Microsoft Unveils Open Source Exploit Finder
Houston 2600 sends this excerpt from the Register about an open-source security assessment tool Microsoft presented at CanSecWest:
"Microsoft on Friday released an open-source program designed to streamline the labor-intensive process of identifying security vulnerabilities in software while it's still under development. As its name suggests, !exploitable Crash Analyzer (pronounced 'bang exploitable crash analyzer') combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers. Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
LOL
Damn you microsoft! For the next few months I won't be able to read the "not" operator without giggling.
'hellfrozeover' tag in 3... 2... 1...
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Does this bombard all exposed functions with garbage data and look for overflows, or does it actually comb source code, look for off-by-one bugs and try to outwit the code by using boundary conditions? It's nice for Kaminsky to praise his pimps, but how does this tool really differ from any of the other leak-detectors and bug-finding tools that already exist?
I want to delete my account but Slashdot doesn't allow it.
Microsoft has released an open source product that detects security flaws in code... my irony detector just exploded. :)
Could Microsoft be purposely trying to confuse people and associate the terms "open source" and exploits?
There's a presentation that explains how it works: http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx
They talk about what to do when a bug is discovered. My understanding is that beta testing may result in thousands of crash reports. Clearly you'll want to prioritize fixing the exploitable crashes before the non-exploitable ones. It seems this software is to help you do that, although the article is short on technical detail.
Microsoft releasing their internal tools finally. I myself am waiting for their '!MakePortedAppsSuck' and '!CrushAllResistance' apps with bated breath...
OK, so the source is viewable, but does it qualify as free software as in freedom?
Or is that a senseless question anyway since it runs under Windows?
The threat free software has to your buddies at M$ is astronomical. This is the reason M$ will do anything in their power to remove all free software from M$ Winblows, which includes the use of M$'s new tactic of removing free software and using multiple accounts to back the story. The only way to eliminate the M$ exploits is to use free software instead of non-free software, or any software from M$.
--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.
Your comment loses all credibility not so much because of your lack of evidence but because of your use of "M$."
Also, your suicide joke wasn't funny.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
But it almost sounds to me like the users are supposed to run this and then report their findings.
Do the people that run it get a paycheck? Or is that the part that's open source?
Aren't there other programs that also do this? If so (I really can't imagine that MS are the first to release something like this), then how is this news?
Some people are only alive because it's against the law for me to hunt them down and kill them.
-- derby
...only see Windows.
"Now, Microsoft wants to help secure third-party applications that run on top of Windows."
Microsoft can't even secure their OWN stuff, what makes them think anyone can take them seriously when they try to secure third party stuff? Who knows, maybe it will make third party stuff more secure, which puts the blame back onto Microsoft for every exploit. It will just enhance the fact that the best way to make Windows secure is to use as little Microsoft software as you can on it. It may also backfire on them if people start wondering why they don't use their little tool to make Microsoft software more secure too. If they do, will the difference be noticeable? Will people get noticeably fewer malware infections per week?
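#include <string>

struct Bug;                                          // opaque crash record
std::string get_application_vendor(const Bug* bug);  // provided elsewhere

enum Severity {
    TRIVIAL_SECURITY_RISK,
    MODERATE_SECURITY_RISK,
    MAJOR_RISK_UNINSTALL_IMMEDIATELY
};

// Rates a bug purely by which vendor shipped the application.
int assess_severity(const Bug* bug)
{
    std::string vendor = get_application_vendor(bug);
    if ((vendor == "Google") ||
        (vendor == "Adobe") ||
        (vendor == "Mozilla"))
        return MAJOR_RISK_UNINSTALL_IMMEDIATELY;
    else if (vendor == "Microsoft")
        return TRIVIAL_SECURITY_RISK;
    else
        return MODERATE_SECURITY_RISK;
}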
It's called Turing's halting problem.
File under 'M' for 'Manic ranting'
Windows 7 is delayed 8 months, and Vista is being recalled...
Comment removed based on user account deletion
http://www.penny-arcade.com/images/2002/20020722h.gif
is run it against explorer.exe and find out why explorer.exe is such a stinking piece of shit application. If there has been one thing in every version of Windows since 95 that has caused me to nearly lose my temper and smash something so many times it is explorer.exe. Freezing, glacier slow with networks and networked drives, and other assorted annoyances like taking the goddamn task bar and desktop out when having to kill the explorer.exe process in Task Manager. Every time one of those things happens in XP, I'd love to smack Ballmer in the face with a chair.
Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
Maybe I'm just totally out of touch here, but for my development, finding the bugs is the time consuming part, fixing them usually goes pretty quick. I welcome anything that helps find my bugs, that saves so much time. If your code is so decrepit that this tool is going to find "thousands" of bugs, you need to go back to school for awhile.
Given a tool like that, I'd be running it regularly and not just addressing the "important" bugs. Making that thing pass clean would be one of the steps in my development cycle.
Or maybe he's just speaking more about a common windows programming philosophy? (I certainly hope not)
I work for the Department of Redundancy Department.
whether microsoft has run this app on itself? I'm waiting for the first exploit. Let me suggest that we name it "crash bang exploitable crash analyzer".
This is another form of FUD, IMHO, Why not focus on finding all the exploits in their own software which results in easy installation of rootkits and spyware and other malware in their systems which results in boot times of 5 to 15 minutes, where there can be literally HUNDREDS to THOUSANDS of processes infesting the Windows platform and the Microsoft Office suite?
I have yet to see an exploit in *nix that can't be relatively easily removed. I HAVE seen rooted boxes but they have been installed by determined crackers - on slowlaris and Linux - in those cases the exploit was able to be removed and verifying against known-clean machines has verified they were clean - in an enterprise environment at a state college. Other infections I've seen have been confined to individual user accounts, or to an individual application (apache).
Heck, I've had a machine rooted because I did not want to update OpenSSL on one of my machines a few years ago. I had opened the machine up to the net (it was normally on a clean net but I opened it up and forgot to close the firewall after I finished testing) but even that was easily cleaned, and I verified against a backup that I had successfully cleaned the system. I did reinstall as a safeguard and finally patched OpenSSL. However that was a known-and-patched exploit that I didn't care to upgrade because it was a private machine normally inaccessible from the wild. It was the result of carelessness. I cleaned it in under 15 minutes and could have left it and been safe but I took the opportunity to upgrade to a newer distro release anyhow.
The difference is, so many Windows apps require admin/root access that it is the normal operating mode of Windows, and one application with an exploit (MSIE and IIS in particular) can almost invariably result in the box being rooted, and Windows does not make it easy to clean. Why? Because even "safe mode" can be exploited to run processes at startup. Cleaning up the mess is a tedious process, and while BartPE or WinPE (if you have access to WinPE) do make the job a little easier, it's still a pain in the neck.
Linux exploits usually are the result of one to three things:
1. Carelessness: running an intentionally-or-unintentionally patched box open to the 'net. I've done this before and had to clean up the mess.
2. User running as root - this is a surefire way to get exploited. No mainstream applications not designed for administration tasks require root access, and unlike Vista's UAC, the privilege escalation mechanisms in *nix variants/distros actually do what they are designed without being obnoxious.
3. Sheer determination: the cracker just keeps pounding and pounding on the box using all known exploits and then turns to brute force. Eventually the user will get in unless the firewall detects the attempts because you can't stop determined douchebaggery.
Now, as far as Windows is concerned: there are a quintillion (OK, a slight exaggeration) unpatched known exploits (some of them having been known for 10+ years), probably >99% of users run as Administrator because many applications and even some games require admin access to run, so the boxes are uber-easy to hack.
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits? Why are they using their resources to create tools for testing open source software for exploits? It is so they can give windows fanbois tools to create yet more anti-Linux and anti-F/OSS FUD, pure and simple. It's not about caring about F/OSS, it's not about wanting to contribute, and it certainly is not about being a good netizen. It is entirely self-centered. And, it makes sense for Microsoft since their duopoly is in danger and they know they peaked long ago and the only direction they have to go is down, and they know it.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Just wait till people get to see the code for this thing, then we'll see the true colors of their idea of security
Well, that's a nice idea, but it takes a finite nonzero amount of time to do so. And, during that time, if you already have a product which is out (as many people do), people may be exploiting it, and so the bugs they are most likely to exploit are probably worthy of being deemed more urgent to fix, and what bugs are more likely to be exploited than the ones you can find using automated tools?
The World Wide Web is dying. Soon, we shall have only the Internet.
yeah, FOSS exploits are cuddlier
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
I would be more impressed if they released a free and open static code analyzer to include for their compilers that may also compile to native code (e.g. Visual C++).
That said, I'll be nice and applaud this effort. But if anywhere possible, use managed code (scripting or a secure VM) instead of relying on this kind of analysis. With this rate, it will take centuries to get rid of all the buffer overflows and other rather inexcusable code out there. I would be very amazed if this tool would (help to) remove all those kind of vulnerabilities.
This article scores an 11 on the inflammatory headline, shame on the editors for letting this get through. Slashdot seems to be getting worse (which is certainly kind of amazing).
Once again, Microsoft invented the ... drum roll ... wheel!
Fuzzy data injection has been used for ages in the security world. By both bad and good guys.
Oh, and the Address Space Layout Randomization thing, Linux had it long before them, so I guess that according to their very same rules, they invented that too.
Are you sure, Coward?
http://www.opensource.org/licenses/ms-pl.html
Or you say it won't be released under ms-pl?
Patents Drive Free Software as Hurricanes Drive Construction Industry
Or maybe you're an educated user and know what you're doing and know how to safely use the internet and install programs. I haven't had any malware or viruses either, because I know not to install questionable programs and go to questionable sites.
That which does not kill me only postpones the inevitable.
Kind of makes one wonder why they don't oh I don't know... say... Run it on their Windows source???
I work for the Department of Redundancy Department.
http://bugspy.net/ does this already - it gathers tens of thousands of bugs.
Microsoft's program aimed at finding and analyzing security and exploit issues is named "Windows". All versions will help you do this.
N still, they dont use that in Win?! lol
Haven't read TFA. Will not do, but this sounds a lot like a mixture of grep and valgrind on a bugzilla.
If they've been sitting on this for a while, we know how good it is then.
Hi bleeding rectum.
So...let me get this straight...they're open sourcing their Windows code base?
I'm here all week. The veal is amazing!
This tool "combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers". So we then decide whether to fix the crash or not based on whether the crash is exploitable? Anyone that buys this idea is fired.
more cowbell
Yeah, because we all know how benevolent Micro$oft is, right?
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
I don't care why you're posting AC
Has Microsoft run Crash Analyzer on Crash Analyzer?
Most people don't get why the integral of "e to the x" is so funny. Most math majors don't have a sense of humor.
Since Microsoft receives millions of crash dumps every day for every single Windows app (including third-party apps) they need hardcore bug triaging tools.
For decades each crash they received went into the "!analyze -v" automatic bug triage tool which tries to figure out whether it's a Microsoft bug or a bug in the third-party app. It also tries to classify the bug using advanced heuristics which have been refined over many years.
Now, they have decided to do the same for security bugs as well and thus they created the !exploitable windbg plugin. This plugin has been in production use inside Microsoft for over a year already. However, they know that it doesn't matter in what application the security hole is, if a box is owned Microsoft always gets bad press regardless.
Also note that this tool cannot easily be used to find security bugs in the linux kernel and not in linux-only apps either because you must run it inside windbg. Further, in order for windbg to be useful you must have debug symbols loaded from the proprietary debug symbol format PDB that Microsoft created, which in practice means you must have compiled it with Visual Studio (and not mingw etc).
So you need not just a port to windows (using mingw or similar) but you actually need to port the app to compile under MS compiler if you want to use this.
Apps like Firefox will be able to use this tool though, they already have debug symbol server online that hosts PDB debug symbols for every single release build of Firefox.
I absolutely think the open source community should use this tool to scan cross-platform apps but in the long term, I hope there will be a gdb plugin with similar functionality which also has heuristics geared for *nix exploits.
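The prioritisation these comments describe, ranking crash reports by likely exploitability rather than by how often they occur, as an added Python example that is not part of the thread and is not !exploitable's code. The rating rules, the `Crash` fields, the near-NULL threshold and the sample records are simplified assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

# Assumption: faults below this address are treated as NULL-pointer dereferences.
NEAR_NULL_LIMIT = 0x10000


class Rating(IntEnum):
    """Coarse buckets, ordered so that a higher value means 'fix first'."""
    PROBABLY_NOT_EXPLOITABLE = 0
    UNKNOWN = 1
    PROBABLY_EXPLOITABLE = 2
    EXPLOITABLE = 3


@dataclass(frozen=True)
class Crash:
    crash_id: str
    exception: str      # access_violation | stack_buffer_overrun | divide_by_zero
    access: str         # read | write | execute, or "" when not applicable
    fault_address: int  # address the faulting access touched
    reports: int        # number of crash reports that landed in this bucket


def rate(crash: Crash) -> Rating:
    """Apply simplified, illustrative rules to a single crash record."""
    if crash.exception == "stack_buffer_overrun":
        # A failed stack integrity check means memory was already corrupted.
        return Rating.EXPLOITABLE
    if crash.exception == "divide_by_zero":
        return Rating.PROBABLY_NOT_EXPLOITABLE
    if crash.exception == "access_violation":
        near_null = crash.fault_address < NEAR_NULL_LIMIT
        if crash.access == "execute":
            # The instruction pointer itself went somewhere it should not.
            return Rating.PROBABLY_EXPLOITABLE if near_null else Rating.EXPLOITABLE
        if crash.access == "write":
            # Writing through a wild, non-NULL pointer is the worrying case.
            return Rating.UNKNOWN if near_null else Rating.EXPLOITABLE
        if crash.access == "read":
            # A read near NULL is typically a plain NULL dereference.
            return Rating.PROBABLY_NOT_EXPLOITABLE if near_null else Rating.UNKNOWN
    # Anything the rules do not recognise needs a human to look at it.
    return Rating.UNKNOWN


def triage(crashes):
    """Return (crash_id, rating name, reports), most urgent first.

    Rating decides the order; report volume only breaks ties.
    """
    rated = [(c, rate(c)) for c in crashes]
    rated.sort(key=lambda pair: (-pair[1], -pair[0].reports))
    return [(c.crash_id, r.name, c.reports) for c, r in rated]


# Constructed sample data, not real crash reports.
SAMPLE_CRASHES = [
    Crash("bucket-01", "access_violation", "read", 0x00000008, 412),
    Crash("bucket-02", "access_violation", "write", 0x41414141, 3),
    Crash("bucket-03", "divide_by_zero", "", 0, 57),
    Crash("bucket-04", "stack_buffer_overrun", "", 0, 1),
    Crash("bucket-05", "access_violation", "read", 0x7FFD3A10, 20),
    Crash("bucket-06", "access_violation", "execute", 0x0, 9),
]

if __name__ == "__main__":
    for crash_id, rating, reports in triage(SAMPLE_CRASHES):
        print(f"{crash_id}  {rating:<26} reports={reports}")
```

The bucket with 412 reports ends up near the bottom of the queue, while two buckets with three reports or fewer go to the top.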
Hi troll
--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.
1. Fork the project
2. Change the name
You're saying you ship a product with so many crashes that you can't possibly fix them all quickly? We are not just talking bugs. To quote the original post the tool "combs through bugs that cause a program to seize up, and assesses the likelihood of them being exploited by attackers". You're fired.
more cowbell
So, why doesn't Microsoft produce these tools for Windows
The tool in question is a debugger extension for WinDbg. I'm not sure how many people are debugging their Unix/Linux applications with WinDbg, but I'm guessing it's not a large number.
Not that this is important, but was it really pronounced "bang exploitable" when it started its life? It sounds to me like some top brass (or a journalist) wanted to show off that they know how "!" was pronounced in old UNIX speak, but without a real understanding of what it meant. You know, as in, "I am one of you, but I have no idea what the hell I am talking about".
End anonymous moderation and posting on
Here's a better idea... Fix all the bugs and then you're sure you've fixed all the big bugs.
Well, that's a nice idea, but it takes a finite nonzero amount of time to do so.
You both make good points. MS's security culture is fairly awful in that when developers find bugs that are potential security issues, they have to fight the system to get them prioritized for fixes and most are considered "low risk" and ignored. Anything that helps prioritize bug fixes is good, provided it is not used as an automated way to ignore a huge number of bugs in an effort to produce a mediocre and "good enough" product in terms of security.
To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
It's also meaningless, since every business is out for dollars. You might as well say $un too, and same goes for any business with an "s" in its name.
If you don't connect your computer to the net it does not count :)
Alternatively, it's a bit like a poker game, if you don't know who the idiot is, it's you. In other words, the chances are big that you were at some point virused, trojanned or malwared but you did not detect it.
When adaware first came out I ran it on the machines of some friends and it was quite surprising how much crap there was on these so-called clean machines.
Probably you install very little software on your machines, that alone would be a big factor in your favour. If you have kids around the house browsing the net with those pc's then kudos to whoever set up your AV.
MP3 Search Engine
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker". It's really just an irrelevant and off-topic device unless the conversation is specifically about cost of software.
It would be like constantly referring to RMS as "The Great Unwashed Guru" in a discussion that had nothing to do with personal hygiene or delusions of Godhood.
Did anyone else misread this (before reading the summary) as Microsoft is working on an automated program to find *security exploits in open-source projects*?
Man, I had to readjust my tinfoil hat for a second there.
--
Toro
Could somebody please mod this clown down? He couldn't be more wrong.
Or, in short:
So, why doesn't Microsoft produce these tools for Windows, so the mass populace can help identify, log steps to reproduce, and report the exploits?
This tool is for Windows you dumbshit.
Comment of the year
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
But being annoying to a given reader does not cause a comment to lose all credibility. I mean, you can judge a comment by any criteria you choose, even moderate that way if you like. But you and I can't have a conversation either, if at any time you might write off everything I've said because I violated some arbitrary boundary you have. It's like people who dismiss an otherwise intelligent comment because it was posted AC. Again, it's their prerogative, but it makes it hard for the rest of us to talk to them.
And I am not suggesting the comment you replied to was "otherwise intelligent." The comment you replied to was obviously a troll, and should be dismissed for that reason. I would agree that a user who says something like "Winblows" isn't making any kind of lucid point with that act, but he may just be really frustrated for a good reason. Let him vent - he "paid" for that right - then see if he has an actual point.
In defense of the use of M$ etc, I see it as sort of a short hand, like Garry Trudeau would do with politicians. A feather for Dan Quayle, a bomb for Newt Gingrich ... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
In two characters, the anonymous poster - who is probably Twitter - told us all we need to know about his opinion of Microsoft. I don't think an anti-Microsoft - or anti-Google/Linux/Apple bias for that matter - invalidates anyone's opinion. If it does, good grief we're all doomed.
BTW, I agree with you about the suicide remark.
I beg to differ. If you're so puerile to have the need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.
As for identifying corporations by their stock ticker symbols, it allows one to easily differentiate between corporations who would have otherwise similar names (for example, an article talking about the Royal Bank could refer to both RY and RBS) and to look them up quickly and unambiguously.
Jean-Francois Im's blog
why there aren't any erotic references to ! "bang" in the comments is beyond me. /.?
Am I on
You speak London? I speak London very best.
One of the CS professors here is working on a research project that seems to have a similar use, except it relies on binary analysis. http://bitblaze.cs.berkeley.edu/ They also made a tool to automatically generate exploits based on Microsoft patches, and I guess they're just hoping that that capability doesn't fall into the wrong hands... Professor Song is scary.
All your base are belong to Wii.
I don't generally use "M$" but I wanted to tell you how I see it. I see it as a way to separate the petty members of the audience who cannot overlook a small and harmless "transgression" (even that word is too strong for it) from those who are less superficial. I prefer to directly deal with wrong responses so this does not tempt me, but this is something that I wish more people understood. If I wanted to apply a self-maintaining "filter" to the audience, then I would deliberately do things like this. Then they would do all of the filtering work and categorize themselves for me because the people who balk at seeing "M$" will either decide not to respond or will soon make their objection known. Either way, they filter themselves so I would not have to, thus I could quickly move on to a post that answers whatever point I was making. They would actually self-select and assist me with disregarding them (this is the important part) no matter what their actual intentions were.
What I described above is a very basic and simple example of strategy. There is a certain mindlessness to merely re-acting to what other people do. It allows their actions to determine your behavior. Just about any predictable response that you have which can be operated in such a push-button fashion can be used against you. Now, I think that's appropriate only for an adversary who cannot be reasoned with, because other human beings are not toys and it is wrong to treat them as such (even with their active assistance). However, you can bet that your politicians and advertisers and public relations types have no such moral qualms. There are far more malicious uses of this process than having people unwittingly filter your Slashdot responses for you.
It is a miracle that curiosity survives formal education. - Einstein
I disagree that using M$ to represent Microsoft is a full representation of my feelings towards that company (I'm not the AC from the comment above).
I find the M$ abbreviation to be clever, brief, and valid representation of what is a very large and wealthy corporation. Additionally, there are the past comments from Ballmer and Gates comparing open source software to communism, so the capitalist slant is appropriate.
But now you have to make assumptions about my feelings towards that observation. Just because I can see it, doesn't say whether I think it is good or bad. So you are being defensive, and projecting your own bias towards the commenter.
I use and appreciate open source software. I also purchase and use proprietary software. It's often worth the money. The only problem with some closed source products is that they lock-in my data as well, limiting how I can interact with it, and consequently lowering the value of the product being sold.
As far as commenting AC, that has more to do with the Slashdot community (which I find to be remarkably intelligent, funny, and wise; the reason for visiting this site is the comments) which is so well established, and places a premium on a low user ID (not IQ). There's little incentive at this point to create a new account.
How do you know? What tool do you use that automatically detects every rootkit ever invented? I've seen Linux boxes owned, I've seen SGI boxes owned, and I've seen Windows boxes owned. It happens to everyone: even OSX. In fact, given that every OS has had security problems, if your box hasn't been owned, it's because you were lucky enough to not have your box targeted at the crucial moment.
Every time I hear anyone using any system say, "I've never had a virus or trojan or malware," I always think, "there is a guy who doesn't know how to detect malware on his machine." And it's usually true.
I'm not saying you don't know how, but you said a genuinely stupid thing right there. It's possible that right now your computer has been rooted, covered up, and you don't even know it. Because Microsoft sure wasn't protecting you for the last 20 years.
Qxe4
but it runs only on windows which you need a tiny $499 license for if you deploy the code in a production environment, which of course would be Win Server 2008 upwards, and using .Net 3.5 and Silverlight.
Concessions will be given to those who use text like "best viewed in Internet Explorer 8" in the footer.
We know the story all too well, out here at slashdot.
m$ sucks.
(to be factually complete, a part of the linux community sucks too, but that is for other reasons - they can't keep their open source hands to themselves... )
I can only tell you the truth.
A linux box I inherited as sysadmin was owned one time.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
I appreciate seeing anyone who is willing to call things what they are. It's a pleasing thing to see. It's a shame that more people don't understand the difference between discernment and judgment. The way I often hear it explained is that discernment plus resentment equals judgment. It's as good of an explanation as any until you can see the dynamics of it for yourself (I know that you yourself can do this; that was for anyone not familiar with it).
If you think they put a premium on a low UID, they really put a premium on posting non-AC. Really though, I find that anyone who sees my six-digit UID (or anything else, for that matter) and thinks that this entitles them to make personal assumptions about me is coming from such an extreme position of weakness that I can make short work of them. I have had people do things like this when I correctly used certain "key words" -- I intended their standard meaning as found in a dictionary while they assumed that I must be just like other people who use similar words. You'll notice that some people are very desperate to find a way to dismiss you or write you off or make you (in their minds) like something they have dealt with before and to which they feel superior.
That's usually because they dislike what you say but are aware that they don't have what it takes to properly explain why they disagree with it. Maybe they are afraid of losing an argument. Maybe someone who is secure in what they believe represents a challenge to why they are not. Maybe they know you are right and still don't like it. Whatever their reason may be, they are judgmental, reactive, quick to try to make things personal, and they lack a solid foundation of self-evident truth for their beliefs. All of these things mean that they are cowardly and you have nothing to fear from them.
If anyone acted this way towards me because of my relatively high UID, they never admitted it. I never felt that UID had much to do with it in my case. I think it's more that they don't really know how to deal with someone who isn't trying to win their approval (ego) and won't cave in to their various forms of pressure (control), because most of the world does both of those things. It's as though they see something different and are not very discerning so they need to test it. Thus, they turn up the pressure to see if you will react the way that they would, i.e. by doing back to them what they have done to you.
If you do, then you lose your real brightness. Then they can rest assured because the challenge you didn't know you posed to them has been eliminated. Then they can continue to feel superior to you and judge you because you crumbled under their pressure. If you do not succumb to their attempts to belittle or degrade or intimidate or pressure, then you reveal what sort of person they really are and at the same time show them a living example of a higher standard. It makes their tactics backfire and they actually experience the upset that they intended to i
It is a miracle that curiosity survives formal education. - Einstein
If Slashdot would be capable of more than ancient 7 bit ASCII, you could even write Google with a Euro sign.
Want to hear the voice of GOD? cat
Yeah. Sometimes it's obvious when a box is owned, sometimes it's not. As far as I know, I've never had a virus on any of my machines either, but then again, it could be these words I'm typing are being intercepted by a keylogger that I don't know about. I've seen smarter people than me have their boxes get viruses, so I can't say it is something special I did to prevent it. I've just gotten lucky, or it's been hidden so well I've been unaware. As at this time I may also be.
Qxe4
This is probably under one of Microsoft's "Permissive" Licenses, which is a shame, but still, this is way better than WebKit.
Microsoft: 1, Apple: 23
... To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
then isn't "freetard" more concise, efficient and accurate than "free software advocate"?
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in upgrading to Ubuntu.
Heh heh... my favorite Linux distro. :-)
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
#ifdef WIN32
    fprintf(stderr, "Your system is not secure\n");
#else
    fprintf(stderr, "Your system is not popular enough to be targeted, therefore it is secure\n");
#endif
    return 0;
}
it is only after a long journey that you know the strength of the horse.
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
You left the ethernet cable unplugged.
To be fair, any discussion where RMS is mentioned would have to be at least tangentially about personal hygiene or delusions of Godhood, you would think.
Yeah. Good job on an impersonation of twitter, but I know that isn't him.
For next time - you laid it on a bit thick.
God knows what you are doing behind your computer all day long. Playing tetris and using notepad my guess ...
But strange that in the 20 years I've been using Microsoft OSes, I've never had a virus or trojan or malware. I must be doing something wrong.
I am sure you have had to deal with the effects of viruses/trojans/malwares with your friends/family/workmates using Microsoft OSes ... or do you have another peculiarly anomalous anecdote?
Happy moony
I've never seen it demonstrated that a puerile character is the one and only reason why anyone would ever use an epithet like "M$". That would be a very difficult thing to prove and just one exception would destroy the proof. It may be a common reason but if so we have a word for that, which is "stereotype", and the problems with basing decisions on them, especially character judgments, are well known. Assuming that there is absolutely no other reason (and it is an assumption) is a convenient way to look down on someone or to dismiss what they say without ever having to show why their argument was wrong. That's about the only "useful" purpose it serves. I've never felt like those tactics were necessary or appropriate if you really are right and they really are wrong. If you're skilled, you can "win" arguments whether you are actually right or not; that is done with tactics like this.
Finding a personal trait that you find distasteful (justifiably or not) and then thinking it provides a valid reason to disagree with an argument without showing the reasoning which led you to do so is the definition of "ad hominem attack." It amounts to "I don't like you, so you must be wrong". If someone is sidestepping an issue, by all means call them on it. However, identifying that doesn't depend on the way they spell a company's name. It's so easy to identify, in fact, that using such a heuristic could only hinder you.
I believe that most of the attempts to disparage or characterize Microsoft, including this one, come from a general frustration with their strong-arm tactics and ruthless dominance of this market. Indeed that frustration is wrong, and if you want to do something about it, why not do something that has a chance of addressing the root problem? The root problem is that people see the undesirable things that Microsoft does and then they make the mistake of resenting them for it. It comes out in the language and epithets that they use and it's easy to detect. Microsoft is not exactly an angel so this wrong way of dealing with them is easy and tempting.
If you feel any sort of anger or forms of anger like frustration or resentment, know that it is always preceded by a judgment. If not for judgment, then you could watch the wrong that others do and call it what it is without being affected by it. When you see Slashdotters deal with Microsoft in this wrong way and then judge them for it, you are actually doing the same thing. You are repeating with them the error that they made with Microsoft. Describing your objection with more sophisticated or neutral language does not change this. That's actually what anger does; it makes you replicate wrong. It cannot be otherwise because it is a negative energy. Just like those people, you feel justified. Effectively, this means you are following their lead while protesting what they are doing. Thus, they won't feel a need to listen to you because this process makes you just as wrong as they are. They can sense that whether or not they are consciously aware of it (most are not).
That's what judgment is; it's the wrong way of being right. You can repeat the post you just made until every last Slashdotter has read it. It would either change nothing or it would make a few people change for the wrong reason: not because they learned anything or became stronger people, but because they want to win the approval and agreement of others. The better way is to show them what I am trying to show you, that their frustration is part of the problem. That won't give you the "satisfaction" of judging the person, but all that ever did was to make a mockery of real satisfaction.
I'm trying to give you
It is a miracle that curiosity survives formal education. - Einstein
Wait! Wait! I have a new name for this amazing new marvel of original 'game changer' technology. I want to call it 'The Stanford Code Checker'. ...Oh, oh wait. No. It seems that name is already taken.... by software that checks computer software source code for bugs. And since microsoft doesn't release source code (ever), how will this help, you know, local developers create secure code? How was that supposed to work again? Oh.. oh yeah. That open (at least OSI approved) license thingie. Got it.
Dan Kaminsky, a well-known security expert who also provides consulting services to Microsoft, hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk.
I, for one, welcome our new, less risky, Horde Overlords!
If this Game Changer doesn't work, does that mean it's game over?
Say hello to my little sig.
Another devious attempt by Microsoft to slander Open source.
Except $ourceforge (LNUX). Cos... ya know.... they seem to be more about losing money ;)
3laws: No freebies, no backsies, GTFO.
Right now, Windows really is pure crap. For all the fanbois that defend it, it remains a joke (and the fanbois prove their total ignorance). BUT, the problem remains that IFF Windows ever gets to be more secured than say Linux, mac, or even DOS, then the crackers WILL focus on less secured systems. Basically, this will be a case of not having to run faster than the bear, but simply having to run faster than somebody else. At this time, nearly ALL OTHER OSs are more secure than Windows. Something like this COULD BE A GAME CHANGER.
I prefer the "u" in honour as it seems to be missing these days.
"...hailed the release a 'game changer' because it provides a reliable way for developers to sort through thousands of bugs to identify the several dozen that pose the greatest risk."
Yea, because who would want to fix EVERY Bug before release? Certainly not Microsoft, that's what Service Packs are for!
If I had one dollar for every brain you don't have, I would have $1.
it's about cooperation...and community...
don't be faked by so-called technical reports....
they are really......"technical".....without human factors....u think this world is driven by competition?....hell no......hahaha.....
only few guys in this world really know how this world runs.....r u the 1? or 0?
No, it's twitter. He always does that.
You probably won't believe this, but he posts anonymously because Anonymous Coward has a starting score (0) higher than all of his 15-20 other Slashdot accounts.
Personally, I strongly disagree with the whole FLOSS vs Commercial debate (I also disagree with describing FLOSS as "free", but that's another story and mostly related to my pedantic usage of proper English). If something that's "free-libre" happens to do the job you want it for better than commercial alternatives, do it. If something commercial is better, use that.
Why don't the zealots just let us use whatever the fuck we want? I happen to like Windows. I also like Mac OS. Hell, I even like Linux. Of course, because I said I happen to like Windows, people like twitter would have you believe that I am paid by Microsoft. Hell, I wish I were - they'd pay more than my real employer.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
You know, that argument has always annoyed me.
You say that because you've never seen a virus or trojan on your PC, it's just because you didn't detect it.
Why does this particular perspective only apply to Windows? Why is it never said that if you've never seen a virus or trojan on Linux that it's because you never detected it?
(Actually, quite amusingly, the comment below me says exactly that. Go him or her!)
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I don't think you can lay the "twitterism" on too thick. He's pretty "thick" as it is (and I am not referring to his intelligence, merely that I don't think you can get any more twitter-like than he is)
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Microsoft has long had a closed-source exploit finder that this article doesn't mention: "Microsoft Windows".
You know, I'm starting to take issue with comments that protest the use of the M$, Micro$oft etc. memes. I know how something can get on your tits - articles that identify companies by their stock symbols is a particular irritant of mine.
It goes both ways. I'm irritated that `$' is being used as an intended insult. It's supposed to be a symbol of _earned_ wealth, which is never a bad thing in my book.
I had a lot more fun irritating a former roommate expanding MS to Multiple Sclerosis. At the time, it was the more recognized expansion of MS.
I don't mind using stock symbols as abbreviations either. I even recently proposed that when the CSC namespace runs out for Cisco bugids (we've been as wasteful as the IPV4 guys were) we use CSCO to identify an expanded namespace.
Personally, I think using "M$" as an abbreviation for Microsoft just identifies the user as an idiot. Same as if one would write "Ci$co". The abbreviation that *really* pisses me off is abbreviating Microsoft Windows as "win". "Win" has unfortunate and untrue connotations when applied to Microsoft Windows.
I guess I'll just be more fastidious and always write the names out in full, instead of occasionally using the stock symbol as an abbreviation.
(I'm glad you got modded up to +5 by the time I saw this)
If you're so puerile to have the need to use "M$ Winbloze" or "open sores software" in a rational discussion, it seems as if you're trying to sidestep the issue with colorful language. Call things by their name and focus on arguments rather than taking trite potshots.
Hear, hear!
If one must troll or lay down flame bait, one should at least be clever about it. Simple sarcasm merely goes over the head of many moderators and should tend to be avoided. Name calling is always boring.
If you can see that I wrote all of the above without ever thinking that I'm any better than you just because I know of a better way (a way that I did not invent), then you will understand where I'm coming from.
I don't understand where you're coming from. You present an extraordinarily literate argument[1] though. Anyone who can write like you do has utterly no business defending `M$', justifiable anger or not. IMO.
[1] And one which is going to fly over the heads of 99.99%, as a rough guess, of the folks here.
So this is so they are able to weed out the exploitable crashes from the regular crashes! Cool, since we all know Microsoft does really care about regular crashes very much!!
More accurately: un$
If you can see that I wrote all of the above without ever thinking that I'm any better than you just because I know of a better way (a way that I did not invent), then you will understand where I'm coming from.
I don't understand where you're coming from. You present an extraordinarily literate argument[1] though. Anyone who can write like you do has utterly no business defending `M$', justifiable anger or not. IMO.
[1] And one which is going to fly over the heads of 99.99%, as a rough guess, of the folks here.
He's not defending the use of "M$" in place of "Microsoft;" he's saying it doesn't affect the validity of the argument. It's not even about "M$" in particular, but about people refusing to use their brains whenever they encounter presentation they don't like. It'd be like someone saying, "That mathematical proof must be invalid because it's printed in an ugly font."
While an argument shouldn't be cast aside just because someone uses M$, I don't agree that it is "a concise, efficient and - IMO - accurate moniker".
You don't agree that text in bold is HIS opinion? I don't agree with your disagreement :P
+Raider of the lost BBS
The Irony being that it's for Open Source software...not their own. Microsoft really needs to stop acting desperate and just making good software. Once their marketing machine can ratchet down the bullshit and just sell a solid reliable product instead of a complicated piece of software that has become synonymous with death (BSOD reference here). If they REALLY want to make money (hope you are reading this Ballmer) They could easily make an OS based on Linux open source it keeping certain elements proprietary while still keeping with the GPL and release at a lower price point. They do something like that that allows existing compatibility with ALL Windows and Linux programs (can you imagine a debian-like OS with 100 percent windows compatibility) And no not like WINE, great project but still far from 100 percent compatibility. They get the best of both worlds. They get the linux marketshare...and the anti-trust hawks off their back. Because people still have a choice. And if they do what is right by consumers while respecting their freedom of choice (creating a great product without the lame ass lockin), they will earn their name as a quality software provider. As it is they create "tools" to find the openings in other products' flaws, but seem to miss their own. They had a few thousand bugs still open from 2002 do they not?
A tool to find exploits of open source software? That is so evil.
He's not defending the use of "M$" in place of "Microsoft;" he's saying it doesn't affect the validity of the argument. It's not even about "M$" in particular, but about people refusing to use their brains whenever they encounter presentation they don't like.
That's a fine thing to say Mr. Anonymous Coward. If you _really_ believe that, you could at least have taken the time to log in and attach a name to those words.
Name calling (and ad hominem attacks in general) are indicative to me of being part of a weak argument. I do not think I've ever seen an argument strengthened by usage of such. I've followed 'net discussions in various settings for over 20 years and US (first, Asian later) politics for much longer than that. Sociology is fascinating.
Perhaps I am just disgusted with "The Politics of Personal Destruction", a phrase popularized by the man who brought its application to a high art form.
Now, pop quiz, do the first two sentences in this response make me look good and strengthen what I have to say, or weaken it? (Actually I'm hoping someone will flame me over that before reading the rest of the post, thus making my point).
It'd be like someone saying, "That mathematical proof must be invalid because it's printed in an ugly font."
It's more along the lines of 99.9% of erroneous mathematical proofs use that font and unless I see something obviously interesting and very quickly, I'm going to ignore it. Guilt by association.
What! You mean they Open Sourced Windows!??!
"Flyin' in just a sweet place,
Never been known to fail..."
On the contrary, I'd like to see MORE usage of "M$ Winbloze". But just so that nobody gets left out of the fun, I also recommend the following names:
Lin$ux
InbRed $Hat
WHO?buntu
Devient
Genitoo or GentLoo
Mac Oh It $ux
FreeBS
Has it been run on itself?
Will subsequent versions exploit the exploits, setup botnets, send spam etc?
If Microsoft entered the armor business, would they also supply arms to the other side?
But seriously, Microsoft put a ton of research into finding their security holes, including embedding the acquired techniques in tools. They're useful tools, and have been critically useful to them. Why not release them? My only worry is that it is not in their fighter-nature to help their competitors, and of course the tool can also be used by crackers.
Nope, PD or BSD are not maintaining freedom.
Even in real life you hear:
"The price of freedom is eternal vigilance"
which means you aren't free to just ignore it and hope you remain free tomorrow.
"the tree of liberty must be watered with the blood of revolution"
which means that if you want to remain free, you will have to remove the freedom from others else they will become your masters.
PD and BSD are all "I was free yesterday so I'm free today!" and DO NOT WORK. They only remain free as long as someone uses their freedom to keep it free. And even that will fail if someone uses a patent. You CAN patent something up to a year after you code it up in a BSD program. And then you are in violation of using your own code. BSD be damned, you are not free any more.
Of course, you all know there's a difference between open source and Microsoft's opened source. Microsoft's offerings don't qualify as open source. It isn't free of restriction to use and reuse and it isn't free of the restrictions of the OS.
There's no word for open source in Microsoft's vocabulary. It is opened source which is simply an opportunity to view the source but you can't use it outside of your closed project and can only be used under Windows.
You can lead a man with reason but you can't make him think.
Microsoft + OSS = LOVE ????
Have you tested your software on .Net CLR1 and CLR2
- Windows XP Pro, no service packs
- XP Home, none
- Pro/home/Media Center edition, service pack 1
- SP2, 3, etc
- Vista, etc
- Win XP MCE SP2 with IE8
- Win XP Home SP1 with
I've skipped around 782 permutations, any of which may cause a crash that will not occur on another combination.
Release software to enough users and they'll let you know when it fails. If one customer in 10,000 suffers a crash once ever then you have a lot of very happy customers, and on a 100m install base you also have 10,000 crash reports to sift through.
Which crash do you spend the 8 man-months trying to replicate so you can fix it?
Paradoxically, it's much easier to understand than it is to explain. It's one of those things that is not so complex that few people could understand it, but rather, it is so simple that almost everyone overlooks it. I certainly overlooked it for a long time. Because of that, please excuse the length of this post.
If your respect for my arguments or my ability as a writer were genuine, you would perhaps be puzzled by my perceived defense of "M$" and may ask me about it but you would not presume to tell me what is or is not my business. That's tantamount to telling me what I should or should not say, or how I should or should not feel about an issue. I strongly doubt you would go along with someone else doing this to you; you seem far too independent and free-thinking for that. It's alright, for I think being so easily offended is a serious weakness, but you should know that it won't work.
I wasn't actually pronouncing the use of "M$" to be right and good. I was accepting the reality that people are going to use it whether or not I enjoy it. The least-understood quality of human beings is that they always feel like what they do is right, or at least necessary. That's true no matter how wrong they actually are. This has an interesting effect because human beings also have egos.
There is nothing to which ego is more sensitive than anger and its various manifestations, such as frustration or resentment. When you tell them "you're wrong", not because you see that they are misguided and want something better for them, but because what they did has offended you or caused you to resent or condemn or judge them, you stimulate their ego. Now it's no longer about whether you had a point. Now it's about who's going to yield to whom, who's going to win the contest in which you are now engaged. That's if they are inclined to contests. If they are not, they'll just write you off by judging you as "unpleasant" etc. and ignoring you. Then nothing changes.
The simple fact is, you cannot convince anyone of anything without their consent. Get them on their high horse and they will make it a point to prove that to you. The way you were attempting to correct "M$" was from one ego to another, yours to theirs, which is why it must fail. It will fail or it will succeed for the wrong reason by appealing to the people-pleasers who should not be so concerned with whether you approve of them. Either way, no one learns anything and no one becomes a stronger person.
It does not have to be that way, of course. There can be compassionate understanding instead. I'll sum up the true problem for you, the obstacle of obstacles, the one cause of all of the ignorance in the world. People are leaves in the wind. They are products of their environments with no real self-hood who better resemble automatons than independent, free-thinking human beings. They can be this way while still clinging to the idea that their beliefs and impulses are their own. Modern education and mass media only encourage these things because both are heavily invested in them. If you properly see this, then you realize that these people are like slaves and don't know it. You realize that they are far less free than you are and that they suffer in many ways because of it.
If you yourself have not been too compromised, then you cannot see this without wishing that they be more free, that they not suffer so needlessly. You'll understand that any problem you could have with them comes from their slave status because only free people can truly understand and only free people can truly love. If they had real understanding and if they loved other people, then any "problem" you could have would not be a problem. You a
It is a miracle that curiosity survives formal education. - Einstein
In other words, "I'm not a human being; I am a prize. Reaching me is the same as winning the prize. If you want to win that prize, you will submit to my control and play the game according to my rules. If not, you lose the game before you even started playing."
The people-pleasers love this kind of invitation because then you can praise them for being "good" and agreeable. They go along to get along. It's the only "goodness" they will know because they are addicted to the approval of others. That addiction is what you exploit when you set yourself up to be some sort of prize. Hypothetically, it's like telling a crack whore that you'll give her some crack if she'll perform some sexual favors for you, except that doing it the way you do it allows you to believe that it's somehow noble. The crack whore has no such delusions, nor do her clientele, because in her case it is easy to call things what they are. In your case, the easy excuses that lead to a belief that you are doing anything other than attempting to control is an obstacle to calling this what it is. The belief in this sort of control and that it is ever legitimate leads to all sorts of perversions of the idea of authority. On the personal or family level, it leads to "do as I say, not as I do." On a national level, it's one of the forces that turns democratic nations into totalitarian states with increasingly authoritarian policies.
It's an attempt to cause people to do what they would not otherwise do in order to please you and avoid your judgment of guilt, by association or otherwise. You won't be able to truly respect anyone who submits to this sort of coercion, so even if you get what you want, it is tainted. That is a proper result because this is one of the more subtle, less in-your-face ways to bully people (there are many such ways, some of them even look quite agreeable on the surface). No bully ever respects the weak people who submit to him, nor could he. Likewise, no bully respects the weak people who want to be an even bigger bully, which is why seeing the wrong of this does not tempt me to condemn you or insult you for it, not even in my mind.
Of course the real flaw in the first paragraph is that you are in fact a human being. Control of others isn't worth reducing that status to a mere prize. The price is too high. Further, if you had a pure intent and were seeking knowledge, you would navigate the obstacles (real or perceived) like incorrect presentation and would not allow them to stop you from examining that knowledge. You would need no heuristic to replace or complement the process of evaluating the knowledge and applying whatever tests of truth you think are appropriate. That's why this is about control and can only be about control. I can tell that you are intelligent. If you really wanted to know something, it would probably be difficult to hide it from you. That's why this stumbling block is artificial.
The alternative is childishly simple. It consists of accepting that people will often do things you don't like and realizing that they may feel the same way when they look at you, and then appreciating that the vast majority of those things don't matter. They don't matter unless they materially determine the truth or the falsehood of any claims that are made, facts that are presented, or reasoning that is elucidated. Things like the choice of a font or the spelling of a name fail this test. It cannot be otherwise. The actual truth or falsehood of an argument can only be determined on a case-by-case basis, so statistical comparisons based on the aesthetic choices of others cannot help.
It is a miracle that curiosity survives formal education. - Einstein
well yes, I've cleared loads of em off but been lucky in myself
There are places where the networks are not touching, and there are places where they are-Boeing's Lori Gunter
To a passionate free software advocate, M$ is a concise, efficient and - IMO - accurate moniker.
It's also meaningless, since every business is out for dollars. You might as well say $un too, and same goes for any business with an "s" in its name.
You can't say that on $lashdot.
coffee | nose > keyboard
M$ Winblows has so many vulnerabilities it would not take long for a fresh install of M$ winblows to be breached, even when the network has numerous firewalls. That would make you a lying shill for M$ Troll. What you did wrong was becoming a M$ addict and shill.
--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.