Slashdot Mirror
$10k Bounty for Critical Windows Flaws
An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""
I mean, who better than Bill Gates himself to submit hundreds of thousands of Windows exploits and makes zillions of them?
1. Design flawed OS
2. Wait for bounty on flaws
3. Submit flaws
4. Issue "critical" advisories on those flaws
5. Profit!!!
Mind you, if the bounty is for announced "patch" instead of "advisory", it will be almost impossible for BG to claim the prize.
Virtual Betting on Facebook for non-geeks.
Now where's my check?
It's times like this, when the rent is due, that I wish I knew more about hacking. :(
Operation: Who Wants To Be A Millionaire?
If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist. Well they might issue one out of the goodness of their hearts to encourage an upgrade to X...err Vista, but there will be no official patch.
On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...
Saskboy's blog is good. 9 out of 10 dentists agree.
I can't imagine MS is gonna be too pleased with this.
And they have a couple law-talkin guys on staff.
You forgot step 4.0.1 ???
Which is probably:
Buy Bounty company - then pay self.
Saskboy's blog is good. 9 out of 10 dentists agree.
This is what Linux companies should be doing. Pay developers that find an exploit in Linux a couple thousand dollars and make sure the hole gets fixed quickly. Obviously then it becomes a race for the companies to have their own employees find and fix the holes before outside developers do the same. Maybe have some lesser (since they're already getting a paycheck) bounty available to their own employees that find the holes and fix them.
As open as Linux is this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps and by then it should be time to start looking at the kernel again.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
That isn't a lot when you could sell the exploit on the internet like the WMF exploit was a snip at $5000 each, think how many people bought that in the malicous website, porn internet, fake-anti spyware companies like Win Hound. Some how I don't think this will last long.
iexplore.exe
You may send the prize money to PO Box 3872, Moncton, NB, Canada
Because they don't want to spend time diving into stolen source; who wants to learn to read Hungarian notation on top of english?
They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!
Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.
Weaselmancer
rediculous.
Some Vista developer is saying to himself, "I'm gonna code me a minivan!"
http://religiousfreaks.com/I mean, couldn't someone find a flaw, get together with 10 of his friends, and everyone reports it independantly? What happens then?
autopr0n is like, down and stuff.
Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.
Microsoft patches 87,000 critical flaws. Verisign files for bankruptcy protection.
This would be more about notoriety than money.
;)
Think about it - hacker gets paid $10k for finding a critical flaw and reporting it.
Hacker finds a critical flaw and blackmails a company for HUNDREDS of thousands.
It happens, I see it often enough when called in to do security-audits after-the-fact, and no, it's not me that's doing the blackmailing
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
Better?
d iculous
http://www.urbandictionary.com/define.php?term=re
Nerd rage is the funniest rage.
Maybe I am provocative... Anyway: when are we going to have similar initiatives for OSX or linux?
It's an interesting concept, but I wouldn't trust Verisign to get the tuna out of a can that had already been opened. I wonder what their deal is here.
Slashdot Burying Stories About Slashdot Media Owned
If iDefense (Verisign) can come up with $10K per critical Microsoft Windows flaw, why can't HP (or any other party interested in a secure environment) come up with money to support the development of applications for their own, very secure operating system: HP OpenVMS? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?
The $10K is certain. The few hundred K is a risk (or not an option for those with scruples)
-mkb
(a) There is no telling how many remain. Windows may be getting close to "tight" in terms of remote exploitability, or it may still have several gaping holes. RPC-based exploits (the "real" dangerous ones) seem to have been closed for a while. It's mostly overflows and breakouts now, and mostly on user-initiated processes. [User-initiated processes don't spread like wildfire inside of corporate networks, like RPC-type flaws. Dangerous, but not panic-level stuff...]
(b) People pay for these exploits because if they can take advantage of them, they can continue to spread their spam and malware from and to unwitting, unwilling and unaware people. Turning thousands of PCs into your own private email relay stations is motivation. Installing scumware/adware/spyware on thousands more is motivation.
I didn't RTFA, but I'd guess it goes something like:
Maybe not
/* Hacker finds a critical flaw and blackmails a company for HUNDREDS of thousands. */
/* The $10K is certain. The few hundred K is a risk (or not an option for those with scruples) */
I believe the correct phrase is "extortion".
Given the above comment, it's also not an option for those that don't want to go to prison.
A Haiku: my language choices/assembler pascal lisp c/old school programmer
You're not seriously insinuating I lack scruples are you?
I said I see this when I'm asked to come in and TRY to make sure it doesn't happen again, not because I do it myself?
If you work in the finance sector you will KNOW this happens and you will KNOW Banks and other financial businesses don't like it publicized when they are taken for a ride.
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
Yet someone else who is assuming I'm extorting companies?
I said in the above, I SEE this as part of my job, I don't DO it?
You guys love your conclusion-jumping don't you?
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
Users.
My prize may be donated to the Association for Smacking Stupid People Upside the Head.
/* Yet someone else who is assuming I'm extorting companies?
I said in the above, I SEE this as part of my job, I don't DO it?
You guys love your conclusion-jumping don't you? */
uhh.... seriously, no more espresso. I didn't accuse you of anything, I said that the thing you are DESCRIBING is extortion. Now, you can gather whatever info you want from the above comment, and re-think your response.
A Haiku: my language choices/assembler pascal lisp c/old school programmer
My apologies, but I would've thought ANYONE on Slashdot would know it's illegal and immoral and runs the risk of prision? That's common knowledge?
;)
What may NOT be common knowledge is how often it happens, because the companies it happens to don't like their customers to know their security has been compromised.
I read into your response because you stated the obvious... just having my first coffee of the morning now, cafe-latte, not espresso
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
put down the crackpipe please.
Do you have a disease? you think everyone on the internet is talking about you?
Neither the GP nor its sibling post are implying anything about your conduct. Both are making the same point - for some people extortion isn't an option. They're not suggesting YOU engage in extortion.
No possible reading of their posts suggests anything different to me.
Besides, if you can't take a few cheap digs and insinuations without wetting yourself, you shouldn't be here, pinhead.
my password really is 'stinkypants'
-
Design flawed OS
-
Sell flawed OS
-
Profit !!!
Any ressemblance to any situation, person, event, past, present and future is completely fortuitous.Umm... what's to stop iDefense from sitting on the details of the flaw? They say the submission must be exclusive and to get the cash Microsoft must issue a critical advisory. If iDefense does whatever they want with it and doesn't tell Microsoft, doesn't that mean Microsoft can't issue an advisory on a flaw they don't know about and iDefense doesn't have to give the submitter jack? Yeah, I admit it's far-fetched but I'd be reading the fine print to say the least.
// Dumps core here
You crazy English are messing up my English!
http://outcampaign.org/
"Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."
If I discover an obscure remotely exploitable security flaw in a Microsoft beta product (thus, unlikely to lead to a "critical" advisory,) why should I not sit on it until a few months after release and get paid?
Lurking at the bottom of the gravity well, getting old
Klootzak is an extortionist!!
Klootzak smokes crack for breakfast!!
Klootzak jumps to conclusions!!
see, noone cares about you, your sad life or your pathetic insecurities.
my password really is 'stinkypants'
Bugs are worth more on the black market. Blackhats do not release their bugs to $VENDOR, that puts a stop to their money making by droping adware, keyloggers, and trojans on poor unsuspecting Joe Average User. No matter how large the bounty is, no matter how appealing the company tries to make it, it will only attract white hats, and some greyhats.
The best exploits stay underground for an extremely long time until a whitehat catches a blackhat doing something careless (like not deleting their exploit they load on a system) or sniffing the exploit off the wire.
da w00t. mtfnpy?
So now hacking can be a career? It's now beneficial to train lots of people in the art of hacking?
$10,000 for the first person to discover a backdoor into the national bank!
one of those people is gonna leave with $10,000, the rest are leaving with a lot more than that!
Rich Gentlemen Hide - The Existential Comic
I just picked this up from Gizmodo
That article is sez that Vista is too secure, and that the British govt wants a back door....
The Russian mafia are going pay haxors big bucks for a back door if they find one (like the recently found WMF exploit - which some claim is a purposely put in 0 day exploit). I cant believe a Governments would push for this type of exploit, as they really just fuel the spy-ware and hacking economy!
If the British govt get their way, Vista WILL have exploits, so its just a matter of finding them.
The haxors mindset is completley different if they know if there is a way in.
At the end of the day I'd rather have the Russian mafia snooping my computer... They are less likely to turn up at 5am in SWAT gear and arrest me for copying my CD to my iPod at the MPAA's request....
well... all I can say is I welcome these new Russian hacker overlords...
Maybe crackers can sell their exploits to the highest bidder with the 10 Grand to I Defense being the reserve price.
With all of the programmers out of jobs due to outsourcing, this is a way for American workers to compete on a level playing field.
Wow - And people complain that I make little sense sometimes. I mean, seriously - if you write a program computed the distance between two objects, and later on used that distance to get out of style, it just has suited up.
what about e-bay.. sell the exploit to the higest bidder?
For sale: One windows Exploit, hardly used. Make money quickly through carefully placed advertizing. Reserve $10,000.
Hahaha, good idea, obviously you're the entrepreneurial type. :)
Make more money just working in "white-hat" security consulting if you are good enough to find exploits though, any company involved in asset-management or even just high-volume b2b transactions craves those skills (for obvious reasons).
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows.
That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.
Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependant on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.
Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly-insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in firefox. On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
No, I'm not insinuating anything about you. You read my post incorrectly.
I said that blackmailing for hundreds of thousands of dollars is not an option for those with scruples. There is no ambiguity in that sentence.
-mkb
My apologies, but I would've thought ANYONE on Slashdot would know it's illegal and immoral and runs the risk of prision? That's common knowledge?
OK, in the root of this thread, in the subject line, you say that more incentive is required to make this offer worthwhile. My reply and the GP state that there is, in fact, a possibility that there are security researchers who would rather have bugs fixed and get a smaller reward than risk prison time for a larger purse that may end up being nothing. This may be a result of a risk vs. reward calculation, OR it may be a result of actual honesty.
The fact that you see this so often suggests that it is NOT common knowledge that blackmail is illegal.
-mkb
Do the world a great service by finding windows bugs and then take it up the ass for 15 years when Shyster H. Lawyer decides to prosecute under the dmca because you took apart some binaries. Don't agree? Why do you think symantec and friends didn't want to mess with the BMG fiasco? Same reason. Microsoft made this mess, let them straighten it out.
Join the Slashcott! Feb 10 thru Feb 17!
Hurray, verisign is going broke!
d:\setup.exe
I'll take my ten grand now. Oh wait, I found another one!!
explorer.exe
There's twenty grand you owe me now!
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
In other news, Microsoft scraps their old advisory system and implements levels similar to Homeland Security Advisory System.
No bounty for you.
Either MS can start paying out for exclusive bugs, making iDefense's offer worthless, or they can start being more proactive about finding and patching critical problems.
It seems like a real win/win for Windows users no matter what.
the ability to turn on a machine running windows! now, where's my $10k?
I think with that bounty, they'll be bankrupt in 4 days.
Every time you call tech support, a little kitten dies.
Verisign iDefence charged with selling exploit information to Russian hacker groups
Heh... so blind, so sad.
This is solely an application problem. It has _nothing_ to do with Windows.
[...] and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement.
It's always had the functionality.
Windows developers have been encouraged for years to write programs dependant on root access.
Encouraged how ? What Microsoft documentation can you provide showing that developers have been told to write applications dependant on Administrator level access ? How do you reconcile this claim with the requirement of the "Made for Windows XP" logo that applications must run in a normal user account ?
Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!).
Very little malware is executed "accidentally". If you seriously think the need to run "chmod a+x" or GUI equivalent is going to stop many people from running their "watching the dancing elephants" program, you're delusional. People are happy to open up password-protected zipfiles to get their malware fix, having to make something executable is barely a speed bump.
The move over to NTFS was good, but it only really hit the public with XP.
Probably because XP was the first release of NT that was aimed at the public. Not that file permissions are particularly important to malware in the typical case.
I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem?
Does it matter ? Most unmanaged machines are single user and the most important files on the system are the ones the user has full permissions to anyway.
Windows NT has defaulted to NTFS since the day it was released. If people are running it on FAT, someone has made a conscious decision to change the default.
There's a few architectural security advantages Linux has over windows.
Like what ? Having to manually make files executable is about the only thing I can think of that would come close to this, and at most it's a minor issue.
On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.
There's been no shortage of "critical vulnerabilities" in OSS apps that have gone unnoticed for extended lengths of time.
On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!
Maybe not.
(Although I bet you weren't running as a non-Admin user, as well.)
Ass? Uh...
Heh ... so smug, so laughable
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
the devil is in the details. Any really good flaw reported will fall just this side of critical. Not critical no $10,000.00. No bad press.
The race isn't always to the swift... but that's the way to bet!
Encouraged how ? What Microsoft documentation can you provide showing that developers have been told to write applications dependant on Administrator level access ? How do you reconcile this claim with the requirement of the "Made for Windows XP" logo that applications must run in a normal user account ?
...and click it that I'm talking about. Particularly when the last ".exe" has been hidden by the OS. The problem is that double-clicking a file has two meanings - "execute me" and "open me with associated program". If the OS uses an execute bit, then it forces users to manually specify which of these actions are to be performed - which means fewer users accidentally executing what they assumed to be a non-executable file.
They encouraged it prior to the release of XP. Then they released XP, and changed the way programs are supposed to perform OS operations. Ok, that was a good step. But you can't expect millions of programs out there to be re-written to do it the new way. Even though they have now changed the way they recommend programs be written for their OS, their previous stance still has repurcussions in the current state of windows software.
Very little malware is executed "accidentally". If you seriously think the need to run "chmod a+x" or GUI equivalent is going to stop many people from running their "watching the dancing elephants" program, you're delusional. People are happy to open up password-protected zipfiles to get their malware fix, having to make something executable is barely a speed bump.
I'd say a whole lot of malware is executed accidentally. Ok, so the people who will jump through a hundred hoops to destroy their system are beyond hope, no matter what architecture they use. But it's the people who encounter a file like...
"holiday photo.gif_________________________________.exe"
(Due to slashcode, you'll have to pretend those underscores are whitespace)
Does it matter ? Most unmanaged machines are single user and the most important files on the system are the ones the user has full permissions to anyway.
Many of the machines used by inexperienced people I see these days are family machines. There's a Mum account, a Dad account, a little Johnny and little Betsie account. Households with multiple computers (at least in Australia, might be different in the US) tend to be those with computer-savvy household members in my experience. And if your file system is permissions-based, it means little Johnnies naieve attempt to access the wonderful world of internet porn won't delete all Daddy's financial records.
There's been no shortage of "critical vulnerabilities" in OSS apps that have gone unnoticed for extended lengths of time.
Which is why I used the word "potentially". Also, notice that I wasn't talking about bugs that go unnoticed, I was talking about bugs that are found, but sat on by Microsoft. In the OS community, as soon as a bug is found it can be patched by anyone. This is the advantage of an OS whose source code is public - anyone can modify it to protect themselves. So even if Linus (or Redhat, or whoever you consider to be the MS equivelant in Linuxland) doesn't develop a patch, some other party can. You're not going to be seeing the same sort of thing happening in Windowsworld because nobody really has any clue how it all works - they don't have access to the code.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
1) Find flaw
2) Report to iDefense
3) Sign Non Disclosure Agreement as a condition for receiving payment
4) iDefense reports info to MS
5) MS never publishes flaw
6) ???....WTF!
Or perhaps I am just being too cynical.
Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
How ? Give some specific examples.
Ok, that was a good step. But you can't expect millions of programs out there to be re-written to do it the new way. Even though they have now changed the way they recommend programs be written for their OS, their previous stance still has repurcussions in the current state of windows software.
Developers have had no excuse not to be writing LUA-friendly applications since about 1998. That's when every shipping version of Windows had support for per-user profiles and registries.
I'd say a whole lot of malware is executed accidentally.
Ignorantly != accidentally. If they double-click an icon, that's deliberate.
Ok, so the people who will jump through a hundred hoops to destroy their system are beyond hope, no matter what architecture they use. But it's the people who encounter a file like [...] and click it that I'm talking about.
Look, I realise it's difficult for a lot of technically-inclined folks to grok, but these sort of people make up the _majority_ of computer users. Heck, the number of people who will even think _at all_ of the possible and expected results before trying to open some arbitrary file would struggle to hit a double-digit percentage.
To most people a PC is like a TV, only less reliable. They don't need to worry about some TV show destroying their PC, why should they worry about some piece of software doing that same thing ?
Particularly when the last ".exe" has been hidden by the OS.
Realistically, this makes no difference. If people will open password protected zipfiles to run software, then they'll follow the one or two instructions in an email it takes to chmod +x a file and run it.
The problem is that double-clicking a file has two meanings - "execute me" and "open me with associated program".
Conceptually, a double click action only has one meaning - "open this" (or "activate this"). Whether this actually entails running an executable or passing the file to a handler program is an implementation detail that the user doesn't - and shouldn't have to - know about (it's like the difference between turning the TV on via the power switch or the remote). I'd be astounded if you could find even a handful of people out of every hundred who knew about the concepts of "running an executable vs opening a file".
If the OS uses an execute bit, then it forces users to manually specify which of these actions are to be performed - which means fewer users accidentally executing what they assumed to be a non-executable file.
It won't work. All it'll do is piss people off who have to go through extra steps to do the things that have been completely transparent up until that day. Then they'll go and set the file executable and run it anyway.
(Also, FWIW, NTFS does have the equivalent of an "execute bit".)
Many of the machines used by inexperienced people I see these days are family machines. There's a Mum account, a Dad account, a little Johnny and little Betsie account.
You'll probably also find that the vast bulk of data on these machines is in a "shared folder". IIRC Windows calls it "Common Files".
Households with multiple computers (at least in Australia, might be different in the US) tend to be those with computer-savvy household members in my experience.
Well, I'm Australian as well and from what I've seen, most "household computers", if they're even used by more than one person, just have a single account that everyone uses.
And if your file system is permissions-based, it means little Johnnies naieve attempt to access the wonderful world of internet porn won't delete all Daddy's financial records.
I'm well aware of what it means, my point is that the vast bulk of non-OS/application data on any given machine i
thats 1.21 jiggawatts actually
RedHat
... and any other distro which enabled OpenSSH versions 2.3.1p1 through 3.3 by default.
;)
Mandrake
Slackware (IIRC)
So, is that $10,000 per instance...?
Developers have had no excuse not to be writing LUA-friendly applications since about 1998. That's when every shipping version of Windows had support for per-user profiles and registries.
.PIF was a .JPG.
That was support for multiple users was added. But when did MS start saying that programs should be developed so they can work in a non-root setting? From the development perspective, "LUA-friendly" is just another feature. If you don't need it, you don't use it. You just keep doing things the way you usually do. It's not until MS issues best practices and "written for XP"-type certification that development houses are going to change their in-house practices (if then). The "encouragement" I was trying to refer to in the last paragraph was that situation. Microsoft didn't go out there saying "we want everyone to write insecure code". But they created a system that let developers assume they had global read/write to the harddrive. Once the developers fall into that mindset, changing it is going to be a long, slow process. That's the encouragement I'm talking about - they set up single-user system, and then tried to change it mid-stride to a multi-user one.
Ignorantly != accidentally. If they double-click an icon, that's deliberate.
It's a deliberate action, but they're not intentionally trying to run a program. It's like the difference between giving away your credit card numbers to random strangers, and being spoofed into giving to someone setting up a fake ebay interface. One is plain stupidity, and one is fraud.
Conceptually, a double click action only has one meaning - "open this" (or "activate this"). Whether this actually entails running an executable or passing the file to a handler program is an implementation detail that the user doesn't - and shouldn't have to - know about
Except that every user has to know that running code can be dangerous. Every user has to know that, or there's no helping them. And most, especially these days, do. If you simply modified the popup box that appears when you double-click a file with an unassigned helper app to say something like "This file appears to be an executable. Executable files may damage your computer and/or files. If you are sure you want to execute this file, right click and tick 'Make File Executable'" it would be a big help. It wouldn't help those bound and determined to run the happy elephants screensaver no matter the cost, but it'd help those who were fooled into believing that
You'll probably also find that the vast bulk of data on these machines is in a "shared folder". IIRC Windows calls it "Common Files"....most "household computers", if they're even used by more than one person, just have a single account that everyone uses
Maybe we've just had exposure to different households. Most that I've seen just save stuff to "My Documents" or the desktop, both of which are separate for each user.
In the Real World, however, this hypothetical difference doesn't add up to a hill of beans, because the vast bulk of OSS users only get their software through "vendors" like Red Had, Gentoo, Ubuntu and the like - so they're in exactly the same situation waiting for them as they would be waiting for Microsoft.
The thing is, the vendors themselves don't always write the patches. People in the Linux community did. With MS, there's one central point of failure - Microsoft. If they drop the ball, you're SOL. With Linux, if the usual guy doesn't deliver a patch in a timely fashion, some other interested party can. And then the vendors can vet his patch, and deliver it. People don't have to be able to code themselves to benefit from the advantages of open code. It's not a case of telling people to patch their own kernel, it's about not being totally dependant on a single entity for your patches.
When Linux has the same userbase proportion and demographic that Windows does, it will have the same problems, unless som
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
"Your computer is connected to the Net. We recommend ripping your modem, network card, and wireless networking devices to ensure your PCs safety."
There are two other effecting patching mechanisms:
1)With a turkey baster, apply a decoction of Starbucks's latest Windows XP patch, Christmas Blend, released this last December.
2)This is a more complex process, but well worth the effort.
a)unplug your AC
b)make a diagram of the weird slanty plug shape (the slants keep out hackers!)
c)with a pair of craftsman hacker pliers, ply the PC plug into an anti-hacker configuration matrix
d)plug into the anti-hacker power plug, making sure the switch on the power supply says 110 (the lower bandwidth also keeps hackers out)
Please stop stalking me, bro.
Probably long before then, given NT was multiuser since the day it was released.
You are making an extraordinary claim that Microsoft's development guidelines contradicted not only general best practices, but also sheer common sense. I think that demands some proof.
From the development perspective, "LUA-friendly" is just another feature. If you don't need it, you don't use it.
Rubbish. Taking advantage of per-user data stores and avoiding writing or modifying data in system areas unless absolutely necessary is are practices that any remotely competent software should follow without even thinking about it. Shit, I'm only a SysAdmin and even I remember enough from my programming classes to know that.
You just keep doing things the way you usually do. It's not until MS issues best practices and "written for XP"-type certification that development houses are going to change their in-house practices (if then).
Rubbish. If you're a developer with even a shred of pride in writing good software you don't write software that needs Administrator privileges to run.
The "encouragement" I was trying to refer to in the last paragraph was that situation. Microsoft didn't go out there saying "we want everyone to write insecure code". But they created a system that let developers assume they had global read/write to the harddrive. Once the developers fall into that mindset, changing it is going to be a long, slow process.
"Because I can" is not sufficient justification for writing bad software. Developers have had 7+ years to change their habits and code.
That's the encouragement I'm talking about - they set up single-user system, and then tried to change it mid-stride to a multi-user one.
No, the move from DOS-based Windows to NT-based Windows was a punch that had been telegraphed for a good 8 years by the time it actually happened. This included a transitional period of both OSes being - from the developers' perspective - "multi user" of _at least_ 3 years.
It was in no way a "sudden" or "mid-stride" change. It was a planned, structured transition. Developers have had no excuse for releasing apps that needlessly require Administrator level privileges for at _least_ a period of 5 - realistically closer to 7 - years.
It's a deliberate action, but they're not intentionally trying to run a program.
If they're consciously double-clicking an icon, expecting something to happen, it's a deliberate act. I'll grant you the *results* - installing malware instead of seeing the dancing elephants - might not be desired, but that's beside the point, which is that *users will run stuff that will hurt them if they think it will do something they want and this is nearly impossible to "protect" against*.
Except that every user has to know that running code can be dangerous.
Sadly, no. Mainly because most users don't really understand what "running code" (vs, say, "opening a document") really is and why a computer can't understand why something is "bad"[0] when it's so obvious to them.
Every user has to know that, or there's no helping them.
This is kind of the point I'm trying to make.
And most, especially these days, do.
Rubbish. If they did, malware would be an annoyance, not a plague.
If you simply modified the popup box that appears when you double-click a file with an unassigned helper app to say something like "This file appears to be an executable. Executable files may damage your computer and/or files. If you are sure you want to execute this file, right click and tick 'Make File Executable'" it would be a big help.
That the "Open Attachment" dialogs in Outlook have been saying essentially this for ~6 years now, and also defaulting to "Save" rather than "Open", sugges
I don't mean to sound overly pessimistic, but this is my take on this: M$ has a long history on understating the severity of bugs. Their own ratings, for what we would call a "critical flaw", ranges anywhere from "This is a feature!" to "Minor bug". My opinion here is that the odds of M$ publicly agreeing with you that it's a critical flaw, are somewhat worse than your chance of winning the lottery, getting hit by lightning, and meeting an alien from another galaxy... all on the same day.
"Put your message in a modem, and throw it into the cyber-sea." - Rush
...iDefense recently signed a secret agreement with Microsoft whereby Microsoft would pay it $20,000 for every unknown Critical Windows Flaw it could find.
Coder's Stone: The programming language quick ref for iPad