Slashdot Mirror
Microsoft vs. Computer Security
ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.
Although Gates made security and privacy top priority four years ago, not much progress has been made. Excuse me? No Progress? Including a firewall with Windows is no progress?
Some kind of anti-microsoft site?
Their solution about how to shore it up: don't use IE, Media Player, Outlook, etc.
I hate to sound like a kid, but DUH!
Given, I use Firefox, Thunderbird, and other non-Microsoft programs because I like them better and they tend to work better, but the fact that they're less likely to compromise my system is also a consideration.
Note, though, that I say less likely. We have had bug/security fix releases of Firefox and there was a brouhaha with the GreaseMonkey extension inducing a vulnerability, BUT for the most part it seems the fixes were less frequent than with IE-related patches, plus they usually only compromised the browser, not your whole PC.
That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC.
- Greg
Start a happiness pandemic
Is all three of those worms/trojans flaws were fixed by patches that were out, in some cases months, before the release of the attack vector.
The Slate .. ?
The Slashdot seems to have similar problems too, not just your fault
Computer security will get worse before it gets better. It's the second hardest problem in computing, coming second only to DRM; which is provely impossible to do properly.
The problem comes from many quaters: some theortical, some practical, some managerial. For example:
I could go on for quite sometime.. the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more. If we could just get rid of the overflows that would be a good start!
Simon
The article is advising people: "Besides avoiding Microsoft products, one way would be to use substitutes whenever possible. If you run Windows or the upcoming Vista, use a different e-mail program, browser, and/or media player than the ones that come in the box. Stay up to date on patches and anti-virus software."
I thought most importantly users should be responsible enough not to simply click on or open anything in front of them.
Virtual Betting on Facebook for non-geeks.
will be under these kind of attacks all the time. Geeks, like everyone else, wants to stick it to the man. The man in this case is Gates and Windows. While this does not excuse the flaws and lack of attention at times, it does present another angle. To make a OS as robust as windows without things like this happening is hard to imagine honestly. If Macs were what windows is today, the story would be the complete opposite I assure you. You see the SAME thing in popular games as well. The most hacked games are the biggest and best, not because it is easier, but there are far more people attempting to exploit the system.
Invexi - a Phoenix, AZ based web design and web development company.
Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."
Fair enough, but regardless of what is happening in the way of "new design approaches", the current installed base is the problem. The best ways to show dedication to the reduction of security issues would be a) rigorous code review + pre-emptive bugfixes and b) more rapid response to issues that are found elsewhere. There have been improvements, but the sum of the successes will not outweigh the sum of the failures.
I want to drag this out as long as possible. Bring me my protractor.
FTA:"With the company's security problems still monopolizing the news, you might have expected that Bill Gates would address the vulnerability at the Consumer Electronics Show in Las Vegas. Instead, he boasted how Microsoft's new operating system, Vista, would extend the company's tendrils into your living room. Sure, it might be nice to connect your computer and your television set. But is it worth it to give hackers access to your television?" LOL!!! My prediction? One week after "tendrils" are extended, we have Goatse pics on all of the network's broadcasts- gaping across screens all over America...IN HDTV!!!!!LOL!!!!I can't wait, then maybe will start to wake up about security after getting "spammed" with Goatse on their tv's! HaHaHaHaHA!
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
From TFA: "...Microsoft is still the dominatrix of the desktop..."
Yeah, baby. Tie me to your platform and make me pay.
That's "Mr. Soulless Automaton" to you, Bub.
I'd like to see a market breakdown by Windows version. How many of these security issues are with earlier versions?
tens of billions of dollars to clean up
you know we as a tech community lambast the **AA whenever they (and the media) say a "hacker" did millions of dollars pirating
why do we not do the same when crap like this gets printed?
tens of billions? prove it, thats our job, thats what we do
The More Knowledge you have the Luckier you Get- J.R. Ewing
That "unending stream of patches" seemed to have made Windows & Win32 API based programs less bug-prone/filled than Unix (and its derivants/offshoots like MacOS X (via BSD) & Linux (via MINIX))!
:)
See here:
http://www.us-cert.gov/cas/bulletins/SB2005.html
As of the year ending of 2005...
(And, yes, guys (specifically the Pro-Linux/Unix/Mac crowd here @ slashdot (you KNOW WHO YOU ARE, lol, the guys that endlessly blast on windows here))
* That's an IMPARTIAL 3rd party that wasn't sponsored by Microsoft, & a gov't. agency that specializes in the area - security!
APK
P.S.=> Considering also that Windows based OS nowadays are the most used out there overall, on the most utilized hardware platform (x86) between personal computers/laptops & servers? That's QUITE an achievement on Microsoft's part imo... (Ducks as the Penguins prepare to flame the hell out of me) apk
The only thing worse that "Windows" in the common OS versions in use... is the orphaned version of XP called "XP 64 bit edition" that doesn't work with all the tools normally used to resolve security issues. Many applications that we use here in the shop just flat dont work with 64. It looks like MS just took Server 2003 slapped an XP theme on it, and then broke all the strengths of both OS's. As a result, I've got a number of issues over here that I can't get resolved. As soon as I get a decent copy of the latest Vista Beta, I'm just going to make that switch. XP x64 is just about useless because of the security issues. This box is getting hit left and right, and is constantly stumbling. I'm not looking forward to all the new issues with Vista, but at least I won't still be using XP64 any more. (Yes, I've got a Linux partition... but that's not the point)
MadOgre.com
There, I've just saved you from having to RTFA.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I read to the bottom of the page, reflected that it was a pretty well-argued article, and then my eyes bugged when I got to the "Slate" box at the bottom. I damn near fainted! Imagine finding a pithy article on quantum physics in a back issue of "Vogue". I even checked out "The End of Moore's Law" and *it* seemed too high-quality to be on the old Slate.
You know when you see something that's right, you just feel it. "Versus" is the only word that appears natural between "Microsoft" and "Computer Security", something inside me just knows...
Except if we all do switch then FF and TB will become the most common browser/e-mail clients, and there's no reason to believe that Mozilla's coders are that much better than MS's. FF has gone through how many versions these last 12 months?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I have never read a more scathing remark of Bill outside of /. :
And the next time Bill G. promises to make software that is so fundamentally secure that customers never have to worry about it, ask him what decade he plans to release it.We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
this article seems to me a bit on the unfair side off things... i personaly have even
stopped caring that much about the many security flaws.. i know there are just too many
found because the os wasnt designed with security in mind.
i'm just gonna wait and see how vista does.
Julien. http://free.hostdepartment.com/8/81fortune/
It was noted elsewhere that Microsoft spends six billion a year on R&D. If they hired mathematically-inclined software engineers at 100,000 a go, they'd be able to keep a small army of 10,000 such programmers. You can probably reverse-engineer a specification, prove, then re-engineer the code for about 10 lines an hour. Assuming a 40 hour week, that means they could formally re-engineer 208 million lines of Windows per year. Even with all of the standard applications, libraries and utilities, the team should have an iron-clad damn-near-bugproof Windows within 2-3 years. It wouldn't cost them any more than they're already burning on patents for stuff nobody else cares about, and would save three times the total cost of the bugs to the country within a single year.
The overflows are easier. You compile all the applications with something like ElectricFence, dmalloc, or some other debugging malloc. A few tests at Microsoft should then collect a lot of the overflows. You then recompile such that the debugs won't cause fatal errors but will still generate alerts. You have the Windows error reporting tool collect all those alerts and either notify the user at the time & allow them to send, or send in bulk on the next major error. Microsoft can then fix the overflows BEFORE someone exploits them, because the odds are high that they'll be accidentally triggered long before any black hat learns about them. If only because there are several hundred million users, and most will be trying to do things that are impossible or - at the very least - seriously warped.
Of course, they could also get a copy of the Stanford Code Validator, or even just download a copy of splint off the Internet. Both would pick up the majority of coding errors and allow Microsoft to fix them.
Regardless of which of these solutions is used, a company the size of Microsoft should be able to completely and utterly clean their software of 98%-99% of its defects within three to four years. As the article noted, it has now been over four years since the proclamation of taking security seriously, but yet there is no sign of any kind of rigorous campaign to really erradicate faults. Rather, there seems to be much more of a campaign to make users more accepting of the fact that there are faults.
Not everyone can guarantee 99% fault-free software within a reasonable timeframe. There aren't the mathematician/software engineers, for a start. However, maybe it would be possible to have a standards authority that could certify a software product as "mid-grade" (50% bug-free), "high-grade" (75% bug-free) or "mission-critical" (99.99% bug-free). Software providers could elect whether or not to be certified and consumers would then be free to decide how much quality they want to pay for, because they'd know how much quality was there. Consumers would also be in a stronger position to interpret the lack of such certification.
Thoughts?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
While i am no MS fanboy, I stick with OS X/Kubuntu and FreeBSD I think MS are making progress, Since the os was writen years ago (alot of the origional NT shit is still in XP/2k3) there is bound to be security issues, Releasing patches is the best they can do short of releasing a new OS (which theyre doing, which is writen mostly in dotnet where all memory is managed for you, aka little to no buffer overflows) I cant stand MS, I dont like the way they do things, but to say things like theyre making no progress? But ultimatley it isnt about firewalls and antivirius and patches and anti this anti that, Educating people will do a far better job than giving them some shitty tool
It makes no comments as to why Microsoft stuff is any better or worse than anything else. There's no mention, let alone a comparison between Microsoft and Linux, Apple, or anything else beyond just a mere fluff sentence.
But beyond that, my biggest issue is there are no FACTS in the damn piece. Everything is anecdotal. How are Microsoft product's better/worse? Why? By what measurement?
All this article does is pick on Microsoft because it's the biggest and easiest target, so any flaws make the news. It's like saying Wal-Mart still offers only low wages and busts up unions. Duh - so do a lot of other companies, but Wal-Mart gets the attention because they are the biggest.
Explain how they are better/worse/the same as the mean, or average, or some kind of realistic comparison. This is just a rant, nothing more.
Somedays it's just not worth chewing through the restraints...
Microsoft made the choice to tie things closely to the OS. In particular, their Netscape killing plan was to essentially make IE part of the OS. Outlook also requires the presence of IE to render html mail, or at least it used to. Similar decisions were made regarding hooks to the OS for other Office programs. These decisions were made for reasons of competitive advantage over competing software such as WordPerfect and Lotus.
The consequences of these decisions is an OS with fundamental security issues. Microsoft has an opportunity to change this with Vista, but I'm betting that they haven't.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
An insane amount of progress has been made on Windows security. Automatic updates ensure even the most retarded of end users has a chance of being patched, built in firewall has resulted in a significant chance of end users having a firewall, the security added to IE in SP2 has given a whole lot of protection.
It doesn't matter who the dominant OS / company is, the biggest threat to security on anyones computers is the person sitting in front of it.
You can't win a fight against ignorance, misunderstanding or plain stupidity. Microsoft has made some pretty damaging blows and that is commendable.
I think it's time the end users' took just a little bit of responsibility for their security issues. It's callous to assume (and blame) Microsoft when so many 'issues' are avoidable with a little common sense.
God help the *nix world if they ever get bundled with the masses of ill-informed, ill-prepared and irresponsible people who use Microsoft software.
I like this whole "versus" thing. It encourages the idea that Microsoft is against or competing with the idea of Computer Security in general.
You can create bullet-proof software in a totally proprietary fashion. The problem is that bullet-proof code requires far more designers and coders than most companies can throw at the problem. Open Source is good, from that perspective, in that a single company doesn't need to find huge armies of coders.
It would be possible to formally prove Fedora Core, and get it 99.99% bug-free, but Red Hat can't afford to hire the hundreds of thousands of brilliant engineers it would require. However, there probably ARE a few hundred thousand brilliant engineers who have access to the Internet who could perform a complete re-designing and re-implementation on the scale you'd need, who would be willing to volunteer at least a little time to do so.
I've shown elsewhere that this is not true of Microsoft, who really could afford to hire the extra staff needed to completely re-engineer Windows in a provably correct form that would also run at a decent speed. They don't have any of the usual excuses. They burn 6 billion a year on R&D they don't do anything useful with, they have offices in virtually every country so can draw directly on the manpower of every single one of those countries without any work authorization issues. And they could do it all without having to sacrifice their egos or a single line of source.
Theirs is not a fate caused by the limitations of human beings. Theirs is a fate entirely created and sustained by choice alone.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If popularity were truly what dictated worminess, Apache would have been overrun long ago.
For the love of God, please learn to spell "ridiculous"!!!
The popularity argument is pure bullshit. Non Microsoft runs most of the web and anything that's mission critical. Those foolish enough to try making M$ do things live to regret it and it has nothing to do with popularity, Geeks and Nerds but everything to do with marketing and crappy software. Apple, Sun, Linux and every other kind of software works better and non have had the kind of automated worm problems M$ has.
From the above, you can imagine that the functionality and features excuse is also bogus. Operating systems robust enough to provide services over the network can also be made with pretty GUIs that are equally robust. There is nothing a Windoze user can do that I can't do better with free software and many things that I can do that they can't without lots of effort and money. I share my classwork with anyone who's interested and I share my music and movies with myself without any of the problems Windoze users suffer just connecting to a network, reading their email or browsing the web.
When is the big Linux worm coming? Never, thanks to the diversity of excellence that a truly free market for software provides. Free software writers also don't make the mistake of mixing content with executable code, unless they are copying someone else's bad implementation for compatibility sake. Still everyone makes mistakes but that still won't do to free software what it does to M$. As an example, imagine Firefox had a problem. It would get about 1/3 of GNU/Linux users. Why? because the rest of them are using other browsers and all of them can stop using the browser with a problem until it's resolved one or two days later. Because Free Software is all about code, binary problems don't automatically propagate across distributions. A Red Hat exploit might not work on Debian and probably won't on Gentoo and won't do anything to a BSD box. The Free Software fix is always easier too. When things go wrong on a free software box, the user downloads the latest and greatest to fix it. The worst case is a rebuild, which preserves all user data and takes less than 20 minutes. In the Windoze world, the user takes out their "original CDs" or blows a few hundred bucks at the computer store for software that's at least two years old and probably has the same problems. Things are much much more difficult for crackers outside of the M$ monoculture of binary crap.
Friends don't help friends install M$ junk.
And I shudder at the realization that this person has students.
.Net, is sand-boxed and includes declarative security, and all you need do is go to CERT to see that the number of Windows vulnerabilities is lower than that of *nix.
Anyone who takes the time to become informed and check facts can clearly tell that many improvements arose from the security initiatives. Patching is far easier and less expensive, the new architecture of IIS is very secure, the new development platform,
If I were grading this diatribe disguised as an article I'd give it an F based on the discussion of buffer overflow exploits alone.
He fails not only in his technical analysis, but in the basic tenants of journalism as well.
In short, Mr. Penenberg, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
might as well tell me ford is grappling with their SUVs blowing tires and tipping over at speed. i don't think i could be convinced to BUY anything as effed up as windows or an explorer (whoa, a naming coincidence or what. hey, both CEOs are named bill too)
i don't buy fisher-price tools to use for my trade (roofing), and i don't use windows on my PCs. i like to think i can logically choose the right tool for the job.
Serenity now, insanity later.
You know what?
;) Im a happy camper.
Ive noticed that the time I spend learning about my Linux system is far less than the time I wasted when I was using Windows. On windows I got my "near-daily" "windowsupdater-needs-to-restart-computer" that annoyed me beyond belief because it was usually very unconvinient. And sometimes these updates would completely screw up my installations or drivers.
When I switched to Linux for a year ago...permanently, I had a lot of troubles too - mostly learning how to do stuff differently from windows and entirely new ways of thinking, that was hard and sometimes very annoying too.
But Ive come to notice something that I take for granted with Linux... Theres no more worms...viruses...silly attacks from script-kiddies. Wonderful! My computer has finally been left alone from all of those daily plagues. I dreadfully remember at work when all the computers went down due to some kind of sober virus and how worried everyone where about losing their work. And not to mention the hassle of waiting until the network administrator finished the servicing because of these incidents.
I dont even see this stuff on Linux.
So for all its worth, all the hassle learning and maintaining Linux - its actually a better world (at least for now).
No wonder Microsoft is worried - imagine if the truth leaks out and people find out on their own?
What this world is coming to - is for you and me to decide.
Their overall conclusion that MS products are still vulnerable to security problems is correct, but it is not accurate to suggest that Microsoft has done nothing to address buffer overflows. Now it is clear that they have not done all they could. Specifically, they have not started writing their applications in type-safe languages, and they have only recently starting trying to apply automated static analysis to detect buffer overflows in existing code (A technical report about their efforts can be found
here ). And of course, they haven't even vaguely considered requiring that drivers carry safety proofs (using the proof-carrying code stuff from Peter Lee and George Necula, for instance).
However, they have added support for computer architecture features which guard against this sort of attack, such as flagging data memory as non-executable and requiring jumps into code be word-aligned, features which is available in most new processors. They've also begun loading libraries to random addresses making it much harder for worms to know what address to jump to. Although none of these is a silver bullet which prevents all buffer overflows, they have definitely made it significantly more difficult to exploit buffer overflow errors in both operating system and application code. These features even have benefits to third-party applications.
So although the battle is certainly far from won, suggesting that Microsoft is doing nothing is ridiculous. These sort of features are not going to be visible to the user in any obvious way, but they are very good steps in the right direction. I'm certainly no Microsoft lover (I have a Mac and a Linux box and tend to avoid MS products), but if you actually keep up on Microsoft's security research and what from that is making it into the operating systems, it's obvious that they're taking buffer overflow attacks very seriously and making progress. The simple fact of the matter is that the reporter has not done his research.
Keith
>>>> "That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC."
>> I would like to know where everyone heard this crap, and why they keep repeating it vebatim., because it's a bunch of bullshit. Flaws in Microsoft products have no greater danger than equivalent flaws in any other Windows application.
And I would like to know where you have been living. Mars?
Everybody, his wife and the dog knows there are lots of undocumented APIs, registry variables and other animals inside Windows. Everyone knows Office is promiscuously integrated with Windows, so as to start quicker, so as to look leaner, so that Windows erm "appreciators" can say M$-apps can work better, of course, because the OS is also from M$.
Now don't come you, Sir, with your agenda. It's their fault! Their fault, can you hear me now? (a pity there's no emoticon for frothing...)
And what's more? A corollary: if unknown secrets are dangerous, people get scared like the guy from the parent post. Then people start using non-M$ apps on purpose... to avoid M$ apps which _are_ dangerous. Have you ever read Gartner recommending IIS to be avoided? What about everyone being phished with IE?
Therefore undocumented features become a liability. IOW, people want to know -- or want to be assured by those in-the-know -- that the application is secure. I guess open source mentality is becoming mainstream, huh? Who'd say that? If you have your source closed, pray no other company comes up with a free/open alternative, lest you'll eat dust and become history -- or do you think life at M$ has been easy? For starters, I predict they'll need more chairs.
People can be lazy, irresponsible and make Firefox insecure, but it requires a lot more effort than IE.
One thing to help would be a default account type in the Users group, and if currently an admin, switch your group to Users. Third parties need to fix their programs that requires more privileges (not necessarily admin) after the program is installed because of write access to system folders and HKEY_LOCAL_MACHINE. Vista fixes this, but if you ask me I think MS is only encouraging the bad behavior of alot of third party programs by providing this method of keeping non-compliant applications compatible with least privilege. (Keep in mind, there are a$$holes like Even Balance who purposely wrote their anti-cheat to require true admin privileges)
Sure they have a firewall... you're screwed as admin because the code that launched can also create an exception for itself via netsh command or damn it all to hell and disable the firewall via "net stop". Malware does do this today, and sad how easy it was stopped.
Don't want to run as non-admin? XP can run specified apps automatically with User privileges even if you are admin (and I am not talking about Run As with a lower privileged account). And for fuck's sake, don't take the default of "SYSTEM" for your apache or whatever server software services.
Blame the user, not the software.
I just think there's some people out there you, that no matter how much you may try, you just can't help, and you can be absolutely sure that these people are using Windows.
In short I think the most critical security issue with Windows is the poeple that use it.
Actually the article is a lot of the same old "what's wrong," and darn little "why." Accurate enough, but nothing new—waste of a Slashdot posting, if you ask me.
I figure by 2030 or so my 6-digit UID will be something to brag about.
"Although Gates made security and privacy top priority four years ago, not much progress has been made."
Excuse me? No Progress? Including a firewall with Windows is no progress?(emphasis mine)
There's this thing called reading comprehension. There was never the claim that there was no progress made, only that there was not much, ie little, progress made. Considering how many and how deeply worms have been able to attack in spite of said firewall, I'd have to concur. Feel free to try to disprove his "not much process" claim, btw, because if you argue against the actual point you might be able to point at things with put at least some weight behind your counter argument.
Eurohacker European paranoia, gun rights, and h
I tend to prefer the question, why are Windows customers still grappling with security issues?
Relax. Don't worry. Be happy. Your daily stress will be less if the main server crashes.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
That's the extent of my "l33t" speak, basically OSX on (hopefully) affordable Intel hardware spells doomy woomy for M$, last I checked OSX wasn't bothered by to many virii (viruses?) and hackers, and the few that were bugging (pun intended) were getting in thru M$ office suite (tee hee).
I used to like M$, yes I know that's blasphemy here but I did, I now see them for what they are, an anachronism.
Now if only Open Office would boot faster on my PC...
"If any question why we died, Tell them because our fathers lied."
Excuse me? No Progress? Including a firewall with Windows is no progress?
Of course that is progress but the real problem with Windows is the fact that it carries a burden of bad design decision at a fundamental level made for all sorts of business and marketing reasons. Why does a process like Microsoft Internet Explorer (Which is mainly a bigger gateway for malware than Firefox because it is badly written not becaue it is a Microsoft product) have to run with admin privileges? There is a reason why that is going to change in IE7 on Vista. Come to think of it, why the hell does the normal Windows user even have to have Admin privileges for day to day work to begin with? Thousands of Linux and Mac users get along just dandy with restricted user privileges apart from the occasional annoyance of having to either log in as root or in the case of OS.X feed a nag window the root password so that the occasional installation program can touch sensitive parts of the OS. You can try to write this off as *NIX evangelism but it is hard to deny that in the ancient past this sort of shoddy design work solved complicated problems for MS quickly and cheaply and for that reason it was allowed to happen without contemplating the long term effects. Unfortunately MS has since learned the hard way that thinking ahead sometimes pays but now they are also learning that back-pedaling is hard work.
Only to idiots, are orders laws.
-- Henning von Tresckow
You're confusing the layers, there. There are parts of Windows that Microsoft WANTS people to use, and those are reasonably clear. Then there are those part that Microsoft doesn't want people to use, and those parts ARE obfuscated. I only need name 2, ".doc" and "ntfs", both under vigorous attempts to reverse-engineer ***for the legally protected purpose of interoperation*** by third parties, for YEARS, with only marginal success.
Arguably, a clearly, concisely, well-defined data structure or format would also fall to reverse-engineering fairly readily. Many people have long suspected that Microsoft has deliberately complicated their formats, for the specific purpose of hindering interoperation. There have even been statements *from Microsoft* about "rich binary" data formats and protocols in order to protect their products. But the sword cuts 2 ways... Last I heard, there was no engineering or programming document describing ".doc", the documentation was the source code of the ".doc" reader. Maybe that's ok for a minority-share product, or a SOHO product. But about the time they're insisting that government institutions should use ".doc" as their archival data format, IMHO it just doesn't cut the mustard. Excess complexity also makes it difficult to get all the bugs out - just the thing you want in archival data storage - or a filesystem.
Microsoft may not be guilty of every sin that everyone would like to pin on them. But they DO have plenty of sins that do stick, and to not pin those is a disservice.
The living have better things to do than to continue hating the dead.
Microsoft is no different than many other large publicly traded companies. They hire inexperienced programmers right out of college who have little or no programming experience background. These people wind up writing insecure applications that become widely exploited by external individuals, groups, corporations and the very programmers that Microsoft hired. Its hard to sit back and assume that these programming errors are indeed actual mistakes. A whole cottage industry has formed around these programming mistakes, the "anti-virus industry".
Microsoft is driven by profit, has made private agreements with other companies behind closed doors. I would not be surprised if in years to come it is exposed that Microsoft has purposefully made their various software insecure to allow the anti-virus industry to thrive and prosper. I'm sure that put in the same position of a powerful software company, most people would do the same thing. Whoever said capitalism was supposed to be moral?
Besides this, Microsoft is in no rush to fix their software problems. Why should they? You already paid for their product. They have your money. It makes no sense for them to fix it after they have already been paid.
Ubuntu quite frequently tells me there are updates available for a large variety of packages I run, so what's the difference. This close-minded MS hating mantality gives me the shits. Everything is fallible to some degree, it's just a question of how much that degree affects you.
Anonymity of the internet is responsible for the views expressed in my post.
I thought they made some change in their compiler/s and libraries last year to preclude buffer overflows, and were working through the code base one module at a time to make it compliant. Haven't heard anything for a while though. Does anyone know more about this?
-- All your bass are below two Hz
A firewall that isn't all that configurable and poorly documented. At what levels in the protocol stack does it work again? I've been looking for a top to bottom firewall/protocol stack that works properly for quite awhile now. What, the good protocol stack is going to debut in Vista? What's this pbonebook error, the connection is already dialing, when my ISP drops the connection. Why doesn't my dial-up connection show up when I type winipcfg.
Just encountered this problem with Windows Update. It wanted to apply 6 patches to an XP-Home box that specifically stated they were for SMTP services on Server 2003 boxes only. Now why should WinUpdate tell me to apply Server grade patches to a Home Grade system?
Due to that error, I've been forced to ensure that any so called windows update actually applies to the home systems I'm the support tech for and because of this, I'm currently in the process of developing a linux installation for those computers to reduce my headaches while improving the usefulness of those computers.
Can you name me which modern OS shipping made a MARKETING decision to put their video drivers in the kernal? When NT went from 3.51 to 4.0 and they tossed in the Win32 widgets and they FORCED the kernal team to put the video driver in RING ZERO. They did not like the numbers they were getting. Was the user going to pick another VENDOR'S OS? :-) They wanted a reason for the user to PAY for an upgrade. Nobody pays for a SLOWER OS. Those just don't sell well.
;-)
:-)
;-)
:-D
Want another example?
How about 'priority boosting'? That is where only MS boost the thread level of the actively running application so it 'appears' to run faster to the user. This has created all kinds of fun problems for developers but 'hey' it SELLS upgrades baby.
Here is a fun one for you.
Why is it when I go into my CMD shell I can do a 'NET STAT'? Where did that stuff come from?
That would be when they put it in the NT kernal to compete with Novell. They have just been too busy helping the customer to take it out. All of the NET commands came from MS Lan Manager. I'm sure there isn't a Netbui stack that has kernal access either.
And people wonder why Linux runs so much quicker? I mean has anybody bothered to empty the garage lately that we all call the XP kernal? I mean what else is running at ring zero these days? Seriously if MS Basic hadn't been in the EPROM I bet the LOAD command would still work.
You think I'm kidding right?
Has anyone tried to nuke the msmsgs.exe task? That would be MS's Instant Messaging application. This is STUCK in your toolbar and if you TRY to remove it you are told
OTHER applications are USING it! Don't we call other programs that do this viruses or trojans? This is a very rich example of why an OS vendor should NOT be allowed to compete in the application space. But hey it allowed them to KILL Netscape even when they had 80% market share. This might have been OK when MS DOS was seen as a HOBBY only used by kids but NOW IT IMPACTS every companies BOTTOM LINE!
Final point. Anyone ever bother to read what the findings of fact were in the MS anti-trust trial? I mean we all paid several million in taxes for that one and it makes GREAT bed time reading.
Are you aware that MS MANAGEMENT STOPPED the release of Windows 98 UNTIL AFTER Christmas so key DLLs could be part of the kernal? Since this statement sounds like I'm on a narcotic I'm going to PROVE IT IS TRUE.
BTW
Not one other company could pull this kind of crap NOT EVEN IBM. MS has created their own monster. The reason their kernal has SOOOO many holes in it is because the product managers HAVE DRILLED them there in the first place. I mean even a blind guy can fall into ring zero and take over your system. Why is it folks can READ the code for the kernal in Linux and it is SAFER but I can blind fold you and you 'might' get admin rights in XP?
MS could never allow you to read their kernal code. You would see how too many of their APPLICATIONS work.
The link for the DOJ trial doc is here: <URL:http://www.usdoj.gov/atr/cases/f3800/msjudge. pdf>
From page 83 of the above link:
Allchin followed up with another message to Maritz on January 2, 1997:
You see browser share as job 1. . . . I do not feel we are going to win on
our current path. We are not leveraging Windows from a marketing perspective
and we are trying to copy Netscape and make IE into a platform. We do not use
our strength -- which is that we have an installed base of Windows and we have a
strong OEM shipment channel for Windows. Pitting browser against browser is
hard since Netscape has 80% marketshare and we have <20%. . . . I am convinced
we have to use Windows -- this
There's too much money to be made having the predominant computer architecture being buggy forever, and there's little practical downside for those who profit from this phenomena. It forces hardware upgrades when users computers are "broken" from bugware and they think it's the hardware, it forces software upgrades because all of a sudden the old stuff becomes "too slow", it creates a perpetual fix-it shop cash cow bonanza from whitebox shops on up, it requires legions of "experts" in the backrooms of industry to continually patch systems, etc. There's some profit in building and selling true quality products, but there's a lot more profit in offering perpetually buggy betaware.
I would guess it should be obvious that Windows evolved by random chance. There's certainly no evidence of Intelligent Design there...
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
Couldn't it be that Windows gets more attacked because it's just more popular? Maybe if other OSes were that popular they would also fall like that.
---------- Ramibotros - For MSN Nicknames : www.nicknameZ.tk (http://i.domaindlx.com/RaJoe/)
How much privacy has been violated in the last 15 years using this exploit?
Before info on the exploit was splashed on news websites, it may very well have been known to intelligence agencies, Microsoft, and organized crime. We will likely never know. However, it is the window of time between when an exploit is privately found and it is made common knowledge that the real mischief occurs. For the WMF exploit, that window may have been 15 years!
It's not hard to see how this simple exploit could have been used for corporate espionage, perhaps against you or your company, and you would be none the wiser today. Government agencies at every level use Windows. Your doctor probably does. Your bank probably does. Someone with knowledge of this exploit before it was widely known would have been in "god mode" in the monoculture of Windows. They could have made a ton of cash rooting a few stock brokers.
There's LOTS of nasty things that could have happened, that it is just as reasonable to assume happened as to not. We'll never know, because digital tracks are very easy to cover up. Why the press isn't asking the bigger question: how could Microsoft (or someone else) NOT have known about this, and how do we deal with a world where some people, right now, might know about the next WMF exploit and might currently be using it to make a quick buck.
So let's not focus totally on the cost to clean up the mess once the problem is known to the script kiddies. The unknown cost of the undetected zero-day exploits is quite possibly much higher.
(And for those who say "there's nothing we can do about that!", I suggest you compare Windows security to something like SELinux.)
The author specifically mentions this. The problem is certainly compounded because Windows is more popular, but the fundamentally, it goes back to shoddy programming practices, an emphasis on getting releases out before they are tested, and most important, the tight integration of the ENTIRE suite, such that, "If you compromise one program, you've compromised them all."
Your Servant, B. Baggins
"Incorrect. They are the two options available via the control panel's users control, yes. However, if you right click "My Computer" and choose "Manage", you'll have access to the same users and groups admin that's been present since at least NT 4. By default, that gives you Administrators, Power Users and Users, and you're free to create whatever other groups you wish, assigning them whatever privileges you desire."
He's talking about XP Home, in which there is no "power user" group - even when you go into the advanced user management.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
It must be Murphy's law of mod points at work again: "As soon as your modpoints expire, you will find something worth modding up."
AC's formatting sucks but he doesn't deserve to stick around at 0. AC, get an account, please, this sort of contribution shouldn't be anonymous.
Although, for the record, it's spelled 'kernel'.
XP x64 is just about useless because of the security issues. This box is getting hit left and right, and is constantly stumbling.
Sureley you're not stupid enough to place a Windows box (*any* flavor of Windows) directly onto the public Internet without securing it behind a substantial firewall???? If you did, then Dude..., that's messed up!
Comment removed based on user account deletion
windows auto update does not get the Optional Software Updates you need to use the windows update web site for that and you need to be a admin to do that. runas does not work
You know, it's interesting that Gates made this statement, when you look at how MS deals with security issues. Does he also believe that slapping some band-aids on his arms will take away his ability to bleed?
How many Linux PC's have been pwn3d this year just visiting a web page?
No, Windows is not "less bug-prone/filled" than Linux (you got that wrong anyway, it's not "bugs", it's "vulnerabilities", that matter in terms of security).
Mulder? Is that you?
I don't make predictions, and I never will.
Exactly as was predicted by knowledgeable people at the time: "Adding security to an existing, large insecure system will, in my judgment, prove an impossible task." Bill Joy
Ok I'll grant, MS has come along way from throwing out the unsecure crap that it had been until about 02-03, and while I generally agree with what people are saying here I would like to add one thing. Even for someone who is very literate like myself its still a pain in the butt installing these patches every week. Now before you jump me and say I'm lazy, wait and let me clarify. Its not that I don't update my software, or that I shouldn't, or can't. The issue that causes me the most time is how about once a month when I install a MS patch, I have go to back and reinstall one piece of software or another because the patch screwed up something else. I'm not saying there arn't perfectly valid reasons for this but the point is that other people who don't want to take the time, or don't know what they are doing, like at least 3 people I know rather well simply won't do it. They refuse flat out to install any MS updates for their system for fear of it blowing up their important software. I can't exactly blame them, but the question I have to ask myself is, if MS put out software that was crap for so long and is finally now trying to get up to par then I think some real support for users should be avaliable, or at least a warning if the program is going to effect something that could interfear with an often used program.
Jack
Microsoft security.
.wmf file format security hole, a real gapping maw of a hole. The following Monday, YESTERDAY, _two_ (2) more .wmf flaws are reported and posted with exploits.
That Microsoft has security like a cheese grater has bouyancy is a very well known fact, but the interesting point underlying the well known fact is _why_ Microsoft has such lousy security.
I suggest it's their attitude towards security. For example, last Thursday Microsoft released a patch for the
This is the way Microsoft does security: They wait for users to get hammered and scream, _then_ they might fix it, but just that one thing, anything else related is ignored until the cycle starts again with users getting hammered and screaming about it.
After the past two years of Microsoft "security," the only people who still run that junk are the ones locked in by their PHBs and the clueless pubic who buy PCs based on what they see on TV. Oh yes, and the willfully locked-in Microsoft fanbois who are out in droves today defending their sinking ship against the crush of reality.
Microsoft fans are much like the "Intelligent Design" people: They believe and insist their belief is the same thing as knowledge. This gives them the excuse to ignore reality with it's rather unpleasant (to them) consequences.
Face the reality of the situation with Microsoft products: They want your money first and foremost, anything and everything else is, at best, second thought. This includes security, quality -- everything else.
That's your reality, deal with it in a constructive way by getting off the Microsoft Gerbel Wheel from Hell (tm): It's the only way to be sure.
Cheers.
Everything in the Universe sucks: It's the law!
Yes, because this is oh so different from the way Apple handles everything, right? *rolleyes*
I'd say Apple is indeed doing something different, since it's five years and counting without a single instance of OS X-specific malware being seen in the wild.
And if you think it's because nobody's trying, you're deluded. There are plenty of assholes out there who would love to be the first guy to come up with genuine OS X malware. Any fool can pwn a Windows box, but you really have to be 1337 to crack a Mac. So far, nobody's measured up.
OS X was designed to be secure from day one. Until Microsoft give up, chucks everything they've got and starts fresh, Windows will always be betrayed by its roots as a completely unsecure, single-user OS that had the security (and everything else) bolted on later-- it's like a straw hut with a steel door.
Will Microsoft really be more secure? With all the antispyware, antivirus, firewall software with billions invested into it from the makers of these programs, it won't happen. Not if Symantec, McAfee and all those other companies out there have anything to say about it. Besides, 95% of the world out there thinks windows IS the only OS you can load on a computer anyway and changing that is going to take YEARS to do this. Microsoft knows this, and with billions of dollars in revenue coming in, there is not need to really change, as long as the overall impression is given that they are really concerned about security, hence the reason for stupid stuff like the security center that came with XP Service Pack 2.
Little troll, the facts are obvious and all your silly games are useless. There's a new M$ nasty every month, and it has a half life of 12 minutes on any network. People who don't use M$ junk don't have problems, people who do get popups and corrupted files and machines that don't boot. As much as you would like to blame the users, admins or anyone but Microsoft, the only thing people with computing problems have in common is Microsoft. Replace M$ with Apple, Sun, Linux or BSD and 99.9% of the problems vanish. It's not the users. It's not the people who have to fix Microsoft's problems, it's the software they use.
Don't give me any bull shit about how much people hate M$ or how M$'s popularity is the cause of all the problems. Sure, anyone who's used computers for more than a year or two knows that M$ sucks. It's the Quality, stupid. Most people have no clue about the ethical problems the company has. Yes, there are many people who actually hate M$. That's what you get when you sue public school systems, lie about competitors and do all that other "sharp" business crap. Only a small percentage of the population keeps up with that kind of thing, but a small percentage of many is a lot of people and sooner or later, everyone will know. Performance alone and broken promises are enough to make many people others without a clue hate M$. You can contrast this hatred with the love people have for about any other OS and see what a turd M$ really is.
In short, Microsoft has EARNED it's reputation and all the apologies in the world won't change a thing. After four years of "Security is job 1" and no real changes in system behavior, the public has had enough.
Friends don't help friends install M$ junk.
Sounds like Bush. Now more people will switch to Democ^H^H^H^H^H Mac OS X.
Shop as usual. And avoid panic buying.
However, it is more likely that none of the staff in any position to improve things gives even a rat's asshole about security. They can make money still without it.
So, what were the allusions to the U.S. Apollo program about? Beats me. Maybe a diplomatic way of informing the current administration of a desire to get on the dole. Corporate welfare to the tune of $25 bn of taxpayer's money.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
For everyone who doesn't use OS X: The main difference between an administrator and a normal user under OS X is that the administrator may sudo. When using shell programs as a normal user sudoing will fail (because the normal user is not in /etc/sudoers) and Aqua apps that require administrative access will ask you for both the name of an administrator and the corresponding password. As an administrator manual sudo works and Aqua apps will only ask for your password.
/etc/sudoers.
root has much greater (and usually unnecessary) privileges than an administrator and is locked by default. I have only had to use root twice, in both cases because I had broke
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
When I mentioned that non-admins are not in the sudoers file I forgot to mention that admins are in it via the admin group.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
but *nix has never been marketed as easy-to-operate. Microsoft has made great promises on ease-of-use, and should be held to that. If security is compromised as a result of this simple user experience, then I would consider Microsoft to have over-promised and under-delivered.
I've been on the internet 25+ years with Linux and Firefox, until recently I didn't even have a firewall or spyware scanner or NIC, I've never been hacked... I don't get it. Even with the base install not having sudo I still was able to perform all tasks with a limited account inside a chroot without being logged in. My issue with the 2.6 code base are issues with BOs* and that's a limitation all OS's will have to encounter. My confidence was severley shaken with the WINE WMF issue, basically at the point the graphics program over every application/OS feature that tries to view WMF graphics is a ticking time bomb the code paths are mind boggling... Jesus_666 shields up!
* Body Odors
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Slate is a shill for Microsoft. How dare you publish something so stupid? Remember how they blamed their bad software on users?
As for the rest of you below, defending Microsoft: you must be REALLY stupid to not get it.
It's unfortunately not a law you can't be stupid, but it is a law you're not allowed to procreate. So stop fucking around, you morons.
No, the WMF problem is an incredibly silly code insertion technique that was designed in - deliberately allowing the image to embed its own arbitrary code - in the days when anything on a machine was deliberately put their by the user and could arguably be trusted. There's no buffer overflow or anything here - just a windows object which is insecure by design.
This kind of code shows how little windows was designed with networking in mind. It wasn't a problem in 1985, but still working that way 20 years later shows how Windows still includes horribly insecure legacy code that should have been revisited if they were serious about 'secure by design'.
Justin.
You're only jealous cos the little penguins are talking to me.
Alrighty then, the Win2003, Exchange 2003, and Vista OS are not radically different than the ole NT, Exchange 5.5 and heaven help us Windows 3.3 products. If it is possible to run your 32 bit programs and .dlls ('seamlessly' as one article described it)on the 'new' 64 bit Windows then trust me, it's security and exploit business as usual. The new versions are essentially lipstick on a pig.
'The longing to be primitive is a disease of culture' George Santayana
Security is like that. No one wants to pay for it until they need it. Then they want to chisel the price down even though all kinds of flashing red lights and klaxons are going off. See the fact is that MS is simply following the mindset of its customer base. Its customer base thinks of security STRICTLY in terms of identity theft and credit card fraud as per the monthly cable news nuggets. And if their machines crash or slow to a crawl those same customers simply shrug and say "The internet's broken" shut off their machines and hope that it will all magically fix itself soon.
Moreover given that the retail price of MS operating systems hasn't dropped, ever, since 1981, it's unlikely that customers would pay a premium for 'security enhanced MS products. Would you? Would you pay a $50 premium for a fixed version of MS code? I wouldn't.
So here's what MS should be sweating. Apple. Yesterday Apple demoed an iBook they claim runs 3-4x faster on Intel hardware. Combine that with the rugged secure OSX and you have a big hammer with which to smash the MS mindset. If Apple-Intel+ OSX gets anywhere near the price point of MS-Wintel I and millions like me will switch in droves.
Now - will that mean better security? Yes in the short run it will until Apple becomes a big enough target then it will suffer a wave of problems. But once they've let the OSX genie out of the bottle it will be hard to put back in and claim that 'Security's hard' because we'll know that that's not entirely true. Customers will demand and get a better stable BSD based security platform and they'll never look back.
BTW Linux-heads. You ignore this at your own peril too. The value add of Linux versus MacOS X at the price point you'll see on Intel hardware will make Linux irrelevant.
I'm actually a lot more optimistic about security (specfically Microsoft security) these days. I used to think (probably correctly) that Microsoft was incompetent in this regard. Microsoft has apparently been ruled by the cowboy coders on one side, and the irresponsible marketeers on the other. But watching the various videos (especially the Going Deep series) on Channel 9 (http://channel9.msdn.com/) interviewing lead developers of various areas, I am more and more impressed. Microsoft employs some DAMN SMART people in Microsoft Research and even a lot of their core development areas (kernel, tools). In the vista kernel video you can tell they are pretty embarrassed about the history of Windows, the registry, etc., finally understand there is a problem, and are actively trying to solve it (creating gigantic dependency graphs of binaries, trying to sort out the configuration (they refer to it as "state") issue). Given that a lot of this good stuff can be incorporated into a commercial product without the bastardization of the marketeers and cowboy culture, I'm optimistic. Watch the video about Avalon - what the guys is describing is essentially X11. That's not news to us, but I have to imagine it's revolutionary at Microsoft to break down, admit to themselves that the existing display/rendering technology is shit and inflexible and un-extendable, and pro-actively go about implementing a network-transparent graphics framework that mimics alarmingly technology of their arch-competitor (*nix). If they can do that, I have hope they can bury a lot of the other problems they have caused for themselves and maybe start doing the Right Thing.
;)
ok, enough </fanboy>
It's 10 PM. Do you know if you're un-American?
Ive had a windows computer for years....and im about convinced that they are concerned less with viruses and worms and such....until there's a big hullabaloo about it and they have to fix it. And the reason i feel they're less concerned about it is because they're in bed with Norton and/or McAfee. That's what i think.
I have. For a small mickey mouse program they're fine. For a huge program
such as an OS they're pie in the sky. Its almost impossible to formally
prove the entire OS because:
A) Its not a single "process". It has multiple interlinked processes (I don't
mean kernel processes, I'm mean logically seperate processing flows) so
you'd need multiple levels of proofs.
B) Someone has to write those proofs. If theres a *single* flaw in *any*
proof the whole exercise is null and void. Since proofs are written by humans
I can guarantee there'll be flaws.
C) The proofs have to be run through a formal proof program which itself
must be formally proved if its to be of any worth.
You beginning to see the problem?
That's one of the reasons why many companies (like major airlines) do their own in-house software development. That way they can create software in their own way and on their own schedule without having sales weenies interfering with the process, creating unworkable release dates, etc.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
I don't understand why everyone is always trying to kill the Windows OS. Is it that big a deal to make a virus? Ooh, woow, you made a virus that bring Windows down. Aren't you the big man on campus. Grow up and get a job.
Current versions of REAL player require user write access to the System32 directory.
WTF?
Yes, Windows application developers force users to run their systems insecurely.
A house divided against itself cannot stand.
No, and some people screamed at the time. What did they scream about? Executing e-mail attachments and ActiveX are the two that I seem to recall, though I'm sure there are others that people said, "That's not a very good idea because of security". But very few listened. In particular, neither Microsoft nor the industry press listened to the idea that a feature could also be a security flaw.
(In the end, those components of EUROGAM I was involved in writing were capable of handling 33 megabits/second - and it was the network that failed before my software. Those components included data storage, linear interpolation of matrices with any size dimensions and any number of dimensions, data display and data upload/download to external storage.)
Project scale doesn't matter, because good software design is all black-box. All contexts and all threads are logically independent except at controlled points, so you push all of the complexities a regular formal language cannot deal with into those controlled points and prove the rest as ordinary modules.
The controlled points then aren't any more complex. They are not really systems, the variation is between threads/contexts and not time, so you simply rotate the problem and write your Z schemas between threads/contexts, and not between operations. There are no operations, you're at a single point.
The reason formal methods are regarded as "difficult" has nothing to do with any actual difficulty and everything to do with the fact that the industry has no desire to pay more for the extra skills needed and get the product later, because for them speed is everything. First to market. First to this. First to that. Gotta have it last week, no matter how broken, not next week, no matter how superior.
You do not have to "prove the whole OS" - that is monolithic thinking. You only have to prove each black box (horizontal slices through the logic, if you like), each thread/state (vertical slices, using the same analogy), each interface and the entire initial state. By taking fragments of slice, you reduce any specific problem to one that can trivially be solved. By slicing in every direction and doing the same, you reduce ALL the problems into ones that are trivial to solve. By finally proving the interfaces between fragments of slice (whether the fragments are in the same slice or not), you prove that all micro-flows are valid.
Provided your proofs are satisfactory, you can now prove by induction any given horizontal or vertical slice in its entirity. Since we know the interactions between the two directions are valid (as that's already been proved), we can now prove by induction the full array of horizontal and vertical slices.
Honestly, the biggest problem I see to the adoption of widespread use of formal methods are the lecturers who introduce it but who completely lack the understanding necessary to apply what they are teaching. Remember, those who can do, those who can't teach. Don't trust those who can't as the source of wisdom.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The certification system would ideally be fine-grained and cover all kinds of behaviours, but consumers get confused easily. As such, it seems better to reward good practices such that the only way to stay ahead of the pack is for companies to keep improving those practices. The specifics of the bugs will then fall away of their own accord.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Secondly, bugs only spread in the way you describe in unstructured code. If each module is strictly black-box, no bug can EVER spread outside of that box OR enter into it from the outside.
Thirdly, black-box coders don't talk to each other, so communication is a non-issue. Same with reverse-engineers. You have some block of code, you turn it into a specification, you then prove that the specification is correct and matches the code. Communication between individuals is irrelevent, because there is nothing that one is dealing with that will impact another. That's not the way this kind of engineering is done.
Because no communication is required, no communication problem exists. Remember, the logic of the unit is treated by one person and any given single interface or set of interfaces by another. Even the interface person doesn't need to talk to anyone. They know from the spec what the inputs and outputs are, they don't need to know or care what they do, only how they interconnect to each other or other black boxes, between contexts, processes or threads. ALL they have is the interface to study.
There is no debugging here and none of the usual team rules apply, because you'd have 10,000 independent teams of 1 person, not 1 team with 10,000 people.
The complaints raised by most other people show a woeful lack of imagination on how to apply formal methods. First rule of mathematics: If you can't solve the problem in one domain, apply a suitable transform and turn it into a domain you can solve the problem in.
However, your talk of debugging indicates the malady runs deeper and that there is also a woeful lack of understanding of what formal methods even are.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
How would I solve the scalability problem? I wouldn't. One of the most important rules in maths is that if a problem is not easily solvable in one domain, you should transform it into one it can be easily solved in.
This applies to formal methods. A Z Specification, for example, describes a set of states and state changes. All problems need to be reduced to something in this format to be usable. When a problem cannot be trivially reduced, you apply transforms until it can.
For example, threading. You describe the thread as the state and the operations that the thread can do are the statements reflecting the state change. You would do a whole different set of schemas for the operations themselves. And then another set for every other dimension that you can identify.
You are correct that proving more than a few hundred lines is extremely hard, but if you assume "black box" development, you only ever have to prove the box. Nothing outside of the box matters, because it will have no impact on the inside.
It is time-consuming, it does require some very skilled mathematicians, but it can be translated into a set of problems where each member of the set is solvable.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
In the first place didn't microsoft go back to the drawing board for Vista? Didn't they totally rewrite it from scratch? I thought that is what i read! if not someone please correct me. If what i read back when they started on it is true that it should be a little more secure(hopefully) if they have learned anything. And can anybody answer if Vista was affected by the latest worms. Yes wmf is an old legacy piece o'crap but come on, why does everybody make a big deal out of the microsoft issues. But i bet i can look at most linux distros and find them having multiple if not more patches comming out all the time for there distros. Alot of them are for the core. The reason everybody talks about it is cause microsoft is on most computers. Guess what microshaft is gonna be the target! That is why it is such a big deal. There is nothing secure! Trust me everything can be brute forced or there is someway to crack it! it just takes time. Or lots of super computers. Or maybe just great social engineering!
I am giving away 2000 premium accounts on my new dating website myfantasyromance.com check it out!
The troll you're arguing with will keep misrepresenting what you've said in a vain attempt to make it appear that he's right.
Stop wasting your time.