IE Holes Not Microsoft's Fault, Says Bill
thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?
Yes, viri, trojans and spyware tend to be third party. The problem is, IE lets you download these and execute, sometimes by just viewing a page.
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
So, pray tell, how is making a horribly insecure third-party application model (DirectX) and then complaining about how people are exploiting it supposed to hold water? YOU ARE THE API DEVELOPER. IT IS YOUR RESPONSIBILITY TO ANTICIPATE POTENTIAL ABUSES.
Because if I'm reading this right, then that's exactly what Gates is doing. No wonder Microsoft's products are so shitty; they think that security is something that happens to other people.
It's just a matter of scale.
;)
A pristine WinXP box will be compromised in 20 minutes (on average).
I'm still waiting for my unfirewalled 'nix box to be rooted
I'm not talking pure heuristic detection, because a perfect heuristic detector is theoretically impossible. But why can't Microsoft build in a scanner that downloads virus definitions?
Virtually all of the viruses of the last five years or so have been Microsoft viruses. (Boot sector viruses are soo last millennium, and everybody's BIOS already detects those.) Not "PC" viruses, not "MS-DOS" viruses, but specifically "Microsoft Windows" viruses. Since they seem to be at the forefront of providing the virus delivery systems, why do I have to pay someone else (like Symantec) to protect me from them? Why isn't patching these defects included in the purchase price of this obviously defective product?
John
Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?
Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
Let us all remember the line above then. Nothing is going to change?
I think it will
The power of accurate observation is commonly called cynicism by those who have not got it. -- G.B. Shaw
I need lessons with Bill so I improve my English. I guess it's easy to learn it, if you stretch the meaning of the words as much as Bill.
Watching a website outside microsoft.com=downloading third party software.
Then you should use Portable Firefox on a flash drive at school. Jack in the thumb drive. Run PortableFirefox. You get to bring your own bookmarks and cookies with you, and leave nothing like log files behind. And 32MB drives are available for about $10.00 (check the clearance bins at places like Micro Center or wherever.)
John
> I want to know why Bill Gates thinks it can't be built in.
It can't be built in due to the anti-trust lawsuit MS is/was in over integrating IE, Media Player and all the rest into Windows.
MS don't want another suit to appear for 'trying to cripple the AV industry' by providing an AV software package with Windows. Sophos et al. would not be happy and they'd unfreeze the Super-Lawyers and let them loose!
Ahem......assuming D:\ is the USB key, before you plug it into a Windows machine. You can also set the read-only attribute via right clicking on the file in Explorer and going to properties (obviously, on your own, hopefully clean, Windows machine). There, all better now.
To the grandparent: Thank you for pointing that project out. It truly shows that having the source code to software open and available can lead to all sorts of interesting - and very useful - things.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
They tried everything to stop people from doing safety studies and stopping laws making safety devices mandatory. It did not fit their marketing image to have to put safety features in.
Sounds very similar eh? Gates blames insecurity on bad users. The car industry blamed it on bad drivers (this fits marketing as no one thinks of themselves as a bad driver).
Until enough studies came out showing how dangerous cars were (things like the steering column being a spear aimed at your chest) and the public started to get aware and government was starting to take action ONLY then and very slowly did the car industry do something. That still won't do anything until laws enforce the use of seatbelts and even then you will have idiots claiming using seatbelts is unsafe. Same as I have met a person (not heard about, actually talked to myself) who didn't use anti-virus software because it was reading their files.
So don't hold your breath waiting for MS to move on its own. SP2 was already a huge achievement. Anything more will only come after a long long struggle.
Or a very short one if you install the flippered OS. Or the horned one if you're into necrophilia. Then again, that is like driving a Volvo. Not cool. Sure your kids might survive an accident but who cares about that eh?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Software CAN kill you though.
There have been cases where 911 systems went down due to software glitches (Windows IIRC), that can certainly put a hurt on your life expectancy (in the case I'm thinking of, the phones stayed on, but the computer systems died, so they had to dispatch the ol' fashioned way).
Or Medical databases, mix up what drugs someone is taking when prescribing new ones and that software glitch can certainly be hazardous to your health, if not kill you. Small risk, since there's a double check (Doctor and Pharmacist), but there.
Or the computers in your car, big error in one of those chips and BAD things can happen. Or air traffic control. SCADA (old crappy UNIX, being replaced by new crappy Windows) systems. Fly by wire. Etc. Etc.
Software can definitely kill you, it permeates so much of our lives a glitch in the right place can actually kill you. Don't lose sleep over it, a real gremlin has to be in the works for this to happen and for no actual person to be there to compensate for it.
Now, your desktop software decision isn't likely to do so.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
I was amused by that, too. I was tempted to call bull, but technically they are interested in interoperability.
It's just that they seem to believe that everyone else should have to pay them for the privilege of being interoperable.
It's great from a business point of view, but not much use from a F/OSS point of view, unless projects manage to pick up a sponsor who would be willing to shell out to license the technology and manage to do it in such a way as is compatible with whatever license they're using.
Tiggs
"120 chars should be enough for everyone..."
Maybe the reason is different?
If you would steal a car, would it be Toyota or BMW? I mean, if I was a haxor trying to steal someone's CC, it would be $3000 dual G5 owner rather than $500 Taiwan OEM owner.
Or... Something real interesting showed up when I checked my Internet Plugins folder (Yes, Mac IE even uses Netscape plugin arch).
cable25-100:/Library/Internet Plug-Ins ilgaz$ ls -l
total 72
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 DRM Plugin.bundle
drwxrwxr-x 3 root admin 102 6 Jul 22:00 Flash Player.plugin
-rwxrwxr-x 1 root admin 963 22 Jul 17:09 Java Applet Plugin Enabler
drwxrwxr-x 3 root admin 102 22 Jul 17:23 Java Applet.plugin
drwxrwxr-x 3 root admin 102 31 Aug 05:17 JavaPluginCocoa.bundle
-rw-rw-r-- 1 root admin 4752 22 Jul 17:09 NP-PPC-Dir-Shockwave
drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin.xpt
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin
-rw-rw-r-- 1 root admin 856 22 Mar 2004 flashplayer.xpt
-rw-rw-r-- 1 root admin 2394 1 Apr 2004 nsIQTScriptablePlugin.xpt
Look which company's plugin is installed in an awful insecure way?
Microsoft!
While at it, if you don't have "spyware" concerns, as an admin user, go to www.pcpitstop.com (in fact, they aren't spying) and run their tests...
See the amazing things ActiveX can do! That's the root of the problem.
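The listing in the comment above shows two plugin entries with mode drwxrwxrwx, which any local account can modify. As an added example (not part of the original comment), this shell function reports such entries under a plugin directory; the function names are hypothetical and the directory is supplied by the caller.

```shell
#!/bin/sh
# Added example: report entries under a browser plugin directory that any
# local user can modify. Function names are hypothetical.

# Print every path below DIR whose "other" write bit is set.
audit_plugin_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -perm -0002 matches modes with the world-write bit set.
    # Symlinks always display as rwxrwxrwx, so they are skipped to avoid
    # false positives; the link target is what matters.
    # The search is recursive: a bundle with a safe top-level mode can
    # still contain a world-writable binary inside it.
    find "$dir" -mindepth 1 ! -type l -perm -0002 -print
}

# Number of world-writable paths found (0 means nothing to fix).
# Counts lines, so it assumes file names without embedded newlines.
count_world_writable() {
    audit_plugin_dir "$1" | wc -l | tr -d ' '
}

# Run the audit when the script is given a directory argument, e.g.
#   sh audit.sh "/Library/Internet Plug-Ins"
if [ "$#" -ge 1 ]; then
    audit_plugin_dir "$1"
fi
```

Anything it prints can be tightened with `chmod o-w` on that path, after confirming the owner is the account that should be maintaining the plugin.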
Gates: What the consumer wants is pretty clear: a single remote control that lets them navigate photos, music, videos, TV in a very rich way. They want to see that on any screen in the house and then have a great portable device where they can take that stuff wherever they want anytime. The full realization of that dream is still years away, but we've taken a dramatic step in delivering that with Media Center.
I think it'd be great if we could beat Microsoft to the punch by offering all of this and more using Linux and open formats (not WMA Bill!). It seems like there is already a lot of work in the area going on (MythTV, Freevo, Mister House, VLC) but is any of this ready to be easily set up by the average Joe? Is there any work being done to put all the pieces together? Perhaps a modded distribution geared specifically to creating and setting up a Media Center type environment. Not only could a Linux-based solution put anything from MS to shame, it could also force Movies/TV/Music industries to support open formats if the Linux Media Center becomes the dominant player.
Am I dreaming or can the open source community take the lead here?
I suggest that M$ removes all IExplorer, WMplayers, CD burning etc. software from Windows, and sell them for $10. The price is reasonable because you don't need to pay extra developers for these stupid programs. Then we will have free competition market, and choice. Maybe then M$ Windows would be on any PC.
For what it's worth, Ubuntu actually disables the root account by default so you have to sudo everything.
(I'm sure other distros do that too, but Ubuntu stands out in my mind because I had to wrestle with it unexpectedly over the weekend.)
"Lawyers are for sucks."
- Doug McKenzie
That is a fringe example and doesn't have any effect on the main thrust of the argument. Making the boot media read-only in an effort to stop security holes is like cutting off your legs so that you won't accidentally stub your toe. You are right that Microsoft will never provide that as an option - because it doesn't make any sense for ordinary use.
Karma: -2147483648 (Mostly affected by integer overflow)
I recently installed Windows 2000 on my sister's computer. For some reason I forgot to disconnect the network cable and before I had even started to install a firewall, it was compromised.
In all seriousness, the time of first boot to compromisation was under three minutes.
I daresay it was my own fault for forgetting about the network cable, but even so...
After that, I experimented with a Unix computer connected directly to the internet instead of being behind a router, as is my normal practise. Like you said, I waited a month for it to get rooted. Never happened. Eventually I put it back behind the router.
If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.
I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -
No, Windows is not just as secure. The point is that there are lots of script kiddies constantly scanning the range of ports used for cable and dsl networked computers. Once they get a response, they scan all the ports on that IP looking for open/vulnerable services. They target Windows because the vast majority of computers on the Internet are running Windows. Look at all the posts in this thread. You can find numerous accounts where Windows computers were infected within minutes of being connected to the Internet.
It's possible that Linux/Unix would be far less secure if it received as much attention from the hacker community, but there are some good arguments that it wouldn't be. Linux/Unix has been a part of the Internet since it was first conceived and the programmers that have worked on Linux and UNIX have generally been more aware of networking and security issues.
Linux has a much more modular design than Windows. Windows has been tightly integrated on the basis of Marketing and Legal rather than Engineering decisions. I doubt that Windows will ever be secure without substantial redesign of the entire OS. Unless Microsoft is successful at throwing up legal roadblocks, Linux is going to continue to outstrip Windows in security, reliability, and eventually usability.
-All that is gold does not glitter - Tolkien
www.ra
> Gates: It's not a thing you build in.
This is because Microsoft allows spyware to be installed as part of its critical updates!
Last month I watched as a friend:
During the last update and spyware scan cycle, AdAware discovered a spyware issue in the registry!
FYI: The spyware entry came into my friend's system as a result of one of these Microsoft critical updates:
AdAware discovered:
For more info on ALEXA spyware see:
This is not the 1st time that I have seen somebody install a Microsoft critical update and receive spyware. No wonder Gates is not interested in building anti-spyware into his products!
chongo (was here)
$ whois 63.161.169.137
Sprint SPRN-BLKS (NET-63-160-0-0-1) 63.160.0.0 - 63.175.255.255
FEMA SPRINTLINK (NET-63-161-169-0-1) 63.161.169.0 - 63.161.169.255
whitehouse.gov is on FEMA's network? Interesting. Though it kind of makes sense if you think about it.
Accept Eris as your Fnord and personally sate her