MS Asks Google To Delay Fuzzer Tool

eldavojohn writes "Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."

Microsoft losing their edge?

Microsoft is the last among browser makers to react to the vulnerability. Everybody else has released patches to address some, if not all of the holes.

Seems the IE team is so small, they can only do is development on IE9; perhaps there is no other team. Maybe they're all working to make the latest Windows Mobile platform a rousing success.

Its a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.

Re:Microsoft losing their edge?

[hedwards]

Probably the only way that this will change is if the laws are changed to make them liable for their own incompetence. As it is software developers can release software without the ability to return it for a refund or any particular guarantee that it does what they claim it to do. Meaning that you could very well end up in the situation where you've paid for software that's badly broken and they're not liable, going to give you a refund or fix it.

Re:Microsoft losing their edge?

[_Sprocket_]

Its a much slower, conservative company now that Bill Gates has left. And I don't mean that in a good way.

There was a point in time (not too long ago by normal standards - ancient history "Internet time") when Microsoft was very slow to respond to any security issue. That was very much in the Bill Gates era. The concept of full disclosure comes from that time. The subject of disclosure has been beat to death around here more than once so we'll avoid going down that path. However, some of the intents of the "full disclosure" concept is to shame the vendor and warn the user. Even "responsible disclosure" rules tend to have some breaking point where the bug gets exposed without vendor consent.

This is less of a turning point than a reminder of where we've been before.

Re:Microsoft losing their edge?

[Ustice]

Be careful what you wish for. We are more likely to end up with well-meaning legislation that does the opposite, where it punishes those that publish security holes as helping criminals.

Re:Microsoft losing their edge?

They'd only start slapping a Beta tag on everything like Google does. That would buy them a few years of delays. Then they'd lobby to get the law modified so their liability was limited to the price of the software. Then they'd say the kernel is what costs and the rest is free bundled stuff. At every stage they'll lobby and start lawsuits to delay things. Eventually its 15 years later and you've got some silly obscure law that protects nobody unless they've got the money to fight a massive software company (something the US DoJ doesn't have).

Re:Microsoft losing their edge?

[mini+me]

That would only serve to drive the cost of software up. Is it not best to allow the free market to work? Those who want the guarantees can pay for it, while those who are willing to take the risk can use the software for less, perhaps even free.

I am certain that if you passed the appropriate amount of money in Microsoft's direction, they would be more than happy to accept liability for IE. Personally, I do not want to pay for that level of service.

Re:Microsoft losing their edge?

[Low+Ranked+Craig]

Ballmer has a hard-on for Apple and Google. Instead of focusing on their core business which is providing servers and office automation to businesses they are chasing Apple and google with WP7, chasing the iPad, the iPod, Google search, and the Sony playstation. Arguably they've been successful at the latter, the others not at all.

Look at WP7 vs Windows Mobile 6.5. WM6x is in dire need of an overhaul. WP7 cannot replace it in a business environment at this point. We use windows mobile powered devices for out warehouse management apps. The replacement for ActiveSync, Windows Mobile Device Center, is worse than AcviecSync (if you can believe that) and is more consumer focused than business focused. WP7 is not designed for business apps - there is a huge opportunity for Google to invade the embedded business app space.

Ballmer needs to cease his juvenile, masturbation fantasies of crushing Jobs and Schmidt and get back to focusing on their core business.

Re:Microsoft losing their edge?

[LingNoi]

How could anyone whine about the cost of software going up. Right now it's at rock bottom to purchase consumer software, more expensive software across the board would be a good thing assuming the money goes to the right people (haha).

Re:Microsoft losing their edge?

[Gadget_Guy]

According to the timeline, Microsoft too has also released patches for some but not all the bugs. This final delay appears to be because they had problems reproducing the crashes, which I think is probably due to the nature of this tool which makes reproducing the exact circumstances difficult. I can sympathise because I have had to find hard to reproduce bugs is the past.

Still I think that is correct that it should be all made public now, considering that the bad guys have already got the code.

Re:Microsoft losing their edge?

[mcgrew]

Get real, Microsoft's software is WAY overpriced. ALL of it is way overpriced; at least, for an average Joe buying the software outright at a computer store.

I paid over a hundred bucks for XP, upgrading from 98. I really felt ripped off. Not only did a lot of my old software no longer run, Microsoft "disabled" the app that came with my CD burner, saying it was "unstable". I'd had no stability problems with 98. What was worse, every morning when it booted it informed me that it had disabled this software, which it wouldn't let me uninstall. I had to reinstall XP to get rid of the app it had disabled! Shoddy, shoddy software. Consumer protecteion laws ARE warranted in my view.

If I buy a toaster and it won't make toast, I can get a refund. Why can't I get a refund for shoddy software?

Re:Microsoft losing their edge?

[digitig]

Yes, and they can afford to pay, whereas most of the FOSS community would have to walk away because they just wouldn't be able to afford the risk. "Refund" is ok, "liable" is a problem.

Re:Microsoft losing their edge?

I agree. It is better for people to educate themselves and make informed decisions (i.e., not using IE), then have congress make some blanket law that has 1001 unintended consequences because the it's 15,000 pages long.

Re:Microsoft losing their edge?

[mini+me]

The added costs would go to people like insurance companies who would assume more risk on behalf of the vendor for errors in the software. A lot of open source software projects would come to an end, because who wants to be liable for errors in the work they provide for free? Let the market decide. If liability is important, people will pay for it.

Re:Microsoft losing their edge?

[mini+me]

Accepting a refund is different than assuming liability for a mistake in the product. I am not against refunds on software. Though I do realize it is a difficult problem to solve in the world of piracy.

Re:Microsoft losing their edge?

[John+Hasler]

If I buy a toaster and it won't make toast, I can get a refund. Why can't I get a refund for shoddy software?

Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".

Re:Microsoft losing their edge?

[msauve]

The market disagrees with you, as customers continue to purchase, and MS continues to profit from, their software offerings. Pricing is only relative to the market. From a purely economic perspective, it might be overpriced if by reducing the price they get greater profits from an increase in sales. But, I suspect that MS is pretty sharp about finding the price points which maximize profit.

"I paid over a hundred bucks for XP"

In fact, you disagree with yourself, unless you're claiming that MS somehow forced you to buy it. You had a choice, you chose to pay. If you would have paid "over a hundred bucks"+1, then it was underpriced for you. Ferraris are overpriced for me, but not for the market, since they're still a profitable business.

Re:Microsoft losing their edge?

[Sancho]

How about only having liability on code which cannot be inspected? Though the lobbys would never allow that to pass.

Re:Microsoft losing their edge?

[devent]

What free market? You mean the market where I can go to Mediamarkt and get 99% of the computer, laptop with Windows 7? Or the free market in Saturn where 99% of the computer and laptop are with Windows 7? Or the free market at best buy where 99% of the computer and laptop are with Windows 7? Or maybe the free market with Dell, Hp, Samsung, Lenovo?

To what market I go if I don't wish to buy a computer or laptop with a more secure system?

A free market can only work if there are many vendors, which are competing on fair grounds. But there is only one vendor, Microsoft which can and will dictate price.

Re:Microsoft losing their edge?

[Kijori]

Surely the GP's proposal would, at least on one understanding, be beneficial to the functioning of the market?

There are, to my mind, two constructions of what the GP said. The first is the narrow suggestion that customers should be eligible for a refund if software doesn't match the designers claims. Given that the existence of a free market relies on the dissemination of accurate information, preventing the creator of software from making exaggerated claims to sell their product would seem entirely consistent with the creation of market-based competition. Some people will claim that this is a problem that "the market" can solve itself - but when the customer has no economic redress this can only happen through some postulated dissemination of information among consumers, which requires a consumer base that is for some reason motivated to write fair and balanced reviews of the products they buy for no personal remuneration. It also takes no notice of the inbalance between the ability of a big company to project its message and that of the individual consumer.

The second, wider construction would be that a software creator should be liable for any damage or loss caused by the use of his software. On the one hand this could be said to encourage responsible authoring. On the other hand, though, it has to be borne in mind that software is not like physical products. Imposing liability could lead to quite enormous sums being paid by companies that have behaved responsibly while those which have been reckless need only provide a refund; a small, subtly bug that could escape even careful testing is often more insidious and damaging than a major one and the damage caused could be effectively limitless in the case of a very widely used program. Furthermore, it is effectively impossible in practice to create an operating system or similarly complex program without introducing some sort of bug; creating liability for software authors to third parties would make fundamental software an impossible area to work in. This would obviously not be in the best interests of anyone.

Re:Microsoft losing their edge?

[nschubach]

Hey, we are paying for "gitmo" (aren't we?)... may as well get some use out of it!

Re:Microsoft losing their edge?

[devent]

Because there is no market. The customers don't have any choice. Where ever you go you will get Microsoft Windows and your "market" will drop support if you use anything else then Microsoft Windows. Many OEMs are going so far that they even will drop the warranty if you dare to install something else on your computer then Windows.

The government, the schools, the employers support this monopoly. Because they are all dependent on Microsoft Windows. The government and the schools failed to implement open standards. Everybody have to use Microsoft Word and Excel.

What choice does he have? You cannot get a computer without Windows in the first place. Plus you need Microsoft Word and Excel to get your work done or to communicate with the government. Plus you need Windows to play the games out there. You even need Windows to pay your taxes.

The automobile market have a lot of vendors. There is GM, BWM, Ford, Ferrari, etc. In your market there is only one vendor, Ferrari, and the streets are only supporting the wheels of Ferrari. There are only garages for Ferraris and the parking slots are only for Ferraris.

Re:Microsoft losing their edge?

[mcgrew]

Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".

Why didn't it say that on the box? You don't see "no returns, no gurantee" until you've paid for the POS and seen the EULA.

They have "lemon laws" for cars, why can't we have laws like that for software?

If I sell you a bucket of paint, but the bucket is empty, that's fraud.

Re:Microsoft losing their edge?

[mcgrew]

No, I had no choice, thanks to the Sony rootkit my daughter installed. It completely trashed Win 98, and I had lost the reg # for it.

I specifically bought it to run the Windows programs I already had. Had I known that Windows wouldn't run Windows programs, I'd have just wiprd the drive and installed Linux, rather than running it dual-boot.

Re:Microsoft losing their edge?

[msauve]

"You cannot get a computer without Windows in the first place."

www.apple.com HTH! HAND!

"Plus you need Microsoft Word and Excel to get your work done or to communicate with the government. Plus you need Windows to play the games out there. You even need Windows to pay your taxes."

You're fabricating things. My in-laws do all those things, and don't even have a computer.

Re:Microsoft losing their edge?

[msauve]

You lost/broke something, and chose to replace it. You're confusing "want" and "need."

Re:Microsoft losing their edge?

[mini+me]

People continue to use IE because liability from Microsoft is not a concern to them. Those who are concerned are not using IE. The free market works just fine here.

Re:Microsoft losing their edge?

[sjames]

Far worse, the big proprietary players would do that but the small shops and free software would all fold up or leave the U.S. because they couldn't afford the legal fees.

Re:Microsoft losing their edge?

[TemporalBeing]

Get real, Microsoft's software is WAY overpriced. ALL of it is way overpriced; at least, for an average Joe buying the software outright at a computer store.

While I agree here...

I paid over a hundred bucks for XP, upgrading from 98. I really felt ripped off. Not only did a lot of my old software no longer run,

Well, that's to be expected - especially in the 9x/Me->XP upgrade where the OS dramatically changed from the informal, DOS-based system that was 9x to the NT-based system that is XP and later. And early versions of XP were not the best at compatibility with 9x/ME software either.

Microsoft "disabled" the app that came with my CD burner, saying it was "unstable". I'd had no stability problems with 98.

Again - 98 (9x) was dramatically different from XP (NT) - the driver models, device access, etc. were completely different. It would have been quite remarkable if the CD burning software continued to work at all given that (i) such software on 9x had direct read/write access to the CD device and (ii) under NT such software has to go through specialized device interfaces to do the same thing, interfaces that were guaranteed to be different between 9x and NT. "unstable" was probably just a misnomer for "broken under NT".

What was worse, every morning when it booted it informed me that it had disabled this software, which it wouldn't let me uninstall.

Well, the 9x->XP upgrade process was not a very nice one given the dramatic differences in the registry and other system level changes. Yes, XP had a way to import parts of the 9x registry; but it wasn't very good at doing so.

I had to reinstall XP to get rid of the app it had disabled! Shoddy, shoddy software. Consumer protecteion laws ARE warranted in my view.

When upgrading any version of Windows (even 95->98->ME) a clean install is really the only way to go.

Face it - you took the wrong installation/upgrade path. Perhaps you learned for the XP->Vista->W7 upgrade too.

And seriously - there's a reason why most people just buy a new PC to upgrade Windows - it's easier.

Re:Microsoft losing their edge?

[mcgrew]

Well, that's to be expected - especially in the 9x/Me->XP upgrade where the OS dramatically changed from the informal, DOS-based system that was 9x to the NT-based system that is XP and later.

A warning label on the box would have been warranted: "Note, your existing programs may not run in XP". Instead, they made every effort to make it look like all your programs would not only run, but run BETTER. Hell, half the software said "runs on Win 95 or later".

Well, the 9x->XP upgrade process was not a very nice one given the dramatic differences in the registry and other system level changes.

I wiped the drive before installing XP. Of course, I needed CD burning software, so I installed the software that came with the burner, AFTER installing XP. Had Windows not been written so shoddily, rather than letting me install it and then disabling it and my ability to uninstall it, it should have simply refused to install in the first place.

And seriously - there's a reason why most people just buy a new PC to upgrade Windows - it's easier.

And half the time the newer, bmore bloated version of Windows won't run well on your old hardware.

Re:Microsoft losing their edge?

[Ciggy]

Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".

Why didn't it say that on the box? You don't see "no returns, no gurantee" until you've paid for the POS and seen the EULA.

...

If I sell you a bucket of paint, but the bucket is empty, that's fraud.

Well spotted: you do NOT buy the software, you buy a licence to use the software - that unfortunately is fit for purpose, unlike the software. There is perhaps a fraud here in that they lead you to believe you are buying the software at the POS whereas once it has been opened and the install process is started then that belief is refuted by the then presented EULA?

Re:Microsoft losing their edge?

[mistapotta]

They'd only start slapping a Beta tag on everything like Google does.

Wait a minute. I thought "Beta" on Google's products just meant they hadn't figured out how to monetize them yet.

Re:Microsoft losing their edge?

[QuantumBeep]

You're fabricating things. My in-laws do all those things, and don't even have a computer.

You're being deliberately obtuse, friend.

Re:Microsoft losing their edge?

[GNious]

Why didn't it say that on the box? You don't see "no returns, no gurantee" until you've paid for the POS and seen the EULA.

I'd suggest leaving which-ever 3rd world country you live in, and move to one where shrink-wrapped EULAs doesn't hold any value - Transaction already settled, money accepted, no more changing the agreement.

Re:Microsoft losing their edge?

[John+Hasler]

> you do NOT buy the software, you buy a licence to use the software

You buy a copy of the software. The "EULA" is not a license. It is a contract. In the USA you do not need any sort of license to use or dispose of a copy you own. However, you can enter into a contract in which you agree to restrictions on what you do with the copy as a condition of sale. That is what the "EULA" is.

Re:Microsoft losing their edge?

[TemporalBeing]

A warning label on the box would have been warranted: "Note, your existing programs may not run in XP". Instead, they made every effort to make it look like all your programs would not only run, but run BETTER.

It has been very common for most of Microsoft's life that the majority of software would have major problems during a system upgrade. They've always gotten away with enough software being compatible enough to get the compatibility claim; but software - especially software that utilizes device drivers and hardware access - was always notorious for failing to work on newer software.

So while it could be expected the MS Excel 2.0 or AOL Instant Messenger would run and work; software like CD Burning software, or CD Ripping software, etc. has always had a high system upgrade failure rate.

Hell, half the software said "runs on Win 95 or later".

"Win95 or later" does NOT mean it will run on WinXP. It does mean that it is Win95 complaint and should also run on Win98, Win98SE, and WinME. But NOT WinNT4, Win2k, or WinXP.

It would be one thing if it also said "WinNT 4.0 and later" but that would have been very unlikely as most software targetted only Win9x, and not WinNT 4.x unless it needed the WinNT environment.

Most software houses did not start targetting WinNT until Win2k at the earliest. MS didn't force the issue until consolidating their OS'es with WinXP.

I wiped the drive before installing XP. Of course, I needed CD burning software, so I installed the software that came with the burner, AFTER installing XP. Had Windows not been written so shoddily, rather than letting me install it and then disabling it and my ability to uninstall it, it should have simply refused to install in the first place.

That's not MS's problem - but the software manufacturers. MS has no way of knowing by the installer whether or not it runs on only Win9x or WinNT. Granted, the mechanisms MS provides to different are extremely poor, but again - that's the software manufacturer's issue.

Of course, you probably should have looked for an updated version of the software too _before_ installing it.

Re:Microsoft losing their edge?

[nazsco]

If I buy a toaster and it won't make toast, I can get a refund. Why can't I get a refund for shoddy software?

Because you bought the software in the full knowledge that it was shoddy and sold "as is, no returns, no guarantee".

wrong. you CAN get a refund if it fail to work for you.

only thing is that it will be hard to contact thepiratebay to get that refund.

Re:Microsoft losing their edge?

[hedwards]

You're already paying the price, it's just in a different form. Rather than being baked into the cost of competent software, you pay it when somebody steals your credit card info or a sound looking bit of software crashes your computer or fails to perform.

Personally, I'd rather pay a bit more if I have to and know that I'm getting what I paid for or at least have some recourse in the matter.

Re:Microsoft losing their edge?

[hedwards]

No it wouldn't. At best it's a murky area of law, but without the appropriate key he'd have no way to prove that he wasn't a pirate, and the DMCA doesn't provide clear guidance about a situation like this, most likely he'd be found to be in violation of the anti-circumvention provision.

Morally, it might be alright, but legally, it's hardly cut and dry.

Re:Microsoft losing their edge?

[hedwards]

Furthermore, it is effectively impossible in practice to create an operating system or similarly complex program without introducing some sort of bug; creating liability for software authors to third parties would make fundamental software an impossible area to work in. This would obviously not be in the best interests of anyone.

That's what caps on liability are for. It allows the court to hand over a sizable award for damages without putting the company out of business. A cap of even $10k would be more than enough to get MS to pay more attention. Especially if you combine that with a requirement that the plaintiff prove damages such as we have in WA state.

Re:Microsoft losing their edge?

[hedwards]

There'd almost certainly be a cap on liability combined with the need to prove the damages. Which if set reasonably would ensure that the awards could sting, but not necessarily drive companies out of business needlessly.

Re:Microsoft losing their edge?

[Sean+Hederman]

Well, you CAN get a machine and install Linux on it. Some stores even sell machines pre-installed with Linux. Not as many as a few years ago of course for a very simple reason: consumers didn't like Linux and kept coming back and asking for Windows. So, yes, it's a free market, and the general consumer chooses to pay for the MS software every single day over the free alternatives.

Admittedly, there's a LOT of reasons that they make that choice and only a few of them are "they think the software is better". Nonetheless, a market where many of the alternatives are free is about as good a definition of a free market as I can think of.

Re:Microsoft losing their edge?

[Kijori]

The problem, though, is surely one of scale; Ubuntu, hardly the most popular operating system around, has an estimated 12m users according to Wikipedia. It would only take a small proportion of those to sue for relatively modest damages in order to make Ubuntu unviable. Microsoft and Apple would, if anything, be more vulnerable due to the use of their systems in business.

Obviously allowing the companies to exclude liability against the end-user would not be a solution since the result would simply be that all liability would be excluded as a matter of course.

What might be more practical is an industry regulator with the power to levy fines after a hearing. Aggrieved users could complain to the regulator which could then investigate and assess a penalty that would discourage reoffending without sending companies bankrupt. This is largely the system in place for a variety of other industries, such as telecoms, which have the same problem of ensuring accountability for negligence without opening them up to a claim from each of their millions of users in the case of a breach.

Re:Microsoft losing their edge?

[BLKMGK]

I've bought 3 computers in the last year sans OS - no Windows. http://www.newegg.com/Product/Product.aspx?Item=N82E16856173011&cm_re=zotac_ion-_-56-173-011-_-Product I could find more but you get the idea, computers without Windows exist and run just fine.

I have also created documents and spreadsheets and presentations without Office. http://www.openoffice.org/

Please show me evidence that any OEM will drop your warranty if you run another OS on their hardware.

Sorry but you're full of it.

Re:Microsoft losing their edge?

[BLKMGK]

XP did disable some older\ancient programs from the 98 days. These were often programs that accessed hardware at a low level - the CD burner software wouldn't have surprised me. Scanners, printers, and some drivers also wouldn't work. People bitched about Vista not supporting everything too. Microsoft in some cases knew that some programs would render the OS unstable and as a result blocked those drivers. Had it been allowed to run and been unstable he would have said XP was crap. With some people you simply cannot win.

He could have fixed his issue finding updated software.

Mind you, we're talking about incidents that happened what a good TEN years ago? He's still burning about that? Who lost that license key BTW and who's fault was that? I think you meant technically LEGAL BTW ;-)

Re:Microsoft losing their edge?

[AmiMoJo]

"As is" and "no returns" have no legal standing in the UK. The Sale of Goods Act requires that all goods which are sold are of reasonable quality, last a reasonably long time and are fit for purpose. Unless what is being sold is described as "scrap" or "not working" then you have a reasonable expectation that it should be usable and can get a full refund if not.

I wish someone would get this confirmed in court but all the vendors settle before it gets that far to avoid a precedent being set. Theoretically though the following should apply:

- Must work and do the job as advertised, i.e. no show-stopper or functionality crippling bugs

- Must do the job reasonably well, compared with similar software

- Should last five years at least (i.e. no turning the multiplayer server off after 1 year like EA do, or turning off activation servers etc.)

Of course this assumes that software is classed as "goods" rather than a service, but that certainly seems to be the likely interpretation as otherwise coffee machines would actually be a license to make coffee once the user has agreed to the EULA for the period of one (1) year from the date of purchase. No judge would buy that (no pun intended.)

As a general guideline a PC or laptop should last around five years if well treated. If it does not then you are entitled to a partial refund, the amount depending on how much use you have had from it before it died. If you batter PC World enough they will meet this requirement, assuming the computer is in good condition.

Re:Microsoft losing their edge?

[AmiMoJo]

I think his point may have been that XP is overpriced for the level of performance and stability it offers, compared to competitor's products. I would not necessarily agree with that, especially when it came out in 2002, but to use your analogy a Ferrari would be overpriced if it was only as fast as Fiat Panda.

Re:Microsoft losing their edge?

[AmiMoJo]

I wonder if they are hoping that the same think that happened in business with the iPhone will happen with WP7, i.e. all the trendy managers want one so IT has to figure out a way to integrate them. We had a lot of trouble with iPhone and Exchange integration, especially with the calendar, but our corporate customers would not give them up for something like a Blackberry.

It isn't beyond the realms of fantasy since MS managed to make a cool must-have product with the XBOX. I even saw a few people getting as excited about the new task bar in Win7 as people did about the dock in MacOS. WP7 does not seem to have had the same effect though.

Re:Microsoft losing their edge?

[cynyr]

like dual monitor Excel? or that shitty piece of coil selection program that can't handle when the monitor layout changes...

When

When is someone going to DO something about the possibly government sponsored hacking taking place in China? It ought to be brought up at the UN, or trade meetings, or SOMETHING! If the Chinese government won't stop it, we need to cut them off.

Re:When

[morgan_greywolf]

If the Chinese government won't stop it, we need to cut them off.

What, exactly, do you expect? Institute a trade embargo with China? If we did that, the entire economy would grind to a halt. Goods that were once being made in Europe and the U.S. are increasingly being made in China. Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.

Re:When

[drinkypoo]

Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.

Who cares? The economy doesn't depend on that shit. What's more interesting is what percentage of actually useful items are made in China (which is still ridiculously high) and what's even more interesting is how much of that stuff can't be made here, which is to say almost none of it. If we stopped buying Chinese stuff for whatever reason you'd see toaster and eggbeater factories pop back up overnight. Or, more likely, they'd pop back up in Mexico again.

Re:When

[John+Hasler]

Even high-end "designer" stuff -- it's not just the cheap stuff at Walmart.

It's the same stuff, and always has been. The only difference is the label. There is no need for quality in "high-end designer stuff" because it will be out of fashion before the defects become evident.

Re:When

[NevarMore]

Yes, lets have the UN send one of its famous "Stern Letters Of Warning" to China that they've been very naughty and shouldn't do what every other nation or its citizens doesn't already do.

Re:When

[TheCRAIGGERS]

Something as serious as a trade embargo or similar would require somebody very powerful to push it, if not more than a few. And normally, powerful people want to keep the status-quo. That is, making goods in China for pennies and selling it for a huge profit somewhere else.

No, it will take something so serious that it directly impacts the fatcat's wallets before something like that happens.

Re:When

[piquadratCH]

Who cares? The economy doesn't depend on that shit. What's more interesting is what percentage of actually useful items are made in China (which is still ridiculously high) and what's even more interesting is how much of that stuff can't be made here, which is to say almost none of it. If we stopped buying Chinese stuff for whatever reason you'd see toaster and eggbeater factories pop back up overnight. Or, more likely, they'd pop back up in Mexico again.

If the US would take such drastic measures, China would probably answer by selling their $2.5 trillions in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude.

Let's face it: China got us by the balls, and they are ready to squeeze them.

Re:When

[RoFLKOPTr]

Who cares? The economy doesn't depend on that shit.

You obviously don't understand the basics. Yes, the economy depends on that shit. Any form of trade or investment is a part of the economy. And seeing how we contribute to perhaps a trillion dollars a year (I don't know the numbers, so this is just a wild guess) to China's GDP... all of that money is a part of our economy and that much money is a HUGE part of our economy, and if we were to eliminate it then there goes Wal-Mart. There goes dollar stores. There goes much of our electronics industry. There goes auto parts, furniture, garage door openers, dog beds, alarm clocks, and perhaps every single computer in the country.

A trade embargo with China is not a thought to be taken lightly.

Re:When

[drinkypoo]

Any form of trade or investment is a part of the economy.

When you're shoving the money out of the country as fast as possible, you're doing more harm than good.

A trade embargo with China is not a thought to be taken lightly.

Slavery is not to be taken lightly.

Re:When

[morgan_greywolf]

I was including stuff like toasters, eggbeaters, even so-called "Italian" espresso (Gaggia/Saeco) machines are being made in China now.

Re:When

[bluefoxlucid]

It's the same stuff, and always has been. The only difference is the label. There is no need for quality in "high-end designer stuff" because it will be out of fashion before the defects become evident.

Very true. Tommy Hilfiger, Ambercrombie, etc etc, "it has a name that makes me street-cool," that crap is all garbage with a huge premium for the name and "current style" to make you cool. Even The Gap does it.

What you want are the mid-range business/casual outfitters. Land's End, Polo, and the like, the people that nobody gives a shit about but that try to win you over with "quality and style." The so-called "style" is "not looking like shit" but it's not going to pretend to net you "street-cred." The price tag isn't $500 either, just a bit more expensive (we're talking $18 wal-mart crap shirts vs $25 Land's End shirts). It's enough for you to risk it casually, but if it turns out to be no better you go with another manufacturer; thus the burden of actually providing quality falls squarely on the manufacturer.

Personally I don't even know what the style is today, besides looking like a moron that can't figure out how to use a belt. I like the lines and simple form Land's End uses, and have a distaste for the visual style Polo and Doc Marten provide; but others may disagree with me and go with those, or others. I'm in no great need of Ambercombie or Old Navy $50 shirts.

One thing I can definitely say about good quality clothes, though: they survive the wash without frilling, fuzzing, or fading for YEARS; but they'll still tear on concrete, wear if you kick your shoes off (grind the hem on your pants away until it frays via the sole of your shoe), and don't believe anyone that tells you this shit won't stain. Land's End has "no-iron" pants that last 30 washes without needing ironing... it doesn't hurt, they do show a little wear after 5-10 washes but they don't really start needing a press until 30 or 40. "Quality" doesn't mean it's indestructible.

Re:When

[bluefoxlucid]

Obama wanted to raise taxes on import goods a la tariff ... Income tax was unconstitutional and we instead had a tariff system for imports. Why, our country threw down a 1% income tax and the government drew in 30 times more in taxes that year than it ever did in history; 1% should have been enough to run this country forever, with constant tax refunds to the people at the end of the year for the money we took but didn't use. How it ever got to the 25%-40% graduated system we have today I'll never know.

Re:When

[jittles]

I think this would hurt China just as much as it would hurt the US or Europe.

Re:When

[RoFLKOPTr]

A trade embargo with China is not a thought to be taken lightly.

Slavery is not to be taken lightly.

That right there invalidates all your arguments, because that says you've been absorbing all the stupid propaganda and sensationalism about Chinese working conditions. Just because they don't make $50k a year doesn't mean they are slaves. Most of them are quite happy with their jobs.

Yeah, 14 Foxconn employees committed suicide in 2010. That's out of 920,000 employees total. So that's about 1.5 suicides out of every 100,000 employees. Wanna guess what the suicide rate in the United States was in 2007? 11.5 out of 100,000. That's EIGHT TIMES the suicide rate at Foxconn. And the suicide rate in all of China was 6.6 in 2008. One could argue that Foxconn, in fact, IMPROVES workers lives. Of course that's not necessarily true, because correlation does not imply causation, but that data is enough to make a big huge news story worthy of being approved by Slashdot's elite editorial team with which to draw a bunch of sheep to hark the benefits of working for Chinese electronics manufacturers.

Do some of your own research before believing the bullshit and comparing Chinese laborers to slaves.

Re:When

[DigitalSorceress]

Actually, if they did something that devalued the USD, it would hurt them badly. If the USD goes down, US goods would be cheaper to the rest of the world, so our exports would increase, and it would decrease the buying power of the dollar for imported goods.

If anything, China wants to see the USD stronger... the more the dollar's worth, the cheaper its goods and services are to the US (and world) market by comparison.

Re:When

[Frosty+Piss]

If the US would take such drastic measures, China would probably answer by selling their $2.5 trillions in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude.

Not a chance. China would NEVER destroy their CASH COW.

Re:When

[piquadratCH]

Actually, if they did something that devalued the USD, it would hurt them badly.

The Telegraph article I linked to named this course of action, rather appropriately, the nuclear option. China won't use this weapon lightly, but if the US would implement such a drastic embargo as proposed by drinkypoo, what other choice do they have?

Essentially, we're living in an economic cold war between China and the West (US, mostly). Both sides have the tools to annihilate the other's economy, but not without destroying or badly hurting its own.

Re:When

[HeckRuler]

It's reassuring to know there's a man out there whose fault everything is.

Re:When

[interkin3tic]

China would probably answer by selling their $2.5 trillions in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude. Let's face it: China got us by the balls, and they are ready to squeeze [telegraph.co.uk] them.

A few things

1. "Nuclear option" as mentioned in that link is more descriptive than you give it credit for. Just as we could not have nuked the soviet union without getting destroyed ourselves, so too would China be bringing about mutually assured economic destruction with such a move.

2. How would the Euro be affected?

3. Ready to squeeze? You might use a more recent article than 2007 when making such a claim. I mean, it IS interesting how this will affect Hillary Clinton's chances of getting elected and all...

Re:When

[geckipede]

It would hurt them very badly if they did it unprovoked. The mechanism by which it would hurt them would be undoing their currency manipulation which keeps the yuan weak and their exports subsidised.

If there was an embargo against them, dumping the currency would have no extra effect whatsoever and it would be a very sensible retaliatory move.

Re:When

[Omniscientist]

China has a permanent seat on the UN security council.

That being said, they have the ability to veto any substantive resolution designed to address their intrusion into Google's computer systems.

Re:When

[kimvette]

If the USD goes down, US goods would be cheaper to the rest of the world, so our exports would increase, and it would decrease the buying power of the dollar for imported goods.

Except for wheat and soy, what do we make to export?

Re:When

[AK+Marc]

If anything, China wants to see the USD stronger... the more the dollar's worth, the cheaper its goods and services are to the US (and world) market by comparison.

Yup. And buying our debt is a means of doing that. If people didn't snatch it up, then we'd have to increase interest to convince people to grab it. That would drain the US dollar. They'll prop it up until they are done with us, then they'll collapse our economy by just not buying anymore. At this point, the US economy would collapse from nothing more than inaction of foreigners, and yet we make that worse by invading Iraq and lying about it claiming that they are a danger to the US. We'd be safer abolishing the standing army, closing all bases, and recalling and discharging all troops. But for some reason, talk like that is unamerican, but adding trillions in debt which directly puts the US at the mercy of foreigners is ok.

Re:When

[bluefoxlucid]

Penny Arcade reference?

Re:When

[morgan_greywolf]

It is our Constitutionally-derived right to blame everything on J. Random Politician, Congress, the government, [insert your favorite political party here], etc.

Or we could simply derive wisdom from the words of Walt Kelly: "We have met the enemy...and he is us!"

Re:When

[AK+Marc]

Yes, they will. And soon. The thing you don't get is that the USA isn't necessary to China, but China is necessary to the USA. 25% of Chinese exports are to the USA, and it would hurt to have that go away. But for the US to have nearly every product in Wal-Mart disappear would cause massive failure in the bulk retail sector, with a large cascade through all the other sectors.

But why would the hit to the US be worse than that to China? Because the US is a service economy. When one person loses their job, they stop supporting the services they used. That makes a larger cascade than for a country like China which is much less service-oriented.

But why would they destroy their cash cow? Because they don't want to be a manufacturer of cheap plastic crap forever. That's what got them where they are, but they want to make everything, including higher cost electronics and such. They are exporting cars, routers, phones, and just about everything else now. But the US isn't buying as much. The US doesn't buy Chinese gear, but buys American gear (made in China). And the US is shrinking comparatively on the international market as the third world works to catch up every day. We are shrinking as an influence on them economically. But the US will never admit that they aren't more important than all other countries combined, so we'll never see it coming because no one would ever try something like that with us, right?

Re:When

[nschubach]

I think there are actually two points of thought in that post.

It's a shame paragraphs weren't invented.

Re:When

[Kijori]

The economy doesn't depend on that shit.

That's a pretty big statement to make. Imports from Asian companies with deliberately depressed exchange rates have kept inflation artificially low for a long time. A trade embargo would increase the cost of doing business for domestic companies which had to buy more expensive components and equipment and the cost of purchases for consumers who had to buy more expensive goods manufactured elsewhere. It would mean massive inflation over a very short period of time, which would be compounded by the expense of restarting domestic manufacturing. Just the fact that the Yuan is overvalued against the dollar by an estimated almost 50% (source: the Economist) could mean price increases of 25% or more on many items (once some of the overvaluation is written off as transport costs and profit). This would take place over a couple of weeks as warehouses emptied, and would conceivably be followed by shortages and massive arbitrage, further inflating prices. The result would be enormous inflation, conceivably higher than at any time in the last century. Double that if foreign countries - notably China - reacted by dumping their record stocks of US dollars. This would be coming at a time when the economy is already sluggish and when there is no possibility of taking advantage of the inevitable large fall in the dollar to export goods more competitively since world demand is massively depressed. And that's even assuming the countries you want to trade with don't get sucked into the embargo arms-race you've started by the embargo with China.

Sensationalist? Yes, a little, but not an incredible prediction. My point is that the economy does, in a very real way, depend on "that shit".

Re:When

[MostAwesomeDude]

This would trash the Chinese economy as well, crashing the Asian and American markets simultaneously.

Re:When

[MMC+Monster]

If it's going to devalue the US dollar and the Euro, go for it. That means that their value is going to decrease against the Chinese currency and other eastern european, asian, and south american currencies. Increasing exports from the US and Eurozone countries. Which is exactly what the US and Europe need.

Besides, it'll never happen. It will mean that those Chinese investments that are all dollar-based will go up in a puff of smoke.

Re:When

[bill_mcgonigle]

What, exactly, do you expect? Institute a trade embargo with China?

Ah, you've finally discovered the devious strategy by Microsoft to exact revenge on Apple.

Re:When

[dgatwood]

First, nobody mentioned Foxconn until you brought it up. Second, what you're failing to point out is that

• Foxconn is one of the better Chinese employers. There are a lot of employers that are a whole lot worse.
• Suicide is just one of the many causes of death directly attributable to abusive corporate practices in China. Start with the alarming cancer rate and go from there.

When the #1 cause of death in your major cities is lung cancer (and the #2 cause of death nationwide), you have a very real problem. It may not be slavery, but it is eerily reminiscent of other early industrial societies. You'd think that we, as a planet, would have learned better by now, but apparently not.

Re:When

[piquadratCH]

Please explain to me how exactly China selling their x trillion USD worth of reserves would devalue the Euro?

Their total foreign exchange reserves are $2.5 trillion, only a part of it is in USD (the major part, though). China already began buying massive amounts of Euro, under the premise of helping countries in peril of bankruptcy, like Greece and Ireland. With the current state of the Euro, it doesn't take much bad news anymore to sink it, completely.

And, of course, our globalized markets mean that when the US sneezes, Europe gets a cold. Rest assured that China is capable of sending the US economy directly into intensive care, and with it the Eurozone.

Re:When

[RoFLKOPTr]

When the #1 cause of death in your major cities is lung cancer (and the #2 cause of death nationwide), you have a very real problem.

FASTSTATS - Leading Causes of Death

The #2 cause of death in the United States is cancer by several hundred thousand deaths per year, and Lung Cancer is by far the leading cause of cancer-related deaths, and smoking is by far the leading cause of lung cancer cases. There are also lots of smokers in China. Damn near EVERYBODY in China smokes cigarettes... approximately 25% of their population if I remember correctly, while only somewhere around 8 or 9% of Americans smoke... but we have the same exact lung cancer problems. What's the difference?

(^ I wrote that before clicking on your link, and then I read that they DO attribute China's alarming cancer rate to smoking and vehicular pollution. Not poor working conditions and abusive corporate practices. So why even bring it up?)

And I only bring up Foxconn because that's what's been in the news lately as the posterchild for China's "poor working conditions", even though working there is way better than most peoples' alternative: breaking their backs on the family farm for almost nothing.

Re:When

[fishthegeek]

Here is the most recent break down of U.S. debt I could find.

Taiwan $126.9 Billion (not China though the Chinese like to think so)
Hong Kong $151.8 (China-ish you could argue either way but I'll get back to that)
Caribbean Banking Centers $153.2 Billion
Brazil $164.3 Billion
Depository Institutions $206.6 Billion (these are commercial banks etc.)
Insurance Companies $235.7 Billion
Oil Exporting Nations $239.3 Billion (China is not an exporter of oil)
United Kingdom $321.2 Billion
Pension Funds $513.1 Billion
State & Local Governments $531.3 Billion
Mutual Funds $663.9 Billion
Japan $795.5 Billion
China $900.2 Billion
Other $1.193 Trillion (these are bank trusts, corporate business, estates etc)
Federal Reserve Intergovernmental Holdings $5.259 Trillion (This is the federal reserve itself)

http://www.cnbc.com/id/29880401/The_Biggest_Holders_of_US_Government_Debt?slide=16

Re:When

[sjames]

If it is done in stages, it could do our economy a world of good. Yeah, I know, the same corporations would just pick a different offshore location, but hopefully it would drive offshore prices up a bit and shift the equation to make it worthwhile to move some of it back to the U.S.

Re:When

[kimvette]

For our silly sports all we do is rip off Japanese game shows.

Rap is not music.

Weapons? Sure, they're assembled here, from parts made in China.

Re:When

[Solandri]

If the US would take such drastic measures, China would probably answer by selling their $2.5 trillions in foreign exchange reserves, most of them US Dollars. That would devalue the USD and EUR to virtually zero, bringing about economic turmoil of unprecedented magnitude.

I don't know why people keep saying this. China holds about $900 billion in U.S. Treasury securities (so they're not even "most" of the $2.5 trillion foreign exchange reserves China holds). That's out of $4.3 trillion U.S. Treasury securities held by foreigners, and $9.1 trillion overall. While China holds the largest share (barely beating out Japan), it's small potatoes compared to the total. And the whole reason China has been buying them is to prop up the US Dollar, to help maintain the favorable (for them) Yuan/USD exchange ratio. The U.S. has actually been trying to devalue the USD relative to the Yuan to try to correct the trade imbalance with China (why do you think our interest rates have been so low for so long?). So devaluing the USD actually works against China and for the U.S.

Furthermore, U.S.-China trade from Oct '09 to '10 was $253 billion in imports and $88 billion in exports, or about $340 billion overall. China's GDP is a bit over $5 trillion, while U.S. GDP is around $14 trillion. A trade war between China and the U.S. hurts China more than it does the U.S. In fact, due to the trade imbalance, the U.S. is in the role of customer. In a trade war, it's easy for the U.S. to change its shopping venue to another low-cost manufacturing nation like Malaysia or Thailand. It's hard for China to find another customer to buy the products it's currently selling to the U.S. So again, it's the U.S. which is in the driver's seat, not China.

Re:When

[KarmaMB84]

The US is the third largest exporter of manufactured goods on the planet and #1 in total manufacturing. You can bet if the dollar dropped and currency manipulation and trade barriers were ended, the US would be churning out a lot more goods to export.

Re:When

[Frosty+Piss]

No. They will not. Crawl back into your tinfoil lined cave.

Re:When

[AK+Marc]

And why is your uninformed opinion more valid than mine? How many times have you been to China? They think of themselves as above the USA now. They aren't far off. The USA meddles with other countries, harming China and those China wants to sell to. At some point, castrating the yipping little dog of the USA would allow them to grow even faster. You are apparently asserting that even after the point where they'd gain more than lose by harming the USA, they won't pick that because we like to buy trinkets from them.

You are wrong.

Re:When

[SlowMovingTarget]

I could be wrong, but I suspect you missed the point. The more debt China buys, the larger the chunk of U.S. citizen's lives China owns.

Our children will be the slaves when the bill comes due.

Re:When

[drinkypoo]

Slavery is not to be taken lightly.

That right there invalidates all your arguments, because that says you've been absorbing all the stupid propaganda and sensationalism about Chinese working conditions.

Watch the "extras" on What Would Jesus Buy, where you can see the testimonial of a Chinese woman arrested for the crime of being a Christian, raped, imprisoned, and forced to make Christmas lights for sale in the USA.

Do some of your own research before believing the bullshit and comparing Chinese laborers to slaves.

No, they have actual prison camps where they force people to labor as their punishment for dubious "crimes". This is actual slavery. Odds are good that you've bought products made by an actual slave, not "just" a worker who isn't permitted to leave the premises between shifts and so on.

This is just one of the abhorrent practices institutionalized by the very Chinese government. They also actually commissioned a fleet of vehicles specifically for the purpose of organlegging. Those convicted of a capital crime (which in China, includes things like cheating on your taxes) are taken into the van, executed, and never seen again, not even in the form of a corpse. The injection used for their murder keeps the organs in a useful state.

The simple truth is that China has long had nationalized slavery as an institution, and it still does.

Re:When

[nazsco]

When is someone going to DO something about the possibly government sponsored hacking taking place in China? It ought to be brought up at the UN, or trade meetings, or SOMETHING! If the Chinese government won't stop it, we need to cut them off.

and he wrote on his chinese built laptop. sitting at his chinese built chair (bought at ikea). siping from his china glass... ok that one is bad. but you get the idea. i hope.

Re:When

[nazsco]

all that suicide data is useless until we can get one reference scale using /. numbers.

Re:When

[RoFLKOPTr]

What the fucking hell are you smoking? Care to cite any of these outrageous claims that I've never heard anything about before?

Re:When

[RoFLKOPTr]

You are comparing suicide rates of ONE company with that of an entire nation.

I also compared the suicide rates of that entire nation with this entire nation. Read sometime.

Re:When

[drinkypoo]

There is a citation in the text above. The woman making her plea is being represented by the China Aid Society. The Chinese persecution of Christians is well known. And it is a fact that you can be murdered by the state for nonpayment of taxes. It's in the news again now because they're talking about abolishing this particular practice, but for now it's all talk.

Re:When

[drinkypoo]

Yep, the USA is running the world's economy by a) previous actions, namely getting stuff based on the dollar and b) dumping currency, forcing everyone else to dump currency. Unfortunately, it's more like ruining than running, really; this mechanism can only run everyone's economy into the toilet. As far as I can tell this is the USA's economic plan; as our economy tanks, ruin everyone else's too. I'm just not sure what we're supposed to get out of it, since it will mean that the usual mechanism for balance is thrown out of wack. Perhaps it means that we'll all end up in the toilet, and USA will continue to be the biggest turd.

Re:When

[Confusador]

China's up in arms trying to stop the US Federal Reserve from devaluing the dollar, it'd be really interesting to see the reaction to a sudden about face on that.

Security through blissful ignorance...

[flyingfsck]

MS believes in security through ignorance, since it makes them money. As long as the common users don't know that their machines are infiltrated, stealing their bank information and sending spam, they are happy, since at worst, they will think their machine is worn out and slow and then go out and buy a new one, chock full of new versions of MS software.

Re:Security through blissful ignorance...

[mcgrew]

From the co,puterworld link:

"I have a conference call with MSRC [Microsoft Security Response Center]," Zalewski said in the timeline's note for Dec. 28. "The team expresses concern over PR impact, suggests that the changes made to my fuzzer code between July and December might have uncovered additional issues, which would explain why they were unable to reproduce them earlier."

MS, if you want better PR, stop worrying about PR and start worrying about code quality. For what your software costs, its performance is abysmal. You have Yugo software with a Lexus price.

Re:Security through blissful ignorance...

[v1]

I think I'd call it more "security by bliss" (from 'ignorance is bliss") Really they're not so much taking advantage of users' ignorance, but rather that they don't care. As long as their computer is functional, most users don't care if their machine is participating in a botnet and DDoS'ing or spamming.

Re:Security through blissful ignorance...

[bluefoxlucid]

Right, which is why most users are overly concerned about "credit card theft" when most infections are about spamming the shit out of people; and a large number of people who succumb to identity theft are actually taken by malware that installs itself as an "anti-virus" program but secretly records your bank transactions.

It's like walking through Baltimore City alone at night. As much as people are terrified by it, not everyone is out to kill you; that said, if you walk through Baltimore City alone at night regularly, you'll meet someone who is out to kill you. Paranoia is when you think they're all out to get you; rational sense is when you realize, no, they're not, but there's a significant risk of encountering someone eventually and it only takes one knife to stop your heart.

Re:Security through blissful ignorance...

[icebike]

That seems a bit over the top, even for the anti microsoft crowd here on Slashdot.

Microsoft doesn't sell computers, and they make very little on OEM versions of Windows installed in the factory.

Re:Security through blissful ignorance...

[v1]

For what your software costs, its performance is abysmal.

Last I checked, IE was free.

and horribly overpriced at that!

Re:Security through blissful ignorance...

[ConceptJunkie]

But the OS you need to run it isn't.

Re:Security through blissful ignorance...

[nschubach]

It's only free if you devalue your soul. ;)

Re:Security through blissful ignorance...

[Ciggy]

Directly they may get little from the factory OEM installs (do they still insist that OEMs buy enough licences at bulk rate regardless of how many actually installed?) but with the installed base, it provides excellent persuasion power with other companies to make products to work with Windows and so need to licence required I[maginary]P[roperty] from them. The OEM factory installs could be considered Loss Leaders (except that I doubt very much that MS makes a loss with the OEMs).

Re:Security through blissful ignorance...

[icebike]

Admittedly, Its almost impossible to make a loss selling each additional unit of software, since it costs next to nothing when an OEM pre-installs it from a single in house source.

A marginal load on the server for updates might occur I suppose.

Still to suggest that MS has a financial interest in getting you to believe your machine needs replacement, and it pursues this interest with shoddy software just seems a bit of a stretch.

They want to sell New Licenses of windows. The cost of a new machine raises a pretty high barrier to that additional copy. It just does not sound like even the most brain dead marketing droid would go down that path.

All the effort of developing Vista, Win 7, Security Essentials (free) have been aimed at cleaning up the mess they made for themselves over the years due to clinging to a fundamentally insecure design.

To now come out and claim it is their business plan to destroy the usefulness of your computer just seems like nonsense.

I've upgraded all my Linux machines too. Does that mean Linus Thorvald gets a cut of that somehow?

Re:Security through blissful ignorance...

[jisatsusha]

IE is only "free" in the same sense that your new phone was "free", so long as you sign away your soul for two years.

Article is dupe

http://it.slashdot.org/story/11/01/01/2142202/Security-Researcher-Finds-Hundreds-of-Browser-Bugs

Re:Article is dupe

[Abstrackt]

It's actually a follow-up. He finally got his response from MS but it was just them asking him to delay releasing the tool indefinitely.

Re:Can't blame him

[smooth+wombat]

I wonder if this tool will work on other browsers as well?

Had you read this link from the posting, you would have seen that it does. In fact, the last entry, for Opera, says the following:

Note that with Opera, the fuzzer needs to be restarted frequently.

Browse at your own risk...

Last year I attended a conference where one of the talks was about browser security. The speaker demonstrated how easy it was to gain access to someone's PC when the machine was being specifically targeted. Some of the things he did:

1) Set up a rogue access point with open access and SSID name similar to the venue..

2) Set up a rogue DNS.

3) Set up a redirect page that installed demo software...

One of the things he mentioned was that if you are being targeted specifically, your system will likely be compromised. If you are not targeted specifically, it's trivially easy to find machines that can automatically be compromised.

Adding any apps increasing your exposure.

The number of unpatched vulnerabilities is staggering and it's only a numbers game when a slew of machines are needed.

Re:Browse at your own risk...

[Securityemo]

But that assumes you're being targeted specifically and maliciously by a skilled attacker. Unless you have a high-profile job, that defies common sense. And assuming a skilled attacker, there's really nothing you can do about it except minimizing the attack surface and just plain keeping stuff off your computer. A simple encrypted VPN connection routing all your traffic will effectively stop all local wireless attacks, reducing the attack surface to the wireless drivers, kernel packet processing and the VPN software itself.

Re:Browse at your own risk...

[bluefoxlucid]

Well, if you're in Panera Bread or Barnes & Noble, you're probably being targeted "specifically" ... for some value of "specific" amounting to "the 5 people in that store dumb enough to use Wifi."

Re:Browse at your own risk...

[Securityemo]

It just makes no sense to me. Sitting with a laptop computer at a public access point and targeting people to spoof/sniff credit card information and credentials seems to have such low throughput to effort when botting at this point in time is almost simpler to execute (like firing an automatic shotgun). The people hanging out at the botting forums I've seen seem like ordinary criminals for the most part, and the barrier to entry nonexistant. Why use a low-risk low-pay method when you could use the no-risk higher-pay method?

Re:Browse at your own risk...

[bluefoxlucid]

Sitting in a Starbucks is a low-risk method because it's hard to trace. Hell, you can load automated software onto a hand-held PDA (iPaq? I ran Linux on one...) to do all the raping and infecting. The packets can be tagged with a different MAC address than your real device, making it physically untraceable; it's all in your pocket, and can auto-connect to wifi and do whatever, so picking you out of a crowd is harder than "find the suspicious person" since you just carry it around and don't go out sniping.

This works for MP3s and child porn and whatever the hell else too, btw. Assuming you know where and what to search (I assume torrents for MP3s, who knows for kiddy porn), you could have an automated program do all the relevant searches and store the results. When you get home, pop the device out and browse through the cached results... pick what you want, and next time you're out it'll find those things and download them.

For the obvious flaw, you can ban your own Wifi network and your neighbors', or have the program automatically search for certain networks (yours, your neighbors', etc) and decide you're "too close to home" and shut down. You could even have a separate daemon that handles wifi, and when it sees you're "too close to home" it prevents any wifi connections at all.

There's a lot of "I can have this here with me, but never physically do anything while connected to the network, and never use my own network" that can be done to hide your online presence. The same can be done for chatting on forums, sending e-mail, etc. The only thing you can't hide that way is real-time chat like instant messaging or IRC, because you have to twiddle the device; but for answering a forums post or blogs, you can have a program smart enough to deal with phpBB and V-Bulletin and Wordpress... it could let you record what you want to post, who to reply to, which post ID to reply to, the works... then when you're out somewhere, post.

Basically you're interacting from an alternate reality, one where you're pulled out of the real world; that interaction is transferred into the real world physically somewhere, but you're not present at that point and there's no cable running from there to here to draw a path to you. You'd have to use an innocuous device (a PDA most likely, bought in cash) and download the software from a MAC-shifted device on a public link to have absolutely zero trail (i.e. no evidence that you're even capable of this), but it'd be doable. Completely. It'd make for some interesting shit... maybe I'll write a sci-fi novella about the idea.

Re:Browse at your own risk...

[Securityemo]

It has nothing to do with application-level code execution exploits, but there's no effective difference to the person and system being attacked. It's just a different means to the same end.

Re:Browse at your own risk...

[Securityemo]

There's the latency, though. I can think of two other "bullet-proof" solutions: no-strings-attached satellite signal (you can only track so far as the uplink satellite's "footprint" as far as I'm aware), and simply tunneling the connection through two different botnet nodes in different jurisdictions, making sure not to transmit presonally identifiable data through the endpoint. If you obfuscate the data in time and shape, you could even pass a connection through the same "listening post" twice, allowing you to perform anonymous attacks or communication in your own region even under "perfect" local internet surveillance.

Re:Browse at your own risk...

[bluefoxlucid]

Enough forensics will trace the connection back to where it came from, i.e. starbucks. Satellite... good luck getting free satellite, and they can ID the device somehow if you have a log-on (z3r0c00l did this...). I'm talking about something that traces back to a pinhole in reality and then vanishes. Oh shit, the attack came from nowhere; a wizard did it.

Re:Browse at your own risk...

[Securityemo]

Actually, post-attack forensics would not be able to get anything useful out of botnet proxies even assuming black helicopters descending on them minutes after the fact. As long as it stays up, a node can be infected and malware injected and updated without ever touching disk, using multi-stage shellcode utilizing dll injection. The largest threat would be the botnet nodes being compromized during or before the attack. Now, if your criteria is that not only the attacker but also the *method used* being unknown, that puts up a few more barriers. Let's see - compromizing routers is considered "voodoo" still, and if you pulled it off right you could use it to erase or falsify the records. You'd have to somehow reset the router to a normal state afterwards though. A router log with a falsified connection record pointing somewhere amusing, on a router thought more or less "unhackable", and assuming that no other forensic information regarding the connection in question exists - that'd be "Whoops, a wizard did it". Regarding the satellite option, a *hacked* satellite could be used in the same manner as a hacked trusted router, but is probably more likely to be treated as "Whoops, a wizard hacked the satellite" than "Whoops, a wizard did it (and we don't know how)" due to the many different and unknowable methods that could have been used in the router method.

Re:Browse at your own risk...

[bluefoxlucid]

Yes, my criteria is that a spook at every position along the wire physically cannot figure out who the hell you are, even if one is standing right next to you going, "Someone within range of the access point up there on that shelf is doing this... someone within a block and a half radius, in one of these 10 story buildings. Someone in that McDonalds, or that Panera, or up there on the second floor of Barnes & Noble, or in that Best Buy across the street, or one of the 2500 people in that office building." They would have to shake everyone down; find the device; and then examine it to see if it is indeed responsible for the connection being tracked (because maybe it's someone else's device running that connection, not yours, even though yours does have the relevant software... oh, you're just downloading MP3s, we're looking for the guy downloading nuclear secrets off a Russian site, let's shake down the guy over there instead...).

Re:Browse at your own risk...

[nschubach]

You mean the "Internet" doesn't cache all communication so that they can be pulled up easily by dumping the cache on someone's webcam to get the feed sent 3 weeks ago like they say on NCIS?

(Sorry, I always have a laugh when they start doing that...)

Re:Browse at your own risk...

[Securityemo]

You can still compromize your position through tracking where and when the device switches AP. And don't forget, if the signal is identifiable up to your "device" (public routers don't use encryption, so the data from the wireless router and your device can be easily correlated) the transmission can be triangulated, though I don't know with what precision. I don't think this method provides much additional security over just using a notebook, especially since by using a notebook you could excise control over (start/stop/switch obfuscation method or MAC address) the connection. You could argue that switching APs by moving around while being tracked in real-time makes it provide *worse* security than the "sip coffee, perform attack, calmly leave the area" method. You're still leaving a large signal trail.

Re:Browse at your own risk...

[stimpleton]

The hacker also masks any obvious physical features, and goes to somewhere the hacker has never used a debit or credit card. The hacker also uses a secondhand laptop purchased from a pawn shop for cash.

Re:Browse at your own risk...

[DarwinSurvivor]

If you are within range of the device and can determine which signals are coming from it (even if you can't *read* them), it is TRIVIAL to use local triangulation to find them. HAM radio guys do this all the time when someone is illegally using one of their licensed and/or restricted frequencies.

Re:Browse at your own risk...

[bluefoxlucid]

Now you're just being ridiculous. Once you've reached a point where the only way to track this is "magic" or "tracking everything, all the time, continuously, non stop," it's pointless to take other measures; they just enlarge your exposure and make you look more suspicious.

Re:Can't blame him

[Securityemo]

Yes. There's a list right at the bottom link of other browsers it managed to break, including firefox and opera. It apparently works by stressing the garbage collection mechanisms through creating and destroying DOM objects/references; I don't know what that means really, but he's written a step-by-step of the mechanisms that seems easy enough to follow.

Re:Can't blame him

[intellitech]

Definitely can't blame him. Considering Microsoft's track record for investigating serious security concerns in it's operating system and browser series, and the total number of people using these products across the world, he acted properly.

White hat?

If it wasn't being exploited by Chinese hackers before it's going to be exploited now!

Re:White hat?

[Securityemo]

You seem to assume that any eventual spy-hackers couldn't (or haven't) come up with efficient fuzzer tools like this on their own. Assuming knowledge on how to write this class of exploits and domain knowledge of the protocol or file structure being attacked, any programmer here could write a fuzzer like this.

MS denied accusations

[should_be_linear]

"We consider all Mr. Zalewski claims invalid. Obviously he didn't contact Security Experts for IE in reality just like you cannot contact Santa".

On FF block pop up windows

[roman_mir]

Didn't work for me until I turned off the 'block pop-up windows' in Tools-Options-Content.

So I'll keep that window pop-up blocker turned on I guess.

Rather misleading...

[MerelyASetback]

The summary made it sound like IE had 100 vulnerabilities, while the article stated that there was 100 vulnerabilities between 5 browsers ...

Dup, and they didn't ask "Google" anything.

[lseltzer]

First, this article is basically a dupe of one from a couple days ago. Second, Zalewski was working on his own and MS asked him, in his personal capacity, not to release the tool. I had all this in my PCMag article referenced in the previous /.

Re:Dup, and they didn't ask "Google" anything.

[lseltzer]

I didn't write that title, the /. editor did

Reading difficulties

The title should be changed to:
Microsoft asked a guy who works at Google to delay publishing work he did on his own time and did not publish through Google or as a representative of Google.

Zalewski?

[bluefoxlucid]

Is that the guy that wrote "Silence on the Wire"? That was a good book of not-likely attacks that are completely and utterly practical, at least in a lab environment consisting of "my living room and $10 of shit I bought off Mouser." Reading the blinking lights off modems, for example.

Re:Can't blame him

A linux user who hasn't bothered to set up a VPN to his house? Come on...

Re:Can't blame him

[Cylix]

Each HTML document loaded into the browser window becomes a document object. Elements such as forms, images, anchors and links are all represented through DOM model.

While I've re-written plenty of html on the fly using this very model I've never stopped to see if the newly created points were accessible. I'm sure there are other techniques they are using or they could simply copy data in and out of an element vigorously.

This isn't too surprising since I have managed to crash browsers before and where there is a crash is a potential hole. Still, hats off for finding an inventive way of getting inside.

Why MS don't like to fix a vulnerabilities?

[gest.hds]

CIA (or maybe China Gov) asks MS to delay fuzzer tool.

Re:Can't blame him

[Dishevel]

A /. reader that dose not have control over their own computer at work. Lols.

Enough with Polish jokes!

[Ecuador]

Polish Google security white hat Michal Zalewski

-What's your name?
-Zalewski
-Zalewski? Is that Polish?
-Yes.
-Are you trying to do some Polish humor?
-That's..
-SHUT UP!
-That's just my name..
-SHUT UP! I don't appreciate racial slurs! I think them dumb Pollacks have been ridiculed enough!

MS's edge has always been cash and inertia

[HeckRuler]

Microsoft's edge has always been their ability to buy companies' products (and companies themselves) and sell them at profit and the locked-in nature of their clients. They are a business company that deals in technology rather then a technology company doing business.
There are exceptions, like their entry into the gaming arena, but don't forget their primary nature.

Um, you're kidding.

[dwheeler]

Um, what? It's hard to estimate profit margins, but Daniel Eran Dilger estimates that Microsoft has a 66% profit margin on Office and 81% on Windows. That's far beyond typical profit margins, so such prices are not "rock bottom".

Re:Um, you're kidding.

[John+Hasler]

Since the marginal cost of a copy of Office is zero Microsoft's "profit margin" is meaningless. What counts is return on investment.

which?

[HeckRuler]

Dumping the currency, or the embargo? Because the answer is still "yes", either way. Globalization means we're all in this together. You can't hurt the othe without hurting yourself.
And, consequently, if they fuck up with say, a huge housing bubble or some such, it'll mean we have to share the pain.

Re:which?

[geckipede]

On that particular issue, you don't have to worry too much. The Chinese government do pay attention to private investments and have a tendency to mess about with the market to stop them getting out of hand.

When they saw people investing in housing, they reacted with a new build scheme that put up masses of new flats ready for use at almost any price level, which dropped the value of existing housing. It didn't entirely stop a fashion for housing investment, but nobody's fooled into thinking that it's a magic money making machine.

Re:Can't blame him

[bigstrat2003]

Having control over one's computer has nothing to do with having control over the company network.

Re:Can't blame him

[element-o.p.]

It happens. For example, I don't currently have a VPN to my home network because my home network is currently off the air while I am migrating from one Internet service to another. That, and the fact that I have worked in IT long enough that after spending 40+ hours a week at work building networks professionally, I don't particularly want to spend much more time twiddling with my home network after hours.

Fuzz stuff!!

[dwheeler]

Once again, it's clear that fuzzing is really useful for testing security. Not that it's a be-all/end-all, but people developing secure software should be using fuzzers. It's unfortunate that this fuzzer's "design can make it unexpectedly difficult to get clean, deterministic repro"; without deterministic repros, it's often really hard to find and fix the problem.

Re:Any release over a holiday is a dick move!

[99BottlesOfBeerInMyF]

According to this dude's timeline [coredump.cx]. He contacted them on December 20th, and got a real reply the next day.

You fail to note that the contact in December was a reminder that he was releasing the tool. He sent them the original crash reports in July and then more detailed info in August. MS security researchers were apparently unable, unwilling, or just too lazy to do the work to replicate the bugs or contact Mr. Zalewski for the next four months until he reminds them twice more in December about the issues.

By December Mr. Zalewski was no longer wiling to give MS extra time, not because he was looking for publicity, but because he had real indications that the exploits were already known to other parties and the situation had become one that needed immediate action on the part of users and sys admins to defend themselves pending a fix from MS. I have to disagree with you about him being a dick. He was very responsible on this one, even when dealing with a vendor that ha an abysmal track record of making timely fixes for periods lasting years, right until there is public disclosure.

Re:Can't blame him

[bill_mcgonigle]

They must pay a fortune in support costs if their IT folks can't look stuff up on blogs. Self-correcting in the end.

however

[fireylord]

I wouldn't be so sure that this wouldnt work without popups if the implementation was changed.

You must be new here (n/t)

[fireylord]

n/t

Re:You must be new here (n/t)

[MerelyASetback]

No, I'm well aware there's an anti-microsoft bias, don't worry.

Re:Can't blame him

[bucky0]

You don't have somewhere you can SSH tunnel or VPN to? Maybe your home machine?

Re:Can't blame him

[bigstrat2003]

I do, although I haven't tried as I have had no real desire to provoke someone's ire if I get caught (simply put, looking at whatever I want to on the web isn't worth any risk to my job, however small). Fortunately, the restrictions got relaxed recently now that we have a better proxy that allows people to be given different levels of open access.

We also set up and test equipment for people that work at home, so we have a separate connection from the outside for that. Good times! ;)

Foxconn and working conditions

[Loopy]

Foxconn is one of the better Chinese employers. There are a lot of employers that are a whole lot worse.

This is a meaningless statement. Primarily because saying there are a lot of companies that are worse is telling us something we already know about ANY country. Further, stating Foxconn is one of the better Chinese employers removes any context. I was at their Long Hua facility for two months a few years back. Foxconn is the running joke of the Shenzhen tech area: they pay much worse than almost all of their competitors, so employees work there for 6-12 months just to get enough experience so that the other guys will hire them...for 140-180% or more pay.

One wonders what your agenda was in making the claim in the first place.

Security Essential

[kmoser]

No problem. I have Microsoft Security Essentials, which protects against exploitation of bugs in Microsoft products, so I don't have to worry about anything.