Microsoft up to Old Tricks Again
Anonymous Coward writes "According to ZDnet UK News, Microsoft is up to its old trick of breaking competing products by changing Windows. This time it's NT service pack 6, which strangely has a problem with Lotus Notes. It denies users 'access to Lotus Notes on NT unless they have been granted administrative access to the entire network.' So much for the 'findings of fact' putting Microsoft under pressure to stop this sort of thing." Related news: CEGadgets.com publishes the latest NT security hole.
"Old tricks" is right. Years ago, they used to say, "DOS isn't done until Lotus doesn't run."
19,999 of the "users" were computer-generated, using an expanded "Hello World" script.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Or maybe that's their hope. Infuriate him enough, and provoke him into doing or saying something rash, so that they've better odds in the appeals. It would be sneaky & underhand enough.
If that's what they're doing, you've got to hand it to them, for being devious and manipulative, above and beyond the call of profit.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
On the other hand, either way the end result is still the same in that Lotus gets broken, and that should have been caught in the extensive (yeah right) testing done by MS prior to releasing this beast on the world
The PCWeek dead tree edition from last week had this info in it. I don't have a URL link. It also mentioned that it caused problems with Compaq's Network Teaming when used with load balancing, causing BSODs. Compaq did issue a patch for that, though. One of the few times I have seen ZDNet recommend delaying putting it in until MS issues SP6 fixes.
Microsoft up to its old tricks? Has Slashdot finally sunk to such depths that it needs to create bogus headlines like these?
Please name me one operating system that has to, and in many cases succeeds in inter-operating with so many other systems. The weight that Microsoft carries and the scrutiny under which it carries that weight should be a warning to everyone who wants them out of the way.
Asinine headlines like this one from "Roblimo" only have a place with the rest of the quacks looking for "the smoking man" and UFOs. Because you are making the rest of us look like those quacks when you post that garbage here.
Here is to hoping that Atlas shrugs.
(And take note this post was written in Netscape, under Linux 2.3.x)
http://windows.scares.us
This isn't exactly a security hole. It's the old thing: If you tell any program to store a password locally, it must be insecure, for this program needs to send the password and needs to decrypt it then. You could use something more complicated than xor, but it doesn't change the fact. The only issue is that they should have warned more explicitly before letting you store the password locally.
first, I want to admit that I have not checked to see what it is that SP6 breaks in Lotus.
BUT: My company sells a piece of software that will not run (at all) if certain versions of Lotus notes are installed. We don't use or interface with Lotus in any way, we don't replace any system libraries.
So should we attack lotus for breaking our software?
Lotus clearly does things that are just dumb dumb dumb, so I am not surprised that small changes in windows-nt could potentially break them. Someone needs to show that MS did this on purpose before we point too many fingers.
(The details of my problem (not the SP6 issue) are that Lotus installs a buggy "hook-dll" that gets linked into all running apps on the machine (can you say virus) and it makes our app crash while it is loading. If you are familiar with Win32 programming I am sure you have encountered these stupid hook dlls.)
Who said "Never assign to maliciousness what cannot be explained by stupidity".
While the first link on this page could be explained as an MS conspiracy, the second points to the most likely reason. Namely, poor programming and testing.
Well, this certainly puts Lotus Notes in new light.
In its wisdom, Micro$oft has now declared Notes a tool of such power that should never be wielded by ordinary users.
Apparently SP6 does exactly what it should: plug a security hole.
There is no such thing as good luck. There is only misfortune and its occasional absence.
I don't really think that MS did this purposely to take down Lotus. Especially because of the FoF. But this is just a situation that happens when you control the OS and the applications. You do things for your stuff and your stuff alone. You don't care if you hurt someone on the way. MS is trying hard to get companies to develop on their OS again, since most are scared to. If they get a good product, then MS will either buy them out (a good thing for them) or come out with a clone and destroy them (a bad thing). And MS is wondering why no one is developing for them. Of course they don't want Lotus to develop on their OS, since that competes with their stuff.
;)
Thank God that MS failed to buy Quicken. It's the only product left that I use on the MS platform. Someday (hopefully) they will port to Linux.
Steven Rostedt
-- Nevermind
Microsoft is promising a hotfix.
I knew about this one over a week ago. Here is a description of the cause from the VNC mailing list.
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
Breaking Lotus might have been Just Gravy, but more likely was an accidental result to a proactive security fix.
I was reading about the SP6 fix earlier, and am desperately trying to remember which other application was having the same problems Lotus was, but have so far failed. Essentially, Microsoft had been granting all user-level applications raw socket access of some type--"raw ports" was the term being used. Likely, they discovered there were some security issues exploitable via this method.
Unfortunately, people were using this system for legitimate purposes, which caused a good chunk of programming to crash and burn all over.
We probably shouldn't be too harsh on MS for SP6--after all, how painful was the libc5->glibc upgrade effort? How many times did StarOffice mysteriously stop working?
That being said, it's extraordinarily likely that, with Microsoft's enormous test labs, they found that Lotus Notes broke with the new service pack, and intentionally neglected to inform Lotus that they'd need to put out a fix.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
PC Week article
It discusses the Lotus Notes bug in SP6. The MS web site says that a hot fix will be available next week.
One of the explanations forwarded by this article is that SP6 denies access to TCP/IP ports including 1352, which Notes uses, to all non-admin accounts, but the article goes on to say that IIS (I think?) could use that port with no difficulty.
Unconfirmed, but I have heard that SP 6 also prevents Domino (the Lotus Notes Server) from loading as a service.
MSFT has been collecting the benefit of the doubt for so long (i.e., 'trusted', as in trusting the fox to guard the henhouse) that now the tide has turned and even HONEST MISTAKES are perceived as wilful and malicious anti-competitive measures.
Spread enough FUD and it'll eventually come back to haunt you!
Chuck
try { do() || do_not(); } catch (JediException err) { yoda(err); }
If you saw the doe-eyed little Microsofties on C-SPAN dutifully tossing warm and fuzzy bunny softball questions at Algore and telling him how they come to work every day just to make the world a better place, you know this must be an innocent error on Microsoft's part.
Does anyone else remember, I think it was in the mid-eighties, when a PC Mag. column published a rumor that Windows was doing something to progressively decrease the performance of Lotus 1-2-3 and eventually crash it? Deja vu?
Microsoft: Making the World a Better Place, one B.S.O.D. at a time.
slashdot broke my sig
Domino runs almost everywhere (NT, 4 or 5 Unix variants, OS/2, Netware), so I don't think its NT version uses strange tricks to authenticate users. Besides, Notes/Domino authentication is a lot better/more sophisticated than the NT one.
;-)
AND, proposing that an NT admin would give Domain Admin rights to his users is plain NONSENSE. He would rather uninstall/not install SP6.
[GUESS MODE ON]
I do not think this has anything to do with the server: very probably it has to do with an option the Notes client has, that is, authenticating using NT services instead of native Notes authentication. That's a feature I personally never used, since it would be something like using telnet to log on as root when you have ssh up and working.
It's a feature Lotus put into the NT version of the client to mimic Exchange features and to avoid an additional password prompt. While having one less password prompt is IMHO a Good Thing, using a known-to-be-flawed auth engine is NOT...
Moreover, if you (as a Notes Security Admin) have issued valid passwords to your users upon creation, then disabling the SP6-ruined auth method is as simple as changing an INI file line inside a text file.
[GUESS MODE OFF]
Ciao,
Rob!
P.S.
This article reminds me of the kind of quality you usually get from Italian economic/political journalists. Yes, this is quite an insult...
AniToolBox! An Open Source animation program!
Is there ever going to be a separate Micro$oft section on /.? It would be nice for the some folks to get their fix in one place, and have highly applicable M$ stuff show up on the "front page".
This constant new old news gets, well, old. But when I have the time, I definitely like the laugh/throbbing veins, depending on the story.
~afniv
"One could be glad if the air were as clean as the beer"
Richard von Weizs
----
"Oh, bother," said Pooh, as he hid Piglet's mangled corpse.
I don't know if this was deliberate (I kind of doubt it), but if it's not deliberate it betrays an incredible degree of incompetence on Microsoft's part.
One of the reasons NT is so expensive is the heavy duty testing that goes into the product. Are we really to believe that MS didn't notice that they broke a major application?
If they didn't notice, they deserve to be lynched for gross incompetence. If they did notice, they should have either 1/ fixed the service pack, or 2/ notified Lotus well before the release so Lotus could issue a patch.
It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
This is just another case of MS shooting itself in the foot. Some people have been criticising MS for their testing practices, but this was the first SP that I received a beta of in the 9 months I have been receiving Technet as an MCSE. See, we are all running Win2k beta, so we can't be testing NT 4 SP6 beta, can we?
/ recommended/SP6/allSP6.asp
Seriously, if this was an attempt by the evil empire to slap Lotus around, why on earth would they wait till now, when every major corporation has a complete lockdown in anticipation of Y2k? Places that would be affected by this should have in place a major review of any system patches due to the y2k lockdown.
MS sez they will have a hot fix available next week, which probably means if one were to call their support lines, one could obtain it free of charge. (Note that normally MS charges per call, but will release hot fixes to people who can prove their need for them. Then hot fixes generally are released into a post-SPx dir on MS's ftp server, and then finally folded into the next SP. I have no desire to discuss people's woes of fee-based customer support, experience with customer support, or MS's hotfix practice. I am just telling it like it is).
http://www.microsoft.com/ntserver/nts/downloads
That is where MS sez the hot fix will be available next week.
The real problem here is how MS implements changes. Some people have claimed that an article says that every port over 1023 now needs admin access to open. This may well be true, but MS's readme file says absolutely nothing about this. This approach to security is insane. Learning about security in MS products is a gotcha! endeavor. They make changes by stealth. aieee
matt
I am not affiliated with Lotus Corporation. I just have to support it on Unix and NT. I just grabbed SP6 and tried it with Notes, and here's my answer:
SP6 requires you to have Admin rights to open a TCP port higher than 1023. That means things like IRC, NFS, Ingres, SNA, Lotus Notes, and hundreds of other things are affected.
Since there's that "magic" number of 1023 in there, I think it's more likely a programmer gaffe than a "Let's Sock it To Them" attitude from Microsoft. Lotus Notes uses port 1352 to communicate. There's an RFC that lists all the services, but most of you can `more /etc/services` to get a fair listing of TCP ports, and get an idea of which ones are affected.
Anyway, it's not just a Lotus vs. Microsoft problem.
I don't know about you guys, but the fact that some MS weenie used this scheme, and on top of that used Pegasus as the key, is funny as hell !!! MS is supposed to be the leading software firm in the world and they have no idea what is going out their door. All I can envision is a bunch of programmers giving clueless managers code that they have no idea how to test.
I, for one, am staying as far away from Win2000 as possible. It's clueless stuff like this fiasco that makes it impossible to trust MS. Without being able to review their code, I will never buy another product from them as long as I live. The sad thing for them is there are going to be a lot of people like me in the next few years who will apply that logic to business purchases as well.
MS is in a heap of trouble.
Hates people who have stupid little sigs
Maybe the libc maintainers should remove unsafe functions like strcpy() and gets() from the standard C library. Force developers to use safer versions like strncpy(). Am I overlooking something here? Isn't strcpy() the most common buffer overflow problem?
This would be a painful libc upgrade, but maybe it would be worthwhile. A possible upgrade path could be to leave strcpy() and friends in "libc7", but remove it from the headers. This would allow binary compatibility, but not source compatibility. Then in "libc8", remove the code for strcpy() and friends from the actual .so library! Backwards compatibility is important, but sometimes safety requires a little extra work.
cpeterso
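An added illustration (my own code, not from the thread or from any libc) of what the post above overlooks: strncpy() is not a drop-in safe strcpy(), because it writes no terminator when the source fills the buffer, and gets() needs a bounded reader, not just a different name. The helper names below are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounded replacement for strcpy(). Unlike strncpy() it always
 * NUL-terminates dst and reports truncation, so the caller can reject
 * over-long input instead of silently continuing with a cut-down value.
 * Returns 0 if src fit, -1 if it was truncated (dst is still a C string).
 */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);          /* n + 1 copies the terminator too */
    return 0;
}

/*
 * Why strncpy() is not a drop-in "safe strcpy": when strlen(src) >= n it
 * writes no terminator at all. Copies src into a poisoned buffer and
 * returns 1 if a NUL landed within the first n bytes, 0 if it did not.
 */
int strncpy_leaves_terminator(const char *src, size_t n)
{
    char buf[32];
    if (n > sizeof buf)
        n = sizeof buf;
    memset(buf, 'X', sizeof buf);     /* poison so a missing NUL is visible */
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

/*
 * Bounded replacement for gets(): reads one line with fgets(), strips the
 * newline and discards the rest of an over-long line so the remainder is
 * not mistaken for the next input. Returns the length kept, or -1 on EOF.
 */
int read_line(FILE *fp, char *dst, size_t dstsz)
{
    if (dstsz == 0 || fgets(dst, (int)dstsz, fp) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(fp)) != EOF && c != '\n')
            ;                         /* drain instead of overrunning dst */
    }
    return (int)len;
}
```

Calling bounded_copy() on an 8-byte buffer with the constructed input "administrator" returns -1 and leaves "adminis", whereas strncpy() on an exact-fit "12345678" leaves no terminator at all.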
http://www.ddj.com/articles/1993/9309/9309d/9309d.htm
Chuck
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Microsoft is so focused on rushing Windows 2000 out the door, how could they have time/people to test "every" NT application on new NT4 service packs? Remember how crappy SP4 was? SP5 was OK because it was much smaller, but I'm not surprised SP6 is crappy. The press is turning up the heat as Microsoft continues to slip the Windows 2000 ship date. If you were Microsoft what would you do, focus on NT4 SPs or Windows 2000? From a financial perspective, Microsoft will make big cash money with Windows 2000, while NT4 SP development time/people/equipment is just a cash sinkhole.
Windows NT is a huge house of cards. Microsoft can't touch the code without a few cards falling. Here is a great article by Nicholas Petreley from the now defunct magazine "NC World": Will Windows NT develop into a super-OS or an unmanageable disaster?
Also, to quote Microsoft's own Jim McCarthy in Dynamics of Software Development (an insightful but "fluffy" book, BTW): "Shipping a product is like watching a large-sized serving of quivering Jell-O. Gradually, the Jell-O slows its vibrations. But then you fix a bunch of bugs, and it starts quivering again. Then slowly, ever so slowly, the quivering subsides. You wait, focused and primed, for the instant the Jell-O stops shaking. Then... you ship it! And then it starts shaking again."
cpeterso
No, it is not well documented because it didn't happen. Microsoft never released a product that deliberately broke a competitor's product.
It's very funny that the very next post after yours contains a link to the Dr. Dobbs article that not only shows that it was done but how it was done.
The anti-MS folks are relying on the fact that if you repeat something enough times, some people will start to believe you. Unfortunately, their immoral tactics seem to be working.
No, they are relying on the truth. I've been an MS developer since windows 3.1. I've watched them do these things. I've seen them do everything they can to kill the competition. Well, now finally they are caught (the FoF, not this story which is probably just a mistake on their part) and good lord, talk about the whine that was heard around the world!
Have you read the history of the Dr.Dos case at the Register? It uses documents from the Caldera case... which is about... ta dah exactly what we are talking about.
I hope this helps clear up any misconceptions the Microsoft marketing department may have caused you.
Myddrin
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Oh. My. God.
This is not rumour mongering. The situation with respect to DR DOS has been established already, and is being rehashed in a lawsuit brought by the makers of DR DOS (since acquired by Caldera).
Reference the consent decree (which Microsoft appears to have violated) as well as the Findings of Fact in the currently ongoing DOJ department.
Unfortunately, the Microsoft Astroturfers and Apologists are relying on the notion that if you repeat something often enough, some people will start to believe it. Fortunately, their immoral tactics aren't working as well as they used to.
The Future of Human Evolution: Autonomy
MS has released the 'hotfix' patch for the Winsock problem. You can dload either the Alpha or i386 versions, or read their Knowledge Base article.
Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
> It's really hard to believe that this is intentional on the part of Microsoft.
/. readers are falling for it. Al Gore and the major media should be pushovers.
What planet did you grow up on? How is this different from what they did to DR-DOS, or their documented intent to make using Netscape "a harrowing experience"?
It's too easy. Make a "mistake", fix it a week later, cry innocent when the inevitable accusations arise... but most importantly, leave that corporate IT manager worried about being left in the lurch if he uses a non-MS product in the future.
Good plan, Bill. Even half the
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
If a Linux patch broke some application nobody would whine these idiotic theories. It's a bug - Microsoft is embarrassed by it.
It's analogy time! A hypothetical guy (George) has a criminal record. He has been jailed three times for robbing a liquor store and hitting the cashier over the head with a 2x4. Each time he broke the glass door with a brick to gain entry.
Now, you come across a liquor store, broken front door, brick on the floor. Cashier unconscious and bleeding from his scalp. George is standing over him next to a bloody 2x4. What do you think happened?
Perhaps the story that George reformed, came across the liquor store, ran in to help the cashier and etc. etc.
Perhaps George would be more believable if he didn't have such a record.
Perhaps MS would be too.
However, my suspicion is that MS hardly cares any more whether its OS works well with anything other than MS products. Now that they have the dominant office suite, the dominant web browser, and are pushing MS alternatives to practically every other mass-market software there is, why should they care whether anybody other than MS can compete and develop stable programs for Windows?
They don't adequately test 3rd-party software compatibility, and the problem is that they can get away with it.
The ridiculously high number of API calls for Windows (and the fact that they're constantly increasing) only makes sense if they don't care about 3rd-party developers being able to keep up.
Think about it: if Windows didn't have the monopoly on desktop OS that it enjoys now, would anybody in their right mind choose to develop software for it? Would they really want to learn the 2500-or-so API calls, only to have an unknown number of them be obsolete when DirectWhatever 9.0 comes out in another month (timed to coincide with the splashy release of MSWhatever 1.0)?
Next?
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Because they broke into my desk while I was at lunch?
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
I assume you haven't read any of the references I gave in my initial comment.
... just that it's on one installation CD and Microsoft decided to combine its revenues into one product with the initial Caldera (and other) law suits at the time.
Undocumented DOS is the best reference.
Watch the Caldera suit against MS for many more. Search news.com or another older online news source for references if you wish. Search through your old PC World magazines. There are many references to the tactics MS used to make other DOS operating systems not work with the Windows "platform" so they could then finalise the pressure with an integrated platform. Note: Windows 95 is no more integrated than Dos 6.1 and Windows 3.11
- Michael T. Babcock <homepage>
- Michael T. Babcock (Yes, I blog)