Slashdot Mirror


Microsoft Modifies Open-Source Code, Blows Hole In Windows Defender (theregister.co.uk)

An anonymous reader quotes a report from The Register: A remote-code execution vulnerability in Windows Defender -- a flaw that can be exploited by malicious .rar files to run malware on PCs -- has been traced back to an open-source archiving tool Microsoft adopted for its own use. The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware Protection Engine (1.1.14700.5) in Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. This update should be installed, or may have been automatically installed already on your device. The vulnerability can be leveraged by an attacker to achieve remote code execution on a victim's machine simply by getting the mark to download -- via a webpage or email or similar -- a specially crafted .rar file while the anti-malware engine's scanning feature is on. In many cases, this analysis is set to happen automatically.

When the malware engine scans the malicious archive, it triggers a memory corruption bug that leads to the execution of evil code smuggled within the file with powerful LocalSystem rights, granting total control over the computer. The screwup was discovered and reported to Microsoft by legendary security researcher Halvar Flake, now working for Google. Flake was able to trace the vulnerability back to an older version of unrar, an open-source archiving utility used to unpack .rar archives. Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.
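As an added illustration of the signed-to-unsigned problem described above, here is constructed example code (not The Register's, Microsoft's, or unrar's code): a length check written for signed values, the same check after a mechanical conversion to unsigned, and the form the check needs once the types are unsigned. The header layout, NAME_MAX and TRAILER_SIZE are assumptions, not the RAR format.

```c
/* Added example: how a mechanical signed -> unsigned type change defeats a
 * bounds check that relied on negative results, and the equivalent check
 * written correctly for unsigned values. Constructed; the header layout,
 * NAME_MAX and TRAILER_SIZE are assumptions, not unrar's format. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX     64   /* fixed-size name buffer (assumed) */
#define TRAILER_SIZE 4    /* bytes that must follow the name, e.g. a CRC (assumed) */

/* Check as written with signed lengths. When name_len exceeds avail the
 * subtraction goes negative, which is below TRAILER_SIZE, so it is rejected. */
static bool header_ok_signed(int32_t avail, int32_t name_len)
{
    if (name_len < 0 || name_len >= NAME_MAX)
        return false;
    if (avail - name_len < TRAILER_SIZE)   /* name + trailer must fit in chunk */
        return false;
    return true;
}

/* The same check after an s/int32_t/uint32_t/ conversion. name_len > avail now
 * makes avail - name_len wrap to a huge value that is never < TRAILER_SIZE, so
 * an oversized name is accepted and a following copy would read past the chunk. */
static bool header_ok_unsigned_converted(uint32_t avail, uint32_t name_len)
{
    if (name_len >= NAME_MAX)
        return false;
    if (avail - name_len < TRAILER_SIZE)   /* wraps instead of going negative */
        return false;
    return true;
}

/* Correct unsigned form: compare before subtracting so nothing can wrap. */
static bool header_ok_hardened(uint32_t avail, uint32_t name_len)
{
    if (name_len >= NAME_MAX)
        return false;
    if (name_len > avail)                  /* would read past the chunk */
        return false;
    return avail - name_len >= TRAILER_SIZE;
}

/* Parse a constructed header: [u8 name_len][name bytes][TRAILER_SIZE bytes].
 * Returns the name length on success, -1 if rejected. Uses the hardened check. */
static int parse_name(const uint8_t *chunk, uint32_t avail, char name_out[NAME_MAX])
{
    if (avail < 1)
        return -1;
    uint32_t name_len = chunk[0];
    if (!header_ok_hardened(avail - 1, name_len))
        return -1;
    memcpy(name_out, chunk + 1, name_len);
    name_out[name_len] = '\0';
    return (int)name_len;
}

/* Constructed sample input: a valid header, and one claiming a 40-byte name
 * inside a 10-byte chunk. */
static const uint8_t good_chunk[] = { 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0, 0 };
static const uint8_t bad_chunk[]  = { 40, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

int main(void)
{
    char name[NAME_MAX];
    printf("signed check on bad header:    %s\n", header_ok_signed(9, 40) ? "accepted" : "rejected");
    printf("converted check on bad header: %s\n", header_ok_unsigned_converted(9, 40) ? "accepted" : "rejected");
    printf("hardened check on bad header:  %s\n", header_ok_hardened(9, 40) ? "accepted" : "rejected");
    printf("parse good chunk: %d\n", parse_name(good_chunk, sizeof good_chunk, name));
    printf("parse bad chunk:  %d\n", parse_name(bad_chunk, sizeof bad_chunk, name));
    return 0;
}
```

The converted check is the one worth staring at: the subtraction that used to go negative now wraps, and nothing in the function can tell. Compilers with extra warnings enabled flag tautological unsigned comparisons, but a wrapped subtraction compared against a positive constant produces no warning at all, which is why a bulk type change needs a review of every comparison it touches rather than a build that happens to succeed.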

71 comments

  1. Re:So Yesterday.. the news cycle is faster.. by Anonymous Coward · · Score: 0

    I think they were holding off so that all of the idiots who actually use Windows Defender could get exploited.

  2. Microsoft is a clueless newbie by Required+Snark · · Score: 4, Insightful
    Mass search and replace with no testing. A complete lack of understanding of simple principles of numeric comparisons. Not knowing the difference between unsigned and signed integers.

    Sounds exactly like standard operating procedure at Microsoft.

    Microsoft: bringing the Blue Screen of Death to Open Source Software since 2015.

    --
    Why is Snark Required?
    1. Re:Microsoft is a clueless newbie by Anonymous Coward · · Score: 0

      Seeing as closed source is the biggest contributor to open source...yeah it makes sense. How about that Heartbleed

    2. Re:Microsoft is a clueless newbie by Opportunist · · Score: 1

      Yeah, whataboutism, I mean, what about it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Microsoft is a clueless newbie by Anonymous Coward · · Score: 0

      these are the minds behind the most-used desktop operating system, office software, and corporate email system in the world... makes you wonder what other stupid, incompetent shit is in their software.

    4. Re:Microsoft is a clueless newbie by Anonymous Coward · · Score: 0

      If you're only now worrying about that, then you clearly haven't been paying attention.

  3. Re:So yesterday Beau... way to stay on top of it. by Anonymous Coward · · Score: 0

    That's why I'm listening to the current news right now on 4840 KHz.

  4. "Open source" = geek-click-bait by davidwr · · Score: 5, Insightful

    Nothing to see here.

    Someone at MS modified code without understanding all the implications, and/or they modified code and someone else at MS called the code without being aware of the modification.

    "Forking open source code" could just as easily have been "bought closed-source project from third party then modified it," "hired contractor to write a library then modified it," or "forked code from another MS project then modified it."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:"Open source" = geek-click-bait by Anonymous Coward · · Score: 2, Insightful

      Nothing to see here.

      Someone at MS modified code without understanding all the implications, and/or they modified code and someone else at MS called the code without being aware of the modification.

      Yep, nothing to see here. People at MS take code and modify it without understanding about integer overflows and signing conversion. It's not like that code goes into anything important used on billions of devices that could be exploited by mere exposure to a certain crafted filetype that mere possession should not be harmless. Certainly, MS hires people who know to take code from all sorts of sources and improve the good where those original authors don't have the discipline to write secure code.

      In all seriousness, good thing Microsoft doesn't contribute to any open source projects. Right?

    2. Re:"Open source" = geek-click-bait by LoneTech · · Score: 2

      Except the open source part meant: 1) They could make the modifications, 2) they could share those modifications, 3) the maintainer (or anyone competent) could have vetted and merged the changes, 4) there was no need to make the changes.

      The breakage in this case happened because they made the change carelessly and chose not to participate in the usual quality control. And it caused a major security flaw in the program they force on users specifically for security. I'll grant you the situation would be no better with non-free software, and the carelessness in security critical contexts is a bigger issue, but open source had relevance.

    3. Re:"Open source" = geek-click-bait by drinkypoo · · Score: 0

      I'll grant you the situation would be no better with non-free software, and the carelessness in security critical contexts is a bigger issue, but open source had relevance.

      You can have the same kinds of problems with closed-source if you just don't update the component. Sure, they made the change in this case, but this kind of sloppy behavior can just as easily result in hiding a security vulnerability brought in with a closed-source component.

      In this case, it was the behavior that was relevant, not the code licensing model.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:"Open source" = geek-click-bait by Anonymous Coward · · Score: 0

      Microsoft doesn't publish these changes back to the community or to their clients so the code can be reviewed. This is one of the longstanding problems of open source, versus free software, licensing. It can make it much easier to proprietize and make a business of your fork of an open source project, but it takes the code out of community review and of client developer access to source code.

      In general, it's why I prefer free software licensing. I'd like my clients and users of my code to publish, so that I or others like me can be aware that they are publishing broken software and can publish fixes.

    5. Re:"Open source" = geek-click-bait by sad_ · · Score: 1

      except for the fact that MS is using OSS in their products. OK, that is nothing new, but worth repeating.
      the other news is of course they are using it wrong and thus introducing errors/bugs into their products.
      and lastly, the headline makes it sound as if it's all the fault of OSS, while the opposite is true.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
  5. Same old same old by Ol+Olsoc · · Score: 2

    This is a Microsoft product. So it is no surprise. Been a very insecure week for them. But they are getting better at simply inviting the bad guy in. Black Hats are thankin' ya Mister Nutella.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  6. "The screwup" by FredrikKarlsson · · Score: 0

    Why this condonation in the article?

    1. Re:"The screwup" by BlueStrat · · Score: 1

      Why this condonation in the article?

      Probably as a "condom"-ation measure. :P

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    2. Re:"The screwup" by goose-incarnated · · Score: 1

      Why this condonation in the article?

      I think you mean condemnation?

      --
      I'm a minority race. Save your vitriol for white people.
  7. GPL Violation? by hackel · · Score: 1, Flamebait

    It seems like the bigger story here is that Microsoft has included code from the GPL-licensed unrar in their Windows Defender product, without releasing the full source code as required by the license agreement. Am I missing anything? The FSF needs to go after them for this!

    1. Re:GPL Violation? by Anonymous Coward · · Score: 2, Informative

      Unrar is not GPL licensed. Its freeware.

    2. Re:GPL Violation? by DamnOregonian · · Score: 1

      Am I missing anything?

      You are. unrar's source is licensed under either a BSD-like license, or the GPL, your choice.

    3. Re:GPL Violation? by tlhIngan · · Score: 1

      You are. unrar's source is licensed under either a BSD-like license, or the GPL, your choice.

      Or... neither?

      Looking at the official UnRAR source code (from https://www.rarlab.com/rar_add... ), the license.txt is really a BSD-ish style license. No GPL at all. Basically you can use it to handle RAR archives, as long as you don't use it to reverse-engineer RAR compression. No warranty, blah blah blah, but you're free to include it in anything to handle RAR archives.

    4. Re:GPL Violation? by Anonymous Coward · · Score: 0

      Alexander Roshal

      Anyone notice that is the chess player and not the author of WinRar?

      The author is Eugene Roshal.

      Interesting switch?

    5. Re:GPL Violation? by DamnOregonian · · Score: 1
      FTL:

      ALTERNATIVELY, provided that this notice is retained in full, this product may be distributed under the terms of the GNU General Public License (GPL), in which case the provisions of the GPL apply INSTEAD OF those given above.

      Like I said, it's a bsd-like license, or GPL. Your call.

    6. Re:GPL Violation? by david_thornley · · Score: 1

      I always thought it was a good thing that Microsoft got BSD networking code. The GPL(s) really aren't suited for infrastructure code.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  8. Different license? Re:GPL Violation? by davidwr · · Score: 1

    Maybe they used a version with a license similar to this one.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  9. Re:blowing a hole by Anonymous Coward · · Score: 0

    Just in case anyone on slashdot cares, the goatse link from GP does not go to the infamous goatse.cx site, but points to goatse.info which is the cryptocurrency site for Goatse Coin.

    Another internet tradition fades away...

  10. != Bigger Story by Anonymous Coward · · Score: 0

    No, that's not the bigger story. Get some perspective. This is a severe vulnerability that is going to cause very serious problems for god-knows-how-many people. The impact of this being exploited is far more important than whether or not MS violated the licence for unrar.

    1. Re:!= Bigger Story by Anonymous Coward · · Score: 0

      It's already been patched. If you have one of the affected products, go Help->About and check that the engine version is 1.1.14700.5 or higher.

    2. Re:!= Bigger Story by Anonymous Coward · · Score: 0

      No, that's not the bigger story. Get some perspective. This is a severe vulnerability that is going to cause very serious problems for god-knows-how-many people. The impact of this being exploited is far more important than whether or not MS violated the licence for unrar.

      I believe you should take your own advice, and get some perspective.

      One vulnerability (now patched) discovered in early 2018 that affected N people, and will affect +C more who don't patch their systems.
      In 10 years, this vulnerability will be all but forgotten by almost everyone reading this Slashdot article today, let alone the general public.

      The impact of Microsoft violating a license (which it appears they did not) would be a HUGE shift in the legals around software intellectual property if allowed to go unchecked.
      It's like saying, "Sure, anybody is allowed to record the movie while they're in the theatre."
      or "Retail stores discourage but aren't going to prosecute theft any more."
      In 10 years, those entire industries would operate completely differently than what we know today.

  11. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    One of the lowest comments I've witnessed here. Even considering the worthless racist AC ones.

    And with a 2 score.

  12. Easy Fix by Anonymous Coward · · Score: 0

    just disable the option to scan compressed archives.

    1. Re:Easy Fix by Bert64 · · Score: 1

      Then you just hide some malware inside a compressed archive and it goes through, although setting a password on the archive works too as the scanner doesn't know the password and can't look at the contents.

      The fundamental flaw with AV software, especially on endpoints, is that you have extremely complex code parsing potentially hostile data while running at a high privilege level. Anyone with a basic understanding of security knows what a huge risk this is.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Easy Fix by ls671 · · Score: 1

      Well, it seems to me that it wouldn't be too hard to put the scanning process into a sandbox or do "su - nobody -c scanprocess file" then, return the results of the scan to the highly privileged main AV process.

      I have applied this pattern many times...

      --
      Everything I write is lies, read between the lines.
    3. Re:Easy Fix by Anonymous Coward · · Score: 0

      The fundamental flaw of AV software is needing it in the first place.

      Too much sw running with too much privilege, that is the problem. (And it is the microsoft way of doing things, so hard to fix on windows.) A weak os with lots of known holes is another problem.

      On other OSes, not having AV is not a problem. Making a working virus is much harder, and there is little gain as the user you eventually infect doesn't have privileges. Can't take over the machine permanently, can't open sockets to run a virus server . . .

    4. Re:Easy Fix by Opportunist · · Score: 1

      And it's equally easy to defeat this by simply behaving differently if not allowed privileged access to resources. Can't access device drivers? Oh, then I'm just a notepad program that waits for your input, dear master.

      Can I? Then I'm your worst nightmare.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Easy Fix by Opportunist · · Score: 1

      If cryptolocker etc. proved one thing, then that privilege levels mean jack shit when it comes to destructiveness. What are the files that really matter to you? The ones that you have in your directory, your documents, your mail, your spreadsheets, your holiday pictures and "family movies". What kind of privileges do you need to read, write, modify or delete those files? The ones the user already has.

      The main reason for not having an AV on Linux is mostly the same reason there is less commercial software for it: Less of a market. You can actually see the popularity of an OS coincide with the amount of malware for it, when MacOS finally caught traction and gained a market share above a level where it even registers, the malware to accompany it was not far behind.

      And yes, I give you that it's probably much harder to dig malware deeply into the depths of the Linux system, but unless you need a jump host for further attacks, that's not what you're after. The current waves of malware want to gather data, to destroy data or to hold it ransom. And for none of these things you need privileged access.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Easy Fix by Bert64 · · Score: 1

      We do exactly that for gateway devices (mail/web filters) and it works out ok, and severely reduces the amount of crap which reaches end user's systems.
      For a desktop this would incur an overhead and make the AV product slower and more bloated than it already is, and there would still need to be part of it running with a high privilege in order to intercept data.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. NOT GPL. by Anonymous Coward · · Score: 0

    However if they didn't disclose in the Windows Defender documentation somewhere prominent that it is a violation of the license to use said code to reverse engineer the RAR file format, then they may have voided their license rights under the otherwise permissive license and Alexander Roshal may have standing to sue them.

    While I don't much appreciate the RAR format for making my life difficult, I would appreciate seeing him get a punitive payday over Microsoft from it :)

    1. Re:NOT GPL. by Anonymous Coward · · Score: 2, Informative

      However if they didn't disclose in the Windows Defender documentation somewhere prominent that it is a violation of the license to use said code to reverse engineer the RAR file format, then they may have voided their license rights under the otherwise permissive license and Alexander Roshal may have standing to sue them.

      No.

      Here, let's remove all doubt about this license issue, shall we?

      UnRAR - free utility for RAR archives
      License for use and distribution of FREE portable version

      The source code of UnRAR utility is freeware. This means:

      1. All copyrights to RAR and the utility UnRAR are exclusively
         owned by the author - Alexander Roshal.
      2. UnRAR source code may be used in any software to handle
         RAR archives without limitations free of charge, but cannot be
         used to develop RAR (WinRAR) compatible archiver and to
         re-create RAR compression algorithm, which is proprietary.
         Distribution of modified UnRAR source code in separate form
         or as a part of other software is permitted, provided that
         full text of this paragraph, starting from "UnRAR source code"
         words, is included in license, or in documentation if license
         is not available, and in source code comments of resulting package.
      3. The UnRAR utility may be freely distributed. It is allowed
         to distribute UnRAR inside of other software packages.
      4. THE RAR ARCHIVER AND THE UnRAR UTILITY ARE DISTRIBUTED "AS IS".
         NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE AT
         YOUR OWN RISK. THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS,
         DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING
         OR MISUSING THIS SOFTWARE.
      5. Installing and using the UnRAR utility signifies acceptance of
         these terms and conditions of the license.
      6. If you don't agree with terms of the license you must remove
         UnRAR files from your storage devices and cease to use the
         utility.

      Thank you for your interest in RAR and UnRAR.

      Alexander L. Roshal

      Microsoft is not distributing their modified source code so they are not required to display this license in a separate license file, or program documentation, or comments in modified source code. They are not distributing source code because they don't have to. Clause 3 allows the utility to be distributed freely within other software without limitations. If Microsoft open sourced their anti-virus program and published its source code with the included unrar source code, then it would have to include the unrar license in some form as described above.

    2. Re:NOT GPL. by BlueStrat · · Score: 1

      Microsoft is not distributing their modified source code so they are not required to display this license in a separate license file, or program documentation, or comments in modified source code. They are not distributing source code because they don't have to. Clause 3 allows the utility to be distributed freely within other software without limitations. If Microsoft open sourced their anti-virus program and published its source code with the included unrar source code, then it would have to include the unrar license in some form as described above.

      Yes, but never mind all that "free license" and "it is allowed to include within" unintelligible legal mumbo-jumbo!

      This is *Slashdot*!

      "Give me six lines of code written by the hand of another included in Windows, and I shall find something within them to convict Microsoft!"

      Strat :)

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:NOT GPL. by chmod+a+x+mojo · · Score: 1

      2. UnRAR source code may be used in any software to handle
         RAR archives without limitations free of charge, but cannot be
         used to develop RAR (WinRAR) compatible archiver and to
         re-create RAR compression algorithm, which is proprietary.
         Distribution of modified UnRAR source code in separate form
         or as a part of other software is permitted, provided that
         full text of this paragraph, starting from "UnRAR source code"
         words, is included in license, or in documentation if license
         is not available, and in source code comments of resulting package.

      3. The UnRAR utility may be freely distributed. It is allowed
         to distribute UnRAR inside of other software packages.

      Shitty wording on the licence part, but the code is distributed in compiled binary form as a part of the software. MS would have to display the license in the "about" section that covers licences. They probably do, I've never looked, but these things are the type of things that the lawyers would make damn sure that the devs knew about.

      --
      To err is human; effective mayhem requires the root password!
    4. Re:NOT GPL. by Anonymous Coward · · Score: 0

      > but the code is distributed in compiled binary form as a part of the software.

      No. Remember that unrar is used by open source software developers as well as closed source software providers of virtually every Windows anti-virus product that scans archives. If you are an open source provider and include unrar source code with the release of your own source code, you're required to include the unrar license somewhere in a file like copying.txt, or documentation, or in your own comment section for your own source. Source code is not compiled binary. Unrar "utility", OTOH, refers to the portable compiled binary that can be freely distributed without limitation.

    5. Re:NOT GPL. by suutar · · Score: 1

      It really depends what Alexander Roshal thinks "in separate form" means. So far I'm not aware of him claiming that a compiled binary is a form of source code, but I'm sure enough of a case could be made to take it to court if he wanted to.

  14. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    You haven't been here long, have you?

  15. How is this news? by Anonymous Coward · · Score: 0

    If MS put something out that wasn't a massive security hole, that would be news.

    MS hires nothing but numb-nuts and this is the predictable result.

  16. Re: H1B company top to bottom by phantomfive · · Score: 1

    There aren't many programmers who enjoy programming anymore. They are tough to find....Ever since the job became so lucrative. Besides, why do you think Americans are better programmers? It's not true.

    --
    "First they came for the slanderers and i said nothing."
  17. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    I'm from a third world country (not India), and even if it's shameful for me, it's true. I like to think this doesn't apply to me, but mostly our standard for excellence is very low and people's motivation to do a good job reaches only to the point where they get their wages, with absolutely no desire to go beyond, learn more, or do better. Most of our programmers, with some exceptions, don't even speak passable English, and come from a diploma mill. When we hire, our average candidate's grade in a standardized international Java exam is 20/100, even below what someone would get answering randomly.

    And how can we get good professors or good candidates to begin with if all good talent (along with some of the bad ones) is H1B hired in the US? I don't live in the US and hate your H1B program, as we cannot compete with the wages you offer to the few talented people we have. We used to have an IBM research lab in the 80's and some incredibly competent people (who were once my university professors), but all of them are long gone abroad.

    Source: I split my time between being a professor at a major university and having an IT company.

  18. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    Do you work at being an asshole or does it just come naturally to you?

  19. Re: H1B company top to bottom by Anonymous Coward · · Score: 0

    why do you think Americans are better programmers?

    Puritan work ethic. It's good and bad.

    An expectation of excellence. It's good and bad.

    High competitiveness and a willingness to ignore work-life balance for greater professional achievement. It's good and bad.

    American programmers. They are better. Decades of facts prove that true.

  20. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    Damn I need some popcorn; this shit is funny.
    You act as if Microsoft had some heyday in the past where they were competent.

  21. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    You didn't refute any of his points. You didn't even try.

    If they were so "low", it would have been easy and in your favor to have done so.

    But you didn't. Because you couldn't.

  22. Re: H1B company top to bottom by phantomfive · · Score: 1

    The puritan work ethic is dead.

    --
    "First they came for the slanderers and i said nothing."
  23. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    I actually feel stupider after reading your post. Seriously. Somehow the black hole of your stupidity reached out across the internets and made me slightly stupider than I was before. The only way I can figure it out is if you have negative IQ. You should get that checked out.

  24. Re:H1B company top to bottom by Bert64 · · Score: 1

    mostly our standard for excellence is very low and people's motivation to do a good job reaches only to the point where they get their wages, with absolutely no desire to go beyond, learn more, or do better.

    This applies to first world countries too...

    However, there is generally a higher standard of education available and ability to speak English is a given in the US and other English-speaking countries.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  25. run scanner with lowest privileges by weberjn · · Score: 1

    No need that the scanner runs with LocalSystem rights, it could run standalone with no privileges and could be fed the files to scan by some RPC mechanism.

    1. Re:run scanner with lowest privileges by Opportunist · · Score: 1

      Yes, what really makes a system more secure is making it more complicated with more moving parts... try again.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:run scanner with lowest privileges by Anonymous Coward · · Score: 0

      No need that the scanner runs with LocalSystem rights, and in fact you don't need another virus scanner. Google Chrome already incorporates a virus scanner and scans your system, secretly, while you're browsing the web.

      FTFY

  26. Re:H1B company top to bottom by AHuxley · · Score: 1
    --
    Domestic spying is now "Benign Information Gathering"
  27. Re: H1B company top to bottom by Anonymous Coward · · Score: 0

    Please present the decades of facts you speak of.

  28. wow are you dumb by Anonymous Coward · · Score: 0

    No need that the scanner runs with LocalSystem rights, it could run standalone with no privileges and could be fed the files to scan by some RPC mechanism.

    you don't understand a bloody goddamned THING about computer security if you think that secure code should trust the answers it gets from untrusted code
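The privilege-separation pattern proposed in the "Easy Fix" and "run scanner with lowest privileges" comments (parser in a disposable unprivileged process, verdict handed back to the privileged side), combined with the objection just above that the privileged side must not trust whatever it gets back, as an added example. This is constructed code, not from any commenter or any AV product; the markers, verdict codes and sample inputs are invented, and the actual privilege drop or sandboxing of the child is only marked as a placeholder because it needs root.

```c
/* Added example (constructed, not from any AV product): run the untrusted
 * parsing step in a separate, disposable child process and let the privileged
 * parent accept only a one-byte verdict that it validates strictly. A crash in
 * the child is reported as a scanner error, never as "clean". Privilege drop
 * and sandboxing of the child (setuid/seccomp, a Windows job object) are left
 * out because they need root; the comment below marks where they belong. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { SCAN_CLEAN = 0, SCAN_MALICIOUS = 1, SCAN_ERROR = 2 };

/* Constructed markers standing in for a real detection and for a parser bug. */
static const char MALICIOUS_MARKER[] = "CONSTRUCTED-BAD-MARKER";
static const char CRASH_MARKER[]     = "CONSTRUCTED-CRASH-MARKER";

/* The "complex code parsing hostile data" part. Runs only inside the child. */
static unsigned char scan_untrusted(const char *data)
{
    if (strstr(data, CRASH_MARKER) != NULL)
        abort();   /* simulates a memory-corruption crash in the parser */
    if (strstr(data, MALICIOUS_MARKER) != NULL)
        return SCAN_MALICIOUS;
    return SCAN_CLEAN;
}

/* Privileged side: fork, collect exactly one byte, trust nothing else. */
static enum verdict scan_isolated(const char *data)
{
    int fds[2];
    if (pipe(fds) != 0)
        return SCAN_ERROR;
    pid_t pid = fork();
    if (pid < 0)
        return SCAN_ERROR;
    if (pid == 0) {
        close(fds[0]);
        /* placeholder: drop privileges / apply sandbox here, before parsing */
        unsigned char v = scan_untrusted(data);
        (void)!write(fds[1], &v, 1);
        _exit(0);
    }
    close(fds[1]);
    unsigned char reply = 0xff;
    ssize_t n = read(fds[0], &reply, 1);
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return SCAN_ERROR;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return SCAN_ERROR;   /* child crashed or was killed: not a clean result */
    if (n != 1)
        return SCAN_ERROR;   /* no verdict delivered */
    if (reply != SCAN_CLEAN && reply != SCAN_MALICIOUS)
        return SCAN_ERROR;   /* anything unexpected from the child is rejected */
    return (enum verdict)reply;
}

/* Constructed sample inputs. */
static const char sample_clean[] = "ordinary archive bytes, nothing to see";
static const char sample_bad[]   = "archive bytes CONSTRUCTED-BAD-MARKER more bytes";
static const char sample_crash[] = "archive bytes CONSTRUCTED-CRASH-MARKER more bytes";

int main(void)
{
    static const char *names[] = { "clean", "malicious", "error" };
    printf("clean sample:  %s\n", names[scan_isolated(sample_clean)]);
    printf("bad sample:    %s\n", names[scan_isolated(sample_bad)]);
    printf("crash sample:  %s\n", names[scan_isolated(sample_crash)]);
    return 0;
}
```

The point of the three late checks in scan_isolated is the one raised in the comment above: the parent does not take the child's word for anything. A missing byte, an abnormal exit or an out-of-range value all collapse to SCAN_ERROR, so a parser bug turns into a logged scan failure on an unprivileged process rather than code running as LocalSystem, and "error" is never silently promoted to "clean".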

  29. Re:blowing a hole by Anonymous Coward · · Score: 0

    Holy cow I just assumed. Mentally I still see the "original" whenever that link appears in the brackets.

  30. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    Only kids and n00bs code in Java, real programmers code in C and assembler. Because real programmers aren't afraid of goto and global variables.

  31. Re: H1B company top to bottom by Anonymous Coward · · Score: 0

    It has little to do with who is better at what. I see excellent Indian programmers turn out complete turds that have to be fixed by their mediocre American peers on a pretty regular basis. A contributing factor, and the one I believe to be the most impactful, is that the Indian is a foreign contractor -- he has no skin in the game, and really couldn't care less if the product meets any standards of excellence, because his company will just find him another position should his current one be eliminated or the hiring company go tango uniform -- while the American has a job and benefits to defend.

    It also has something to do with the level of contractor you get. My company, for instance, has a special agreement with one of the largest H1B holders in the world to get their greenest contractors at a very low negotiated price. That means we have to train them to do their jobs, making them ineffective at the roles they are traditionally placed to fill, and once they start to get the hang of things their parent company places them elsewhere at a higher rate, giving us another green candidate to train.

    This leads to a lot of people disliking Indians based on copious, albeit negatively biased, first-hand experience, when they should be blaming the system and the companies that exploit it, foreign and domestic. And frankly, I can't blame them too much... most don't know the whole story, and can only draw conclusions based on what they see, which is pretty terrible.

  32. Re: H1B company top to bottom by wed128 · · Score: 1

    No it's not, it's just resting.

  33. Re:H1B company top to bottom by Anonymous Coward · · Score: 0

    > You haven't been here long, have you?

    I know your question is rhetoric (ha!), but since you asked I may have been here from the start.

    Wikipedia says Slashdot was founded in October 1997. I was searching about Linux before October 1998 when I bought my first Linux CD. That means I probably got to know /. in the earlier months of 1998 -- because I was interested in knowing what Linux was -- if not at the end of '97.

    So here's your answer: /. has been bad since long, but I'm older than the mediocrity era.