IE Holes Not Microsoft's Fault, Says Bill

thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?

No thanks

[BWJones]

Gates: Understand those are cases where you are downloading third-party software.'

Hrmmmm. Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows........Why is that Mr. Gates? Furthermore, I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

Moving along: Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box? What does that tell us about the quality of your products? After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive? Under your logic, those features would only work if I paid a monthly premium.

You know, I kept waiting for something better to happen with Windows, but I have work to do and things to create, so I'll stick with OS X and my Macintosh. Thanks anyway.

Re:No thanks

[etnoy]

Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

[risk of being devil's advocate]
Just for clarification, is that computer hooked up directly on the internet without firewall, or is it running behind a NAT router? I am not sure if it is true, but most of the Linux distros' default installation aren't to good to hook up directly onto the net.
[/risk]

Re:No thanks

[gforceamg]

So, by "third-party software" is he referring to all plugins and prorgrams for IE? Or is he referring to just those programs not made by M$?

Re:No thanks

[mibus]

It's just a matter of scale.

A pristine WinXP box will be compromised in 20 minutes (on average).

I'm still waiting for my unfirewalled 'nix box to be rooted ;)

Re:No thanks

[Jugalator]

Hrmmmm. Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows........Why is that Mr. Gates?

Because you haven't been downloading spyware and such things?

I mean, it's no secret that downloaded software ran under admin privilegies can do basically whatever it wish to your system, regardless if it's a Mac or not.

A big problem to me is that MS doesn't even *try* to tell that working in admin mode all the time is very bad.

Re:No thanks

[drumist]

After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive?

So you're saying the antilock brakes will work forever if you don't regularly service them? Cars need to be maintained, too, and that is part of the necessary "service". In fact, an improperly maintained ABS would be more dangerous than standard brakes.

Re:No thanks

[notthe9]

I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

Impossible! You must be lying!

(Sorry, I realize this mihgt not be defensible, but I accidently checked the "Always Trust Microsoft" box during an install a few years ago. If only I could turn back time.)

Re:No thanks

[grcumb]

"I'm still waiting for my unfirewalled 'nix box to be rooted ;)"

Oh, it won't be rooted... again. I've tightened things up nicely, now.

P.S. Thanks for the porn!

Re:No thanks

[WilyCoder]

Ownage! What Mrs. Bill says is pure PR spin. Man, Fuck him (yes, with a capital F)!

Re:No thanks

[zakezuke]

I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised.

Have you done the same experiment with win2k pro with either SP1 or SP2? It's only fair since boxes are shipping with both service packs. I don't disagree with you, i've noted that buying a PC equiped with winxp home edition to this day still will get infected right out of the box. I've not observed this under SP2.

Why is {[virus proection something]You have to offer a service} Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box?

I have to agree with Bill on this one. Even if you are not paying a fee for your virus proection, it is a service that someone provides. This is diffrent from an automobile with airbags because you typicaly don't have to update/replace your airbags. You do have to pay to get your car serviced and you do have to update your virus definations. Now given that windows will auto update, you could argue that this is something that microsoft should provide out of the box. Frankly I'm glad they don't as compitition is good motive for the virus software companies to improve their product, and there are a number of free solutions that are really good. Avast and AVG come to mind.

Re:No thanks

[Zork+the+Almighty]

I think he is referring to the viruses and worms.

Re:No thanks

[nsillik]

... digital bytes never get old or need to be routinely checked by some paid worker

Well, while I agree that Microsoft should bundle anti-virus/spam/spyware/any-bad-thin with their OS, I don't think that this statement is right. I'm sure that the people who work for Symantec and MacAffee would be very unhappy to hear that they are not paid workers. Both of these companies, and presumably MSFT if they were to bundle anti-whatever software, must be constantly updated to detect the changes in viruses and what-have-you.

Re:No thanks

[Tim+C]

Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows

That'll be because no-one targets the Mac with spyware or viruses, because Windows is a soft enough target and has vastly more market share; it's not worth their while to yet.

Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates?

Because if he did, he'd have avs companies and MS-unfriendly tech sites screaming bloody murder about MS using their monopoly to enter new markets, just like they did when they first included a firewall. They can only weather so much of that before people start muttering "anti-trust" and starting court procedings. They're in the middle of getting slapped for that sort of thing here in the EU, I don't suppose they want another one just yet.

Re:No thanks

[strider44]

Of course the simple solution is not to run under admin. I like the way that linux actually forces (well it doesn't but severly recommends) the user not to run something under admin. Then again usually for newbies spyware can be installed as easily as

Installation Instructions
1. Login as root
...

Re:No thanks

[strider44]

*sigh* having more market share is not an excuse. Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes.

Re:No thanks

[asadsalm]

Q: Might you add anti-virus/spyware protection in Windows?

Gates: It's not a thing you build in.

Us: But a browser is a thing you can build in ... Right?

Re:No thanks

[Negatyfus]

To be fair, a Windows machine would be targeted sooner and more overwhelmingly than a *nix box. Age-old argument, but still true.

Re:No thanks

[EqualSlash]

I guess you are making a point but stating that even an unfirewalled 'nix box won't be compromised is farfetched.

Re:No thanks

[bakes]

I think I remember a recent /. story that said the average was now down to about 12 minutes.

But, maybe SP2 takes it back out to 20mins.

Re:No thanks

[mikkom]

Most of the servers are unix boxes that are connected to internat and many of them don't have firewall. Simply because there are no services that need to be firewalled.

Windows instead has many "default" services that you can't turn off.

Re:No thanks

[Tim+C]

*sigh* I'm talking about viruses and malware, not remote exploits - don't worry though, I'm used to people mixing the two up.

There's also the (always ignored) point that most script kiddies "grow up" (you know what I mean) targetting Windows, and so once they've found an IIS exploit they have lots of ready-made 'ware and experience with which to root the box. On the other hand, the vast majority of apache installs are on Linux, for which they generally have neither.

With literally tens of millions of machines to choose from and generally nothing tangible to gain, why bother going for anything but the easiest of targets? That's ignoring the other fact that the vast majority of people targetting machines are just using exploits developed by one of handful of actual crackers, too. Besides which, by far and away the most commonly compromised type of box is the desktop, and the vast majority of those run Windows. It's very much rarer for a server to be compromised, mostly because most of them are maintained by people who know what they're doing, unlike the vast majority of desktops...

Re:No thanks

[ajd1474]

If MS included Anti-virus, serious Firewall software and whatever else you feel they should include to make it "secure", you'd be the first person up in arms claiming it to be another example of MS using their monopoly to push out competitors.

Everyone wants MS to remove things like CD-burning, Media Player, IE etc because it is anti-competitive and now you WANT THEM to build MORE APPS IN??

Also, motor companies do NOT make Airbags, ABS and skid control... they are usually made by third party companies (Bosch for example). So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldnt get a choice, and that we should add another $50 to the cost? Sounds anti-competitive to me. Sounds like you're another /. er who trips over their own arguments in an effort to be the first to bash MS.

Re:No thanks

[stephanruby]

"*sigh* I'm talking about viruses and malware, not remote exploits - don't worry though, I'm used to people mixing the two up. "

He wasn't criticizing what you said, he was criticizing your reasoning behind what you said. If what you said is true for "viruses" and "malware", why wouldn't it be also true for "remote exploits"?

It sounds to me like you came up with an overgeneralization and now you're trying to rationalize it in face of contradictory evidence. *sight* You can be as impatient with us as you want and you can patronize us all you want, but your backtracking rationalization about the technical proficiency of users doesn't hold much water. For me, the only reason I first installed Apache was because I had no clue about how I could install Microsoft's Personal Web Server. I suspect it's the same for most users. Apache simply worked out of the box, that's it magic and that's partly why it has the biggest marketshare.

Re:No thanks

[aichpvee]

You're obviously very confused. The *nix box "can" be compromised, but probably won't be. The windows box "WILL" be comprimised, and in a matter of minutes.

Whether things would be reversed along with the marketshare, it's impossible to say. But there's really no way anyone can do it worse than what microsoft is doing.

Re:No thanks

63.161.169.137

Take your best shot, kiddie!

Re:No thanks

[shut_up_man]

Ah, I see - It's our fault for using those nasty third party viruses and worms. We should be sticking with the official Microsoft virus and worm family, that are, by a massive stroke of irony, totally harmless to our systems.

Apparently the upcoming version of Windows will have enhanced official viruses too, that do even less but will need significantly more powerful hardware to run.

Re:No thanks

[thegrassyknowl]

It's not a thing you build in. You have to offer a service......

But we'll build in a browser, mail client, media player, etc to hold on to our monopoly.

Re:No thanks

[buffer-overflowed]

Software CAN kill you though.

There have been cases where 911 systems went down due to software glitches(Windows IIRC), that can certainly put a hurt on your life expectancy(in the case I'm thinking of, the phones stayed on, but the computer systems died, so they had to dispatch the 'ol fashioned way).

Or Medical databases, mix up what drugs someone is taking when prescribing new ones and that software glitch can certainly be hazardous to your health, if not kill you. Small risk, since there's a double check(Doctor and Pharmacist), but there.

Or the computers in your car, big error in one of those chips and BAD things can happen. Or airtraffic control. SCADA(old crappy UNIX, being replaced by new crappy Windows) systems. Fly by wire. Etc. Etc.

Software can definately kill you, it permeates so much of our lives a glitch in the right place can actually kill you. Don't lose sleep over it, a real gremlin has to be in the works for this to happen and for no actual person to be there to compensate for it.

Now, your desktop software decision isn't likely to do so.

Re:No thanks

[tuxlove]

You're not playing devil's advocate, your point is just irrelevant. The original poster's point is that there are plenty of security holes that have nothing to do with downloading third party software. You can get compromised by reading your email, visiting websites (there are dozens of known vulnerabilities) or even having your computer sitting idle on the Internet, all of which have nothing to do with downloading third party software. A firewall is moot for the first two, and irrelevant for the third, because as soon as you take away the firewall the machine's toast w/o downloading a thing. Putting a NAT router in front of Windows doesn't fix it, it just masks the problem Bill Gates says isn't there.

Re:No thanks

[ozmanjusri]

It's simple to get a *nix box which can not be compromised. Any of the Demolinux/Knoppix live distros which can boot from an inexpensive RO media are almost uncrackable, and even if the box were somehow compromised, all you'd need to do to clean it is reboot. That's not something MS will ever allow with Windows.

Re:No thanks

[Ilgaz]

Maybe the reason is different?

If you would steal a car, would it be Toyota or BMW? I mean, if I was a haxor trying to steal someones CC, it would be $3000 dual G5 owner rather than $500 Taiwan OEM owner.

Or... Something real interesting showed up when I check my Internet Plugins folder (Yes, mac IE even uses Netscape plugin arch)

cable25-100:/Library/Internet Plug-Ins ilgaz$ ls -l
total 72
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 DRM Plugin.bundle
drwxrwxr-x 3 root admin 102 6 Jul 22:00 Flash Player.plugin
-rwxrwxr-x 1 root admin 963 22 Jul 17:09 Java Applet Plugin Enabler
drwxrwxr-x 3 root admin 102 22 Jul 17:23 Java Applet.plugin
drwxrwxr-x 3 root admin 102 31 Aug 05:17 JavaPluginCocoa.bundle
-rw-rw-r-- 1 root admin 4752 22 Jul 17:09 NP-PPC-Dir-Shockwave
drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin.xpt
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin
-rw-rw-r-- 1 root admin 856 22 Mar 2004 flashplayer.xpt
-rw-rw-r-- 1 root admin 2394 1 Apr 2004 nsIQTScriptablePlugin.xpt

Look which companies plugin is installed in awful insecure way?

Microsoft!

While at it, if you don't have "spyware" concerns, as a admin user, go to www.pcpitstop.com (in fact, they aren'T spying) and run their tests...

See the amazing things ActiveX can do! Thats the root of problem.

Re:No thanks

[PipsqueakOnAP133]

20 minutes? Holy shit, where do you work? Antarctica on a 300 baud modem? The time it takes now for infection is on the range of seconds.

When CodeRed came out, some of us actually noted it on the job at UC Berkeley ResComp.
The shortest one was on the range of 5 minutes., barely enough time to do an update from windows update.

Years later, for Welchia, etc, it was within 1 minute that we'd see the machine do the reboot by itself. So the infection actually took place before that (since the rest of the minute was the download and install of the virus)

Re:No thanks

[Ilgaz]

"Moderators: Read posts twice before wasting your points modding up trolls."

It seems mods didn't care about your signature on this topic. Proof? Your posts score :)

I tell you one interesting thing. While it was working back in 2003, I updated a 68030 Mac Duo laptop 7.6's modem driver from Apple site. I even had support about how to add more ram. That machine is back from 1994 or something.

OS X updates aren't service packs, they are new OS'es. 10.3.0 is a new OS , 10.3.1 is a service pack.

About antivirus and anti adware? As its a BSD based real OS, its run by rights. As its a pain in the ass to code a spyware on linux, its much more harder on OS X. Guess why? OS X shows a user friendly window which is centralized by OS GUI whenever a program needs administrative access.

Oh there is a program on OS X, comes with it and has a unsolved security problem. Yes, it still exists. Guess what is it? INTERNET EXPLORER macintosh edition.

Re:No thanks

Yes, and your wife is very attractive, keep up the good work. I only want to know who those other women are.

Re:No thanks

[Atrax]

Yes, Age of Mythology requires admin rights. Good game too.

This KB article makes a passing mention of this, but doesn't tell you which games require Admin privs.

Really I think this is just bad design - they could be written to operate normally under non-admin accounts, but ren't. and it's not just games - numerous applications on windows do this for various reasons (registry access/file access etc..)

Re:No thanks

no sex *and* no porn. you poor b*stard. Divorce her and join a monastery, it'll be easier and cheaper ;)

Re:No thanks

[bickerdyke]

No no.. Bill is completly right.

All those viruses, dialers and worms comming in via email, malicious websites and so on, ARE Third party software indeed.

Or is WinXP now delivered with preinstalles Melissa-Virus?

Re:No thanks

[Shokac]

I suggest that M$ removes all IExplorer, WMplayers, CD burning etc. software from Windows, and sell them for $10. The price is reasonable becouse you don't need to pay extra developers fot this stupid programs. Then we will have free comptetition market, and choise. Maybe then M$ Windows would be on any PC.

Re:No thanks

[shintaro]

Please do not try to reason with the /. crowd when it comes to MS. Just say no!

Re:No thanks

[Jugalator]

well, it is mentioned here [microsoft.com], but yes, it should certainly be more prominent than that. that's the first example I could find after probably 10-15 minutes of looking.

Yeah, it's possibly mentioned on the web, but why not in their OS? Why not hide the admin account after a Windows install? Why not have a red bar at the top of the Windows screen saying "Warning: You are logged in as an administrator. Click here for the implications this cause"?

No one should need to be logged in like that except in very rare cases, like when upgrading system drivers. The annoying part is that Windows is nowadays a multi-user OS with personal user profiles and healthy amounts of file system and OS restrictions one can set. They just make use of them incredibly poorly for the average user, which needs some restrictions most of all because of their inexperience.

Re:No thanks

[fafaforza]

But isn't unix a server os? Isn't its main purpose to run network services and applications? I realize you can use it on the desktop, but Unix/Linux is a server OS.

Windows (XP especially) is a consumer OS. It isn't supposed to be serving any networked services. Why are things like DCOM, NetBIOS, Messanger, etc running on XP, which is installed mostly on consumer computers. Anyone remember how blazingly fast that DCOM hole was exploited and spread, how many Windows boxes went down at once, and how much bandwidh was consumed?

If microsoft closed those services, there would be a dozen fewer eggs on its face. At least if you install Linux, you might have a few things running, like SSH, and RPC. RPC you close automatically, but exploits in SSH are not as easily and automatically exploited like DCOM.

Re:No thanks

[dasunt]

*sigh* having more market share is not an excuse. Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes.

There are two problems:

1) Security of the default install. Microsoft isn't too bad in this department, but OS software tends to be better.

2) Technical capability of the users. OS wins, hands down, in this department. If OS ever replaced MS for the masses, I'm sure we'd have many viruses running around. Window VB viruses don't even need a security hole -- there are enough ignorant people out there who will happily run as root and click on executable attachments. Speaking of security holes, there are many more users that will happily run a box unpatched.

#2 is a valid excuse, and I don't fault Microsoft for mentioning it.

As for #1, does the average user want a secure OS? MacOS X, another OS-for-the-masses, appears to be able to impliment some security features (auto-updates, root password prompt) without confusing non-technical users, which indicates room for growth, but to be honest, the same marketing decision behind many other poor-security decisions is active in Windows.

Re:No thanks

[Ice_Balrog]

A firewall and virus scanner are important to a Windows box running well (or at all). A media player, CD-burning app, and web browser are not. See the difference?

Re:No thanks

[thepoch]

Argh I'm beginning to sound like a broken CD lately, having to always repeat myself.

It isn't only that Microsoft doesn't even try to tell people that using Admin all the time is bad. It's also the stupid developers that never test their software with non-Admin accounts. And don't even start to talk about RunAs. That's broken as well for most apps.

The only way for all this nonsense to hopefully be worked out is if Microsoft forced developers by making the default account a "User" account. Not even a "Power User" as that's pretty lame as well. Then every app out there will be forced to store their settings in the user's respective "Documents and Settings" folder. At this time, a lot of apps still store settings in either C:\Program Files\ or in HKEY_LOCAL_MACHINE. I'd rather have it in my own C:\D & S\username\Application Data folder and in HKEY_CURRENT_USER. This makes it more similar to *nix where it stores all settings in my /home/username in .files or .directories.

Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.

Re:No thanks

[Asprin]

For what it's worth, Ubuntu actually disables the root account by default so you have to sudo everything.

(I'm sure other distros do that too, but Ubuntu stands out in my mind because I had to wrestle with it unexpectedly over the weekend.)

Re:No thanks

[Ford+Prefect]

The example you're using is a directory, not a file. According to your logic, Apple's Quicktime plugin is also installed insecurely.

Quite a few things on MacOS X are directories, even though they appear as single objects in the Finder (applications are a good example of this).

It's more the Unix-style permissions you should be looking at:

drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin

Directory, owner (root) can read, add to, delete from and list contents; group (admin) can read, add to, delete from and list contents; everyone else can read and list contents.

drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin

Directory, owner (ilgaz) can read, add to, delete from and list contents; group (ilgaz) can read, add to, delete from and list contents; everyone else can read, add to, delete from and list contents.

So, basically, any old user could delete some important executable file from the Windows Media Plugin directory and replace it with one of their own. It's not even got the root:admin user stuff like a normal system file...

Re:No thanks

[skraps]

That is a fringe example and doesn't have any effect on the main thrust of the argument. Making the boot media read-only in an effort to stop security holes is like cutting off your legs so that you won't accidentally stub your toe. You are right that Microsoft will never provide that as an option - because it doesn't make any sense for ordinary use.

Re:No thanks

[Mike+Morgan]

I thought that that would work too. I set my mom up as a restricted user under Windows 2000. After about 6 months the machine was clogged with spyware and would no longer dial.

I wrote a program to detect what directories were still writeable as the restricted user, turned out to be quite a few (even including C:\).

Re:No thanks

[DigitumDei]

What people fail to realise, is that if we had all listened to Bill in the beginning and realised that the internet was not going to get big and thus never "forced" him to destroy netscape, we wouldn't have this problem. ;)

Re:No thanks

[smacktits]

I recently installed Windows 2000 on my sister's computer. For some reason I forgot to disconnect the network cable ahd before I had even started to install a firewall, it was compromised.

In all seriousness, the time of first boot to compromisation was under three minutes.

I daresay it was my own fault for forgetting about the network cable, but even so...

After that, I experimented with a Unix computer connected directly to the internet instead of being behind a router, as is my normal practise. Like you said, I waited a month for it to get rooted. Never happened. Eventually I put it back behind the router.

Re:No thanks

[ConceptJunkie]

Everyone wants MS to remove things like CD-burning, Media Player, IE etc because it is anti-competitive and now you WANT THEM to build MORE APPS IN??

I don't. I just want them to build in stuff that doesn't suck.

I always thought this bundling issue was just an excuse for Netscape to whine because they couldn't write a good browser (or more specifically, that they had a good browser and MS'ed it up by bloating it beyond usability). No one complains that Windows comes with WordPad, which as far as I'm concerned is all the word processor I need.

Re:No thanks

[doob]

I'd venture to say most people who use OS X are logged in as admins.

Even if this is true (but may not be, see below) being an admin under OSX is very different than being an admin under Windows. On Windows, you have rw permissions on everything, whereas under OSX, all it means is that you are in the sudoers file. This means that in order to do anything dangerous, you still need to type in your password again to gain (temporary) root privs.

Can someone else comment on how the OSX install/add user process prompts you to set up permissions. AFAICR the user is set up as a normal user first, and you then have to explicitly go to the user manager and give them admin permissions. Very different to Windows, where you are prompted to set up an admin user as part of the install process!

Re:No thanks

[DMadCat]

So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldnt get a choice, and that we should add another $50 to the cost?

Nope. I'm suggesting they scrap this train-wreck of an OS and rebuild from the Kernel up. With all they've learned about security patching maybe next time they can get it right.

Re:No thanks

[IamTheRealMike]

That'll be because no-one targets the Mac with spyware or viruses, because Windows is a soft enough target and has vastly more market share; it's not worth their while to yet.

Yes indeed. Given Apples history of remote code execution via web pages in Outlook stylie (look up the disk:// and help exploits), I think the only thing really "protecting" the Mac is statistical irrelevance. Same is true of Linux to some extent.

Re:No thanks

[ewg]

Mac OS X is the same way, FWIW. sudo only, from accounts with appropriate permission.

Re:No thanks

[ultranova]

Unfortunately, running as a normal user won't do any good in a single-user system. After all, you have the right to access your own folders, and thus are still vulnerable to malware which installs there - you just can't pollute other users with it.

Linux isn't immune to this problem either. It was designed to sandbox users from each other, but a single normal user will find it difficult to sandbox individual processes. Any process running at my privileges can access all my files, install cron jobs to be run automatically at machine boot, etc.

A real solution is a fine-grained permission control. For example, a Web browser should be able to read it's configuration files and plugins/extensions, connect to any Internet address, and write to the bookmark file(s) and download and cache directorie(s). It shouldn't be able to do anything else. If there was an easy way to do this, even if the browser was compromised by a web site, there wouldn't be much that site could do. Especially if you could set the bookmark and configuration files to be stored as a "journaled" file, which would record the changes to it and allow returning to any given point in time. Obviously, you'd also need to move any downloaded files away from the download folder and check them with MD5/SHA1 checksums to avoid tampering (but how do you get that checksum, if you suspect your browser has been compromised ?)

I'd imagine something like this could be done with relative ease with Hurd, since one of it's design goals is to allow each user to replace parts of the operating system (even the file systems) with new parts without disturbing others. So you could install a translator to control access to your home directory or any subdirectories (but of course such translators can also be removed by programs runnign with your permissions - that's one permission that should be droppable).

An alternative way would be to allow users to build and set up "subusers" - simply add 32 bits to processes (and files) user id. The complete id would then be in the form of userid.subid. Userid.0 would have all the rights of the user, while userid.1 would be a "subuser" and have limited rights (the system would basically make userid.0 the root of his own home directory). This could also be generalized into a hierarchical authority tree, allowing individual programs to run parts of them as more restricted users (for example, a p2p-application could generate separate processes for managing file storage and network connectivity, allowing the part that touches the network to run without any access to filesystem and thus reducing the likelihood of a bug in it from causing damage).

To summarize: the traditional access controls are designed to protect users from each other. This is not enough. A single unprivileged user needs an easy way to make sandboxes for programs to run in. If the computer is a house divided with walls to different rooms for each user, then all those users need the ability to further subdivide their own rooms with more walls, and they must be able to make/remove those walls without help from the janitor (administrator).

Re:No thanks

[SlamMan]

That is correct for additional users. The original user created during install is an Administrator.

Re:No thanks

[jadenyk]

Well, it's pretty easy to make a Windows box that can not be compromised as well.

Remove the power cord.

Re:No thanks

[chongo]

> Q: Might you add anti-virus/spyware protection in Windows?
> Gates: It's not a thing you build in.

This is because Microsoft allows spyware to be installed as part of its critical updates!

Last month I watched as a friend:

1. removed his machine form the network
2. installed Windows 2000 on a new box from CDs
3. installed both spybot and AdAware 6.0 pro (anti-spyware tools).
4. ran a scan of the system (no spyware problems were found)
5. plugged in his machine behind a firewall
6. accessed (via IE) the Microsoft OS updates and office 2000 updates sites
7. downloaded the service packs and critical updates
8. disconnected his system from the network
9. installed the service packs and critical updates
10. Reran the spyware scan
11. looped back to step 5 until there were no more service packs and critical updates to install in step 6/7

During the last update and spyware scan cycle, AdAware discovered a spyware issue in the registry!

FYI: The spyware entry came into by friends system as a result of one of these Microsoft critical updates:

• Office 2000 Service Pack 3 - English version
• Outlook 2000 SR-1 View Control Security Update
• Office 2000 Security Update: UA Control Vulnerability
• Office 2000 Security Patch: KB822035
• Word 2000 Security Patch: KB830347
• Word 2000 Security Patch: KB824936
• Excel 2000 Security Patch: KB830349
• Outlook 2000 Update: December 18, 2002 - English version
• Outlook 2000 Collaboration Data Objects (CDO) Update: Security - English version
• Microsoft Office 2000/Windows 2000 Registry Repair Utility - English version
• Office 2000 WordPerfect 5.x Converter Security Patch: KB824993 - English version
• Access 2000 Snapshot Viewer Security Patch: KB826292 - English version
• Security Update for Office 2000: WordPerfect 5.x Converter (KB873380) - English version
• Microsoft GDI+ Detection Tool (KB873374)
• Security Update for Internet Explorer 6 Service Pack 1 (KB833989)

AdAware discovered:

ArchiveData(auto-quarantine- 20-09-2004 10-33-41.bckp)
ALEXA
obj[0]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa0 03c157a}

For more info on ALEXA spyware see:

• http://www.itellu.com/spyware_alexa.htm
• http://simplythebest.net/info/spyware/alexa_spywar e.html

This is not the 1st time that I have seen somebody install a Microsoft critical update and receive spyware. No wonder Gates is not interested in building anti-spyware into his products!

Re:No thanks

[akh]

$ whois 63.161.169.137
Sprint SPRN-BLKS (NET-63-160-0-0-1) 63.160.0.0 - 63.175.255.255
FEMA SPRINTLINK (NET-63-161-169-0-1) 63.161.169.0 - 63.161.169.255

whitehouse.gov is on FEMA's network? Interesting. Though it kind of makes sense if you think about.

Re:No thanks

[Darby]

Wouldn't a male cow be a hermaphrodite?

A note to all dairy farmers:

Please be very careful milking your hermaphroditic cows.

Thanks you.

Re:No thanks

[1u3hr]

nothing to do with downloading third party software

Bill is right, in the same way that Clinton was when he said he "never had sex" with Monica. I guess Bill is defining "download" in the quite correct sense of data arriiving on your PC via network. What most people think though is of software they choose to download and install, not stuff that exploits OS or browser holes or even user gullibility (clicking something with a deceptive label).

Re:No thanks

[tomhudson]

What people fail to realise, is that if we had all listened to Bill in the beginning and realised that the internet was not going to get big and thus never "forced" him to destroy netscape, we wouldn't have this problem. ;)

It's not just IE, it's the whole Microsoft product line. Even DOS was prone to viruses. The only MIcrosoft product that doesn't have an exploit *yet* is their keyboard.

Re:No thanks

The only MIcrosoft product that doesn't have an exploit *yet* is their keyboard.

The IntelliMouse has an exploit?!?

Re:No thanks

[jadenyk]

Windows (XP especially) is a consumer OS. It isn't supposed to be serving any networked services.

Ah.. Now I understand why they call it "Windows 2000 SERVER" and "Windows 2003 SERVER"

But since IIS is an install option for 2000 Professional (and XP I believe) and PWS is an install option for 98, I can't see how Microsoft is saying "This is a consumer OS that isn't supposed to be serving any network services." In fact, since they are providing these applications, they are saying that this is ok.

Re:No thanks

[Christianfreak]

The optical version will exploit your eyes if you turn it upside-down and look into it.

Re:No thanks

[SilentChris]

"Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes."

No, but it DOES equal more attempts to attack. Troll IRC for a while. People are constantly trying to find new ways to break into Apache.

Re:No thanks

[The-Bus]

Wait, which keyboard? This one? or this one?

Re:No thanks

[SammyTheSnake]

On Windows, you have rw permissions on everything

Not in my experience, I've always found switching between windows and linux frustrating because Administrator *doesn't* have 100% access to everything. Have you never clicked "End Process" in task manager and had it tell you you don't have permission even when you're logged in as Administrator? Also, try changing the security settings of a file so that only one specific user has permission to do anything to it and then try bypassing those permissions as Administrator.

As it happens, there are ways around all this (you can use kill.exe for the first and change the permissions for the second) but if Administrator actually were a direct equivalent to root, you could just do rm -rf / and kill the lot. You could cat /dev/zero > /proc/kmem and totally b0rk your entire system. Not that you'd want to, but at least if you *do* want to, you *can*.

At the end of the day, Administrator is dangerous enough that you *really* don't want to run random stuff as Administrator, but not powerful enough to do all the stuff I want to do without having to battle through another half-dozen bloody stupid click-click-click interfaces. Gimme root and properly administrated normal users with a workable CLI any day!

</rant> I guess

Cheers & God bless
Sam "SammyTheSnake" Penny

Re:No thanks

[cHiphead]

The MS Natural Elite Keyboard that my son poured an entire can of coke into says otherwise...

cheers.

Re:No thanks

[Jim_Maryland]

The idea of mounting a filesystem read-only isn't all that far fetched. In a product environment mounting the OS and application file systems as read-only prevents modification. On several production environments for clients I've dealt with, I've seen where only the only r/w filesystems were the /var directory, home directories and a couple data directories. A configuration like this may not work for all environments (software development, maybe a home system where frequent software installs occur, etc...), but it has reasonable uses.

Re:No thanks

[df4b943c678dae]

Wow, thats funny. The only Microsft product I like is their keyboard. They messed it up though with the newer models, too may wierd buttons.

Re:No thanks

[JohnFluxx]

Actually, this is being dealt with by the NSA. Look for the selinux patches. A homepage for this is at: http://www.nsa.gov/selinux/index.cfm

If you are interested in this sort of thing, you'll find the selinux stuff fascinating.

I believe the patches should be going into the kernel very soon - like in the next weeks or so.
But I may be wrong - I haven't checked on the status for several months.

Re:No thanks

[innerweb]

Ignore the parent to this. Read why below.

May have downloaded spyware...

And they are not compromised? Spyware is often as bad or worse than most viruses. Most spyware sits in the background degrading your systems performance recording things that you do, from where you visit to what you type. Spyware is invaluable to crime. If you want to steal identities, accounts, etc., spyware is an invaluable tool.

I wonder who they use for a service provider, and what kind of connection they have. Almost 100% of the Windows machines I have seen hooked up (insightBB, comcast, onenet, SBC, and other smaller companies) on everything from cable to dsl to dial-up have been infected within hours at the most(the slower and more sporadic the connection, the longer the infections took.) It may be that they are being protected by their service provider or some dumb luck combination. I seriously doubt they have some special version of windows that does not have the compromises that all other versions have.

Spyware is becoming one with viruses. The difference is that most script kiddie "virus writers" want you to know they own your box (or defaced it/erased it), whereas most criminal intent wants you to know nothing at all. Their fruits of labor will not be realized if you take actions based on their intrusions. After all, if you change your card/account number or passwords, how can they use it?

Proper spyware (with criminal intent) would install itself collect some information and then delete itself, leaving no trace or suspicion behind. By doing this, they get information and leave no clues to tip off the victim. Once the cards are used, the account tapped, or whatever else they intend to do (identity theft for instance), they no longer need your system anyway, and the damage done is to late to prevent. Try telling companies that you are no the one that ruined your credit rating.

InnerWeb

Re:No thanks

[tomhudson]

Kind of reminds me of a keyboard I made to replace the "QWERTY" keyboard layout - by re-arranging the keycaps, it spelled "FUCKBILGATES" - now that's what I call a *real* Microsoft Natural Keyboard.

Re:No thanks

[Prince+Vegeta+SSJ4]

What people fail to realise, is that if we had all listened to Bill in the beginning and realised that the internet was not going to get big and thus never "forced" him to destroy netscape, we wouldn't have this problem. ;)

Darth Gates: Everything that has transpired has done so according to my design.

Moz Skybrwoser: Your overconfidence is your weakness.

Darth Gates: Your faith OSS is yours.

Darth Gates: Everything that has transpired has done so according to my design. Your friends, up there on the sanctuary website, are walking into a trap, as is your OSS Community. It was *I* who allowed the Alliance to think IE was full of holes, It is quite safe from your pitiful little band. An entire legion of my best coders awaits them! Oh, I'm afraid IE Longhorn will be quite operational when your friends arrive.

Darth Gates: As you can see, my young apprentice, your friends have failed. Now witness the DRM of this fully armed and operational Operating System!

Re:No thanks

[theguywhosaid]

Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.

yeah, thats a real pain. the way around it is to:

1. Change account to an admin
2. Install _All_ Palm junk
3. Change account back to a luser

Its worked so far. Hope its handy

Re:No thanks

[Jim_Maryland]

I agree that the read-only isn't appropriate for every environment, but it can be effective. System security is still the best practice for any system (read-only or read-write). Even on the r/o system, you still want to secure information (if you password resides in /etc/passwd or /etc/shadow, you'll still want to lock it down, even if r/o) to protect it.

The systems in question are critical systems so the additional lock down is justified. The customers really didn't want anyone changing configurations without a bit of effort.

As for future systems, a multi-layer approach to security will likely be used but may differ from system to system based on user requirements. In some systems, the r/o approach may still fit in their scheme. The securing method will all depend on security requirements.

Re:No thanks

[mbbac]

And Apache would be targeted sooner than IIS due to its marketshare. But it's IIS with the most exploits.

Re:No thanks

[Buran]

You can use the root accout but it has to be enabled first (the default install has it disabled and you have to use NetInfo to enable it, which most people don't know how to do) and it does not come up in the list of available users, so you have to specifically type "root" and the root password into the appropriate boxes in the non-default login screen (which most people won't ever see) to login as root.

99% of the time, people are going to use sudo or have to type their password into a box that pops up, and if they don't know why something is asking for root privs, they deserve what they get if it's malware.

That said, I haven't heard of anything nasty that does that - yet.

Re:No thanks

[shotfeel]

viruses and spyware are not "software"

Well, they're sure not hardware...

They are peices of bad code

Bad or not, if its code, its software, and it is 3rd party.

Personally, I would have modded the grandparent "Funny" if anything. Its the same thing I thought. Technically, it is all 3rd party software that's being downloaded...

Re:No thanks

[flibuste]

Well...You installed a 3rd-party can...

Re:No thanks

[jurv!s]

sshd is not turned on by default. the only daemon that *may* be on is ntpd if you choose to use apple time servers during installation... a typical user with admin privileges would have to click a button to turn on sshd in System Preferences and then fire up Terminal.app and issue a 'sudo passwd' to enable the root account or do it the GUI way with NetInfo.app. Does this sound like a typical user to you? nah... didn't think so.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Antivirus is not a thing you "build in"

[plover]

I loved this one:

"Q: Might you add anti-virus/spyware protection in Windows?

Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans."

So, apparently Ballmer isn't the only one there who Doesn't Get It.

Re:Antivirus is not a thing you "build in"

[plover]

I want to know why Bill Gates thinks it can't be built in.

I'm not talking pure heuristic detection, because a perfect heuristic detector is theoretically impossible. But why can't Microsoft build in a scanner that downloads virus definitions?

Virtually all of the viruses of the last five years or so have been Microsoft viruses. (Boot sector viruses are soo last millenium, and everybody's BIOS already detects those.) Not "PC" viruses, not "MS-DOS" viruses, but specifically "Microsoft Windows" viruses. Since they seem to be at the forefront of providing the virus delivery systems, why do I have to pay someone else (like Symantec) to protect me from them? Why isn't patching these defects included in the purchase price of this obviously defective product?

Re:Antivirus is not a thing you "build in"

[sinthetek]

it's hard to imagine that anyone with half a brain could unintentionally write code so buggy and insecure, especially if they're getting six figures & sponsered by a multi-billion dollar company. i admit that the popularity of windows makes it a bigger target, but that same popularity is what gives them the $$ to hire a half-decent staff & do good r&d and is the prime reason to design with security in mind. apparently they haven't done much of either. even their security patches have security flaws. when was the last time they distributed a patch that wasn't vulnerable to attack or buggy and didn't require another patch to fix it? i've never patched anything in linux with the same disasterous results. if the people who do it for free can do it faster, with better performance, better security and no capital, why can't m$?

Re:Antivirus is not a thing you "build in"

[Mavakoy]

> I want to know why Bill Gates thinks it can't be built in.

It can't be built in due to the anti-trust lawsuit MS is/was in over intergrating IE, Media Player and all the rest into Windows.

MS don't want another suit to appear for 'trying to cripple the AV industry' by providing an AV software package with Windows. Sophos et al, would not be happy and they'd unfreee the Super-Lawyers and let them loose!

Re:Antivirus is not a thing you "build in"

[grcumb]

"If OSX were #1 I'm sure the attacks would be just a fast and furious."

Amen, brother! That's why I tossed out that POS Apache web server and got me a brand new IIS. I mean what with all the security holes that come from being the number one piece of software and all, I just KNOW that IIS will never be a problem.

And besides, look at the name: Ah Pah Chee. Get it? It's a Patchy web server. It's gotta suck!

[Disclaimer. The above is one man's poor attempt at humour. If, while moderating, you find that this does not satisfy your personal criteria for 'funny', return this post in its original packaging to the sender and you will be receive a full refund.]

Re:Antivirus is not a thing you "build in"

[npietraniec]

Seriously... It's impossible to have an OS without a browser built in, but it's also impossible to build in virus protection.

Or hey, here's a novel idea... maybe make your OS secure enough that you might actually have a choice whether or not you want to drop X amount of dollars on a 3rd party virus scanning app.

My god. The people at Microsoft can be so completely dense sometimes.

Re:Antivirus is not a thing you "build in"

[phasmal]

I believe that what he is referring to is the fact that you can't just put 'virus protection' on a CD with windows, install it and everything is suddenly OK. It's useless (very quickly) without pattern updates.

Because anti-virus software doesn't stand alone, continual effort is required to make it a valuable addition to Windows.

In the commercial world, continual effort like this must be funded somehow, and the easiest way is to charge people proportionally to the effort - ie. a subscription.

So MS doesn't simply have to build the software, they need the virus research, pattern creation, update mechanism etc.

This is (not surprisingly) exactly how existing vendors make their money.

--Phasmal

Re:Antivirus is not a thing you "build in"

[NevermindPhreak]

microsoft could eaisly offer their own virus scan software, as opposed to having it "built in", and charge extra for it. id be happy, because i wouldnt have to mess around with windows to disable it, and the virusscan companies would be happy because it wouldnt be free. besides that, i prefer my software to be ran by my OS, not to be integrated directly into it.

of course, this is microsoft. expect to see ads for "the new Windows, now with built in AntiVirus" as soon as they can work out the best way to handle the legal issues.

Re:Antivirus is not a thing you "build in"

[CountBrass]

I have an alternative to your disclaimer:

[EULA. By reading this EULA you have agreed that this post is "Funny" and that if you have mod points available you will use them to mod me up Funny.]

Re:Antivirus is not a thing you "build in"

[plover]

Vinnie: "Nice computer you got there, Azi. Very shiny, innit?"

Azi: "Yes, I suppose it is."

V: "Be a right shame if somefing were to happen to it, eh?"

Azi: "What?"

V: "Y'know, fings break. Your hard drive could start on fire, coodn' it?"

Azi: "Are you threatening me?"

V: "Oh, no, no, no, no, no, no, no, no. I'm just saying, it could get a virus, know what I mean?"

Uhhhh...

[Capt'n+Hector]

Yes, viri, trojans and spyware tend to be third party. The problem is, IE lets you download these and execute, sometimes by just viewing a page.

Re:Uhhhh...

[Wizarth]

I was just about to say this.

And you don't even have to view a webpage. How many Win32 worms* are there now?

* I mean real worms, not "the media calls it a worm for some unknown reason" when its really a virus.

Re:Uhhhh...

[plover]

This one reminds me of the old Yakov Smirnov joke about a Soviet visiting America:

"Now that you're in America, if you need to get the police on the phone, just dial 911."

"That's nothing. In Soviet Russia, we don't even have to dial."

Re:Uhhhh...

[robbo]

It's obvious that Bill's implying that it's perfectly safe to use IE, so long as you only browse Microsoft/Msn/Msnbc/Slate.com... It's your fault if you stray off the beaten path.

Re:Uhhhh...

[MrBlue+VT]

That was a perfectly cromulent response!

Easy to assign blame

[onyxruby]

If I did something, than it's my fault. If I didn't do something, and didn't apply a patch that was available, than it's my fault. If I didn't do something and it happens automatically with default settings, it's Microsoft's fault.

Sick and tired of fixing spyware infested machines.

Re:Easy to assign blame

[RTPMatt]

Unfortunatly if a webpage tryes to load something nore than once, IE gives me no way to say 'No to all.' They are happy to provide me with a 'Yes to all' checkbox, but if i have to sit there and click 'No' 50 times, after a while i get fed up and just click yes to all.

I use firefox at home, but my school only has IE, and it seems like i spend more time clicking the 'No' dont insall this crappy software button than actually reading webpages while browsing there!

Re:Easy to assign blame

[plover]

Then you should use Portable Firefox on a flash drive at school. Jack in the thumb drive. Run PortableFirefox. You get to bring your own bookmarks and cookies with you, and leave nothing like log files behind. And 32MB drives are available for about $10.00 (check the clearance bins at places like Micro Center or wherever.)

Re:Easy to assign blame

[PurpleFloyd]

Well, first of all, Firefox probably does have some holes. However, since it's not dominant in the market like IE, there aren't legions of crackers, trojan authors and spyware pushers probing its vulnerabilities. Still, Firefox/Win32 has some major security advantages over IE:

• First, it's not integrated into the OS. IE is used in Windows for a lot of different tasks: web browser, file browser, help browser, anything that can be made to involve browsing. It needs to have deeper access to system internals than a simple web browser like Firefox. Thus, if IE is compromised, it's much easier to get malware into the system.
• Firefox is a lot stricter about installing plugins. IE's user interface is biased towards installing whatever plugins the site's designer wishes, including malware - it takes one click to install an IE plugin. Firefox's default configuration, on the other hand, requires you to add the site to a whitelist, then enforces a wait period before presenting the option to install a plugin; the UI is biased against installing plugins. It requires active thought to install a plugin; you can't just click "install" to make an annoying dialog box go away.
• Firefox is Open Source. While this certainly doesn't mean that it's magically better than a closed source product, it does mean that if a vulnerability is found, a large number of developers can move quickly to plug the hole. Also, it's more possible for the community as a whole to take the initiative regarding security; while a kludged security risk may be left in a commercial product to make a ship date, it is likely to be replaced fairly quickly in an Open Source environment by a volunteer. Open Source isn't a magical security enhancer, but it does tend to promote better security practice and allow quick response in the event of a security breach.

Re:Easy to assign blame

[Soko]

What's to stop a spyware/virus-laden school PC (those have to be the worst) from infecting your your Firefox .exe, and then having you bring that home with you?

Ahem...

C:\>attrib +r D:\*.exe
C:\>attrib +r D:\*.dll

...assuming D:\ is the USB key, before you plug it into a Windows machine. You can also set the read-only attribute via right clicking on the file in Explorer and going to properties (obviously, on your own, hopefully clean, Windows machine) There, all better now.

To the grandparent: Thank you for pointing that project out. It truly shows that having the source code to software open and available can lead to all sorts of interesting - and very useful - things.

Soko

Re:Easy to assign blame

[spectecjr]

Ahem...
C:\>attrib +r D:\*.exe
C:\>attrib +r D:\*.dll ...assuming D:\ is the USB key, before you plug it into a Windows machine. You can also set the read-only attribute via right clicking on the file in Explorer and going to properties (obviously, on your own, hopefully clean, Windows machine) There, all better now.


What makes you think that setting a file read-only prevents a virus from modifying the file?

Read-only is only advisory; you can still write to the file, IIRC.

Re:Easy to assign blame

[Soko]

Not excatly. It a) requires privileged access to the file and b) Windows will bitch about overwriting a read-only file before doing so.

Yes, most viruses get in because the user is running with admin privs, but the above should be enough for someone who assumes that he's entering a hostile environemt to recieve enough warning, allowing him to avoid any trouble. As well, most viruses in the wild don't take this into account and will not infect the binary.

BTW, making the whole damned USB key read-only - including the dynamic stuff (like your Bookmarks) - is a good idea too. That reduces the chance that one of the nasty critters could hitch a ride to your home machine too. If you want a new bookmark, e-mail it to yourself or write it down, and put it into your bookmarks where you know you're safe.

Soko

Re:Easy to assign blame

1. USB memory is FAT. Everybody has full access on all files.
2. attrib -r is trivial to accomplish inside virus

Re:Easy to assign blame

1. His point on hardware read-only is still valid
2. Cite? I haven't seen one yet.

Rubbish!

[Any+Web+Loco]

Those holes are what LETS third-party software install its freaking self.

Third-Party?

[Machitis]

I wasn't aware Windows Update was third-party software...?

Hmmm...

[Selfbain]

I thought it was everyone else blaming their computer problems on Microsoft not the other way around.

Bill Gates lecturing about security...

is like Tony Soprano lecturing about law and order..

Re:Bill Gates lecturing about security...

[Whizzmo2]

"I'm John Kerry, and I approved this plagiarism".

software, eh?

[crackshoe]

Q: Yes, but will people continue to do that with Media Center? Gates: You might well do it. We need to use approaches that block people from ever getting software onto the machine they don't want. Me: Great. Now let me get a PC from a major OEM without windows - oh, not that software?

Bad programming model

[John+Hansen]

So, pray tell, how is making a horribly insecure third-party application model (DirectX) and then complaining about how people are exploiting it supposed to hold water? YOU ARE THE API DEVELOPER. IT IS YOUR RESPONSIBILITY TO ANTICIPATE POTENTIAL ABUSES.

Because if I'm reading this right, then that's exactly what Gates is doing. No wonder Microsoft's products are so shitty; they think that security is something that happens to other people.

Re:Bad programming model

[John+Hansen]

Aaaaaugh. It's late, and I meant ActiveX... before people jump all over me in flames, since DirectX isn't that bad...

What's that I hear dying?

[MoralHazard]

Sounds like Microsoft's Trusted Computing Initiative isn't getting as much executive support as it might've.

Remember that, Bill? When you said you were going to make all the Windows computers secure by focusing all your energies on securing your code?

Now, it's not your fault, and you won't do anything to fix it? Then why on earth did you tell everyone that you would?

Re:What's that I hear dying?

[saskboy]

Well, don't blame Microsoft. It's up to 3rd Party software companies to provide security to Windows, such as Symantec, McAfee, and Zonelabs. Oh, but wait, Gates also said that 3rd Party software is Responsible for the holes in Windows software. Now I'm confused.

3rd Party Software. The Solution to, and Cause of all of Windows' problems.

Re:What's that I hear dying?

[Eberlin]

I was working on this and never finished it. I figure it's worth posting as incomplete. Apologies and respect to the original work.

My fee's all gone, I'm wondering why
I sold my soul at all --
The morning mail locked up my Windows,
They all call me a troll.
Even if they don't, everything I say
Gets all hackers' eyes to roll --
Still I tell me that it's not so bad,
It's not so bad...

Dear Bill, I wrote but you still ain't respondin'
I left e-mail, my URL, and my home IP at the bottom
I sent two bug reports last autumn -- you must not a got 'em
There probably was a problem with hotmail or somethin
Sometimes the packets take the scenic route when you route them
but anyhoo, fsck it, what's been up? Man, how's Ballmer?
Is he still a dancin' foo, screamin' "developer?"
If I have a daughter, guess what I'ma call her --
I'ma name her Clippy.
I read about your XP SP2, I'm sorry.
I had a friend bork his box over some bitchy driver problem
I know you probably hear this everyday but I'm your biggest fan.
I even got Software Assurance that the zealots called a scam.
I got a room will all your certificates and manuals, man.
I like the stuff you did with Java, too, that stuff was phat!
Anyways, I hope you get this, man. Hit me back
just to chat, truly yours, your biggest fan
This is Dan.

Dear Bill, you still ain't ack-ed my note. I hope you have a chance.
I ain't mad -- I just think it's fscked up when the shizznit hit the fan.
If you didn't want to fix the bugs through Trustworthy Computing
you didn't have to, but you coulda posted a work-around for Matthew
That's my kid bro, man, he's only eight years old
Been a good boy, rebooted as he was told
by you for years and you just said "No."
That's pretty crappy, man, his drive was going idle.
He wanted to be just like you, man! Now he gets more porn than I do!
I ain't that mad, though, I just don't like bein lied to.
Remember when we met in Vegas? I said that I'd write you
And that I've always gots your back. See, man, patching is ok, in a way.
I wouldn't have bothered either
But my mom's machine got hosed and she's not a control-alt-deleter.

Re:What's that I hear dying?

[ceeam]

Your fault is that you think of him as a sensible businessman doing sensible business. Your life would be easier when you think of him as moral-free greedy evil bastard, like the rest of us do. ;)

(Mod me troll)

The more I look at B. Gates...

[ATAMAH]

The more he reminds me of my ex girlfriend. As in - he is just as greedy and his side is never at fault.
Although he is much uglier and....male.

Re:The more I look at B. Gates...

[darnok]

> The more he reminds me of my ex girlfriend ...
> Although he is much uglier and....male.

and not just a figment of your imagination ;->

I'm so sick of the lies

[gad_zuki!]

I hear them from the Bush administration almost daily and corporate america is getting a lot more brazen. No one fact checks, dissenting opinions are marginalized, and the corrections page doesn't have nearly the eyeballs the front page does. And that's assuming a correction is ever given.

This is the same mentality of shipping a crappy product and having tech support take care of the issues. Okay, fine, at least I have someone to complain to and I can return products, but with information you don't have that option. You complain to your peers, who are just an echo chamber. The fact that lying usually goes unchallenged in media makes for bigger more destructive lies.

The browser has holes, its a piece of software. This is way over the line. How did the information age become the disinformation age? Perhaps we officially entered the post-postman world where everything is a soundbite that flies through the subconscious and sticks there. Long corrections don't have the same stickiness, so lying is now smart business.

Keep it up Bill, you're making my next Apple purchase all the sweeter.

Disclaimer for the mods: Yes, many politicians lie. Apple isnt perfect, etc. But there is a difference between small and big lies. Lies which are harmless and those which cause destruction.

Re:I'm so sick of the lies

[killjoe]

The problem lies directly with the American people.

First of all they are utterly clueless and can't even discern between the truth and a lie. They are pretty much programmed to accept whatever somebody on the tee vee tells them.

Look at this (or any other election) for example. Is Kerry a flip flopper? Is he a coward? Did he get his metals from self inflicted wounds? Ask your typical american and they will say yes. Press them for details and you'll realiize they don't know shit, they are simply repeating what they saw on television commercials.

Same with Gates and Company. Ask yourself. Have you ever heard or read an interview with Ballmer or Gates in which they didn't tell at least one lie? Not a minor one either but a blatant out and out lie. They people are habitual and pathalogical liars. They will continue to tell lies until the press calls them on it. Since they buy lots of advertising don't hold your breath though.

Re:I'm so sick of the lies

[_xeno_]

The annoying thing with the media today is that they just report on what someone tells them to. What I mean is that they'll just rehash the talking points or press releases that are sent to them.

So you see things like "Bush said this, and Kerry said that." Which is 100% true. But there's no investigation into whether the quotes are actually, like, true.

So Microsoft will release a press release saying "We're improving security!" and then various media reports will say "Microsoft says it's improving security." But the media won't actually investigate whether or not Microsoft actually is improving security, they'll just report that Microsoft has said that they are.

About the only time you'll hear any discussions about the truth of any position anyone has is on various talk shows, where to "show both sides" you'll get two people who are representing "opposite sides" of a given debate. Directly opposite sides.

Since these people are soley debating for their side, we're ultimately left with no middle ground. Only two extreme views on a topic.

So while the two "sides" of the debate are represented, the media generally "let's the reader decide" which side they believe in. But since the veracity of the two sides has never been called into question (other than each side calling the other wrong), the average reader/listener/viewer has no way of judging complicated scenarios they don't really understand.

(For example, I don't really know what Kerry's position is on Iraq. I have no idea whether or not it's a good position, because I only hear polarized viewpoints on it. About all I know is that he intends to "do it differently" and "get international support." I have no idea about the details and don't know enough about international politics and warfare to judge it even if I did know.)

This is one of the main reasons I get all my news from the Daily Show with Jon Stewart. At least then I know it's all fake. :)

I'm currently up due to insomnia, so if any of that makes no sense, I'll try and post a correction tomorrow. It'll be in fine print and on the fifth page. :)

Re:I'm so sick of the lies

[njdj]

I hear them from the Bush administration almost daily and corporate america is getting a lot more brazen.

Politicians (especially the ones in power, regardless of party) always tend to lie. And salespeople have never been noted for truthfulness.

What has changed, gradually, over a couple of decades, is that the media no longer provide a check on politicians and corporate liars.

The purpose of the media used to be to provide information and critical comment. That's changed. A newspaper or a TV network makes more money if it's operated primarily as an entertainment. That means: nothing that requires the consumer to think, because a lot of people don't like to think. Not too many boring facts, either (unless they're sensational).

Don't be too hard on Gates. There will always be people whose goal in life is to make more money, by any means that works. The problem is that our society has lost the checks and balances that used to constrain people like him.

Re:I'm so sick of the lies

[16K+Ram+Pack]

The biggest problem isn't the lying, it's the distortion of the facts.

Tony Blair didn't lie over Iraq, but whether he was completely open and frank is another matter. There were cavaets about the evidence for WMDs in Iraq that we were not told. Now, is that lying? Probably not, but it's dishonest.

There's also the thing of playing on people's assumptions - you make a declaration, which people interpret in a certain way based on normal rules, history etc. When it isn't delivered, you can then fall back on exact wording.

Re:I'm so sick of the lies

[BenjyD]

The mantra of most of the media these days is basically "maximum sales, minimum effort". Researching the facts, using statistics correctly - these take effort and don't sell papers/advertising time.
So instead, grossly over-simplify the argument, chuck in some spurious statistics and come up with an inflammatory headline that completely misrepresents the story. Maximum sales, minimum effort.

Re:I'm so sick of the lies

[Kpau]

One has to remember that originally, news departments were run as a public service so that the station could meet its mandate and justification for the BORROWING of the public airwaves. Somewhere in the wonderful "greed is good" 80s... someone decided that news departments should be profit centers. At that instant -- the news was fucked (as opposed to just biased or agenda-driven). I'd like to see the Fairness Doctrine reinstated and an FCC mandate that news departments be NON-PROFIT... not likely at the moment.

Ones not made by Microsoft

Especially the ones that you get while downloading the updates.

So the thing the users keep doing wrong is hook it up to the internet.

Re:Ones not made by Microsoft

[sigaar]

Must be. Maybe Microsoft still doesn't believe in the internet. Remember how they said the Internet was going to blow over?

Re:Ones not made by Microsoft

[spacecowboy420]

It's "internets". There's a whole bunch of these magical internets - and only the most powerful people in the country can use them. I am not surprised that you are only becoming familiar with the internets, after all, none of us would have known without W's slip up the other day. Aliens work through W on their internets towards their master plan of total mental slavery of the lazy thinkers.

Wake up America! They're controlling our mind through the internets!!! It's almost as bad as reefer madness!!!! Run for your lives!!!!

Re:Ones not made by Microsoft

[maxwell+demon]

Yes, only silly people believe in the internet. After all, there's no indication that the internet exists. I never connect to the internet. I connect to a provider (which calls himself internet provider, but then, that's certainly just a buzzword) through my phone line through an electronic device named modem, and that provider just allows me to exchange data with other computers (like web servers). I know that the data is passed through things like routers, firewalls etc, which are also just computers. Those are connected with old-fashioned wires just as a telephone, or with just as old fashioned electromagnetic waves (like TV), also maybe through opical fibres, but I still cannot see an internet. So it's quite obvious that all this internet stuff is just made up, because whereever I look, I just find computers, electronic devices, cables, antennas and the like, but in the whole process there's obviously no internet involved. Therefore it's proven: The internet is a myth!

And tomorrow we prove that image manipulation software cannot manipulate images.

Re:Ones not made by Microsoft

[stoborrobots]

There is _NOTHING_ in Canberra... :-)

Honestly though, Canberra is a very small town, so if you are expecting to see "Australia" while you're there, there's not much. Your best bet is to look here or here for things to do there.

Otherwise bear in mind that it's about 200 miles to Sydney, 400 miles to Melbourne or 800 miles to Brisbane, where the real stuff happens...

What kind of things do you like to see when travelling?

Canberra LUG here, Wollongong LUG seems offline at the moment.

From TFA..

[mstefanus]

Q: What's your take on making Windows Media compatible with Apple?
Gates: We're big believers in interoperability.

BWWAAHAHHAHAHAHHAHAAAHHAAAA!!!!!!

Yes yes... ofcourse, interoperability within Microsoft products

Re:From TFA..

[maximilln]

What do you propose to do when someone says

Tell them to quit micromanaging.

Are you supposed to turn down business

Only business from customers you don't really want anyways. Maybe if more people would grow a spine we could stuff these halfwits who think they're stellar managers (because they use MS-Project) back in their place serving us french fries.

Or do you keep the most popular OS on the planet around because you have to have it to run some of the most popular software packages?

Is that like kids saying they have to have Kazaa otherwise they won't be popular? Is that like kids whining for $200 tennis shoes? Maybe the world does revolve around spoiled, rich, underachiever brats who like to play manager with their nifty new MS-ProjectPlusSuperStellarEdition 2005 Ultra Pro XP.

I, however, will always have the brainpower while Mr. Yuppie over there goes berzerk when his HD crashes.

Article is a troll

[ic3p1ck]

Mod article +5 Troll...

Wish there was a rating system for articles.

Best quote from Bill...

[Fallen+Kell]

Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.

That's interesting since current statistics are only showing:
2004 IE 6 IE 5 O 7 Moz NN 3 NN 4 NN 7
October 69.8% 6.0% 2.3% 17.0% 0.2% 0.2% 1.3%
September 69.6% 6.2% 2.3% 16.9% 0.2% 0.2% 1.3%

In other words, IE5/6 with 75.8%, not Bill's dream of 90% (not anymore). In fact, it has been since Jan 2002 that IE has had a number even close to 90%, when it was at 86.8%.

Bill, get a clue and stop using your PR department for your FUD.

Re:Best quote from Bill...

[wan-fu]

It doesn't really help if you don't provide what site statistics those are from... if those are the figures for mozilla.org then I'd say IE is doing very well, but if that's something like msn.com then obviously it's a different story.

Re:Best quote from Bill...

[danme]

http://www.w3schools.com/browsers/browsers_stats.a sp

Re:Best quote from Bill...

[Tom]

Good point. There are the stats from my online game. So it's not a Linux or windos site, it's not a geeks-only site, there's plenty of aol or hotmail users in the game:

Top 10 of 94 Total User Agents
# Hits User Agent
1 1122501 44.95% Mozilla/5.0
2 1057756 42.36% MSIE 6.0
3 186661 7.47% Opera/7.5
4 40541 1.62% MSIE 5.0
5 31246 1.25% Opera/7.2
6 12661 0.51% MSIE 5.5
7 7791 0.31% Feedreader
8 7377 0.30% Opera 7.5
9 4929 0.20% Ocelli/1.1
10 4456 0.18% iCab 2.9

Doesn't look like 90% IE to me. Then again, I don't work in microsoft PR, I'm sure there's a way to creatively interpret the stats.

let us all remember this, then

[calculadoru]

Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.

Let us all remember the line above then. Nothing is going to change?
I think it will

whoa this stretching

[radaway]

I need lessons with Bill so I improve my english, I guess its easy to learn it, if you stretch the meaning of the words as much as bill.

Watching a website outside microsoft.com=downloading third party software.

Technically, Bill Gates is correct

[Leykis101]

Q: Speaking of security, Internet Explorer has had well-publicized holes ...

Gates: Understand those are cases where you are downloading third-party software.

Here how it goes.
If you never download, let say a third party web-browser like Mozilla's Firefox or Opera, you'd never realize how problematic Internet Explorer is.

So it is us, the consumer, who are to blame for downloading those third party softwares. Especially the ones that make IE look so horribble.

Re:Blame Game

[ladybugfi]

See the quote: "More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change."

Money is no replacement for clue.

What Bill means

[roman_mir]

What Gates is saying is that Windows does not come with native viruses installed, you have to download them from other places. Well, I sure hope they see that they are missing a market opportunity here. Longhorn better come with its own, native viruses.

Gibberish

[gruntled]

The purpose of Internet Explorer is to download third party files (by viewing Web pages). Mr Gates's claim that vulnerabilites exist because of such downloads is therefore nonsensical; it's like saying we could end deaths due to automobile accidents by banning automobiles. Yeah, there's a certain logic to that, but it sort of misses the point. To take a recent, ongoing example: A malevolent Web page can use an image file to compromise a Windows system. This vulnerability is not created by users who have somehow previously contaiminated the local environment; it's a part of the system's design. The OS was originally built to offer features over security, and maintaining backward compatability rather than fixing those issues would make it more difficult to coax existing users into upgrading (and would also make it easier for existing users to consider alternatives rather than upgrading). I lost two years of my life covering the antitrust trial, listening to this guy and his minions cheerfully perjure themselves, and he just can't seem to stop making it up.

Re:Gibberish

[KamuSan]

It's more like banning traffic accidents by forbidding driving.

It just means that Bill Gates still doesn't get network connected computers. I remember he once thought that 'the Internet' would never be important. And now I think that, IE monopoly and all, Microsoft still, inherently, deeply, doesn't get network connected computers. Yes, they forced Netscape out of the market with IE, but for them IE is just another piece of software.

Re:Gibberish

[gruntled]

Your analogy is more precise than mine; nicely done. But I think MS does "get" networking these days; they're just in this huge bind because they can't repair all the problems without breaking nearly every existing application out there. Most people won't throw away their entire investment in software for an OS upgrade -- even a a more secure OS upgrade -- so Microsoft winds up muddling along with things like XP Service Pack 2 (the 2 stands for "too little, too late"). Must stop typing these at 3 AM....

I've heard this before.

[ImTwoSlick]

Han: "It's not my fault!"
Lando: "It's not my fault!"
Bill: "It's not my fault!"

Re:I've heard this before.

[NecroPuppy]

Hey, at least in yours, Han spoke first....

Bill

[cbdavis]

You need to see a shrink. You are SO in denial mode. Take it from your users, not your PR cronies, IE is broke, always has been broke, always will be broke. Firefox is great ( but there are still some problems with it) and it will get better. But I doubt if it will ever get a big following. Bill has us by the cojones. We know it, He knows it. Thats why he can lie, lie, and lie some more. Thats it, Bill, blame your users. Just once, I would like for M$ to admit fault. I can dream, right?

Let's pretend you are Microsoft.

First of all, you are a business, so you want to make money. Your target is average Joe NoClue. What is gonna get the attention of Joe NoClue? Features, a whole friggin lot of features. He's not a sysadmin. He's not a freaking security expert. And he certainly doesn't care about thing he doesn't see, like security. You might say that Joe NoClue doesn't like having his computer hijacked. Well he still doesn't have a clue about this. So this is not a problem. Problem arise when Joe NoClue loses some precious data. This is what's important as far as security goes.

So let's assume that your product will sell because of it's features, security isn't that much of an isue (Joe isn't going to know about those big gaping security holes, when the product will be at the middle of it's usefull life, then Joe might notice, but not before.)

If you consider this as your view of software and OS, I don't see what Microsoft has wrong. Of course thay have some version for sysadmin, but before being sysadmin, a lot of them have been user... on Windows system. If they didn't touch any other thing, they might try and use some version of Microsoft's server don't you think?

Anyway, the only thing i'm trying to say is that a lot of people, at some point in time, began thinking that Microsoft's main market is not common Joe Dumass. And then these people started expecting thing from Microsoft.

"Microsoft machines are poluting the Internet" ...
Well, yes, corporation don't care about polution, it cost way more to make something the clean way rather than pullution like a dumass.

Stop expecting secure systems from Microsoft. As long as Joe IDontCare doesn't know about security, he's still gonna be using Microsoft products. If you want to help make Microsoft systems more secure, start educating people around you about the need for secure system and the polution on the Internet.

You'll basically get the same response from people as if it where about nature and other kind of pollution.

People won't care until it's gonna be a problem.

Anyone if free not to share my opinion, but I beleive it's an environement problem. And Microsoft is only going with what people are freaking asking for.

Microsoft is in it for the money.
Features sell beter than security.

Is it that complicated?

Windows May Suck...

[Wingie]

But don't you realize that it's because MS being idiots about this that most of us here have jobs? (Or had, if you've moved beyond the hell of tech support.) Yes, crappy jobs that involve cleaning out crap from computers everyday. But imagine if there WAS a good built in virus/spyware scanner in Windows that automatically fixes systems--imagine if Windows had no holes/problems and fixed itself. Who would need tech support then?

Very rich

[thelibrarian]

So Windows Media Centre is going to allow you to navigat your media files in "a very rich way". And Longhorn and MSN search are going to provide a "very rich search" on the desktop. What exactly does this mean?

Are we going to all get gout from using Windows in the future?

Nuts!

[abacsalmasi]

I hope my mom doesn't read this, I told her that all the porn on my machine was downloaded by Windows.

Re:OS X rox!

[B.D.Mills]

I believe gravity does. Don't believe me? Try dropping it off a building.
That depends on how tall your building is, what the apple is made of and how the apple is protected.

If I enclosed the apple in six layers of bubble wrap with the bubbles on the inside, encased the bubble wrap in three inches of loose polystyrene beads, enclosed the polystyrene beads in three inches of low-density foam, enclosed the low-density foam in three inches of high-density foam, enclosed the high-density foam in a double-thickness corrugated cardboard box, enclosed the cardboard box in two layers of egg cartons and enclosed the egg cartons in another cardboard box, the apple isn't going to be damaged if I dropped it off the roof of my house.

Catch 22!

[Advocadus+Diaboli]

Q: Speaking of security, Internet Explorer has had well-publicized holes ...
Gates: Understand those are cases where you are downloading third-party software.
...
Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

So if I get this right the problem with security is that I download third party software and Mr. Gates thinks that it can be solved by third party service (which means probably downloading third party anti-virus software). Now I clearly understand why the problem is never solved...

The user's fault? We can fix that!

[outanowhere]

Blame it on the user.

Again.

As usual.

As always.

Microsoft and especially Mr. Gates have both blamed the user for DOS and windows bugs, et cetera, ad nauseum, since the beginning.

It's one of the things that really encouraged me to dump windows. Being told personally, to one's face, by Microsoft and Mr. Gates that the problems with DOS and windows is my fault made it very easy to walk away from the huge investment in microsoft stuff.

Since the user is at fault, the user can fix it--like I did: dump microsoft.

Amazing

[3.09+a+hour]

What I dont understand is how tactics like this have won him the title of richest man in america, Ive seen drug dealers with better customer relations

+1 FUNNY

[scum-e-bag]

Gates: We're big believers in interoperability.

Come on, mod me +1 FUNNY for all those who haven't RTA...

I pissed myself when I read this one.

Give them a Little, Take a Lot

[Exter-C]

This is a classic example of how humans are.. Microsoft give us alot (in vulnerabilities) that cant be exploited until the user downloads a file. So its not the browser thats at fault its the user...
This is just like the pinto.. the car wasnt going to blow up unless the other driver was crap.

I guess he's right

[Klowner]

I mean, spyware and viruses weren't made by microsoft, IE just helps you download and install them more easily, and even sometimes automatically!

I think we should all thank Bill for coming clean about this ever increasing problem.

Embrace, extend, and extinguish.

[DeepHurtn!]

I haven't seen anybody mention my favourite line from the interview:

Gates: "We're big believers in interoperability."

Re:Embrace, extend, and extinguish.

[TiggsPanther]

Gates: "We're big believers in interoperability."

I was amused by that, too. I was tempted to call bull, but technically they are interested in interoperability.

It's just that they seem to believe that everyone else should have to pay them for the privilege of being interoperable.
It's great from a business point of view, but not much use from a F/OSS point of view, unless projects manage to pick up a sponsor who would be willing to shell out to license the technology and manage to do it in such a way as is compatible with whatever license they're using.

Catch 22

[The+Real+Nem]

It is kind of a catch 22. If Windows had built in anti-virus software no one would buy 3rd party anti-virus software and Microsoft would gain a monopoly in the market. They would get their asses sued and everyone would complain that they have a monopoly or they have created an unfair environment. We've seen it before. If Windows doesn't have built in anti-virus software everyone complains they don't.

And even if Windows did have built in anti-virus software, can you honestly tell me, given their track record, that you would feel secure with it? If everyone used Windows built in anti-virus software wouldn't it be just that much easier to exploit and cause even more damage.

Re:infomechanics

[arkanes]

There's no such thing as "bit rot" per se - things like fragmentation can cause a gradual decrease in performance, but not failure. The term is used in software development because of the way old parts of source code don't get looked at and updated and touched.

Simply put - the "maintenance" that we refer to with software, and that's being compared to cars above is in fact no such thing. Every patch and update that's issued is to correct a _mistake_ in the software - not something that gradually failed because of wear. Cars need regular maintaining because they're physical objects in a physical environment and the stresses and imperfections of that environment cause real physical damage that needs to be repaired. Software "maintenance" is actually incremental development - it's correct mistakes that are in the original.

All that said, software (at least most of it) is far, far more complex than your typical car, and has had far less time to mature. The physical limits that a car operates in are well defined and well understood, and the vehicles are designed with that in mind. There are well known and well understood physical requirements and those requirements are easily tested. Software lives in a very different environment with a very different level of contstraint and a very different level of user expectation.

Check the history of the seatbelt in the car

[SmallFurryCreature]

The car industry, well mostly the american car industry, was extremely reluctant to do anything about safety in cars. Safety studies might give the audience the idea that driving wasn't safe.

They tried everything to stop people from doing safety studies and stopping laws making safety devices mandatory. It did not fit their marketing image to have to put safety features in.

Sounds very similar eh? Gates blames insecurity on bad users. The car industry blamed it on bad drivers (this fits marketing as noone thinks of themselves as a bad driver).

Until enough studies came out showing how dangerous cars were (things like the steering column being a spear aimed at your chest) and the public started to get aware and goverment was starting to take action ONLY then and very slowly did the car industry do something. That still won't do anything until laws enforce the use of seatbelts and even then you will have idiots claiming using seatbelts is unsafe. Same as I have met person (not heard about, actually talked to myself) who didn't use anti-virus software because it was reading their files.

So don't hold your breath waiting for MS to move on its own. SP2 was already a huge achievement. Anything more will only come after a long long struggle.

Or a very short one if you install the flippered OS. Or the horned one if your into necrophilia. Then again, that is like driving a volvo. Not cool. Sure your kids might survive an accident but who cares about that eh?

Re:Check the history of the seatbelt in the car

[Sentry21]

The car industry blamed it on bad drivers (this fits marketing as noone thinks of themselves as a bad driver).

That's kind of funny when you consider that most XP crashes are because of bad drivers too (or misbehaving malware).

--Dan

Re:Check the history of the seatbelt in the car

[DMadCat]

That's kind of funny when you consider that most XP crashes are because of bad drivers too (or misbehaving malware).

That's kind of funny when you consider I'm a System Administrator, I keep my Windows box up to date and as squeaky clean as is possible, and I still experience crashes.

Most XP crashes are Software/Hardware related, not user error. I've spent the last five years having to apologize to my users for some of the screwy, quirky things that Windows does.

Re:Check the history of the seatbelt in the car

[orac2]

The plural of "anecdote" is not data!

Even though you acknowledge the overall statistics, you then rely on one person's experiences for choosing not to wear a seatbelt in many circumstances to overrule the statistics.

To see why this is crazy, imagine asking a 1000 people all across the country to toss (fair and balanced) coins. Ask the 500 or so people who get heads to toss again. Ask the 250 or so people who get heads that time to toss again. And so on, through 125, 62, 31, 15, 7, 3, till you're left with 1 person. Now this 1 person has tossed a coin 10 times and it's come up heads every time! [1]

Now if you didn't know much about coin tossing, except a statistic that said they come up tails about 50% of the time, and you only knew that one person, should you believe her if she says "Well, the statistics say tails comes up 50% of the time, but from what I've seen, it's heads all the way!"?

Unless you know of a broad survery of many accident investigators who detect a tendancy for low-speed or low-traffic density accident injuries to be increased in either number or severity because of seat belts, then you must take what you're hearing with a hefty grain of salt, even if what they are saying is 100% true[2]. (By the way, I fail to see the difference in between accidently wrapping oneself around a telephone pole on a busy road vs. a quiet road.)

Don't forget there's an obvious potentail for observer's bias here too: you're not seeing his formal reports, but just the stories he's choosing to share with you in an environment which encourages entertaining conversation, not neccessarily statistically accurate conversation.

In the absence of such of survey, perhaps the best thing is to consider the failure mode you're really concerened about: it's not that wearing a seat belt is bad during the accident, but that you may be trapped afterwards. Put a box cutter or similar within reach, say in the door drawer. If you can't operate the cutter because of unconsciousness or severe injury, well, in your condition, you weren't getting of that car anyway .

[1] There's actually a well known stock-market scam which operates in very much this fashion.

[2] The furor over silicone breast implants is another good example: a lot of women honestly reported problems after breast implants, but when all was said and done, their problems were coincidental.

Re:Check the history of the seatbelt in the car

[Minna+Kirai]

Well, some years ago an acquiantance of mine was an accident investigator for my Countys fire department.

Yeah, "A guy I know said so". That's how Urban Legends start off...

You can't be serious, right? This must be an experimental troll to test public gullibility...

The resaon being, many people are killed outright when their car crashes, but many more are only injured, or have no serious injuries but are pinned into their car by their seat belts, and are burned to death if a fire occurs.

That doesn't make any sense. There's a standup comic with a decent routine based on the stupidity of that claim.

1. "Oh no! My wrecked car is on fire! The flames will engulf me in moments! I'd crawl away, but this accursed seatbelt binds me into the fatal seat. If only there was some quick way I could release it... some kind of
2. button I could press to open the belt! But it's not to be. Goodbye cruel world!"

In real life, if your car crashes and catches fire, you're more likely to survive with a seatbelt on. The seatbelt will reduce the chances of your being knocked unconcious or breaking bones in the collision, which leaves you mobile, and able to get out of the fire.

Some people underestimate the damage that can be inflicted by even a low speed collision. Just measure how fast you can sprint- 20, 25 miles per hour? - and then imagine what would happen if you ran into a steel wall at full speed. Taking a hit like that will stun you for longer than it takes to disconnect a seatbelt.

Re:infomechanics

[Doc+Ruby]

Software with modern complexity will always have defects. Accepting that fact, and designing for failure tolerance, is the kind of wisdom that has steadily improved automobile safety despite heavier use under less anticipated conditions by many more people. Software is no different, unless you have the magic to reduce software design and implementation errors to nothing.

Why we put up with this madness...

[infonick]

I will never understand. If a grocery store so as much hires someone *unlikeable* to work the cash registers, they lose customers. likewise with vehicle manufacturers. If a bad car is designed, it is branded a lemon, and is treated as such by all consumer reporting websites/newsletters.

So why Bill Gates is still in buisness after making such a comment: "Understand those are cases where you are downloading third-party software" it makes my eys roll. Why is the customer always right? because only the customer knows what he or she wants. If the customer wants a good solid car, they are going to buy a good solid car from *insert favorite car manufacturer here*. So why people put up with this slander from the biggest man in Microsoft is beyond me.

Personally, i think i run a very tight ship. I dont need antivirus, and a nice firewall is all that stands between me and the next script-kiddie on the block. Problems i've ever had are related to IE and poor OS performance.

Because i will shortly be entering my era of University in 2005, my thoughs turn to my financial future. I will not be able to afford a new computer, much less new games/new MS OS. When the time comes when i can no longer play games on my current setup, windows will have no further place on my computer.

*Deep Breath* - Thank you for your time.

Just a matter of definition ...

[invi]

Gates: Understand those are cases where you are downloading third-party software.

Well, sure, if you call the payload in a buffer overflow attack "third party software" ...

3rd party

[Tom]

Understand those are cases where you are downloading third-party software.

True, that. Now the point is that you're downloading this "third-party software", aka virus, trojan horse or spyware, even though you never wanted to.

Try Microsoft?

[chriseyre2000]

Why don't they offer the option of never trust Microsoft?

I'm sorry, what!?

[rincebrain]

Last Q/A in the article:
Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
[Italics and bolded sentence my own markup]

So let me get this straight, Mr. Gates. You have thousands of people working just on Internet Explorer, and yet...a thousand or two thousand people working on Mozilla have bested you?

Nothing is going to change, indeed, Mr. Gates. You're going to keep spewing the same old story, ignoring obvious holes in your own logic (third-party software is to blame for all security problems, true...but that doesn't mean your software should allow third-party software to install itself without the user doing a thing), denying any obvious falsehoods in your own statements (" We feel like we are pioneering an experience that to us is a clear thing most households will want." - Gates, regarding Windows Media Center PCs...I'm sorry, I didn't know you pioneered multicasting from a set-top box...I presume Linksys is paying you licensing fees for their video broadcast device, to name one alternative?), and hoping people will be stupid enough to follow it.

The saddest part of the above discourse is, Gates is probably right. People are, until told otherwise, going to keep using bug-ridden products, until they are shown that there are alternatives...I know many users who have never clicked Windows Update in their lives, and not because they've never used Windows.

I could be wrong, but I'm sensing a downward spiral, when M$ can announce things such as they did in their article, and not get negative feedback from the interviewer. Just my $0.05.

Critical assesment vs Belief

[quinkin]

It seems to me that social gullibilty has nothing to do with detection of a lie - instead it stems from the belief of an assertion with no critical evaluation. Critical analysis over unquestioning belief is a much maligned concept in most education systems.

Our children are being indoctrinated from a very early age to believe what authority figures (parents, teachers, the tv, etc.) tell them. Should we be surprised when a concept ingrained for 10+ years during the most formative childhood years translates to an easily misled populace?

Do not believe anyone. Do not believe politicians, scientists, priests, your parents, the police, and please don't believe the mass media.

Teach your children to think, not believe.

Q.

He's right, of course.

[Max+Threshold]

Downloading third-party software is exactly what gets people into trouble with Windows... especially when IE holes cause them to do so unknowingly!

Let USA Today know...

[jarsyl]

...what you think of their coverage: accuracy@usatoday.com

I just did.

Sweetest Revenge: Linux Media Centers

[randalx]

Gates: What the consumer wants is pretty clear: a single remote control that lets them navigate photos, music, videos, TV in a very rich way. They want to see that on any screen in the house and then have a great portable device where they can take that stuff wherever they want anytime. The full realization of that dream is still years away, but we've taken a dramatic step in delivering that with Media Center.

I think it'd be great if we could beat Microsoft to the punch by offering all of this and more using Linux and open formats (not WMA Bill!). It seems like there is already a lot of work in the area going on (MythTV, Freevo, Mister House, VLC) but is any of this ready to be easily set up by the average Joe? Is there any work being done to put all the pieces together. Perhaps a modded distribution geared specifically to creating and setting up a Media Center type environment. Not only could a Linux based solution put anything from MS to shame it could also force Movies/TV/Music industries to support open formats if the Linux Media Center becomes the dominant player.

Am I dreaming or can the open source community take the lead here?

Re:Sweetest Revenge: Linux Media Centers

[seasleepy]

Tada! KnoppMyth does that already.

Re:A different approach

[CountBrass]

Utter crap.

If you know your customers are going to behave "unreasonably" ie, you know, actually *use* the computer, browse web pages, click stuff, then the OS should protect them guide them etc. So why is it that Windows installs a huge sign saying "COME FUCK WITH ME I'M OWNED BY SOME TWAT WHO CHOSE TO USE WINDOWS"?

The fact that OSX can and does do so much better proves that it's Windows fault. Or are you trying to say that Windows users are a self selecting bunch of morons? For those that *choose* Windows I'd agree, but most people don't get to choose: they either don't realise there's a choice or they have Windows forced on them.

Re:Not to be behind Bill or anything ....

[Rattencremesuppe]

They have flaws in the first place because debugging an operating system is pretty difficult

IIRC, the article is about the problems in IE, which should be just a normal user-space application. I don't know how tightly they integrated their IE into the ring-0 kernel space, though ;)

Re:So let me get this straight

[CamTarn]

"What's this thing you wanted me to install, son? Uhm ... anti-virus, it said, I think? Is that safe? I mean, I heard Bill Gates on the TV the other night saying that the reason thing go wrong with peoples' computers... it's all because of third party software. Nice guy, that Gates. Good mind for business.

"What was I saying? Oh, yeah. Third party software. I dunno. My computer's running pretty slow at the moment, ever since you came over a few months ago and installed all that stuff for me. What was it, Thunderfox or something?

"I remember you tried to show me how to use it, but I prefer that Outlook program. Doesn't try and stop me doing what I want to do, make all the images in my emails broken and stuff like that.

"D'you think that that's why my computer's slow? After all, that Gates guy was saying that third party software's what makes 'em go bad. Are you sure that stuff you installed was safe? I mean, I've heard there are a lot of viruses going around on the World Wide Web...

"Maybe you better just keep this anti-virus software, and take that Thunderfox thing off my machine, and see if it speeds up any. I'll just stick to Microsoft stuff, that should be safe enough.

"Besides, I don't think I need anti-virus stuff, really. My doctor always tells me to get a flu jag, and I ignore him. Hate needles. But I've not been ill for twenty years and I'm not intending to be ill any time soon. I don't go out in the rain without a scarf on, I cover my mouth when I'm sitting on a train next to a guy who's coughing and sneezing away. Sensible, see?

"It's like that with the computer. I don't use the Internet Explorer much - mostly I just use the computer for email and typing up letters and stuff. And I've never been on this World Wide Web thing - I remember a guy at work saying that you could get a lot of viruses off this Web, so I stayed away from it. So I'm pretty safe, right?

"Anyway, I'll see you next week. Oh, and hey, while you're at it ... I have something I want you to check out when you're down at mine. There's this window that keeps popping up in the middle of my screen, telling me that my Internet is slow. It's been doing it for about a year and I keep closing it, but I got to wondering - d'you think it's right? I mean, when I use my Internet Explorer at work it's a lot faster. The little picture in the top right is different, too. Does that have anything to do with it?

"Yeah, anyway, see you next week. Sure, I'll say hi to your Mom for you. Alright, bye."

Re:How does this happen?

Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.
Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.
But even then, the machine behind can be targeted using various techniques (one is to exploit the router itself).

If you're not talking about a router, then yes, the IP of the Windows machine (like linux) is exposed which means anyone can run checks and such on services which are vulnerable.

But then it really depends on how up-to-date your windows machine is. It's still highly unlikely that it'll be exploited, unless someone (clueless person) clicks on a link to activate a virus or such through an email, or activates a service for back-door entry.

BTW, note that the jpeg flaw was fixed very quickly, and most machines weren't vulnerable anyway (such as mine).

Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.

Besides all that, since most Windows vulnerabilities aren't based on a kernel attack (unlike linux), but instead the services you have activated, you can simply disable the ones you don't need, and just be sensible about which applications you open through emails (hopefully none!).

But even after all that, a user can come along and browse the web using IE and activate some activex component, or installs some other IE component or JScript which allows entry to the machine.

If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.

I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -

* The user using the machine doesn't have admin rights,
* Windows and related networking software is kept up-to-date,
* Doesn't use IE / related mail product.

Just think of IE as a platform for malwares...

[aug24]

Bill does believe in interop, insomuch as IE provides an api to all sorts of things in Windows, like the phone number used for internet access. The api's a bit rough'n'ready, but who expects clean code from MS?!

J.

Liar!

[alfino]

"Gates: We're big believers in interoperability."

Hahahahaha!

Re:How does this happen?

[Stalks]

Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.

You may block the packets used for the DoS from getting to your PC, but your cable line will still be saturated.

Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.

Integrated firewalls in routers/modems are becoming more sophisticated than merely being nat drones. Firewall designers are aware that any response given from the firewall is unwise, therefore they are now stealthed firewalls. And the notion that DHCP can protect you .. well, no comment, lol.

Technical capability of the users.

[Confused]

Technical capability of the users.

Good industrial design makes sure, that the average user does per default the save things and doing unsafe things needs extra effort. For this reason, nearly all motorised saws and knives have clever hand- and finger guards to reduce the chance of accidents.

Microsoft and most other software companies take with the opposite approach, they just put the onus of safe operation on the user. Considering that most user don't have don't want the necessary knowledge to do that, this idea will fail.

The solution is not to educate users, but to build systems that can be operated in a safe manner by following simple and logical security rules that even my grandmother can understand.

Rules like: As long as you don't click on it, it can do no harm.

Unfortunately...

[cnelzie]

...there are many applications for MS Windows that simple refuse to run unless they have either Admin Privileges or are provided some fairly strong access to the system with the 'Power User' group setting.

Yeah, you can get away with running some applications using the "RunAs" command, but that is nowhere near as powerful or as capable as the much older *nix version of that.

Seriously though, out of the millions of people that use computers running Windows, very few of those people are even aware different levels of access to the PC and a smaller number of those folk understand that there is a utility in MS Windows called "RunAs".

Fighting the last war.

[argent]

At least twice a year Microsoft comes out with another security patch to try and block the latest holes in IE, without changing the underlying design flaws that make the explouts possible. Shortly afterwards, another hole surfaces. Everyone with a passing understanding of the 20th Century knows the expression "generals are always prepared to fight the last war": assuming the lessons learned in the last war are all that is needed to prepare them for the next. The classic example is france preparing for trench warfare all over again, caught unprepared for the German Blitzkreig.

Microsoft doesn't do that well. They're forever preparing for the first war all over again, never learning the lesson they're faced with after every new exploit.

The problem is that Microsoft is trying to use discretionary access control to implement a design that requires mandatory access control. In an environment with mandatory access control, every object (document, program, web page, email message) in the OS has its security level bound to it in such a way that an application displaying that object can have no more rights than the least secure object it has accessed. The only way to raise the security level of an object is through a trusted component that has explicitly been granted the rights to do so.

Their "security zones" can't be depended on unless the whole operating system and all applications operate on this basis. If they're not going to create a compartmentalised Windows AND make it the default configuration (and wouldn't people scream at that!), the only place they can create these compartments, these internal layers of sandboxes, is by having the applications themselves handle their own sandboxing. Remove the responsibility for trust management and remote access from the HTML control and let it merely render HTML. If the document displayed wants to access an image or stylesheet or script, run a script or a plugin or embedded component, let it ask the application for it, and let the application decide if the request should go through. Internet Explorer would let it fetch remote documents, but not run scripts or applets that weren't sandboxed, nor pass URLs or files to applications that aren't prepared to enforce the same level of mistrust. Windows Explorer wouldn't display remote documents at all. Outlook would be even more restrictive. And IE wouldn't blithely pass files to arbitrary desktop applications to open.

You can't do this by having the HTML control guess, no matter how good a guess it can make, because it's not in a position where it can actually know what rights the document should have. Only the application does.

Split the HTML control down the middle like this, and restrict IE to only running fully sandboxed applets and scripts, and there would be very little change in the user's experience. About the only thing they'd notice is that Windows Update would have to become a separate program instead of an ActiveX plugin (and likely run faster), and a few applications would need updates because they were doing dangerous things. There would be an enormous improvement in security, though, and Microsoft could quit wasting time on fixing the unfixable and get around to working on the NEXT war instead.

The whole attitude makes me angry

[zerojoker]

Q: Speaking of security, Internet Explorer has had well-publicized holes ...
Gates: Understand those are cases where you are downloading third-party software.

This is just a lie. I wonder if he really belives this bullshit.

Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

And here you can see that the whole attitude towards the security is weird at M$. I mean I don't want Anti-Virus or Anti-Spyware Software from Microsoft. I want the structural problems of Windows solved.
If you start MacOS X the root user is disabled per default. That is why Spyware doesn't have a chance. Even the most stupid user will think twice if he has to enter his system-password if he installs Software. Same with Linux. The whole Spyware-thing would be much much less trouble if the default install of Windows would create a user account.
And Windows has these capabilities. But at the moment this feature ist pretty much unusable because most of the software vendors don't give a shit about multi-user install. And why do they do this? Because M$ creates a default Admin-Account anyway. If M$ would change that, the software-vendors would adapt very quickly, like they did with SP2.
Same with Firewall: First install zillions of services which most of the users don't need at all. And instead of swichting these services off per default, you create a Firewall to fix it.

It's the whole "If we have to decide between usability and security, we will always go for usability" approach that bothers me...

Bill declares: Monopoly not Microsoft's fault....

[Roskolnikov]

After all, our customers had a choice.

Just to get the question of bias out of the way, I'm typing
on an Apple laptop.

Twice this week I've had to help customers either remove or
completely rebuild/restore Windows because of spy/malware.

In the first case the machine was 'enhanced' with a 'search-bar'
that replaced key parts (read dll's) of IE, removal of this
'enhancement' would render the machine unuasable, while
this software was installed previous to installed SP2 and the most recent batch of Microsoft issued security patches it none the less went undetected by the OS and was only found when NAV was ran.

Now I understand that Microsoft has argued that what you add to IE is your own fault and to some point I agree, but only in
the case where you realize your installing software; If you install fast freddy's pronfinder tool bar you most likely want others to watch you. But Microsoft should concede that the browser, which they've stated is truly part of the OS should be treated wtih more care then if it were just an application (as it should be).

Given that security usually comes at the cost of some
ease of use; Microsoft has choosen to make its OS easy and
at the same time they choose to ignore the customers demands
for more secure default for firstrun. It would not be hard to lock the machine down until its had a chance to check for patches/updates/service packs (call them what you will).

Recently I've read about motherboard manufacturers building appliance style firewalls into their onboard ethernet, sounds like a cool option but they're doing it because their primary audience *NEEDS* it, and truly this might be best for all of us, so long as the filters can be configured to curb outbound traffic as well.

This is great!

[emtboy9]

I just love this kind of stuff... I mean, these interviews are the things that comedy routines are made of...

Q: What's your take on making Windows Media compatible with Apple?
Gates: We're big believers in interoperability. We've stated very clearly that if Apple wanted to support interoperability, we'd make that super easy for them. The notion that a single device is all anybody is going to want is sort of like saying the Model T is the end of everything.

That just rules! We believe in interoperability, as long as you bow befor us! Kneel before Zod, errr... Bill! It is almost laughable, if it weren't so sad, to hear Bill Gates saying bad things like the above quote. Isnt what he accuses Apple of EXACTLY what Microsoft has been pusing the world to for years? What is the difference between being the sole supplier of iPods and iTunes (which Apple is) and being virtually the sole provider for desktop OSs, and using such position to force the adoption of "standards" that favor MS products.

Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

Funny, thats the exact thing that was said about web browsers before IE became so ingrained into the Windows code base that its pretty much inseperable... Its amazing... it really is. Its like, his lips are moving, but the words coming out dont match the movements. Just like a poorly dubbed kung-fu movie.

Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?
Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.

Ummm... if that is the case, if I were Bill, et al, I would be demanding a refund on the IE "security" expenses...

"Never Trust Microsfot" Re:No thanks

[lee+n.+field]

but I accidently checked the "Always Trust Microsoft" box during an install a few years ago. If only I could turn back time

Why isn't there a checkbox for "never trust Microsoft"?

Internet Explorer is Fine!!!

[citsacras]

Yes, Internet Explorer is a 100% safe and secure product. Its only when you use it browse web sites that it becomes vulnerable and dangerous.

Re:Internet Explorer is Fine!!!

Um, I know that this is supposed to be a humorous commentary on the obscene vulnerability of IE (dubbed Internet Exploit me), but the actual truth is even worse. The notion that IE is safe until you use it to browse web sites isn't strictly true. IE becomes unsafe the moment you boot into Windows while connected to the Internet. I've become quite adept at disentangling spyware and malware from a good number of the thousands of desktops my company uses, and I can assure you that IE doesn't even have to be fired up for malicious programs installed in it to run. In fact, if not properly "patched" and firewalled, IE doesn't even have to be running for spyware and malicious logic to get installed in it.

A truer statement would be that a Windows computer is completely safe until you plug the power cord into the wall socket.

And once again, Windows is never to blame.

[mrb000gus]

"YOUR SYSTEM has become busy or unstable."
"THIS APPLICATION has stopped responding."
"Because Windows WAS NOT SHUT DOWN correctly..."

etc etc etc - never once have i seen it admit "Sorry, but Windows just crashed."

So no surprise to see that once again, the blame is on the user and/or the applications installed.

Could he explain

[BCW2]

Why a fresh install of XP puts at least 11 instances of Alexa (known spyware) and 5 DSO exploits on a box? Try it, install XP and then Ad-Aware and Spybot. Run them both and see the results. No computer that comes into or is built at the white box store I work at, leaves without those two programs installed. Yesterdays updates put 3 instances of Alexa back in.

Lead Taken

[twitter]

Is there any work being done to put all the pieces together. Perhaps a modded distribution geared specifically to creating and setting up a Media Center type environment.

Yes, Angula. I've seen Demudi run off CD Live with zero configuration. It worked well on a 1GHz class computer. Show me a CD from M$ that does half as much.

Knoppix does some of the same.

Mepis also does much of the same but comes with non free goodies like Flash, Real Audio and a version of Xine that plays WMF.

I also think that players like Xine, Noatum etc. have been able to play non free formats for a long time. While it sucks that companies continue to make devices that use such nasty formats, it sucks even worse to not be able to use all those toys. Free software is more than up to the challenge. Sooner or later, those companies are going to turn to free formats as it's cheaper and better.

Re:How does this happen?

[rben]

If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.

I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -

• The user using the machine doesn't have admin rights,
• Windows and related networking software is kept up-to-date,
• Doesn't use IE / related mail product.

No, Windows is not just as secure. The point is that there are lots of script kiddies constantly scanning the range of ports used for cable and dsl networked computers. Once they get a response, they scan all the ports on that IP looking for open/vulnerable services. They target Windows because the vast majority of computers on the Internet are running Windows. Look at all the posts in this thread. You can find numerous accounts where Windows computers were infected within minutes of being connected to the Internet.

It's possible that Linux/Unix would be far less secure if it received as much attention from the hacker community, but there are some good arguments that it wouldn't be. Linux/Unix has been a part of the Internet since it was first conceived and the programmers that have worked on Linux and UNIX have generally been more aware of networking and security issues.

Linux has a much more modular design than Windows. Windows has been tightly integrated on the basis of Marketing and Legal rather than Engineering decisions. I doubt that Windows will ever be secure without substantial redesign of the entire OS. Unless Microsoft is successful at throwing up legal roadblocks, Linux is going to continue to outstrip Windows in security, reliability, and eventually usability.

Did nobody else notice...

[megalogeek]

Did nobody else notice the complete lack of information in that interview? It seemed to me that Gates had two major responses:

1) We're looking into that and we're going to do it better than everyone else.
2) We suck at that so we're pretending to look into it, but don't expect any actual products.

There was no real information there. Reading that interview was a complete waste of my time and bandwidth. What a complete piece of shite. Whatever happened to hard-hitting journalists that won't let CEOs and others like them just dodge every question?

Then again, what can should I have expected? Fantastic answers to interesting questions? Gates can't really say anything because there's nothing to talk about.

Interviewer: Blah, blah, blah?
Gates: Blah, blah, longhorn. Ooh look, shiny thing.

Hmpf!
*grumble, grumble, grumble*

--James

re:

[Fringex]

Everyone says this and that about IE. A good portion of it is true and some not true. User error can't be counted out. If you download a virus without virus checking it, then yes you just got screwed. However my friends... there is a solution. Mozilla. See I used to be a fanatical IE5.0+ user. I defended it to the ends of the earth. Then ofcourse my buddy showed me what mozilla could do. I am so damn addicted to tabbed browsing. I would say the main reason I switched a good while back was that Mozilla had a built in pop-up blocker and IE didn't. Another interesting switch story was that of my fiance. She used IE 6 for a great deal of time. I tried to get her to switch but she never wanted too... that is until, the trojans started happening. Her virus checker was finding about 6-7 trojans a day and she could never figure out why. So I switch her to Mozilla to see what happens. After 3 months she has not had one trojan. Not one. I think that says alot in itself. As minorly thrilled about Mozilla as she is, I can say she is happier that her computer is now virus free.

Re:root accessibility

[kawika]

Not to make excuses for it; basically, your average worm or spyware program will be able to propagate and do bad things as a Limited User, but it won't be able to persist on the system. Reboot and it will be gone.

Newer spyware and viruses work just fine as limited users. Remember that their job isn't usually to take over or destroy the system, it's to monitor users and/or send mail. They don't need to be root to do that. Even as limited users they can install in an XP user's Application Data directory and start themselves at boot time by something as simple as a Startup folder entry.

You're forgetting the biggest counterexample

[Weaselmancer]

Developers, developers, developers.

You know, the guys who come up with third party software. Last week, your allies. This week, your scapegoats.

Media Data

[nurb432]

And how do you propose several hundred million people get their news, and know its 'fact'?

Reember they have lives, and that they dont live anywhere near the records, which are often kept from the average citizen anyway. ( perhaps not techincally restricted, but the artifical barriers that have been erected serve the same net result )

And btw, the same goes for your totally OT statement about Senator Kerry, appears you dont know diddly either.. Start reading his public voting records and then compare them to what he says.

It should be easy, he tended not to show for work too often.

Or just listen to televised debates, and actually listen to what he says from sentence to sentence.

Where did you get your 'facts', from another biased news service i bet?

( and no, i dont claim his main opponent is any better.. before you go blame me of being biased )

Yeah right

[bitswapper]

Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service.

Imagine if automakers charged to offer seatbelts and brakes as a service.

Great answer

[hotspotbloc]

Gates: 'Understand those are cases where you are downloading third-party software.'

An answer befitting a reboot/reformat monkey.

From all those people that have struggled with your crappy software over the years I say a hardy "fuck you and fix your shitty products".

Re:How does this happen?

[GlassUser]

Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.

Whoever told you that didn't know what they were talking about. Most users create admin accounts for themselves (or use the one admin account created) because they can't be bothered to go root to install something.

Excuse Me??? Where have you been under a rock?

[IAmAMacOSXAddict]

Every copy of windows since 98 MUST USE IE!!!!

You may not use it openly for for browsing the internet, but it is so embedded into the OS that it cannot be removed (just double click on your "my computer" icon and it is IE that browses the hard drive). Don't you remember the browser wars? this was Micro$ofts way of making sure their browser is installed into the OS no matter what.

Gates got spyware himself!

[celerityfm]

So Bill your saying it was your OWN fault?

It's also a problem that has affected Gates personally. He said his home PCs have had malware, although he has personally never been affected by a virus.

"I have had malware, (adware), that crap" on some home machines, he said.

remember?

The roof won't leak, unless it rains

[walterbyrd]

Isn't windows supposed to work with 3rd party party apps? If so, then msft can't excuse msie security flaws because users dared to use a 3rd party app.

not funny.

[Bill,+Shooter+of+Bul]

They are for interoperability when it will make them money, and against it when it won't. Duh. No contradiction here,hence no funny.

Re:How does this happen?

[ztirffritz]

Many Windows programs won't function unless you're an admin. Knowing that most users have admin level permissions, they write their programs making that assumption. I've tried locking down Windows users by giving them lower permissions and half of the programs don't work because of read/write access errors. I can make it work by finding all of the folders that the program calls and resetting permissions, but this kind of defeats the purpose doesn't it?

Different Alexa

[CharlesDonHall]

That's not the Alexa toolbar; it's a Microsoft "feature". If you click on "Tools/Find Related Links" in Internet Explorer, it does a search via the Alexa website. (And brings up a sidebar which gives you the option of downloading the Alexa spyware.)

So in a sense it's harmless; it's just a built-in web search. But it's generally considered to be spyware because of Alexa's reputation.

It probably got installed when you did the Internet Explorer update. I think you get it out-of-the-box when you install XP.

More information here: http://www.imilly.com/alexa.htm

Cows and bulls

[Frobean]

Q: What's the difference between a cow and a bull?

A: The bull smiles when you milk him...

Self-knowledge.

[master_p]

"More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change"

I am not surprised at all from the above statement. After all, IE has the biggest security problems, so it is natural that IE had the biggest expenses in making it secure.

Re:[Slaps forehead] Of course!

[dick+johnson]

A better example would be of a home builder saying, there's nothing wrong with your roof, it's the rain causing the leak!

Somewhat incorrect.

[khasim]

My Linux box is "targetted" as frequently as any Windows box.

Of course, since most of those attempts are from compromised Windows boxes, looking for other unsecured Windows boxes, the attacks don't get very far.

It just that the overwhelming majority of compromised machines are Windows machines that are now looking for other Windows machines.

I {Heart} Windows Secutiry Flaws

[MrElcee]

I make good bank flushing spyware/malware from constipated PCs. My kids eat and I get to buy myself toys. I hardly ever see a Mac come in unless it has a hardware failure.

Make windows secure and I'm going to need a real job.

(Written on an iMac)

Re:Spin is just spin

[HTH+NE1]

"It isn't pollution that's harming the environment. It's the impurities in our air and water that are doing it." -- Dan Quayle

Re:Spin is just spin

[rikkards]

Is it MS fault that a 3rd party app needs admin to run? Install yes but run? I would say so if all applications needed that permission. Lay the blame where it is deserved. The application developer not Microsoft (for once).

Don't some USB drives have locks?

[SuperKendall]

I thought some USB drives had a "lock" switch that prevented writing. That seems infallible.

The basic idea is a really good one. It adds anothe rlayer of defense, as how many spyware and virii REALLY are going to try and write to mozilla.exe?

People should make more of a distinction between what is possible and the reality of what is around now. A number of people act like because you COULD write spyware for OS X or Linux, that there's no point in switching - when the reality is Windows is the only system you have to deal with that crap right now and it will probably be years before anything hits the other systems.

Product names

[TakaIta]

What strikes me all the time when it comes to Linux products: all names are so very geek. Does anyone really think that such names give a feeling of trust, or awaken the will to try something out? At least Microsoft knows how to make people understand what a product does: IE = Internet, Media Player = Media Player, Messenger = Messenger. Open Source projects often chose some strange recursive acronym which is unpronouncable (how do you tell your friends: spell it out every time you mention it?), and suggests that insiders knowledge is not only preferred but required to use it. Also very often the webpages don't tell you what the application is about at all. Look at the mentioned http://www.agnula.org/ project. It does something with Audio presumable, but the main thing i remember is that it is funded by the EU. Now that is not a reason to try it out.

Just the names that MS gives to applications give them a very very big advantage over Linux Open Source applications.

Re:Spin is just spin

[humina]

Sorry but that isn't dan quale. Although Dan Quayle said some dumb stuff:

"Welcome to President Bush, Mrs. Bush, and my fellow astronauts."
"The future will be better tomorrow."
"We have a firm commitment to NATO. We are part of NATO. We have a firm commitment to Europe. We are part of Europe."