IE Holes Not Microsoft's Fault, Says Bill

thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?

No thanks

[BWJones]

Gates: Understand those are cases where you are downloading third-party software.'

Hrmmmm. Downloading third party software on my Macintosh does not seem to get me into trouble in the same manner as it does on Windows........Why is that Mr. Gates? Furthermore, I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

Moving along: Q: Might you add anti-virus/spyware protection in Windows? Gates: It's not a thing you build in. You have to offer a service......Why is that Mr. Gates? I would have thought that you would offer a secure environment as part of your product out of the box? What does that tell us about the quality of your products? After all, does not my automobile come with airbags and antilock brakes and skid control and all wheel drive? Under your logic, those features would only work if I paid a monthly premium.

You know, I kept waiting for something better to happen with Windows, but I have work to do and things to create, so I'll stick with OS X and my Macintosh. Thanks anyway.

Re:No thanks

[mibus]

It's just a matter of scale.

A pristine WinXP box will be compromised in 20 minutes (on average).

I'm still waiting for my unfirewalled 'nix box to be rooted ;)

Re:No thanks

[notthe9]

I have performed the experiment: Install Windows on a computer and hook it up to the Internet. Leave it hooked up without downloading one bit of software from anywhere! and the machine will be compromised. Why is that Mr. Gates?

Impossible! You must be lying!

(Sorry, I realize this mihgt not be defensible, but I accidently checked the "Always Trust Microsoft" box during an install a few years ago. If only I could turn back time.)

Re:No thanks

[grcumb]

"I'm still waiting for my unfirewalled 'nix box to be rooted ;)"

Oh, it won't be rooted... again. I've tightened things up nicely, now.

P.S. Thanks for the porn!

Re:No thanks

[strider44]

Of course the simple solution is not to run under admin. I like the way that linux actually forces (well it doesn't but severly recommends) the user not to run something under admin. Then again usually for newbies spyware can be installed as easily as

Installation Instructions
1. Login as root
...

Re:No thanks

[strider44]

*sigh* having more market share is not an excuse. Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes.

Re:No thanks

[asadsalm]

Q: Might you add anti-virus/spyware protection in Windows?

Gates: It's not a thing you build in.

Us: But a browser is a thing you can build in ... Right?

Re:No thanks

[bakes]

I think I remember a recent /. story that said the average was now down to about 12 minutes.

But, maybe SP2 takes it back out to 20mins.

Re:No thanks

[mikkom]

Most of the servers are unix boxes that are connected to internat and many of them don't have firewall. Simply because there are no services that need to be firewalled.

Windows instead has many "default" services that you can't turn off.

Re:No thanks

[ajd1474]

If MS included Anti-virus, serious Firewall software and whatever else you feel they should include to make it "secure", you'd be the first person up in arms claiming it to be another example of MS using their monopoly to push out competitors.

Everyone wants MS to remove things like CD-burning, Media Player, IE etc because it is anti-competitive and now you WANT THEM to build MORE APPS IN??

Also, motor companies do NOT make Airbags, ABS and skid control... they are usually made by third party companies (Bosch for example). So are you suggesting that Windows comes bundled with Norton Antivirus/Firewall, that you shouldnt get a choice, and that we should add another $50 to the cost? Sounds anti-competitive to me. Sounds like you're another /. er who trips over their own arguments in an effort to be the first to bash MS.

Re:No thanks

[stephanruby]

"*sigh* I'm talking about viruses and malware, not remote exploits - don't worry though, I'm used to people mixing the two up. "

He wasn't criticizing what you said, he was criticizing your reasoning behind what you said. If what you said is true for "viruses" and "malware", why wouldn't it be also true for "remote exploits"?

It sounds to me like you came up with an overgeneralization and now you're trying to rationalize it in face of contradictory evidence. *sight* You can be as impatient with us as you want and you can patronize us all you want, but your backtracking rationalization about the technical proficiency of users doesn't hold much water. For me, the only reason I first installed Apache was because I had no clue about how I could install Microsoft's Personal Web Server. I suspect it's the same for most users. Apache simply worked out of the box, that's it magic and that's partly why it has the biggest marketshare.

Re:No thanks

[aichpvee]

You're obviously very confused. The *nix box "can" be compromised, but probably won't be. The windows box "WILL" be comprimised, and in a matter of minutes.

Whether things would be reversed along with the marketshare, it's impossible to say. But there's really no way anyone can do it worse than what microsoft is doing.

Re:No thanks

63.161.169.137

Take your best shot, kiddie!

Re:No thanks

[shut_up_man]

Ah, I see - It's our fault for using those nasty third party viruses and worms. We should be sticking with the official Microsoft virus and worm family, that are, by a massive stroke of irony, totally harmless to our systems.

Apparently the upcoming version of Windows will have enhanced official viruses too, that do even less but will need significantly more powerful hardware to run.

Re:No thanks

[tuxlove]

You're not playing devil's advocate, your point is just irrelevant. The original poster's point is that there are plenty of security holes that have nothing to do with downloading third party software. You can get compromised by reading your email, visiting websites (there are dozens of known vulnerabilities) or even having your computer sitting idle on the Internet, all of which have nothing to do with downloading third party software. A firewall is moot for the first two, and irrelevant for the third, because as soon as you take away the firewall the machine's toast w/o downloading a thing. Putting a NAT router in front of Windows doesn't fix it, it just masks the problem Bill Gates says isn't there.

Re:No thanks

[Ilgaz]

Maybe the reason is different?

If you would steal a car, would it be Toyota or BMW? I mean, if I was a haxor trying to steal someones CC, it would be $3000 dual G5 owner rather than $500 Taiwan OEM owner.

Or... Something real interesting showed up when I check my Internet Plugins folder (Yes, mac IE even uses Netscape plugin arch)

cable25-100:/Library/Internet Plug-Ins ilgaz$ ls -l
total 72
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 DRM Plugin.bundle
drwxrwxr-x 3 root admin 102 6 Jul 22:00 Flash Player.plugin
-rwxrwxr-x 1 root admin 963 22 Jul 17:09 Java Applet Plugin Enabler
drwxrwxr-x 3 root admin 102 22 Jul 17:23 Java Applet.plugin
drwxrwxr-x 3 root admin 102 31 Aug 05:17 JavaPluginCocoa.bundle
-rw-rw-r-- 1 root admin 4752 22 Jul 17:09 NP-PPC-Dir-Shockwave
drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin
-rw-r--r-- 1 ilgaz admin 0 15 Oct 11:42 RealPlayer Plugin.xpt
drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin
-rw-rw-r-- 1 root admin 856 22 Mar 2004 flashplayer.xpt
-rw-rw-r-- 1 root admin 2394 1 Apr 2004 nsIQTScriptablePlugin.xpt

Look which companies plugin is installed in awful insecure way?

Microsoft!

While at it, if you don't have "spyware" concerns, as a admin user, go to www.pcpitstop.com (in fact, they aren'T spying) and run their tests...

See the amazing things ActiveX can do! Thats the root of problem.

Re:No thanks

Yes, and your wife is very attractive, keep up the good work. I only want to know who those other women are.

Re:No thanks

[Atrax]

Yes, Age of Mythology requires admin rights. Good game too.

This KB article makes a passing mention of this, but doesn't tell you which games require Admin privs.

Really I think this is just bad design - they could be written to operate normally under non-admin accounts, but ren't. and it's not just games - numerous applications on windows do this for various reasons (registry access/file access etc..)

Re:No thanks

no sex *and* no porn. you poor b*stard. Divorce her and join a monastery, it'll be easier and cheaper ;)

Re:No thanks

[bickerdyke]

No no.. Bill is completly right.

All those viruses, dialers and worms comming in via email, malicious websites and so on, ARE Third party software indeed.

Or is WinXP now delivered with preinstalles Melissa-Virus?

Re:No thanks

[Shokac]

I suggest that M$ removes all IExplorer, WMplayers, CD burning etc. software from Windows, and sell them for $10. The price is reasonable becouse you don't need to pay extra developers fot this stupid programs. Then we will have free comptetition market, and choise. Maybe then M$ Windows would be on any PC.

Re:No thanks

[shintaro]

Please do not try to reason with the /. crowd when it comes to MS. Just say no!

Re:No thanks

[thepoch]

Argh I'm beginning to sound like a broken CD lately, having to always repeat myself.

It isn't only that Microsoft doesn't even try to tell people that using Admin all the time is bad. It's also the stupid developers that never test their software with non-Admin accounts. And don't even start to talk about RunAs. That's broken as well for most apps.

The only way for all this nonsense to hopefully be worked out is if Microsoft forced developers by making the default account a "User" account. Not even a "Power User" as that's pretty lame as well. Then every app out there will be forced to store their settings in the user's respective "Documents and Settings" folder. At this time, a lot of apps still store settings in either C:\Program Files\ or in HKEY_LOCAL_MACHINE. I'd rather have it in my own C:\D & S\username\Application Data folder and in HKEY_CURRENT_USER. This makes it more similar to *nix where it stores all settings in my /home/username in .files or .directories.

Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.

Re:No thanks

[Asprin]

For what it's worth, Ubuntu actually disables the root account by default so you have to sudo everything.

(I'm sure other distros do that too, but Ubuntu stands out in my mind because I had to wrestle with it unexpectedly over the weekend.)

Re:No thanks

[Ford+Prefect]

The example you're using is a directory, not a file. According to your logic, Apple's Quicktime plugin is also installed insecurely.

Quite a few things on MacOS X are directories, even though they appear as single objects in the Finder (applications are a good example of this).

It's more the Unix-style permissions you should be looking at:

drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin

Directory, owner (root) can read, add to, delete from and list contents; group (admin) can read, add to, delete from and list contents; everyone else can read and list contents.

drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin

Directory, owner (ilgaz) can read, add to, delete from and list contents; group (ilgaz) can read, add to, delete from and list contents; everyone else can read, add to, delete from and list contents.

So, basically, any old user could delete some important executable file from the Windows Media Plugin directory and replace it with one of their own. It's not even got the root:admin user stuff like a normal system file...

Re:No thanks

[skraps]

That is a fringe example and doesn't have any effect on the main thrust of the argument. Making the boot media read-only in an effort to stop security holes is like cutting off your legs so that you won't accidentally stub your toe. You are right that Microsoft will never provide that as an option - because it doesn't make any sense for ordinary use.

Re:No thanks

[Mike+Morgan]

I thought that that would work too. I set my mom up as a restricted user under Windows 2000. After about 6 months the machine was clogged with spyware and would no longer dial.

I wrote a program to detect what directories were still writeable as the restricted user, turned out to be quite a few (even including C:\).

Re:No thanks

[DigitumDei]

What people fail to realise, is that if we had all listened to Bill in the beginning and realised that the internet was not going to get big and thus never "forced" him to destroy netscape, we wouldn't have this problem. ;)

Re:No thanks

[doob]

I'd venture to say most people who use OS X are logged in as admins.

Even if this is true (but may not be, see below) being an admin under OSX is very different than being an admin under Windows. On Windows, you have rw permissions on everything, whereas under OSX, all it means is that you are in the sudoers file. This means that in order to do anything dangerous, you still need to type in your password again to gain (temporary) root privs.

Can someone else comment on how the OSX install/add user process prompts you to set up permissions. AFAICR the user is set up as a normal user first, and you then have to explicitly go to the user manager and give them admin permissions. Very different to Windows, where you are prompted to set up an admin user as part of the install process!

Re:No thanks

[ewg]

Mac OS X is the same way, FWIW. sudo only, from accounts with appropriate permission.

Re:No thanks

[ultranova]

Unfortunately, running as a normal user won't do any good in a single-user system. After all, you have the right to access your own folders, and thus are still vulnerable to malware which installs there - you just can't pollute other users with it.

Linux isn't immune to this problem either. It was designed to sandbox users from each other, but a single normal user will find it difficult to sandbox individual processes. Any process running at my privileges can access all my files, install cron jobs to be run automatically at machine boot, etc.

A real solution is a fine-grained permission control. For example, a Web browser should be able to read it's configuration files and plugins/extensions, connect to any Internet address, and write to the bookmark file(s) and download and cache directorie(s). It shouldn't be able to do anything else. If there was an easy way to do this, even if the browser was compromised by a web site, there wouldn't be much that site could do. Especially if you could set the bookmark and configuration files to be stored as a "journaled" file, which would record the changes to it and allow returning to any given point in time. Obviously, you'd also need to move any downloaded files away from the download folder and check them with MD5/SHA1 checksums to avoid tampering (but how do you get that checksum, if you suspect your browser has been compromised ?)

I'd imagine something like this could be done with relative ease with Hurd, since one of it's design goals is to allow each user to replace parts of the operating system (even the file systems) with new parts without disturbing others. So you could install a translator to control access to your home directory or any subdirectories (but of course such translators can also be removed by programs runnign with your permissions - that's one permission that should be droppable).

An alternative way would be to allow users to build and set up "subusers" - simply add 32 bits to processes (and files) user id. The complete id would then be in the form of userid.subid. Userid.0 would have all the rights of the user, while userid.1 would be a "subuser" and have limited rights (the system would basically make userid.0 the root of his own home directory). This could also be generalized into a hierarchical authority tree, allowing individual programs to run parts of them as more restricted users (for example, a p2p-application could generate separate processes for managing file storage and network connectivity, allowing the part that touches the network to run without any access to filesystem and thus reducing the likelihood of a bug in it from causing damage).

To summarize: the traditional access controls are designed to protect users from each other. This is not enough. A single unprivileged user needs an easy way to make sandboxes for programs to run in. If the computer is a house divided with walls to different rooms for each user, then all those users need the ability to further subdivide their own rooms with more walls, and they must be able to make/remove those walls without help from the janitor (administrator).

Re:No thanks

[jadenyk]

Well, it's pretty easy to make a Windows box that can not be compromised as well.

Remove the power cord.

Re:No thanks

[Darby]

Wouldn't a male cow be a hermaphrodite?

A note to all dairy farmers:

Please be very careful milking your hermaphroditic cows.

Thanks you.

Re:No thanks

[tomhudson]

What people fail to realise, is that if we had all listened to Bill in the beginning and realised that the internet was not going to get big and thus never "forced" him to destroy netscape, we wouldn't have this problem. ;)

It's not just IE, it's the whole Microsoft product line. Even DOS was prone to viruses. The only MIcrosoft product that doesn't have an exploit *yet* is their keyboard.

Re:No thanks

[Christianfreak]

The optical version will exploit your eyes if you turn it upside-down and look into it.

Re:No thanks

[innerweb]

Ignore the parent to this. Read why below.

May have downloaded spyware...

And they are not compromised? Spyware is often as bad or worse than most viruses. Most spyware sits in the background degrading your systems performance recording things that you do, from where you visit to what you type. Spyware is invaluable to crime. If you want to steal identities, accounts, etc., spyware is an invaluable tool.

I wonder who they use for a service provider, and what kind of connection they have. Almost 100% of the Windows machines I have seen hooked up (insightBB, comcast, onenet, SBC, and other smaller companies) on everything from cable to dsl to dial-up have been infected within hours at the most(the slower and more sporadic the connection, the longer the infections took.) It may be that they are being protected by their service provider or some dumb luck combination. I seriously doubt they have some special version of windows that does not have the compromises that all other versions have.

Spyware is becoming one with viruses. The difference is that most script kiddie "virus writers" want you to know they own your box (or defaced it/erased it), whereas most criminal intent wants you to know nothing at all. Their fruits of labor will not be realized if you take actions based on their intrusions. After all, if you change your card/account number or passwords, how can they use it?

Proper spyware (with criminal intent) would install itself collect some information and then delete itself, leaving no trace or suspicion behind. By doing this, they get information and leave no clues to tip off the victim. Once the cards are used, the account tapped, or whatever else they intend to do (identity theft for instance), they no longer need your system anyway, and the damage done is to late to prevent. Try telling companies that you are no the one that ruined your credit rating.

InnerWeb

Re:No thanks

[Prince+Vegeta+SSJ4]

What people fail to realise, is that if we had all listened to Bill in the beginning and realised that the internet was not going to get big and thus never "forced" him to destroy netscape, we wouldn't have this problem. ;)

Darth Gates: Everything that has transpired has done so according to my design.

Moz Skybrwoser: Your overconfidence is your weakness.

Darth Gates: Your faith OSS is yours.

Darth Gates: Everything that has transpired has done so according to my design. Your friends, up there on the sanctuary website, are walking into a trap, as is your OSS Community. It was *I* who allowed the Alliance to think IE was full of holes, It is quite safe from your pitiful little band. An entire legion of my best coders awaits them! Oh, I'm afraid IE Longhorn will be quite operational when your friends arrive.

Darth Gates: As you can see, my young apprentice, your friends have failed. Now witness the DRM of this fully armed and operational Operating System!

Re:No thanks

[shotfeel]

viruses and spyware are not "software"

Well, they're sure not hardware...

They are peices of bad code

Bad or not, if its code, its software, and it is 3rd party.

Personally, I would have modded the grandparent "Funny" if anything. Its the same thing I thought. Technically, it is all 3rd party software that's being downloaded...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Uhhhh...

[Capt'n+Hector]

Yes, viri, trojans and spyware tend to be third party. The problem is, IE lets you download these and execute, sometimes by just viewing a page.

Re:Uhhhh...

[plover]

This one reminds me of the old Yakov Smirnov joke about a Soviet visiting America:

"Now that you're in America, if you need to get the police on the phone, just dial 911."

"That's nothing. In Soviet Russia, we don't even have to dial."

Easy to assign blame

[onyxruby]

If I did something, than it's my fault. If I didn't do something, and didn't apply a patch that was available, than it's my fault. If I didn't do something and it happens automatically with default settings, it's Microsoft's fault.

Sick and tired of fixing spyware infested machines.

Re:Easy to assign blame

[plover]

Then you should use Portable Firefox on a flash drive at school. Jack in the thumb drive. Run PortableFirefox. You get to bring your own bookmarks and cookies with you, and leave nothing like log files behind. And 32MB drives are available for about $10.00 (check the clearance bins at places like Micro Center or wherever.)

Re:Easy to assign blame

[Soko]

What's to stop a spyware/virus-laden school PC (those have to be the worst) from infecting your your Firefox .exe, and then having you bring that home with you?

Ahem...

C:\>attrib +r D:\*.exe
C:\>attrib +r D:\*.dll

...assuming D:\ is the USB key, before you plug it into a Windows machine. You can also set the read-only attribute via right clicking on the file in Explorer and going to properties (obviously, on your own, hopefully clean, Windows machine) There, all better now.

To the grandparent: Thank you for pointing that project out. It truly shows that having the source code to software open and available can lead to all sorts of interesting - and very useful - things.

Soko

Rubbish!

[Any+Web+Loco]

Those holes are what LETS third-party software install its freaking self.

Third-Party?

[Machitis]

I wasn't aware Windows Update was third-party software...?

Bill Gates lecturing about security...

is like Tony Soprano lecturing about law and order..

Re:Bill Gates lecturing about security...

[Whizzmo2]

"I'm John Kerry, and I approved this plagiarism".

software, eh?

[crackshoe]

Q: Yes, but will people continue to do that with Media Center? Gates: You might well do it. We need to use approaches that block people from ever getting software onto the machine they don't want. Me: Great. Now let me get a PC from a major OEM without windows - oh, not that software?

Bad programming model

[John+Hansen]

So, pray tell, how is making a horribly insecure third-party application model (DirectX) and then complaining about how people are exploiting it supposed to hold water? YOU ARE THE API DEVELOPER. IT IS YOUR RESPONSIBILITY TO ANTICIPATE POTENTIAL ABUSES.

Because if I'm reading this right, then that's exactly what Gates is doing. No wonder Microsoft's products are so shitty; they think that security is something that happens to other people.

What's that I hear dying?

[MoralHazard]

Sounds like Microsoft's Trusted Computing Initiative isn't getting as much executive support as it might've.

Remember that, Bill? When you said you were going to make all the Windows computers secure by focusing all your energies on securing your code?

Now, it's not your fault, and you won't do anything to fix it? Then why on earth did you tell everyone that you would?

Re:What's that I hear dying?

[saskboy]

Well, don't blame Microsoft. It's up to 3rd Party software companies to provide security to Windows, such as Symantec, McAfee, and Zonelabs. Oh, but wait, Gates also said that 3rd Party software is Responsible for the holes in Windows software. Now I'm confused.

3rd Party Software. The Solution to, and Cause of all of Windows' problems.

The more I look at B. Gates...

[ATAMAH]

The more he reminds me of my ex girlfriend. As in - he is just as greedy and his side is never at fault.
Although he is much uglier and....male.

Re:The more I look at B. Gates...

[darnok]

> The more he reminds me of my ex girlfriend ...
> Although he is much uglier and....male.

and not just a figment of your imagination ;->

I'm so sick of the lies

[gad_zuki!]

I hear them from the Bush administration almost daily and corporate america is getting a lot more brazen. No one fact checks, dissenting opinions are marginalized, and the corrections page doesn't have nearly the eyeballs the front page does. And that's assuming a correction is ever given.

This is the same mentality of shipping a crappy product and having tech support take care of the issues. Okay, fine, at least I have someone to complain to and I can return products, but with information you don't have that option. You complain to your peers, who are just an echo chamber. The fact that lying usually goes unchallenged in media makes for bigger more destructive lies.

The browser has holes, its a piece of software. This is way over the line. How did the information age become the disinformation age? Perhaps we officially entered the post-postman world where everything is a soundbite that flies through the subconscious and sticks there. Long corrections don't have the same stickiness, so lying is now smart business.

Keep it up Bill, you're making my next Apple purchase all the sweeter.

Disclaimer for the mods: Yes, many politicians lie. Apple isnt perfect, etc. But there is a difference between small and big lies. Lies which are harmless and those which cause destruction.

Re:I'm so sick of the lies

[killjoe]

The problem lies directly with the American people.

First of all they are utterly clueless and can't even discern between the truth and a lie. They are pretty much programmed to accept whatever somebody on the tee vee tells them.

Look at this (or any other election) for example. Is Kerry a flip flopper? Is he a coward? Did he get his metals from self inflicted wounds? Ask your typical american and they will say yes. Press them for details and you'll realiize they don't know shit, they are simply repeating what they saw on television commercials.

Same with Gates and Company. Ask yourself. Have you ever heard or read an interview with Ballmer or Gates in which they didn't tell at least one lie? Not a minor one either but a blatant out and out lie. They people are habitual and pathalogical liars. They will continue to tell lies until the press calls them on it. Since they buy lots of advertising don't hold your breath though.

Re:I'm so sick of the lies

[_xeno_]

The annoying thing with the media today is that they just report on what someone tells them to. What I mean is that they'll just rehash the talking points or press releases that are sent to them.

So you see things like "Bush said this, and Kerry said that." Which is 100% true. But there's no investigation into whether the quotes are actually, like, true.

So Microsoft will release a press release saying "We're improving security!" and then various media reports will say "Microsoft says it's improving security." But the media won't actually investigate whether or not Microsoft actually is improving security, they'll just report that Microsoft has said that they are.

About the only time you'll hear any discussions about the truth of any position anyone has is on various talk shows, where to "show both sides" you'll get two people who are representing "opposite sides" of a given debate. Directly opposite sides.

Since these people are soley debating for their side, we're ultimately left with no middle ground. Only two extreme views on a topic.

So while the two "sides" of the debate are represented, the media generally "let's the reader decide" which side they believe in. But since the veracity of the two sides has never been called into question (other than each side calling the other wrong), the average reader/listener/viewer has no way of judging complicated scenarios they don't really understand.

(For example, I don't really know what Kerry's position is on Iraq. I have no idea whether or not it's a good position, because I only hear polarized viewpoints on it. About all I know is that he intends to "do it differently" and "get international support." I have no idea about the details and don't know enough about international politics and warfare to judge it even if I did know.)

This is one of the main reasons I get all my news from the Daily Show with Jon Stewart. At least then I know it's all fake. :)

I'm currently up due to insomnia, so if any of that makes no sense, I'll try and post a correction tomorrow. It'll be in fine print and on the fifth page. :)

Re:I'm so sick of the lies

[njdj]

I hear them from the Bush administration almost daily and corporate america is getting a lot more brazen.

Politicians (especially the ones in power, regardless of party) always tend to lie. And salespeople have never been noted for truthfulness.

What has changed, gradually, over a couple of decades, is that the media no longer provide a check on politicians and corporate liars.

The purpose of the media used to be to provide information and critical comment. That's changed. A newspaper or a TV network makes more money if it's operated primarily as an entertainment. That means: nothing that requires the consumer to think, because a lot of people don't like to think. Not too many boring facts, either (unless they're sensational).

Don't be too hard on Gates. There will always be people whose goal in life is to make more money, by any means that works. The problem is that our society has lost the checks and balances that used to constrain people like him.

Ones not made by Microsoft

Especially the ones that you get while downloading the updates.

So the thing the users keep doing wrong is hook it up to the internet.

Re:Ones not made by Microsoft

[spacecowboy420]

It's "internets". There's a whole bunch of these magical internets - and only the most powerful people in the country can use them. I am not surprised that you are only becoming familiar with the internets, after all, none of us would have known without W's slip up the other day. Aliens work through W on their internets towards their master plan of total mental slavery of the lazy thinkers.

Wake up America! They're controlling our mind through the internets!!! It's almost as bad as reefer madness!!!! Run for your lives!!!!

From TFA..

[mstefanus]

Q: What's your take on making Windows Media compatible with Apple?
Gates: We're big believers in interoperability.

BWWAAHAHHAHAHAHHAHAAAHHAAAA!!!!!!

Yes yes... ofcourse, interoperability within Microsoft products

Re:Antivirus is not a thing you "build in"

[plover]

I want to know why Bill Gates thinks it can't be built in.

I'm not talking pure heuristic detection, because a perfect heuristic detector is theoretically impossible. But why can't Microsoft build in a scanner that downloads virus definitions?

Virtually all of the viruses of the last five years or so have been Microsoft viruses. (Boot sector viruses are soo last millenium, and everybody's BIOS already detects those.) Not "PC" viruses, not "MS-DOS" viruses, but specifically "Microsoft Windows" viruses. Since they seem to be at the forefront of providing the virus delivery systems, why do I have to pay someone else (like Symantec) to protect me from them? Why isn't patching these defects included in the purchase price of this obviously defective product?

Article is a troll

[ic3p1ck]

Mod article +5 Troll...

Wish there was a rating system for articles.

Re:Blame Game

[ladybugfi]

See the quote: "More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change."

Money is no replacement for clue.

What Bill means

[roman_mir]

What Gates is saying is that Windows does not come with native viruses installed, you have to download them from other places. Well, I sure hope they see that they are missing a market opportunity here. Longhorn better come with its own, native viruses.

Gibberish

[gruntled]

The purpose of Internet Explorer is to download third party files (by viewing Web pages). Mr Gates's claim that vulnerabilites exist because of such downloads is therefore nonsensical; it's like saying we could end deaths due to automobile accidents by banning automobiles. Yeah, there's a certain logic to that, but it sort of misses the point. To take a recent, ongoing example: A malevolent Web page can use an image file to compromise a Windows system. This vulnerability is not created by users who have somehow previously contaiminated the local environment; it's a part of the system's design. The OS was originally built to offer features over security, and maintaining backward compatability rather than fixing those issues would make it more difficult to coax existing users into upgrading (and would also make it easier for existing users to consider alternatives rather than upgrading). I lost two years of my life covering the antitrust trial, listening to this guy and his minions cheerfully perjure themselves, and he just can't seem to stop making it up.

I've heard this before.

[ImTwoSlick]

Han: "It's not my fault!"
Lando: "It's not my fault!"
Bill: "It's not my fault!"

Re:Best quote from Bill...

[wan-fu]

It doesn't really help if you don't provide what site statistics those are from... if those are the figures for mozilla.org then I'd say IE is doing very well, but if that's something like msn.com then obviously it's a different story.

Nuts!

[abacsalmasi]

I hope my mom doesn't read this, I told her that all the porn on my machine was downloaded by Windows.

Re:Antivirus is not a thing you "build in"

[grcumb]

"If OSX were #1 I'm sure the attacks would be just a fast and furious."

Amen, brother! That's why I tossed out that POS Apache web server and got me a brand new IIS. I mean what with all the security holes that come from being the number one piece of software and all, I just KNOW that IIS will never be a problem.

And besides, look at the name: Ah Pah Chee. Get it? It's a Patchy web server. It's gotta suck!

[Disclaimer. The above is one man's poor attempt at humour. If, while moderating, you find that this does not satisfy your personal criteria for 'funny', return this post in its original packaging to the sender and you will be receive a full refund.]

Re:OS X rox!

[B.D.Mills]

I believe gravity does. Don't believe me? Try dropping it off a building.
That depends on how tall your building is, what the apple is made of and how the apple is protected.

If I enclosed the apple in six layers of bubble wrap with the bubbles on the inside, encased the bubble wrap in three inches of loose polystyrene beads, enclosed the polystyrene beads in three inches of low-density foam, enclosed the low-density foam in three inches of high-density foam, enclosed the high-density foam in a double-thickness corrugated cardboard box, enclosed the cardboard box in two layers of egg cartons and enclosed the egg cartons in another cardboard box, the apple isn't going to be damaged if I dropped it off the roof of my house.

Catch 22!

[Advocadus+Diaboli]

Q: Speaking of security, Internet Explorer has had well-publicized holes ...
Gates: Understand those are cases where you are downloading third-party software.
...
Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

So if I get this right the problem with security is that I download third party software and Mr. Gates thinks that it can be solved by third party service (which means probably downloading third party anti-virus software). Now I clearly understand why the problem is never solved...

The user's fault? We can fix that!

[outanowhere]

Blame it on the user.

Again.

As usual.

As always.

Microsoft and especially Mr. Gates have both blamed the user for DOS and windows bugs, et cetera, ad nauseum, since the beginning.

It's one of the things that really encouraged me to dump windows. Being told personally, to one's face, by Microsoft and Mr. Gates that the problems with DOS and windows is my fault made it very easy to walk away from the huge investment in microsoft stuff.

Since the user is at fault, the user can fix it--like I did: dump microsoft.

I guess he's right

[Klowner]

I mean, spyware and viruses weren't made by microsoft, IE just helps you download and install them more easily, and even sometimes automatically!

I think we should all thank Bill for coming clean about this ever increasing problem.

Catch 22

[The+Real+Nem]

It is kind of a catch 22. If Windows had built in anti-virus software no one would buy 3rd party anti-virus software and Microsoft would gain a monopoly in the market. They would get their asses sued and everyone would complain that they have a monopoly or they have created an unfair environment. We've seen it before. If Windows doesn't have built in anti-virus software everyone complains they don't.

And even if Windows did have built in anti-virus software, can you honestly tell me, given their track record, that you would feel secure with it? If everyone used Windows built in anti-virus software wouldn't it be just that much easier to exploit and cause even more damage.

Re:infomechanics

[arkanes]

There's no such thing as "bit rot" per se - things like fragmentation can cause a gradual decrease in performance, but not failure. The term is used in software development because of the way old parts of source code don't get looked at and updated and touched.

Simply put - the "maintenance" that we refer to with software, and that's being compared to cars above is in fact no such thing. Every patch and update that's issued is to correct a _mistake_ in the software - not something that gradually failed because of wear. Cars need regular maintaining because they're physical objects in a physical environment and the stresses and imperfections of that environment cause real physical damage that needs to be repaired. Software "maintenance" is actually incremental development - it's correct mistakes that are in the original.

All that said, software (at least most of it) is far, far more complex than your typical car, and has had far less time to mature. The physical limits that a car operates in are well defined and well understood, and the vehicles are designed with that in mind. There are well known and well understood physical requirements and those requirements are easily tested. Software lives in a very different environment with a very different level of contstraint and a very different level of user expectation.

Check the history of the seatbelt in the car

[SmallFurryCreature]

The car industry, well mostly the american car industry, was extremely reluctant to do anything about safety in cars. Safety studies might give the audience the idea that driving wasn't safe.

They tried everything to stop people from doing safety studies and stopping laws making safety devices mandatory. It did not fit their marketing image to have to put safety features in.

Sounds very similar eh? Gates blames insecurity on bad users. The car industry blamed it on bad drivers (this fits marketing as noone thinks of themselves as a bad driver).

Until enough studies came out showing how dangerous cars were (things like the steering column being a spear aimed at your chest) and the public started to get aware and goverment was starting to take action ONLY then and very slowly did the car industry do something. That still won't do anything until laws enforce the use of seatbelts and even then you will have idiots claiming using seatbelts is unsafe. Same as I have met person (not heard about, actually talked to myself) who didn't use anti-virus software because it was reading their files.

So don't hold your breath waiting for MS to move on its own. SP2 was already a huge achievement. Anything more will only come after a long long struggle.

Or a very short one if you install the flippered OS. Or the horned one if your into necrophilia. Then again, that is like driving a volvo. Not cool. Sure your kids might survive an accident but who cares about that eh?

Re:Check the history of the seatbelt in the car

[Sentry21]

The car industry blamed it on bad drivers (this fits marketing as noone thinks of themselves as a bad driver).

That's kind of funny when you consider that most XP crashes are because of bad drivers too (or misbehaving malware).

--Dan

Re:Check the history of the seatbelt in the car

[orac2]

The plural of "anecdote" is not data!

Even though you acknowledge the overall statistics, you then rely on one person's experiences for choosing not to wear a seatbelt in many circumstances to overrule the statistics.

To see why this is crazy, imagine asking a 1000 people all across the country to toss (fair and balanced) coins. Ask the 500 or so people who get heads to toss again. Ask the 250 or so people who get heads that time to toss again. And so on, through 125, 62, 31, 15, 7, 3, till you're left with 1 person. Now this 1 person has tossed a coin 10 times and it's come up heads every time! [1]

Now if you didn't know much about coin tossing, except a statistic that said they come up tails about 50% of the time, and you only knew that one person, should you believe her if she says "Well, the statistics say tails comes up 50% of the time, but from what I've seen, it's heads all the way!"?

Unless you know of a broad survery of many accident investigators who detect a tendancy for low-speed or low-traffic density accident injuries to be increased in either number or severity because of seat belts, then you must take what you're hearing with a hefty grain of salt, even if what they are saying is 100% true[2]. (By the way, I fail to see the difference in between accidently wrapping oneself around a telephone pole on a busy road vs. a quiet road.)

Don't forget there's an obvious potentail for observer's bias here too: you're not seeing his formal reports, but just the stories he's choosing to share with you in an environment which encourages entertaining conversation, not neccessarily statistically accurate conversation.

In the absence of such of survey, perhaps the best thing is to consider the failure mode you're really concerened about: it's not that wearing a seat belt is bad during the accident, but that you may be trapped afterwards. Put a box cutter or similar within reach, say in the door drawer. If you can't operate the cutter because of unconsciousness or severe injury, well, in your condition, you weren't getting of that car anyway .

[1] There's actually a well known stock-market scam which operates in very much this fashion.

[2] The furor over silicone breast implants is another good example: a lot of women honestly reported problems after breast implants, but when all was said and done, their problems were coincidental.

Re:infomechanics

[Doc+Ruby]

Software with modern complexity will always have defects. Accepting that fact, and designing for failure tolerance, is the kind of wisdom that has steadily improved automobile safety despite heavier use under less anticipated conditions by many more people. Software is no different, unless you have the magic to reduce software design and implementation errors to nothing.

Try Microsoft?

[chriseyre2000]

Why don't they offer the option of never trust Microsoft?

I'm sorry, what!?

[rincebrain]

Last Q/A in the article:
Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.
[Italics and bolded sentence my own markup]

So let me get this straight, Mr. Gates. You have thousands of people working just on Internet Explorer, and yet...a thousand or two thousand people working on Mozilla have bested you?

Nothing is going to change, indeed, Mr. Gates. You're going to keep spewing the same old story, ignoring obvious holes in your own logic (third-party software is to blame for all security problems, true...but that doesn't mean your software should allow third-party software to install itself without the user doing a thing), denying any obvious falsehoods in your own statements (" We feel like we are pioneering an experience that to us is a clear thing most households will want." - Gates, regarding Windows Media Center PCs...I'm sorry, I didn't know you pioneered multicasting from a set-top box...I presume Linksys is paying you licensing fees for their video broadcast device, to name one alternative?), and hoping people will be stupid enough to follow it.

The saddest part of the above discourse is, Gates is probably right. People are, until told otherwise, going to keep using bug-ridden products, until they are shown that there are alternatives...I know many users who have never clicked Windows Update in their lives, and not because they've never used Windows.

I could be wrong, but I'm sensing a downward spiral, when M$ can announce things such as they did in their article, and not get negative feedback from the interviewer. Just my $0.05.

Critical assesment vs Belief

[quinkin]

It seems to me that social gullibilty has nothing to do with detection of a lie - instead it stems from the belief of an assertion with no critical evaluation. Critical analysis over unquestioning belief is a much maligned concept in most education systems.

Our children are being indoctrinated from a very early age to believe what authority figures (parents, teachers, the tv, etc.) tell them. Should we be surprised when a concept ingrained for 10+ years during the most formative childhood years translates to an easily misled populace?

Do not believe anyone. Do not believe politicians, scientists, priests, your parents, the police, and please don't believe the mass media.

Teach your children to think, not believe.

Q.

Sweetest Revenge: Linux Media Centers

[randalx]

Gates: What the consumer wants is pretty clear: a single remote control that lets them navigate photos, music, videos, TV in a very rich way. They want to see that on any screen in the house and then have a great portable device where they can take that stuff wherever they want anytime. The full realization of that dream is still years away, but we've taken a dramatic step in delivering that with Media Center.

I think it'd be great if we could beat Microsoft to the punch by offering all of this and more using Linux and open formats (not WMA Bill!). It seems like there is already a lot of work in the area going on (MythTV, Freevo, Mister House, VLC) but is any of this ready to be easily set up by the average Joe? Is there any work being done to put all the pieces together. Perhaps a modded distribution geared specifically to creating and setting up a Media Center type environment. Not only could a Linux based solution put anything from MS to shame it could also force Movies/TV/Music industries to support open formats if the Linux Media Center becomes the dominant player.

Am I dreaming or can the open source community take the lead here?

Re:How does this happen?

Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.
Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.
But even then, the machine behind can be targeted using various techniques (one is to exploit the router itself).

If you're not talking about a router, then yes, the IP of the Windows machine (like linux) is exposed which means anyone can run checks and such on services which are vulnerable.

But then it really depends on how up-to-date your windows machine is. It's still highly unlikely that it'll be exploited, unless someone (clueless person) clicks on a link to activate a virus or such through an email, or activates a service for back-door entry.

BTW, note that the jpeg flaw was fixed very quickly, and most machines weren't vulnerable anyway (such as mine).

Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.

Besides all that, since most Windows vulnerabilities aren't based on a kernel attack (unlike linux), but instead the services you have activated, you can simply disable the ones you don't need, and just be sensible about which applications you open through emails (hopefully none!).

But even after all that, a user can come along and browse the web using IE and activate some activex component, or installs some other IE component or JScript which allows entry to the machine.

If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.

I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -

* The user using the machine doesn't have admin rights,
* Windows and related networking software is kept up-to-date,
* Doesn't use IE / related mail product.

Re:How does this happen?

[Stalks]

Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.

You may block the packets used for the DoS from getting to your PC, but your cable line will still be saturated.

Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.

Integrated firewalls in routers/modems are becoming more sophisticated than merely being nat drones. Firewall designers are aware that any response given from the firewall is unwise, therefore they are now stealthed firewalls. And the notion that DHCP can protect you .. well, no comment, lol.

Technical capability of the users.

[Confused]

Technical capability of the users.

Good industrial design makes sure, that the average user does per default the save things and doing unsafe things needs extra effort. For this reason, nearly all motorised saws and knives have clever hand- and finger guards to reduce the chance of accidents.

Microsoft and most other software companies take with the opposite approach, they just put the onus of safe operation on the user. Considering that most user don't have don't want the necessary knowledge to do that, this idea will fail.

The solution is not to educate users, but to build systems that can be operated in a safe manner by following simple and logical security rules that even my grandmother can understand.

Rules like: As long as you don't click on it, it can do no harm.

The whole attitude makes me angry

[zerojoker]

Q: Speaking of security, Internet Explorer has had well-publicized holes ...
Gates: Understand those are cases where you are downloading third-party software.

This is just a lie. I wonder if he really belives this bullshit.

Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

And here you can see that the whole attitude towards the security is weird at M$. I mean I don't want Anti-Virus or Anti-Spyware Software from Microsoft. I want the structural problems of Windows solved.
If you start MacOS X the root user is disabled per default. That is why Spyware doesn't have a chance. Even the most stupid user will think twice if he has to enter his system-password if he installs Software. Same with Linux. The whole Spyware-thing would be much much less trouble if the default install of Windows would create a user account.
And Windows has these capabilities. But at the moment this feature ist pretty much unusable because most of the software vendors don't give a shit about multi-user install. And why do they do this? Because M$ creates a default Admin-Account anyway. If M$ would change that, the software-vendors would adapt very quickly, like they did with SP2.
Same with Firewall: First install zillions of services which most of the users don't need at all. And instead of swichting these services off per default, you create a Firewall to fix it.

It's the whole "If we have to decide between usability and security, we will always go for usability" approach that bothers me...

This is great!

[emtboy9]

I just love this kind of stuff... I mean, these interviews are the things that comedy routines are made of...

Q: What's your take on making Windows Media compatible with Apple?
Gates: We're big believers in interoperability. We've stated very clearly that if Apple wanted to support interoperability, we'd make that super easy for them. The notion that a single device is all anybody is going to want is sort of like saying the Model T is the end of everything.

That just rules! We believe in interoperability, as long as you bow befor us! Kneel before Zod, errr... Bill! It is almost laughable, if it weren't so sad, to hear Bill Gates saying bad things like the above quote. Isnt what he accuses Apple of EXACTLY what Microsoft has been pusing the world to for years? What is the difference between being the sole supplier of iPods and iTunes (which Apple is) and being virtually the sole provider for desktop OSs, and using such position to force the adoption of "standards" that favor MS products.

Q: Might you add anti-virus/spyware protection in Windows?
Gates: It's not a thing you build in. You have to offer a service. There are third parties who are doing a good job. We're always taking a hard look, but we don't have any concrete plans.

Funny, thats the exact thing that was said about web browsers before IE became so ingrained into the Windows code base that its pretty much inseperable... Its amazing... it really is. Its like, his lips are moving, but the words coming out dont match the movements. Just like a poorly dubbed kung-fu movie.

Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?
Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.

Ummm... if that is the case, if I were Bill, et al, I would be demanding a refund on the IE "security" expenses...

Internet Explorer is Fine!!!

[citsacras]

Yes, Internet Explorer is a 100% safe and secure product. Its only when you use it browse web sites that it becomes vulnerable and dangerous.

And once again, Windows is never to blame.

[mrb000gus]

"YOUR SYSTEM has become busy or unstable."
"THIS APPLICATION has stopped responding."
"Because Windows WAS NOT SHUT DOWN correctly..."

etc etc etc - never once have i seen it admit "Sorry, but Windows just crashed."

So no surprise to see that once again, the blame is on the user and/or the applications installed.

Could he explain

[BCW2]

Why a fresh install of XP puts at least 11 instances of Alexa (known spyware) and 5 DSO exploits on a box? Try it, install XP and then Ad-Aware and Spybot. Run them both and see the results. No computer that comes into or is built at the white box store I work at, leaves without those two programs installed. Yesterdays updates put 3 instances of Alexa back in.

Re:How does this happen?

[rben]

If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.

I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -

• The user using the machine doesn't have admin rights,
• Windows and related networking software is kept up-to-date,
• Doesn't use IE / related mail product.

No, Windows is not just as secure. The point is that there are lots of script kiddies constantly scanning the range of ports used for cable and dsl networked computers. Once they get a response, they scan all the ports on that IP looking for open/vulnerable services. They target Windows because the vast majority of computers on the Internet are running Windows. Look at all the posts in this thread. You can find numerous accounts where Windows computers were infected within minutes of being connected to the Internet.

It's possible that Linux/Unix would be far less secure if it received as much attention from the hacker community, but there are some good arguments that it wouldn't be. Linux/Unix has been a part of the Internet since it was first conceived and the programmers that have worked on Linux and UNIX have generally been more aware of networking and security issues.

Linux has a much more modular design than Windows. Windows has been tightly integrated on the basis of Marketing and Legal rather than Engineering decisions. I doubt that Windows will ever be secure without substantial redesign of the entire OS. Unless Microsoft is successful at throwing up legal roadblocks, Linux is going to continue to outstrip Windows in security, reliability, and eventually usability.

Re:root accessibility

[kawika]

Not to make excuses for it; basically, your average worm or spyware program will be able to propagate and do bad things as a Limited User, but it won't be able to persist on the system. Reboot and it will be gone.

Newer spyware and viruses work just fine as limited users. Remember that their job isn't usually to take over or destroy the system, it's to monitor users and/or send mail. They don't need to be root to do that. Even as limited users they can install in an XP user's Application Data directory and start themselves at boot time by something as simple as a Startup folder entry.

Re:How does this happen?

[GlassUser]

Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.

Whoever told you that didn't know what they were talking about. Most users create admin accounts for themselves (or use the one admin account created) because they can't be bothered to go root to install something.

Different Alexa

[CharlesDonHall]

That's not the Alexa toolbar; it's a Microsoft "feature". If you click on "Tools/Find Related Links" in Internet Explorer, it does a search via the Alexa website. (And brings up a sidebar which gives you the option of downloading the Alexa spyware.)

So in a sense it's harmless; it's just a built-in web search. But it's generally considered to be spyware because of Alexa's reputation.

It probably got installed when you did the Internet Explorer update. I think you get it out-of-the-box when you install XP.

More information here: http://www.imilly.com/alexa.htm

Cows and bulls

[Frobean]

Q: What's the difference between a cow and a bull?

A: The bull smiles when you milk him...