D
Linux will never be. There will be just another FreeBSD fork with proper graphics and useable software.
It's a tool on the Windows 95 CDROM called poledit
by
babybird
·
· Score: 1
This was available all the way back in Windows 95 days as well via a system administration tool on the Windows 95 CDROM (in a folder labelled administration tools or something like that ironically) called poledit (Policy Editor). It's existed since Windows file-sharing began. Of course you're right that it isn't obvious, it would involve reading a lot of documentation to know it existed.
This is a site dedicated to getting page views, not providing unbiased news.
As a bonus, this continuing trend of over-hyped drivel gets people reading the articles so they don't sound like an idiot when they concur with the original poster.
-- "Don't waste your time or time will waste you" -MUSE
A bicycle is slow by design?
by
hackwrench
·
· Score: 1
Since when? If so, I want a bicycle that's designed to go fast, I'm sure there'd be a market for it. But I think that bicycles are designed to go as fast as possible given the power source is a human being.
Linux is now good at reading NTFS and can write NTFS inplace without problems, so..
Create a file on the NTFS drive from Windows to hold linux
e.g. in qbasic (so it'll take a while)...
open "linux.part" for binary as #1
z$ = chr$(0) ' a single zero byte
for n& = 1 to howmanybytes&
put #1, , z$ ' append it at the current file position
next
close #1
then format the linux.part to be reiserfs4 or ext3 or whatever (you can do this under windows, you can access the file from linux and do it there) and install linux on it using loopback so there's no need to re-partition your HDD.
I think mandrake can install out of the box using this method.
Oh, and if you meant 'read the reg files', I'm working on that one.
I used to be mad at MS for intentionally not recognising Linux filesystems and partitions.
Now, I'm very grateful. A virus that takes advantage of their security holes cannot hurt my Linux partitions. My family may lose their data, but most of mine will be invisible and out of reach. The only thing of importance I keep on the FAT partitions are music and tv shows. Actually, I do have pictures on the ntfs partition and I think I will make copies of them in Linux right now.
-- Ops, I shuld have usd the prevuwe but in.
Re:Blessing in disguise
by
Anonymous Coward
·
· Score: 0
Actually windows can trash any partition on any drive that's attached to your system. No matter what filesystem. It's pretty simple to obtain lowlevel disk access and overwrite any disk sectorwise - ignoring all partition information.
You make a good argument, but
by
trigggl
·
· Score: 1
Windows is the biggest fish in the sea when you are talking about desktops. If you are a hacker, are you concerned with desktops? They may be willing to hack some computer for the standard processor and a few Gigs of hard drive space. Oh, and that DSL connection may be good for a little spamming.
However, correct me if I'm wrong, but I do believe that *nixes are just as popular for servers. That T-* connection sure looks tempting for abuse of some kind. This is the same reason I have tinted windows on my car and keep temptations out of view. Nobody is going to break my windows if there is nothing visible to take. My wife's window was just broken because my daughter's purse was left in it. That's expensive damage for a purse they got nothing valuable out of. I believe hackers are going to go for the most tempting victim. Sometimes Linux systems are compromised, but rootkit hunters find when that happens. Sometimes the offender can be traced, but the server will be backed up and reinstalled quickly. The thing with *nixes is that each one is different and with Linux, each distro is different. Linux flaws really are patched quicker than Windows. When the software is already free and the code is available, it is harder to pass off warez. There is a whole community of developers with eyes out. With Windows, there is a whole company of eyes out and we don't know how long between discovery of problem and release of the "fix".
I suppose on one key part, you are right. When the same lazy people start using Linux and run as root in spite of the window warnings telling them not to, Linux will be just as insecure. Windows XP has the ability to be more secure, but nobody is using it. My MIS department set me to connect to the network as a user with Administrator privileges. I haven't figured out yet, how to connect as a lower pivaledged(sp) user. I set up the account, but it does not connect. I guess I should ask them. They were too busy to put the anti-virus program on; I had to do it myself.
My company does use MS ISA server. Thankfully, our drafting program is on AIX.
-- Ops, I shuld have usd the prevuwe but in.
Meanwhile at the grassroot level...
by
avanaardt
·
· Score: 1
...I have been installing various flavours of Linux (mostly Xandros 2) on more than 50 PC's over the last few months -- mostly for HOME users. These are ordinary Joe Soaps who have reached the stage where they are totally fed up with all the malware infesting Windows boxes. And they do not have the time to download an 80 mb patch.... which doesn't work properly. Just last night an MCSE phoned me and asked for a copy of Xandros Open Ed. -- appears he went online with his XP machine and was compromised within 5 minutes.
Microsoft made it big when their CONSUMER product, Win95, took off big time. Consumers are now starting to discover easy-to-use Linux distros, such as Xandros and Suse, and being able to surf the Web safely is a Big Thing. All these Joes want is to read their emails, surf the Web and do some simple budgeting on a spreadsheet -- and they are all VERY happy with their "new" computers.
The point is that CONSUMERS created the support base for MS in '95, and CONSUMERS are now quietly moving away from MS. Mark my words: 2004 will go down in history as the tipping year. I live in a small town, and the number of people using Linux is surprising, and INCREASING. A Quiet Revolution indeed.
Uh
by
Anonymous Coward
·
· Score: 0
... XP will make your computer more secure and reliable than previous versions of Windows. Which is arguably true.
It seems to me to be demonstrably false, in that XP had worse remotely exploitable holes than any other version of Windows. Things that flattened XP didn't affect 98 at all.
XP is a decent product, and it's not terribly hard to harden. Take a Windows XP box, turn on auto-updates, run FireFox, and be done with it
"Windows Update?" That's the thing I disable on any system I install. "But why?" you may ask. I'll tell you why: because they don't work. Typically they break functionality, and restart services I've specifically disabled. I don't need extra services running on linux or windows, but they scare the heck out of me on windows, I never know when a service will have a hole discovered.
I'll give you that there are many linux distributions which are not secure, especially red hat. I've stopped running them, for the most part, simply because of all the unnecessary services loaded initially. I see all kinds of security holes posted for linux applications, but most of them are in version ".x" e.g. prerelease, so I don't really expect less. Sometimes an older one will have a security hole but typically the comment alongside it is: "we're not sure how you'd use this but there's genuinely a flaw here; so we fixed it."
Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. Mostly I think windows takes a bad rap on slashdot more because of "trusted computing" and "microsoft security model", etc, than because there's a huge gap. But I do know that IE _IS_ the root of their problems and SP2 is just a sign of that. Since they say they can get as much scrutiny as they say they can, of their OS, then, these sorts of things shouldn't be happening. Linux only has these in post-release because A) they release as beta/prebeta, and B) because of deeply hidden flaws like the one recently found in the kb5 lib.
The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear. Also I'd like to point out that newspaper headlines are almost always misleading, but I'm sure I would have drawn the same conclusion, even though the thought of Microsoft changing the focus that much is just unbelievable.
Y'know, you really should read some of the books that Slashdot reviews, as well as just Slashdot. Bob Glass has 45 years of experience in software engineering design; I'd tend to trust his expert opinion over most. From what I read of his book (which indirectly can help make a lot of sense of where both Microsoft AND Linux are screwed up), you seem to be wrong on points 1, 2, and especially 3-- testing reduces bugs, but even the best testing cannot completely eliminate them. Point 4 is addressed indirectly, in his points on schedule estimation-- and also seems to say you're sort of wrong, although not as badly as with the others.
Unless you are using mathematically PROVABLE methodologies (got an assignment statement? there goes provability....), there will be the risk of bugs in the code.
Your suggestions are good for REDUCING the number of errors. They won't ELIMINATE errors completely.
-- //Information does not want to be free; it wants to breed.
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In case anyone is wondering about Download.Ject, check this link out. It's only a matter of time until a high-volume site gets compromised with this exploit. Scary stuff.
Sadly, Firefox isn't affected.
Right is wrong when left is right.
Hey, at least they're honest about it. They could have put a spin on it.
I thought Microsofties had to eat their own dog food?
Mit der Dummheit kämpfen Götter selbst vergebens.
Stephen Toulouse also admitted he is retiring in 2010...
-- www.globaltics.net
Political discussion for a new world
So, either he's incredibly brave, incredibly stupid, or that's a point for Microsoft, for allowing their employees to be candid about the state of their products.
What sort of "interview" only includes four loaded questions? Wired gets hold of the Microsoft "security program manager", and these are all the questions they ask? I'm no M$ fanboy (though I must admit I make a living writing programs for Windows), but surely they can do better than this obvious hatchet job:
WIRED: It's been more than a month since the first news of Download.Ject, and you still haven't issued a real fix for Internet Explorer. How long is it going to take?
In other words: So, when will you stop beating your wife?
Meanwhile, Firefox and Opera look awfully appealing.
Ok, the guy really stepped in it here when he plugged Firefox (though I'm an Opera fan, myself).
What about removing capabilities from IE to beef up security?
You think you'll get him to promise to cut off "capability"-dependent programs (and their programmers) at the knees?
Seems like you're fighting a losing battle.
Objection: counsel is badgering the witness. The only appropriate answer would probably be, "Yes, we are, f*** you very much."
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Windows hasn't been all that secure since, well, forever. Has the horrendous security done anything other than support thousands of jobs and spawned a massive aftermarket security industry?
This
Sounds like an acknowledgment of the extended timeline for something like Palladium/Trusted Computing. I've been curious to hear more about when and where that's actually going to show up.
He also reveals that he runs Firefox.
If you were working in the X division of a company wouldn't YOU be using a competitor's program so that you could know what they were doing to make their side better? I know I would.
In fact, I would be completely disappointed if he DIDN'T run Firefox.
Now I really have a reason to buy Longhorn... I would move to Linux full time but I can't get MySQL running, grr...
Eat My Bad Karma...
I thought having a CTO/CEO declare security as high priority would get the soldiers all in line and squash all those bugs in millions of lines of code. After all, MS is better at writing software than any other corporate entity right?
"it's more of a 10-year timeline... but my stock options will be fully vested in 5 years, so I'll be long gone before the shit hits the fan on security still not being fixed!"
"Freedom means freedom for everybody" -- Dick Cheney
The context made it seem more like he saw an opportunity to mention a flaw in the competing product.
StrategyTalk.com, PC Game Forums
Only four questions? Yikes! That's not much of an article!
Javascript + Nintendo DSi = DSiCade
Download.Ject information is actually here. The exploit referred to above is actually the "what a drag" exploit. Still pretty scary if you ask me.
Anyway, the editor (me) regrets this error. =)
Right is wrong when left is right.
slashdot reveals it will not fix the IT color scheme for 10 more years...
... So please refrain from computing for the next 7 years. Just go about your lives. Pay no attention to the penguin and cute little red daemon over there. Hey look! Over here! Have this complimentary Plush Clippy!
And gee, I thought that service pack 2 with a firewall that can be controlled by ActiveX was going to fix all of those holes!
Oh, wait, actually service pack 2 renders some computer unbootable, so that must be the real trick!
Geez, if I said things like that about my product, to the extent where I wouldn't even use it because it's so insecure, I'd be shown the door in next to no time.
Yeah, who wants to bet that Stephen Toulouse gets a pink slip? It wasn't long after Salon suggested people switch to Firefox or Mozilla until IE was patched, before we learned that MS was selling the magazine.
The dangers of knowledge trigger emotional distress in human beings.
According to the Mayan Calendar We'll only get a year to enjoy it!
The first thing I thought of when I saw the guy's name. Still cracks me up everytime I see it. Am I the only one that thought of this sketch?
I was kidding, dipshit. =)
Right is wrong when left is right.
If everyone is spreading viruses, it ceases to be a stigma, and becomes the accepted norm. Think of it this way:
If everyone had AIDS, you wouldn't have to be all that concerned about STDs now, would you?
New Apple ad:
iMac, it's like a computer with a condom!
But that's just it, at least he had an update to install, MS doesn't release security updates as quickly as it needs to, as the first question mentioned.
his MS timeline will be much shorter now.
Yes buy a car from me today. Look at all the great features! The controls are so easy to use! Any idiot can drive one!
Of course we won't perfect the brakes or the air bags for another 10 years or so, but hey the seat belts work most of the time. So buy my car version "XP" now so you can get a taste of what a safe car of the future will be like
Fine. I'll hold off installing XP until 2011 then.
Norman Cook's Ode to Sl
Man, that's a long time for Mr. Bush to lose sleep. Should not the States just occupy Microsoft, to prevent an obvious, known threat to Homeland Security?
This Slashdot page is being served with a Microsoft ad boasting about their security. Really.
Everyone bashes Microsoft because of their fallible software.
Let's think about this for a moment: ALL SOFTWARE IS INSECURE. Microsoft is just the biggest player, so they are targeted the most often. There have been 'proof-of-concept' viruses written for Linux, Macintosh, even cellphones via BlueTooth.
Compare Microsoft to automobile makers. When they started, they were unsafe. So they added a 'fix' like seatbelts. Then they added crumple zones, an enhancement to make them safe. Airbags, side impact curtains, rear-sensors for backing up, and so on, and so on.
If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?
No... so, maybe we should just START to take a little blame for windows security problems. Stop running that cute screensaver your Aunt Matilda sent you. Don't go to webpages that advertise 'warez' and 'free 3leet mp3z!'
Microsoft is partly to blame, but they're the biggest fish in the sea. Every 'fisherman' is out to get them. When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure... They may get fixed quicker because of the relative smallness and open source attributes, but the bugs are there. Just no one is looking/caring too much. Yet.
(I fully expect to be modded down a bajillion points for making a case for Microsoft here. Go ahead, then)
Check out the best P2P sharing website: MEDIACHEST.COM
What in the blazes does it mean for something to finally be "secure"?? It's not as if it's actually an achievable goal, and it's not as if you'd have a way to detect when you'd achieved it even if it was achievable.
The 100% secure line is an asymptote. You can get fractionally closer to it, but never ever actually achieve it.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
he didn't say that FireFox was his primary browser, he just said that he had to patch it because of a vulnerability.
I would hope that as a program manager he would have a copy of each of the competing browsers on his system, so that he can steal... ah, borrow, ideas from them.
Then tell us if a secure OS is important...
glad to see he is running firefox.
seems these days, everyone is switching over to it because running IE means that you can expect to have your computer taken over every other day.
firefox hopefully will put those anti-spyware programs at least partially out of business.
and
If MS is running firefox, I imagine the next version of IE will look familiar to those of us who have already switched away..
anime+manga together at last.. in real time.
First, someone posted above, the analogy between windows security fix, and Slashdot's terrible "IT" theme.
Second, the idea that an MS head is using firefox is hardly surprising, it's much more at issue that he's willing to admit it to Wired, and doesn't even seem to mind that open source is a better alternative.
Microsoft has had a history of using open source projects, most famously with qmail+unix on their hotmail, but even branching to the MSN gaming zone, etc. It's really not too surprising, considering a lot of the unix foundation implemented in their NT-XP series.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
He also reveals that he runs Firefox
Indeed, parent post is correct. Besides, the article doesn't say that he uses FireFox exclusively by any means. In fact he only mentions FireFox to prove that all browsers are susceptible to attacks.. Here's hoping he also uses NS, Opera, Safari, and whatever browser he can to do testing and research.
Yet more spin by /. zealots who don't take the article at face value.
What kind of pathetic headline is that? When did MS say "MS not expected secure until 2011"?!?! This is called sensationalist GARBAGE, people! Stop putting this swill up as headline material.
Having someone say "it's more of a 10-year timeline" does not equate to "MS not expected secure until 2011"...much less "MS says" 2011. The phrase "more of a..." connotes a generality. The headline is pure, conjured specificity.
Crap like this makes me become seriously disenchanted with Slashdot.
Change the following registry value to 4 and the new "Windows Security Center" will stop working upon reboot... it runs as a service that any admin user can kill. Did I mention that by default all XP users are admin ;)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start
Also, here's a Python script that will automatically kill the new "Windows Firewall" in to XP Service Pack 2. You can bet your ass that hackers are already tampering with this. Click a URL and bam... the firewall goes down.
These are just two examples of what MS does to "secure" their systems. God help us all.
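From the defender's side, the registry change described in the comment above is easy to audit. The following is an added example, not part of the original comment: it scans the text of a `reg export` dump of the Services key and reports watched services whose Start value is 4 (disabled). The sample export, the function names and the watch list are constructed for illustration.

```python
import re

# Meaning of the service "Start" DWORD in the Windows registry.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Services to audit. "wscsvc" is the one named in the comment above; the set
# is an assumption of this example and should be extended to your baseline.
WATCHED = frozenset({"wscsvc"})

# Matches only the service's own key, not subkeys such as ...\wscsvc\Parameters.
SECTION_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\([^\\\]]+)\\Services\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{1,8})$', re.IGNORECASE)

# Constructed sample in .reg text format. A real export written by regedit is
# UTF-16, so decode the file with encoding="utf-16" before passing it in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"DisplayName"="Security Center"
"Start"=dword:00000004
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Messenger]
"Start"=dword:00000004
'''


def read_start_values(text, watched=WATCHED):
    """Map (control_set, service) -> Start value for each watched service."""
    watched = {name.lower() for name in watched}
    values = {}
    current = None  # key of the section being read, or None if not of interest
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION_RE.match(line)
            if m and m.group(2).lower() in watched:
                current = (m.group(1), m.group(2))
            else:
                current = None
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            values[current] = int(m.group(1), 16)
    return values


def find_disabled(text, watched=WATCHED):
    """Return (control_set, service) pairs whose Start value is 4."""
    return [key for key, start in read_start_values(text, watched).items()
            if start == 4]


if __name__ == "__main__":
    for (control_set, service), start in read_start_values(SAMPLE_EXPORT).items():
        label = START_TYPES.get(start, "unknown")
        flag = "  <-- disabled" if start == 4 else ""
        print(f"{control_set}\\Services\\{service}: Start={start} ({label}){flag}")
```

A disabled value in one control set but not another, as in the sample, is itself worth a look because it shows the setting changed between configurations.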
A) A Microsoft representative said that it will take an estimated 11 years to fully secure Windows
B) Slashdot reports this
What spinning or unfair editing took place here? Your pullquote doesn't seem to show anything unfair. Yes, they are reworking key system components. But that still doesn't change the fact that Windows is so insecure that it will, by their own admission, take over 10 years to fix it. That's pretty important.
Take them 10 long years? what are those Microsoft folks doing? smoking a halibut or something? I think Microsoft should start hiring decent programmers and test engineers to test their product before they release.
The Benevelent Software Source is pleased to report that in the last quarter, the seventh three-year-plan for software patches has been overfulfilled by 98%
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
Buy Steampunk Clothing Online!
Great. Linux should be ready for the desktop by then!
Are you...Are you some kind of genius?
No, ma'am, I'm just a regular Slashdot reader.
Guess it's official Microsoft has reached bureaucratic status. That sounds an awful lot like a government timeline. Oh well, the masses are content. So whatever happened to innovate? hmmmm...
Oh they are a monopoly they don't have to do silly things like compete anymore. Too bad there isn't someone out there that created a secure solution already. It's not like Microsoft would steal it and drive them into bankruptcy. Hey, that's a great idea I am sure that some entrepreneur will get right on that....
Not certain what the big deal is about him running firefox. It seems to me the only statement he made was that he has to download patches for that program too not that he exclusively used Firefox as his browser because of security problems with IE.
The only secure computer is one that is turned off and encased in six cubic feet of concrete surrounded by a faraday cage.
Until Windows includes a Mozilla-based browser by default.
I worry about what will happen after that though...
Will Mozilla stagnate without any competing browsers?
Will MS start committing code to Mozilla?
All that we see or seem is but a dream within a dream.
1. Read the C2 security certification guide from the NSA.
:)
http://nsa2.www.conxion.com/
2. Remove the network card from your computer.
3. Install Windows 2000 Workstation.
4. Install all service packs and security hotfixes from Microsoft from CD.
5. Turn off all unnecessary services, including server, messenger, networking, etc...
6. Get 2000lite and nuke internet explorer off your computer.
http://www.litepc.com/
7. Lock down a restricted user for general machine use.
8. Install OpenOffice.org for office applications.
9. Remove floppy and cdrom drives and lock case.
10. Epoxy shut the USB ports to discourage thumbdrive use.
All done! I dare anyone to hack into this machine
My Other Computer Is A Data General Nova III.
The previous year Lucifer appears in the sky, and in the following Windows will be secure... Coincidence or Prophecy... You decide ^^
Funny though, I figured it would take MS more than one year to gather all the souls it would need to sell in order to make it secure... either that or I need to read my EULA more carefully..
meep!
Since when did security become a goal you can achieve after a certain amount of time?
It's something you always need to keep an eye open for, and combat exploits whenever necessary. How can Microsoft say "it's more of a 10-year timeline". That statement alone makes me wonder how sane Microsoft's security program manager is. So Microsoft are going to dismantle their security team in 2011?
What would the Linux community think if Linus went out claiming that "we expect the Linux kernel to be secure in version 3.0"??
Anyone who takes software security seriously should understand that you can never expect a product to be secure after some period of time.
"Secure" is also relative and not at all an absolute term.
Beware: In C++, your friends can see your privates!
I've always felt that MS isn't inherently an evil company, it's just that any company that size is going to screw up. The fact of the matter is that no one else can pull off what MS has done - it takes a huge amount of resources to make some of their products and innovate like they do. Yes, Linux, Firefox, and a host of other free software has pretty much identical functionality, but that functionality wouldn't have ever been thought of without MS. This interview indicates to me that MS is not trying to hide anything, but is instead genuinely trying to improve their products. They know that apps that size are going to have products, and they apologize - it's too bad when they are accused of being a horrible company because of bugs. Applications these days are just too complicated to be completely secure. In recent months MS has actually been very forthcoming with what their plans for the future are. As much as you might like open source, MS's influence has been integral to the development of those technologies. I'm not exactly sure what my point is, but articles like this really make me like MS more - maybe even feel sorry for them as they fight a losing battle against people who want to cause damage to their customers and to the company itself.
If the stupid driver of the car wants to get drunk and drive backwards 100mph down the freeway with no lights on, do we blame the automobile manufacturer?
No, but if Ford releases the new Explorer, that hits a curb, sign, or barrier on average within 15 minutes of getting on the highway for the average driver, and the only way a professional driver can safely go 60 in it is to buy a Honda brand mini-car to drive in front of it and tow it safely out of the way of accidents. When all large companies have company cars, but they require their employees to drive on their special corporate backroads and be hauled in a car carrier truck when on the highway. Maybe, just maybe, we would consider, putting some of the blame on Ford/MS.
By the looks of it Mr. Currently-Owned-by-Microsoft Toulouse does not desire to be desired by Microsoft enough to feel he could die, but that's just what might happen if he keeps working on this mission impossible project.
Ah, you have nothing Toulouse^Wto lose, but your job at Microsoft.
That does it. He's fired.
"Doing what i can, with what i have." ~ Burt Gummer
The key to focus on, however, is that Toulouse has access to fast, easily applied patches for Firefox, while an MSIE flaw is fought with Russian law enforcement. When will the MSIE software be patched? "We're still working on that."
That's the gist of it.
"Even for Slashdot, that was a very obscure reference!" - Anonymous Coward
...to run all those hotfixes.
it won't be taken seriously at all.
So Jupiter will collapse into a sun and Europa will support life before Windows is secure?
Did anyone else read that as "Windows Not Expected Until 2011, Says MS"? I thought Longhorn was pulling a Duke Nukem Forever.
This reminds me of the old ADODB.Stream vulnerability that is (was?) in Internet Explorer 6.
See here for details.
New Apple ad:
iMac, it's like a computer with a condom!
New ad for Linux:
Linux: you can't get infected unless you get laid.
Didn't a Microsoft Executive get fired for recommending FireFox because of an IE security hole?
Everyone so far has missed the point about him saying their security plan was a 10 year plan. Microsoft looked long and hard at the trends and figured out that in 10 years Windows would be displaced as the leading client OS by Linux (or some other system).
Case in point, they are paying out huge dividend this year. Why? So they can all pocket a boat load of money before everyone finds out that Longhorn won't be delivered on time or with all features (see other recent story on /. about this).
So now that they have drawn down that huge cache of money and paid it to all those that hold stock they can cruise control for a few years as they start figuring out ways to sell off portions of the company to turn it into money to put in their pockets.
I believe they have seen the writing on the wall and have started the process of shutting things down. Only problem is that you don't shut down a colossus like Microsoft over night. Very similar to AT&T, they have been in a downward spiral for many years. In AT&T's case they have at most another 5 years before someone picks up the carcass and finishes stripping it. Microsoft will take another 20 years before they finally have squeezed every last nickel out of the user population.
like Firefox stealing the Popup-Blocker Notification bar from the xpsp2 IE release? :) It's a cannibalistic industry.
True, but when you are only at 20%, you still have a LOOOOOOONG way to go. You can start complaining about this when MS is closer to 95-99% :-P
Space for rent, inquire within
In other news Longhorns arrival was postponed until 2012 so it can ship secure.
Give one example of something microsoft innovated and didn't steal from another OS/Company. If you actually do the research, which no one does, you can always find where microsoft stole their ideas and concepts from.
Yes, they do deserve credit for making computing mainstream, but this was inevitable. Now they (and other companies like them) are holding society back. Give them credit for what they deserve credit for. Not for being innovative.
Is the "what a drag" exploit the same as the drag and drop exploit?
:)
I couldn't open the sample exploit listed in the parent, but I could open the one in the link I provided. The proof is safe and scary.
If they are not going to fix these errors, Microsoft should at least give us a naming system! It's hard to discuss the exploits when we don't know how to name them correctly.
Should we call this one "how to skin a windows box"?
> "In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline."
Why am I not surprised. I doubt they'll get it right in 2011 either. Here's a hint... don't use Microsoft Windows. They just admitted that it isn't secure and won't be for years.
> He also reveals that he runs Firefox.
So, Microsoft employees don't even run Microsoft software. This should be a huge hint to people who are dumb enough to run Windows.
It doesn't get better than this!
Microsoft will take TEN YEARS to get secure?
After pissing away thirty billion in R&D money for a one-time stock prop scheme?
And their head of security uses Firefox?
This is like discovering Bush prays to Allah!
BWAHAHAHAHAHA!!!
Hey, how about this theory?! Gates is secretly a hacker like the guy in the Sandra Bullock movie and really wants everybody to be insecure so he can take over the world!
BWAHAHAHAHAHAHA!!!
Mod this troll, mod this flamebait! Is that all you got, huh? Are you nuts? Come at me!
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
We're two and a half years down a much longer road; it's more of a 10-year timeline.
So 2004 minus 2.5 years = 2002 somewhere
2002+10 = 2011?
Slashdot editors fail math? Thats unpossible!
In other words "Windows Expected Insecure Until At Least 2011, Says MS".
--
make install -not war
Screwing the devil is like screwing Saddam!
what, no :P more humor! please!
2011...if that soon!or
sounds optimistic...
or anything like that?
I think he meant it would take until 2011 before they had completed fixes for 100% of the currently known security problems.
So what he's saying is technically possible.
That's a joke folks; start laughing.
Poor guy is really having to struggle to say something that'll make his job look less hopeless. The "patch to Firefox" that he's talking about is actually a patch to a PNG library used by a lot of applications, not just Firefox.
On the other hand, he didn't say "Windows not secure until 2011", and I think his "10 year plan" is more of an acknowledgement of the magnitude of the problem than a hint as to Microsoft's timeline.
I wonder if he's even got the authority to deal with the real problems buried deep in the design of IE. If not, they can take 10 years or 100 years and still not get rid of "cross zone" attacks. I suspect the only hope is that other browser developers will suddenly agree with Microsoft that security zones based on the current location of a file is a much better idea than limiting the potential targets for an attack to just the application that's responsible for downloading and displaying an untrusted document. If that happens, then they'll REALLY be able to argue "everyone else has the same problem" and mean it.
Did anyone else note that the article appears to be from the future (Sept. 2004)? In my time zone, it's still Aug. 30, 2004.
Perhaps Wired has invented a time machine too?
That's not a fix, that's a FUX. It looks like a fix but if you perceive a FUX to be a FIX, you're bound to get FUXED.
Seriously though, they can't fix it without removing IE from the system. You can easily get around their FUX by using a shell call... which makes this bug even scarier.
This is my sig. There are many like it but this one is mine.
So the sweet-heart deal with Symantec is a 15 year thing. Windows has been a security nightmare ever since they cloned Norton utilities and got their ass sued off. Windows could have been air tight. The MS Swiss Cheese approach to security can only be deliberate.
or even "death is good because it creates jobs". Think of the morticians, gravediggers, floral industry, casket industry etc.
I'm sorry, the number you have dialed is an imaginary number. Please rotate your phone 90 degrees and dial again.
Oddly enough I happened to read both the WSJ article and the Toulouse mini-article during my lunch a few minutes ago and came back to find this on slashdot.
I also have to commend the graphic that accompanies the WSJ article. The article says that for the first time ever IE share dropped, presumably because of the virus threat. Also a few words about the Mozilla developers.
For example, they don't use Visual Source Safe. Of course, you don't have to know what's in VSS not to trust it: just try and use it for a project once:)
*** Sigs are a stupid waste of bandwidth.
whoa...
I bet after the "you know what" hits the fan here, this guy is toast... fired.... gabye.... out the door... history.
You don't make that kind of revelation while working for Redmond!..
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
The heavy use of anonymous pointers, multi-function entry points, and DLL initialization/release interactions create an absolute nightmare to maintain.
Even for a relatively small project, you have to spend a fair amount of time just getting code separated into mainline and DLL. Then you get the joy of dealing with the weirdities of the Windows variation on process interaction with DLLs.
I can't imagine any way of securing that spaghetti except to scrap the Win32 API and make the .Net framework the Windows programming layer. Then you can get rid of those holdover APIs from DOS-thunker days and replace the kernel with one that was designed for multi-user security.
You can be grateful Microsoft is finally taking security seriously if you like. I look back on 10-15 years of pager calls, system recoveries, and late projects because of bugs, many of which have never been fixed. My patience with their problems and excuses ended a long, long time ago.
Don't forget Microsoft has been around almost exactly as long as GNU.org. Linux is a pup compared to Windows, yet look how much faster that team addresses problems than the much larger team at Microsoft.
If Microsoft's market share begins hurting because of their security issues, they've no one else to blame but themselves. If the industry demands POSIX server APIs and Windows can't deliver, Microsoft has no one to blame but themselves -- the Cygwin team seems to have managed the task.
Microsoft and a lot of other companies need to get back to re-verifying their core business and refocus on producing marketable products and services. Times change, and last decade's sure winner is last year's end-of-life product. A little less focus on the stock market, and a little more on realistic business models and long-term viability.
I do not fail; I succeed at finding out what does not work.
Hey, if they are bright enough to not use unsecured software, well, it shows that they are quite a bit brighter than the average Windows user.
I prefer the "u" in honour as it seems to be missing these days.
From the article:
Software written by humans will always contain errors.
Should read:
Software written by Microsoft will always contain errors.
I write software that doesn't contain errors, every day, on systems which deal with far more data than the average MS app. It seems to me that Microsoft has no idea what constitutes professionalism:
I understand why the majority of the world runs windows. Most people don't want to complicate things any more than necessary. But the inability of users to grasp technical details does not justify releasing a product, which in any other industry, would be a prime lawsuit candidate under fraud and lemon laws.
The society for a thought-free internet welcomes you.
I've never had to make sure mysql was owned by mysql.
(Whatever you do, don't get me started on ALSA...)
Granted that "it's more of a ten year focus" is a stupid answer, but /.'s criticism is equally stupid. What would the correct answer be? It's not "Yep, we've been at it for two years and we're done. All our software is secure now." Rather, the correct answer is, "We will continue to focus on security for the foreseeable future."
To a software engineer, the much-publicised "Microsoft focus on security" seems actually to have been more of an internal awareness drive. Microsoft just wanted to educate all its programmers so they stopped writing buffer overflows and absurd permissions holes. At the same time, I imagine some existing code was reviewed with an eye toward identifying security holes. All commendable stuff (although it's mindboggling that this sort of thing should even be necessary).
But even with that part supposedly accomplished, security is never "done". Once you start paying attention to it, you're now doing the right thing. You don't stop. The focus on security education may be over. The focus on security as an important part of software engineering should continue as long as, and to the degree that, consumers need secure software.
Why don't they just have their code audited and catch potential problems early on? As many programmers as they have, I don't see why it would take until 2011.
Instead of making the code more complicated and potentially more insecure, include a 32-bit emulation subsystem comparable to the existing 16-bit emulation subsystem in NT/2000/XP.
While I have little kernel development experience, the NT kernel design was led by Dave Cutler, who had previously led development for the RSX-11 and VMS operating systems (VMS has an incredible reputation for security). Here is an interview with Cutler.
Security was an original objective with NT, and I imagine that, from the kernel code, this objective was met.
Where NT security has obviously failed is the userland, where Microsoft rushed to destroy Netscape (et al), and in doing so sacrificed security.
If only Microsoft had maintained a high standard in NT development, perhaps Cutler's claim that UNIX was "a junk OS designed by a committee of Ph.D.s" might have held water.
It's not a switch that can be flipped. Software written by humans will always contain errors.
:)
- Lucas Graves
I like to believe that software can be perfect. I might be wrong at least it keeps me busy.
- Save a tree, eat more woodpeckers
Linux will always be 1 step ahead in security.
MS will always be 1 step ahead in features.
Guess what, features sell. Maybe in the year 3000 things might be different.
I have to agree with you.
Further, to what end will end-user friendliness be compromised for security? Personally, if I were running a business from my computer, or had sensitive information, I would simply unplug the computer from any network and use another computer for web surfing. Still not 100% secure, but my tinfoil hat protects me too.
...of the now obsessive Microsoft article rate on Slashdot. What is this, four Longhorn articles a day now? Even the Microsoft mouse article had a pointless bash of Microsoft Bob for no reason!
SURELY there is something interesting going on with GNOME, or something on the kernel mailing list? Where is the OSS news?
I thought that M$ was already working with BIOS makers on this and that it was already here. This could be an admission that trusted computing is not secure computing.
Friends don't help friends install M$ junk.
There is some truth to Windows being targeted because it is the most popular. However, the example of Apache vs IIS demonstrates that it isn't necessarily the most popular target that is targeted, but the easiest target. That Windows/IE/Outlook are both popular and insecure just makes them even more attractive.
"ALL SOFTWARE IS INSECURE" is just a cheap way of avoiding the fact that some software is less secure than others, that some architectural decisions lead to less secure designs than others, that some corporate environments are more conducive to insecure software than others, etc. The maxim "all sufficiently complicated software contains bugs" is absolutely not an excuse in any way for exceptionally buggy software.
I don't want to abuse your car analogy too much, but if one of the major auto manufacturers was lagging in safety technology by forty years would you still use the excuse that such things are incremental and no car is 100% safe? Did "all cars are capable of crashing" save the Corsair or the Pinto, or were these in fact crap designs?
I couldn't prove that Linux/Mozilla/whatever have fewer vulnerabilities. Nevertheless, your belief that they would be the same, based on the assumption that known vulnerabilities scale with popularity and nothing else, including the design of the software in question I find highly suspect.
The enemies of Democracy are
At first I wanted to make some wry but funny comment about Microsoft's ability to make anything secure but as I was trying to come up with something I realized that "secure" is the sort of term that is hard to define.
What is "secure" anyhow? Is "As secure as a nuclear weapons facility" really secure? Not if we believe 60 Minutes last night. How about "As secure as Ft. Knox" - there was something a few months ago that said that Ft. Knox was susceptible to attack (especially air attack if I remember right).
So, nothing is really secure. Secure is really an analog thing. The keys to your car make your car reasonably secure (and if you want more security, add an alarm). But is your car really secure? No, many a locked and alarmed car have been ripped off.
Banks are secure right? If so, why are they robbed?
Windows will never be secure, because nothing can ever be 100 percent B.S.-free "secure". Not Linux, not Windows, not Ft Knox.
Will Windows be reasonably secure in ten years? Probably by many people's standards, yes. But there will still be need for added security when it is called for. Just like a typical bank has more security than a typical house.
Actually, it's nothing more than yet another completely exaggerated headline on Slashdot. Microsoft didn't say Windows wouldn't be secure until 2011. A security guy there, talking about the browser timeline, mentioned 10 years as a timeline for clamping down software.
He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such.
What really happened is some L00nux d00d fanboy caught wind of this Wired sidebar "interview," drew conclusions that had nothing to do with the content of it, wrote up a Slashdot summary with a completely biased headline with the knowledge that Slashdot's editors would jump on it, then just kicked back and waited. Voilà, instant typical Microsoft Slashdot article.
I don't like Microsoft's tactics any more than the next guy, but honestly this website has degenerated into complete biased silliness with regards to its Microsoft coverage. No Microsoft-owned "tech news" site would be able to get away with this if they did this to Linux, but when an OSTG-owned "tech news" site does it, it's all right...interesting, seeing as how OSTG sells and makes money off of OSS products and all.
Hrm... That 2011 date is awfully close to the Mayan end time scenario of 2012.
So what really causes the singularity and the end of time is a secure version of Windows on a Quantum computer? Since both being a paradox of existence, it tears the fabric of space-time and bringing about Armageddon?
Or at least a good day to think about patching reality v1.
If "100% secure" has any meaning at all, I'd say it means the software does what it's expected to. Although it's probably not practical at the moment, it's not impossible to write a provably correct OS and software.
Of course, that doesn't prove that the CPU and other hardware running the software doesn't have flaws that make the computer insecure, but that doesn't mean the OS itself can't be called completely secure. It's like running a completely provably secure web browser on a mere mortal operating system: the browser can still be called secure even if it isn't in that context.
I suppose one could also say that the specifications themselves could have bugs in them, especially since they might have similar complexity to the software... but it's still something to think about.
Anyway, in general, I agree with you. Although a quick google search for "provably correct operating system" returned at least one interesting result, I doubt if anything as powerful as Linux or Windows will be made this way in a long long time.
I just don't like it when people assume that computer science cannot be anything other than empirical.
Each language has its purpose, however humble. -- The Tao of Programming
When Linux or Mac or Mozilla or whatever becomes the primary player, they will be found out to have just as many liabilities in the security department, I'm sure...
The historical record does not support your assertion.
Microsoft was not always the dominant player, and it is not the dominant player in all markets. In markets where they are not the dominant player it is still common to find exploits for Microsoft applications outnumbering non-Microsoft applications.
A technical examination of the exploits fails to support your conclusion.
There are entire classes of security holes, like "cross zone" exploits, that only exist because Microsoft's software is using fundamentally unsound designs. There are classes of exploits that nobody even bothers to seriously track on Windows because Windows is missing the security boundary that such an exploit would attack: there can't be a "break chroot" exploit in Windows because Windows doesn't have "chroot", and the equivalent of a "local root" exploit on Windows is uninteresting because enough Windows users run as Administrator all the time... because that's how Microsoft sets the default user up... that it's irrelevant.
Microsoft's design is such that they only have to fail in one place, and at that point the game is over, the attacker has won. On other platforms the attacker has to first get their exploit into an environment where it might be executed, then (because automatically executing untrusted content is a Microsoft innovation) they have to trick the user into executing them, and then they have a fairly limited ability to cause problems until they break root. And it's possible to run your browser in a chrooted environment or jail to add a fourth hurdle that must be overcome before they can change any system or executable files. On BSD a fifth layer of security, the immutable flag, would mean they'd then have to wait for a reboot before they could have a hope of compromising the system.
Why does UNIX have all these layers of security? Because it was developed in a hostile multiuser environment from early days. Particularly BSD: you have professors and students working on the same computers, with the only thing keeping the students away from their professor's files (next week's test, their grades) was the local security. This isn't all that unusual, most operating systems developed during the '70s and early '80s were subject to the same evolutionary pressure... and UNIX-based operating systems benefit from that historical background.
Windows was not developed for a secure environment. The assumption was that there was really only one local user and he could do anything. When NT was shoehorned underneath this, most of the security capabilities had to be bypassed because they made things just too hard for applications that had been developed for a more trusting environment. It will require a significant redesign *and* breaking many many applications (for example, every application that uses the HTML control) to fix this.
I don't see that happening. That's why I said this guy has a really tough job.
As yes, as someone else so well put it, "Finding a vulnerability is like finding a fish. If the pond is overfished, it's harder to find them. Hackers are rather evenly split between running Linux and running Mac OSX. As much as a few professional NASCAR drivers drive Dodge Neons, a negligible amount of skilled hackers use Windows as their primary OS. Not to mention, many Win32 fish are given out for free by Microsoft when releasing patches. Here, there can be only one option. Even extremely modern versions of Windows have a TC0 much lower than older Linuxes" Why is it that the Microsoft sea never seems to run out of big, ugly fish?
Friends don't help friends install M$ junk.
Of course it's possible, you just don't let anyone use the machine. Therefore, by 2011 they've created an OS that goes directly to BSOD on boot, and never even checks the keyboard and network cards. This will of course revolutionize the way we use computers, and will finally get rid of the driver hell we currently have.
It's The Golden Rule: "He who has the gold makes the rules."
The objection is not that Microsoft's software is insecure, but rather that their closest competition has at least two orders of magnitude fewer exploits and viruses than they.
If hundreds of exploits per month were discovered for Macs or Linux, your point would be valid. Problem is, the number of exploits available for all computers systems since the 50's is easily less than the number discovered in Windows in one year.
To make matters worse the rate at which exploits are being discovered is increasing, not decreasing, or even remaining stable. And this from a company making three billion dollars a month. How is it then, that a bunch of ragtag volunteers put together a more secure OS than a company which can spend a billion dollars a month on development?
Microsoft Windows, and the attendant problems it has experienced has brought shame on the entire profession. It isn't a matter of a few human errors here and there - Microsoft releases code with wanton disregard for the effects it will have on the user. You would expect more from such a successful company, but apparently, Microsoft believes the professional standards followed by the rest of the industry simply do not apply to them.
And that, is why they get bashed. They dismiss the wisdom gained by years of computer science, and when their systems run rampant with bugs and security holes, they claim that such lofty goals as security and reliability are unattainable - in spite of the fact that their peers who did heed the lessons of computer science have managed to build such systems.
The society for a thought-free internet welcomes you.
So you're saying that an interview with only 4 questions isn't an interview? Exactly how many questions must it have, then? Is 5 enough? 6? I'm grateful when anybody in the media asks challenging questions. It's not like the media was harassing somebody that doesn't have anything to do with the security of their software, for pete's sake.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
From now on we should outsource non-humans to write all software
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline."
I didn't read the article. This was Bush talking about Iraq, right?
free online diet tracking.
From the article:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
I presume that Toulouse was referring to the update that fixed the "shell:" exploit.... this was only a problem with Firefox on Windows machines, because the flaw is inherent in the OS, not in the Firefox browser.
True, security is an issue about which everyone in the industry should be concerned. Call a spade a spade, though... Microsoft is well behind the curve.
-- Halfabee
You are right, he did not make any promises other than to work on it.
In ten years Winblows will still be the easiest to exploit OS around. Three years ago, they promised to make security "job #1" more important than new features. Yesterday, they promised new features for a new OS that will be out two years from now, but are here saying that security may be here in 10 years. If your memory allows you to put those two statements in your head at once, you should conclude that M$ lied three years ago and that security is nothing but an empty promise for M$ three years ago, now and ten years into the future.
Microsoft, however, might not be around to worry about it.
Friends don't help friends install M$ junk.
If they start now, they can build a BSD system with exclusive support for NTFS as their filesystem and their own version of WINE. This would make a whole LOT of things possible and fix a whole lot of problems.
Is it pride or are they just that stupid?
That's because it is turned off.
I thought you had advanced beyond our primitive Download.Ject technology...on the Moon!
Your mind is squeezed by a blast of pain!
Although I agree with you questioning the definition, I disagree with your subsequent line of reasoning. An end user should not be expected to have to become a car mechanic to just run a car, but this is precisely what Windows is presently asking.
I've switched people (end users, not techies) to both Mac and Linux, and in both cases there was a general relief of not having to patch so much (I let them try for a month first). "So much" is the defining factor here - it's way, waaay too much for a common end user (and now well beyond the capability of an average modem to cope with, see SecurityFocus.com). To stay with car analogies, the Windows end users now run cars that need a brake fluid change every half mile. And when they ask the dealer they are told that the next car they buy will be better - out in the next couple of years or so.
Ask yourself: would you really, really like to buy another car of that make when there is a growing mountain of evidence that it can be different? Those I switched over didn't want to go back once they passed that first "It's new and scary" hump. That tells me more than marketing campaigns or "facts" give me.
Enough is enough - they had their chance. Anyone responsible for running a business should start to look at the risks they run - and insurances should start to have a good look at how much risk they insure if the business runs Windows.
Insert
Microsoft actually releases a secure OS.
I too am getting sick of YAMBOSHS. (Yet Another Microsoft Bug Or Security Hole Story).
Windows isn't secure. It probably won't be for the foreseeable future. Get over it... There's not much point in restating the obvious. Yes, we know Windows is a toy; maybe someday, it will qualify as a real Operating System. Till then, there's not much point in talking about security or reliability in the context of Windows, because, in spite of what Redmond says, things aren't getting better.
When people mention the success of Windows, and infer that "it must be good, 'cause everybody uses it...", I ask them what they think of New Kids On The Block. The response is usually something like, "Well, they talk tough... but I can't see my grandmother being scared of them... they're kind of just posers..."
And then I say "Microsoft is New Kids On The Block":
- They talk about security and reliability, but can't deliver.
- Everywhere you go, you see their ad.
- They seem popular, but anyone who knows anything about the business regards them as a bunch of wannabes.
It's kind of like that. The rest of the corporate world quietly computes on UNIX and Mainframes as Microsoft claims another security "victory" in a battle already won long ago by UNIX and Mainframes. They talk of reinventing computing - using ideas implemented long ago in MVS... (WinFS, anyone?) We sit back, chuckle and grin, and think to ourselves, "You know, someday, they might just write something useful..."
But there's really little point in getting all riled up. Microsoft has had 20 years to develop a secure OS; there's no reason to believe that Longhorn will be any different from the rest...
The society for a thought-free internet welcomes you.
Mac OS X
Or, you could count Linux.
If you really wanted to get going, even OS/2.
Wow, I just got trolled. Oops...
Oh well....
While being wrong is not a good thing, I commend Microsoft for admitting they need THAT much time, as well as him running Firefox. I actually think more highly of their security team. I respect truth, even if its admission of wrong.
and it goes like this:
Say it right: "Nuc-le-ah Powah".
I'm really starting to wonder that by the time Longhorn is released, will anyone really care? The hardcore will have read enough articles to make their eyes bleed. The linux folk will continue life as usual. Some of the better features have already been stripped. Microsoft says 2006, but I don't trust MS to keep a launch on schedule for two more years.
I may have to share this planet with animals, but I'm doing my damn best to eat every last one of them.
This is great news! So the next question is, when will Windows 95 be expected to be secure? I can't wait!
Your comment was:
"He doesn't "reveal" that he uses Firefox either. Nowhere in the article does it state such."
To quote TFA:
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."
Please RTFA before posting corrections to the comments of others. Thank you.
I have no axe to grind either way with IE or Firefox but it tickles me no end reading all the evangelical crap here about how marvellous Firefox is. I recently switched to it as my main browser (v0.9.3) and now Slashdot only loads three times out of five. The other times I get the stuff down the left and the rest is blank. I can no longer read topics by anything except the default view, and to post this I have had to fire up IE. What a choice - a browser that is supposedly secure but cannot reliably load the site where its most fervent supporters hang out, or one that works but has more holes than swiss cheese. Sigh.
Linux users do not normally run as root, nor does Linux software expect a user to run as root. Products that require root privs to operate are generally designed to switch to a lesser account or drop all unneeded privs immediately after starting.
By contrast, Windows users run almost exclusively as administrator. This is in part due to the unfortunate fact that a large number of Windows-based software products will not function properly unless the user has administrator privs.
So no, these are not equivalent situations at all.
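The startup pattern the comment above describes (do the one step that needs root, then give root up for good), as an added C example that is not part of the original post or of any project named in this thread. The function name `drop_privileges`, the uid/gid 65534 ("nobody" on many Linux systems) and port 80 are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define UNPRIV_UID 65534         /* assumption: "nobody" */
#define UNPRIV_GID 65534         /* assumption: "nogroup"/"nobody" */

/* Permanently switch the calling process to an unprivileged uid/gid.
 * Returns 0 on success, -1 on failure. On failure the caller should
 * exit rather than continue with whatever identity is left. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* "Dropping" to root is a configuration error: refuse it outright. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }

    /* 1. Supplementary groups first. Only root may change them, and a
     *    leftover membership in a privileged group survives setgid(). */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;

    /* 2. Group before user: once the uid is gone, gid can't be changed. */
    if (setgid(gid) != 0)
        return -1;

    /* 3. Called as root, setuid() sets real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;

    /* 4. Verify the drop is irreversible and every id is what we asked
     *    for. An unchecked or partial drop is the classic failure mode. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    return 0;
}

int main(void)
{
    /* Privileged step: bind a port below 1024 while still root. */
    struct sockaddr_in addr = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(80);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        perror("bind (needs root)");
        return 1;
    }

    /* Everything after this line runs without root. */
    if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0) {
        perror("drop_privileges");
        return 1;
    }

    printf("port 80 bound, now running as uid=%d gid=%d\n",
           (int)getuid(), (int)getgid());
    close(fd);
    return 0;
}
```

The already-bound socket stays usable after the drop, which is why the order (privileged step, then drop, then parse untrusted input) matters.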
10 years? Even the Soviets had 5 year plans. Who knew their bureaucracy grinds twice as slow as that of the Soviets.
Getting everyone in the Windows world to that point is the stated goal of the MS security initiative. The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.
They're ALREADY 10 years late, DOH!
Oh. Correction. NINE years. When Microsoft launched Windows 95 with Internet Explorer included, they just did that as a marketing hype. They were NOT concerned with security, the option of having various user accounts was not very clear in 9x. Well, at least it wasn't obvious. (And guess what - you need WinXP _PRO_ ($$$) to set up advanced file "sharing" under the administrative tools)
Oh, what happened with ActiveX controls? Did they care about security? No, it was just another lame way of getting rid of Netscape plugins in favor of their own implementation.
But wait, let's go back further in history. Remember the nasty MS Word viruses, even before the "web" was worldy available?
Wait, wait! It gets better! DOS. Ever seen those BIOS "virus" alerts? Well those should have been implemented by the Operating System, because the BIOS cannot REALLY know if something's a virus.
DOS should have implemented a decent secure File System. Unix already had those user thingies called "privileges" and the famous read-write-execute attributes.
Face it. When security wasn't even in Microsoft's radar screen, the *nix world was already eating, drinking and breathing security. It's been around 15 years and the Microsoft guys are _JUST_ realizing what this is about.
So, Yeah, I can really understand why Microsoft's goals are long term. To change THEIR WHOLE WAY OF DESIGNING SOFTWARE is a long term goal, DOH!
the Inquirer everyday, taking statements out of context and making them headlines. This is the type of hit count whoring I expect out of Ziff Davis and Dvorak, not the supposed beacon of geek culture.
To be 100% secure, you must demonstrate the following:
None of this requires the typical "inspect 'til you collapse of old age" method of securing software. If a component is verified or proven, then it's 100% bullet-proof, or damn close. By then placing the additional constraint that it can't do anything outside of a rigidly-defined scope, you render any flaws that do remain unable to be exploited.
As great as this method is, there are problems. Specifications, of any meaningful size, are extremely difficult to write. Most Software Engineers don't bother, precisely because it is so hard to do well enough to be useful.
Proving a specification as complete and robust is relatively straight-forward, but still very time-consuming (and therefore expensive).
Mathematically proving that a program is both a complete and sufficient implementation of a specification (ie: any case that can happen to one will happen to both in exactly the same way) is absolutely horrible to do. Even a relatively simple, short function can take days to prove. Something like the Linux kernel would take decades - by which time the kernel you'd verified would be so out-of-date as to be useless.
Making a function 100% bullet-proof on the resource front isn't easy. Resources aren't so easy to handle in pure mathematics, because they are finite in size, react in finite time intervals, and otherwise behave in inconveniently Real World-ish ways. Here, you'd have to demonstrate a total mapping between the theoretical ideal and the physical reality, and the appropriate trapping/handling of errors and extreme conditions.
Finally, the security model. It is always possible to miss something, even when using very exacting, detailed models to describe the behaviour of software. It is also always possible for someone who understands the behaviour well enough to exploit what should happen, for their own purposes. By running every single component of the software through a security model that rigorously controls what can happen, you trap any missed errors and any correct but abused behaviour.
I mentioned that this was difficult, time-consuming and expensive. A company the size of Microsoft, investing every cent it had into formal software verification, could probably produce a 100% secure version of the Linux kernel within a year or so. It would then go broke, having spent nothing on making an income in all that time. The "security" would last up to the next kernel patch, after which new bugs may well have been introduced.
"But that means it's impossible!" No, not quite. If, say, the US Government invested that kind of money into Linux security, you could be looking at provably-secure "A1-compliant" full-featured Linux distributions by 2011. It's not impossible. But it's not that likely, either.
There are no "provably secure" commercial or free OS' in existence, and any military ones that exist are probably very specialised, extremely secret, and utterly impossible to maintain. (The number of people who could maintain such a beast is extremely small, and not growing any larger. With the move away from robust designs, those who even could do the work have no incentive to keep those skills honed.)
I do not expect to live to see the day where there is even mo
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Hee hee hee... I find the following bit from Microsoft's instructions on how to clean the trojans funny:
Basically, they're saying that you don't have IE in pants-down mode, so their ActiveX scripty-do can't run. Is that ironic, or just amusing?
Please, let us not be so unfair to Microsoft. No system is 100% secure. I am sure that by 2011 OpenBSD might have another two or maybe even three local exploits in some services not installed by default. Security is very hard and nothing is totally secure, be it Windows, OpenBSD, KeyKOS or EROS--no difference.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
"Windows Not Expected Secure Until 2011, Says Microsoft."
Wow, what an optimism! Personally, I wouldn't expect Windows secure until the next ice age in Hell--but Microsoft? Those people have got vision, genius and determination! Meanwhile, any sane admin will continue using Debian and EROS for at least 7 more years, thank you very much.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
In the case of Winblows, it should be a complete and radical rebuild. They can start with a kernel that really keeps track of memory usage, has real PIDs, users and file based permissions for user, group, world, read, write, execute and force it on applications. Lord knows, they've broken enough of their erstwhile competitor's programs to have done this already. Other nifty ideas would be not running email clients and web browsers that auto-open anything as close to root with permissions to overwrite system files. People have been telling them that their single user mode junk was not internet ready since DOS and winblows 3.1, you would think they understood by now and would implement some of the features of the OSes they copied, VMS, Unix, etc.
What would happen to Windows if it was stagnant while every line of code was scrutinized: it'll lose.
That's happening now, but I doubt every line is being "scrutinized" while they blunder along with DRM features and database filesystems. A rebuild would be quicker than such scrutiny anyway.
Compare (honestly) the security of 2003 against XP
You mean that thing that banks and others run that just got totally owned by the makers of download.ject? I don't have to honestly compare that to that other OS I don't run because others have done it for me.
Why do people listen to Microsoft anymore? Due to monumental arrogance, they never listen to anyone else. "Best Windows Ever" again? Who's going to believe that?
Friends don't help friends install M$ junk.
The irony, of course, is that MS admits they can't combine usability with security.
Of course, the site was probably created with that bloated monster FrontPage and running on that famous security sieve IIS.
You are in a maze of twisty little passages, all alike.
I see a lot of posts complaining that "it's more of a ten year timeline" got turned into 2011. But no one seems to have noticed that 2011 is 7 years away, not 10. The slashdot headline, if taking the MS rep as literally as the critics are claiming, should have said that Windows would not be secure until 2014.
If your wife had a 10-year timeline plan to finally be faithful, would you wait?
can your car go as fast as my bicycle?
can my sister pee farther than my uncle?
how many different programs can you burn dvd's with in linux?
how many linux computers can play doom 3?
I'm not playing favorites, just objecting to your biased list.
every day http://en.wikipedia.org/wiki/Special:Random
Correct me if I'm wrong but isn't 2011 the end of the Mayan calendar. This means that the world, according to the calendar of the ancients, will end just as Microsoft gets its security act together.
Well, what the heck good is that?
Some of us would like to use our PC before then.
What I mean is, sure, all the earth cracking and bismuth would add a whole new dimension to playing those antique games, but we only get a year or less of game play and then we're all snuffed cataclysmically.
That's hardly what I'd call productive software engineering.
I'm not buying windows anymore. It's time to
send all that money to Burt Rutan so we can get off this rock.
I wonder what's over at http://www.happypenguin.org
With Longhorn (or maybe since it's had its most valuable assets removed we should call it Steerhorn) due out in 2006 and Security not reached until 2011, does that mean that Windows isn't expecting a secure product until Steerhorn's replacement?!?
Oh well maybe by the time my 4 year old graduates from college Windows will be a viable OS. They've always had potential as a desktop OS but keep falling short.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
Like there's actually going to *be* a Windows or Microsoft by 2011.
If a Christian says he prays to a different god, then he does. A scholarly analysis proves nothing, because mainstream Christian, Judaic, and Islamic beliefs are not based on scientific, scholarly debate.
To put it another way, you can't say that my imaginary friend is the same as your imaginary friend just because they're both loosely based on, say, Yoda. Neither friend is provable in the "real world", just as neither the Islamic nor the Christian god is provable. Their existence is entirely subjective and while that doesn't make them any less real (IMO), it does make them immune to this sort of logic.
Microsoft announced they will release their first real operating system, dubbed Windows 2008, in 2010.
>The 100% secure line is an asymptote.
Exactly. Anyone who thinks that any company is going to invest two years, ten years, or a zillion years and then have a "secure" product is missing the point.
What I hope Mr. Toulouse meant is that the current project of excising bad security decisions is a ten-year project. That's realistic for a code base whose DNA dates back to the days of friendly networks or no networks at all.
(If anybody doesn't recognize the quote in the title, it's from Bruce Schneier).
Is it a fix? Or is it a fux? No! It's a fox! Firefox!!!
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Pay no attention to the penguin and cute little red daemon over there.
Hey! That "cute little red daemon" has a name, you insensitive clod!
That's lady Ceren Ercen for you!
And go with Mac OS X... they will have at least one cash cow, MS Office X ported as is.
Windows needs a redesign.
'A lie if repeated often enough, becomes the truth.' - Goebbels
which version of windows has more GUI features than the latest KDE or GNOME?
Without editing files and getting complicated? 95/98/Me/2000/XP/NT 4
Pardon me, but I've used KDE for quite some time now but I never edited a single KDE config file. Since I started using Linux I've done less configuration fiddling than under Windows.
All the other answers are also simply flamebait or plain incorrect (maybe except the hardware thing). For example, BSD 'is' not the only operating system that is more secure than windows.
I actually found that link useful, since the color scheme here is very hard on the eyes.
No. I can complain about it now, when people mistakenly believe it is even possible to calculate those percentages you post. The whole point is that you don't even *know* where the line is. So you never know what percentage you are at.
The evils of MS are too important to be using stupid logic to water down rhetoric against them. The arguments against them are stronger when they are better thought-out.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
If a component is verified or proven, then it's 100% bullet-proof, or damn close.
By throwing in that caveat of "or damn close", you just shot down your own argument.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Wired: IE sucks, do you release this?
M$ Guy: Well, it's not as simple as that. We're constantly analyzing IE to make it a better product.
W: Firefox or Opera kicks your ass, just say it.
M: There certainly are areas we can improve on, and we're currently redoing IE to make it more secure and feature-rich.
W: M$ SuX0rS! Admit it now!
M: We're committed to making IE an industry-leader and we appreciate user feedback.
The interview was just four questions where the interviewer just spouted nonsense. I don't blame the marketing droid responses, there weren't any questions to respond to.
Is this a quality interview from Wired?
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
lollergates. Like lollerskates, but cost more money than the second to seventh richest people evar!111! have put together.
"Yes, sir, don't worry about the problem, we'll have it all worked out and fixed for you by 2011."
If there was ever an excuse to use an alternative software supplier to Microsoft, this is it.
Gentoo Linux - another day, another USE flag.
really within 10 yrs that is good news !
Chris ,
Php Programmers.
If Microsoft claims that their operating system won't be insecure until 2011, why are people still using it?
Who moved my sig?
Hello,
here's a Python script that will automatically kill the new "Windows Firewall" in to XP Service Pack 2.
I probably use XP first version (no SPs). I disabled Firewall by using the tool "msconfig" ( start from the command line ). Works pretty fine : no need to play with registry, or scripts, or ...
Regards - Z.
I believe it is a slightly different kind of "securing" he talks about. Let me tell you a story:
;D
I live in Latvia and constantly use internet banking services. Every customer-oriented bank here has a web interface where we can overview our accounts, shares, investments, debts, credits, fill different forms online, request new features, etc, etc, etc. A proper virtual bank.
A colleague from USA came to work with us and company opened a local account for him as well. And now the interesting part: after working in quite high profile company in USA as a security advisor (or smth like that) he simply couldn't grasp how it comes that we, here, in exCommie state, a developing, third world with average salary of 2500 usd per year, could have so secure, efficient and usable internet banking services. From what he told me, he was used to authenticate with his card number and pin on http:// site in his american bank.
The point: Our banks started to develop their internet banking solutions (and infrastructure in general) when technology was quite mature and security implications were already well known and easy to avoid. Hell, nobody here even understands why you should use cheques, if you can quickly get in closest internet cafe, with computers usually ridden with spyware and keyloggers and totally securely, within 10 seconds, transfer any amount to whom you please.
However the pioneers took all the burden to find out the problems the hard way and now simply cannot afford to change their insecure, obsolete and dangerous web interfaces to something at least half as secure and efficient as we have here. It would be too much of an investment.
And here comes the moral: Those 10 years are the time Microsoft will require to move most of their applications and operating system to the point where any security starts to become a possibility. Or, we will see a 1995/6 year story with mac. They dumped their macOS as FUBAR and acquired NeXT to gain a necessary expertise to create a better os for their needs.
Anyway - who needs Microsoft. MacOSX is reasonably secure, easy to use and damn sexy today. And for a similar performance costs about the same as that dual cpu athlon 64 you are thinking to buy
Linux will never be. There will be just another FreeBSD fork with proper graphics and useable software.
This was available all the way back in Windows 95 days as well via a system administration tool on the Windows 95 CDROM (in a folder labelled administration tools or something like that ironically) called poledit (Policy Editor). It's existed since Windows file-sharing began. Of course you're right that it isn't obvious, it would involve reading a lot of documentation to know it existed.
Keith D.
This is a site dedicated to getting page views, not providing unbiased news. As a bonus, this continuing trend of over-hyped drivel gets people reading the articles so they don't sound like an idiot when they concur with the original poster.
"Don't waste your time or time will waste you" -MUSE
Since when? IF so, I want a bicycle that's designed to go fast, I'm sure there'd be a market for it. But I think that bicycles are designed to go as fast as possible given the power source is a human being.
Make it run on a NTFS partition, please.
Now, I'm very grateful. A virus that takes advantage of their security holes cannot hurt my Linux partitions. My family may lose their data, but most of mine will be invisible and out of reach. The only thing of importance I keep on the FAT partitions are music and tv shows. Actually, I do have pictures on the ntfs partition and I think I will make copies of them in Linux right now.
Ops, I shuld have usd the prevuwe but in.
However, correct me if I'm wrong, but I do believe that *nixes are just as popular for servers. That T-* connection sure looks tempting for abuse of some kind. This is the same reason I have tinted windows on my car and keep temptations out of view. Nobody is going to break my windows if there is nothing visible to take. My wife's window was just broken because my daughter's purse was left in it. That expensive damage for a purse they got nothing valuable out of. I believe hackers are going to go for the most tempting victim. Sometimes Linux systems are compromised, but rootkits hunters find when that happens. Some times the offender can be traced, but the server will be backed up and reinstalled quickly. The thing with *nixes is that each one is different and with Linux, each distro is different. Linux flaws really are patched quicker than Windows. When the software is already free and the code is available, it is harder to pass off warez. There is a whole community of developers with eyes out. With Windows, there is a whole company of eyes out and we don't know how long between discovery of problem and release of the "fix".
I suppose on one key part, you are right. When the same lazy people start using Linux and run as root in spite of the window warnings telling them not to, Linux will be just as insecure. Windows XP has the ability to be more secure, but nobody is using it. My MIS department set me to connect to the network as a user with Administrator privileges. I haven't figured out yet, how to connect as a lower pivaledged(sp) user. I set up the account, but it does not connect. I guess I should ask them. They were too busy to put the anti-virus program on; I had to do it myself.
My company does use MS ISA server. Thankfully, our drafting program is on AIX.
Ops, I shuld have usd the prevuwe but in.
...I have been installing various flavours of Linux (mostly Xandros 2) on more than 50 PC's over the last few months -- mostly for HOME users. These are ordinary Joe Soaps who have reached the stage where they are totally fed up with all the malware infesting Windows boxes. And they do not have the time to download an 80 mb patch.... which doesn't work properly. Just last night an MCSE phoned me and asked for a copy of Xandros Open Ed. -- appears he went online with his XP machine and was compromised within 5 minutes.
Microsoft made it big when their CONSUMER product, Win95, took off big time. Consumers are now starting to discover easy-to-use Linux distro's, such as Xandros and Suse, and being able to surf the Web safely is a Big Thing. All these Joes want is to read their emails, surf the Web and do some simple budgeting on a spreadsheet -- and they are all VERY happy with their "new" computers.
The point is that CONSUMERS created the support base for MS in '95, and CONSUMERS are now quietly moving away from MS. Mark my words: 2004 will go down in history as the tipping year. I live in a small town, and the number of people using Linux is surprising, and INCREASING. A Quiet Revolution indeed.
Arguably true my ass.
XP is a decent product, and it's not terribly hard to harden. Take a Windows XP box, turn on auto-updates, run FireFox, and be done with it
"Windows Update?" that's the thing I disable on any system I install. "But why?" you may ask. I'll tell you why: because they don't work. Typically they break functionality, and restart services I've specifically disabled. I don't need extra services running on linux or windows, but they scare the heck out of me on windows, I never know when a service will have a hole discovered.
I'll give you that there are many linux distributions which are not secure, especially red hat. I've stopped running them, for the most part, simply because of all the unnecessary services loaded initially. I see all kinds of security hole posted for linux applications, but most of them are in version ".x" e.g. prerelease, so I don't really expect less. Sometimes an older one will have a security hole but typically the comment along side it is:" we're not sure how you'd use this but there's genuinely a flaw here; so we fixed it. "
Getting everyone in the Windows world to that point is the stated goal of the MS security initiative.
Mostly I think windows takes a bad rap on slashdot more because of "trusted computing" and "microsoft security model" , etc, than because there's a huge gap. But I do know that IE _IS_ the root of their problems and SP2 is just a sign of that. Since they say they can get as much scrutiny as they say they can, of their OS, then, these sorts of things shouldn't be happening. Linux only has these in post-release because A) they release as beta/ prebeta, and B) because of deeply hidden flaws like the one recently found in the kb5 lib.
The Slashdot headline made it seem like a MS rep said point blank that to make Windows secure would take until 2011. And that is pretty clear.
Also I'd like to point out that newspaper headlines are almost always misleading, but I'm sure I would have drawn the same conclusion, even though the thought of Microsoft changing the focus that much is just unbelievable.
Can I be a Luddite too?
Unless you are using mathematically PROVABLE methodologies (got an assignment statement? there goes provability....), there will be the risk of bugs in the code.
Your suggestions are good for REDUCING the number of errors. They won't ELIMINATE errors completely.
//Information does not want to be free; it wants to breed.