And why the hell weren't they working on it when the advisory first came out in June? They aren't doing their job if it takes an infection of this scale to make them patch this hole. And let's face it, if it took them one and a half months to get around to patching this one hole, how many others have they left unpatched? See ya around when the next worm hits. I don't have one bit of sympathy for these people, the bottom line is they weren't doing their job.
I completely agree. And yet, despite the fact that I was doing my job, this still left me dead in the water.
And some of them were working on it when they got the advisory, but couldn't fix it yet because their third-party software doesn't work with Service Pack 6 installed, so they can't install the patch. They were working with the vendors to get the software updated, or working to find or code a replacement, trusting that the NT admins with customer-facing IIS servers would patch.
Some of those folks were overridden by PHBs.
While this was going on, I was being told I couldn't install a Sun FTP patch "until it was tested via the normal process", which added about a week of time in which I was subject to a known vulnerability, but couldn't do dick about it.
Ironically, we installed it Thursday.
I had it ready to go five minutes after the advisory was released, but couldn't install it for a week, because of management. The NT folks go through similar problems.
Re:not in critical systems. (on Code Red III, Score: 2)
You don't have to have it in CRITICAL systems to result in loss of life; if it's feeding you faulty data and you're making decisions based on that data, you could run out of oxygen 8 hours earlier than you thought, or something similar.
And as for the Navy, they're launching missiles with the damn thing.
Re:Microsoft should be sued (on Code Red III, Score: 2)
And what do you do if your server runs third-party software that can't run with Service Pack 6?
Microsoft unfortunately has chosen to integrate IIS so tightly with the operating system, that to upgrade one is to upgrade the other.
Some folks are in a real pickle, and don't have the knowledge to get out of it in a short period of time.
Re:Linux to the rescue? (on Code Red III, Score: 2)
The bottom line regarding legality isn't what clever logical constructs we can formulate on /.
The bottom line is what 12 people too stupid to get out of jury duty are going to think, and the average person would think that making use of a hole in order to run code on somebody else's machine without their permission is an intrusion, and thus illegal.
Your life isn't in danger from the attack on your system, so you have a "duty to retreat" that compels you to shut down your system if necessary, not counterattack.
I don't agree with it, but there won't be 12 of me on your jury.
Re:It's not like they haven't announced the patch (on Code Red III, Score: 2)
There's also the subtle difference that flaws in Microsoft products don't kill people.
Don't be so sure; there are Microsoft products in use on the space shuttle, the space station, and Navy warships.
Even if they're just pushing data around, bad data in those environments can result in death.
FYI, there appears to be some differences in the terminology between versions, and at least one major AV vendor *cough*McAfee*cough* has crucial details wrong.
What CERT calls "Code Red II" is the third iteration, and that's what hit us. Some others are calling it III, and McAfee claims II doesn't run on NT. Which is bullshit.
Re:Copycats (on Code Red III, Score: 5, Insightful)
Get over it. Code Red is dead.
The folks here at the Fortune 500 company I work for who have been working around the clock since Wednesday trying to clean up this mess will be real happy to hear that you don't believe it exists.
And the only thing I saw wrong in that report is that they believed the companies in question when they reported "isolated" problems that have already been fixed.
I've got entire projects sitting dead in the water because one server relies on one piece of third-party software that can't operate with Service Pack 6a, and so can't be brought up until they find a solution.
The pisser is none of MY servers were affected, but I'm still dead in the water because of a bunch of idiots on other teams and projects.
Yeah, but what villain would be stupid enough to clone Jar-Jars???
What villain would be stupid enough, after having destroyed an entire enemy invasion force by flying into the ship and blowing up the reactor, to build not one but TWO Death Stars with the same flaw?
But far away ahead of them all is Farscape.
I don't know how much you Americans have seen, but I've been watching it on DVD and I've seen up to about half way through the second series.
If they will lose customers by using passport exclusively, they are stupid.
If using Passport loses them 100 customers, but makes things easier on them so that they can save more money than 100 customers make for them, they'd be stupid not to use it, presuming we don't present them with an alternative.
* We know he's going forward through time, about 600+ years, and yet the monkeys have evolved dramatically (into other species in fact) over that time period.
Why is every single person who responds to this review assuming that the modified apes were the only ones present on the planet?
Has it crossed no one's mind that the modified apes could have bred with unmodified apes, producing offspring that resembled the unmodified species but with higher intelligence, strength, etc.?
If he doesn't defend against this, it can mean that his ENTIRE CLAIM on "light saber" is lost.
And wouldn't it be a tragedy, if he didn't have the exclusive rights to put these two common English words together to describe a science fiction concept that was invented years before he ever made Star Wars?
Users want the ability to double-click on executable attachments in order to open them, and email software needs to honor that request to stay competitive.
And if that was all Microsoft did here to cause a problem, you'd probably be right.
But most users do not want the system to lie to them about a file's name, causing them to think it's NOT an executable file when it in fact is.
Most users do NOT want their email to be able to destroy their entire system, and thus would be perfectly happy if said executables ran in a "jail" that couldn't affect the rest of the filesystem without a prompt. "This program is attempting to delete c:\windows\SOMEFILE.EXE, should I allow it to do that? (OK/CANCEL)".
Most users do NOT want their email to be able to run scripts without them even having opened the message, much less clicked on something.
Microsoft themselves have admitted that a number of things have been included because exactly one large customer wanted it, that affect how everything else on the system is designed. This is more than likely one of those things.
Guys, you can't have it both ways:
If proprietary software is evil, then Loki was evil.
If Loki was good, then proprietary software is good.
Pick a moral stance and stay with it. To paraphrase J. C. Watts, integrity is doing the right thing, even when it's inconvenient.
Hell, for years we were all telling them that you couldn't get a virus from email.
Would you mind suggesting it to them?
Yeah, us folks on the Unix side of the operation have been snickering at the NT guys the whole time.
Unfortunately, some of our stuff requires some of theirs to be there in order to push the data around.
No, this fun new version is "XXXXXXXX".
Don't argue. Go watch the movie.
No, better idea; stop watching the movie, and get out of the house.
No, remember, this is a Fox production:
When Clones Attack.
Most of the way through the third season, here.
(How many people ever got around sending money to the artists after Naptering/etc. the music? Not many.)
Many.
Remember, the studies show that Napster users buy more CDs.
Don't ask "what is tcpdump?".
Instead, ask "what would you use to view the contents of TCP packets on the network?"
We start with the basics "what would you use to list the contents of a directory?" and work up from there, to gauge the level of knowledge.
Also, technical folks conduct that part of the interview over the phone, and the person doesn't get a face-to-face with a manager about non-technical issues until AFTER we've made our recommendations.
No, I'm intentionally linking to these ISOs a well-known source of cryptographic software, which has provided a lot of free services for the community, made so that people will be able to use free software without paying unnecessary prices for it, if they so choose.
If Theo doesn't feel like he can support the project without charging, then he shouldn't be engaged in an Open Source project.
Is it slimy if I link to a RedHat ISO, too?
-
Oh the irony... complaining about ethics, and then offering a link to OpenBSD ISOs in the .sig...
No, irony is thinking it's OK to distribute images of commercial music CDs, but not OK to distribute privately-created CDs of Open Source software.
In fact, if the former is OK, then it should be OK to put images of the official CD up on Napster.
-
He didn't say ethics laws, he said ethics.
Any society that doesn't teach its ethics will only have them for a single generation.
You need only look around your neighborhood (assuming you're in the US) to see that I'm right.
-
But I can see absolutely no purpose to pulling that word out of his butt, and nothing in the context signals any "playfulness" with language.
Unfortunately for you, "fabulistic" is a real word.
Or, rather, "fabulist" is a real word, and "fabulistic" is a reasonable English use of the noun as an adjective.
For all Jon's faults, he at least owns a dictionary. Perhaps you should invest in one.
-